Wifi router behind pfsense appliance - bypass risk?



  • Hello,

    I was given an SG-4860 to install at home (nothing commercially critical, just home office with a couple of local servers). It has no wifi-card installed, and I am thinking of retaining wifi at home by letting my old Netgear router sit behind the pfsense and serve as wifi receptor/emitter.

    But I am starting to think that this may not be a good idea, that the pfsense would be facing the wired internet but the Netgear router would be facing the wifi internet and could thus be more easily hackable (as far as the wifi signal can be picked up). I.e., basically mitigating the increased pfsense security implementation by retaining a 'consumer grade router' entry vector that can bypass the pfsense.

    Am I correct about such a concern? Or can I write pfsense rules for the Netgear router just as I would with other devices on the LAN and thus not risk exposure?



  • @pastic said in Wifi router behind pfsense appliance - bypass risk?:

    Am I correct about such a concern?

    With WPA2, there's not much risk. This was not the case with the first WiFi encryption, WEP, which was easily broken.



  • Would there be any pros security-wise installing a Wi-Fi card in the pfsense box instead?



  • @pastic said in Wifi router behind pfsense appliance - bypass risk?:

    Would there be any pros security-wise installing a Wi-Fi card in the pfsense box instead?

    No, and my understanding is that, with the poor WiFi support in FreeBSD, it's not worth the effort. Just use an external AP. Many WiFi routers can be configured that way.



  • OK, I'll look into that solution then. Thanks!



  • If you really want to lock it up as best as possible, use the existing router in access point mode (that's normally done by turning off DHCP on the Netgear and plugging one of its LAN ports into the pfsense box or a switch connected to your pfsense box), and put it on an isolated subnet. Give it NO access to your network(s), and only let it talk out to the internet.

    Jeff



  • @akuma1x said in Wifi router behind pfsense appliance - bypass risk?:

    Give it NO access to your network(s), and only let it talk out to the internet.

    That would be appropriate if he wants a guest WiFi, but I didn't see that mentioned. If he wants to access his network via WiFi, as is often done in homes and businesses, then that's not such a good idea.



  • @jknott said in Wifi router behind pfsense appliance - bypass risk?:

    @akuma1x said in Wifi router behind pfsense appliance - bypass risk?:

    Give it NO access to your network(s), and only let it talk out to the internet.

    That would be appropriate if he wants a guest WiFi, but I didn't see that mentioned. If he wants to access his network via WiFi, as is often done in homes and businesses, then that's not such a good idea.

    True, he didn't say one way or the other how he wanted to do it.

    Here's one: guest network with a good WPA2 passcode, like above. Limit, or give it no access, to your main LAN network.

    Here's the other: on and part of your main LAN network. Use a good WPA2 passcode, maybe make the SSID hidden (but it can be found by anybody with basic wifi tools), make sure its firmware stays up-to-date to plug up any security holes. Remember, you're dealing with consumer gear, the manufacturer tends to not update firmware for too long, they want to sell more, newer, better wifi gear. It's just going to be a simple access point, so you won't get much, if any, in the way of firewalling or routing.

    Is getting newer wifi gear out of the question? I ask, because most, if not all, of the newer access point things offer VLAN capabilities. That means, with 1 wifi box, you can offer up multiple wifi networks, guest and main LAN, as an example. Add a simple 5-8 port managed switch to the mix to move this traffic in the right directions, and you can be done. This gives you 2 wifi signals, 1 that can be isolated to just the internet, the other that sits on your main LAN.

    Jeff
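
As an added example (not posted in this thread and not pfSense's own generated configuration), this is what the isolation Jeff describes looks like written out as pf rules: the "isolated subnet, internet only" idea from his first post combined with the VLAN guest SSID from his last. It assumes pfSense interface names igb1 (wired LAN) and igb1.20 (VLAN 20 carrying the guest SSID from the access point), plus the two 192.168.x networks shown; all of those are placeholders chosen for the example. In practice you build the same thing as firewall rules on the GUEST interface in the pfSense webGUI, which then generates rules of this shape.

```pf
# Added example: guest Wi-Fi segment allowed out to the internet only.
# Interface names, VLAN id and address ranges are assumptions for illustration.
lan_if    = "igb1"        # wired home LAN
guest_if  = "igb1.20"     # VLAN 20 on the LAN port, guest SSID lives here
lan_net   = "192.168.1.0/24"
guest_net = "192.168.20.0/24"

# Every private range; covers the wired LAN and anything else added later
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Rules are first-match because of "quick", so order matters.

# DHCP: clients ask from 0.0.0.0 to broadcast, so do not restrict by source net
pass in quick on $guest_if proto udp from any port 68 to any port 67

# DNS: only to pfSense's own address on this interface
pass in quick on $guest_if proto { tcp, udp } from $guest_net to ($guest_if) port 53

# Everything else aimed at the firewall itself (webGUI, SSH) is dropped
block in quick on $guest_if from any to (self)

# Any private range, which includes the wired LAN, is dropped too
block in quick on $guest_if from any to <rfc1918>

# Whatever remains is internet-bound: allow it out
pass in quick on $guest_if from $guest_net to any
```

A new interface in pfSense starts with no pass rules, so traffic is blocked until rules like these are added; the two block lines are there so the final "allow out" rule cannot be read as reaching the LAN. Guest-to-guest traffic on the same SSID never crosses pfSense, so if that should be blocked as well it has to be done on the access point itself (usually called client isolation), not here.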