How to use Access Point to access trusted LAN network



  • Currently my configuration is:

    Verizon FIOS Internet (ethernet) --> WAN on pfSense -->

    pfsense LAN port --> unmanaged switch --> 1) storage server, & 2) desktop
    pfsense OPT port --> unmanaged switch --> 1) Archer Access Point, & 2) Verizon MOCA adapter to drop internet signal onto the coax for TV Guide features.

    Currently OPT port can access anywhere but LAN (!LAN).

    My goal is locally (at home) to have a secure way to connect my personal laptop to the LAN side via a wireless access point connection. Security of the LAN from a wireless invasion is the primary goal. In my case the access point is currently being used by mobile phones, tablets, AND also being used by crap devices in the home such as Apple TV, DVD player, TV, etc. Since the access point is being used by IoT devices, I don't trust using the same AP for wireless access into the LAN. I've considered setting up an OpenVPN tunnel to remote access into the LAN from laptops but that seems like overkill.

    Thanks for any suggestions on how I could change my topology or settings for this to work best. I do have 1 more unused port on the pfSense.



  • Configure your AP with a pair of VLANs & SSIDs respectively, one for trusted and one for untrusted. Or, if you would rather have all things wifi on one subnet, then create DHCP reservations for the trusted devices and use firewall rules to control access.



  • Thanks seems easy enough. I’d probably prefer the separate subnet for trusted wifi.

    But how do you protect against weaknesses in access point hardware software which it seldom maintained/updated? I have read in places where this makes the case for a VPN. Not sure I agree though. Can the firewall rules mitigate this risk?


  • LAYER 8 Global Moderator

    huh? Weakness in what exactly? Lets say X gets on your wifi network because your psk to get on this network was p@ssw0rd - so.. They only have access to that vlan.. They would only have access to what that vlan has access to, not anything else..

    Pfsense can not protect you against a shitty psk password, or weakness in the wireless protocols that allow them access to that vlan.. All it can do is protection from devices on that vlan from talking to other vlans..



  • Got it, thanks. I can use the firewall rules to limit which devices can cross over to LAN.


  • LAYER 8 Global Moderator

    Exactly... The great thing about actual AP that can do multiple vlans.. So for example to get on my trust network via wifi client has to auth with eap-tls.. You can only get on limited vlans via psk.. And those are restricted from talking to other stuff on other vlans.

    I allow my normal use wifi to access plex (port 32400) for example, but you can not access any file shares.. Only way to access file shares is via the trusted wifi ssid, which means your device needs a cert issued by me, etc..



  • I am not familiar with eap-tls and how to set that up. I have a Unifi NanoHD AP and have a vlan set for my LANwifi on pfsense, and a firewall rule allowing source of only 2 laptop IPs to access anywhere. Not sure if my rule logic is right. For encryption I was thinking of using a OpenVPN tunnel between the subnets. Is EAP-TLS more suitable for this and is there a good tutorial somewhere? Thanks


  • Netgate Administrator

    Not sure what you want to encrypt here or where at should be encrypted.

    EAP-TLS is used for authentication of connecting clients not to encrypt the traffic so it's not something you would use as a substitute for OpenVPN.

    Steve



  • I always thought encryption should be used even on home wireless access points. Not trying to be paranoid, just to implement what makes sense for secure wireless access to the LAN. Are the setup steps here the best practice for eap-tls authentication?

    https://docs.netgate.com/pfsense/en/latest/packages/using-eap-and-peap-with-freeradius.html


  • LAYER 8 Global Moderator

    WPA2 is encrypted... I think you need to do some research into the difference between wpa2 psk, and wpa2 enterprise.. All that changes is the auth method... The encryption doesn't change depending on eap you use.

    I am not familiar with eap-tls

    Then I would not suggest you use it... Its not going to get you anything but a complex setup you do not understand.... You understand that consumer devices normally do not understand methods of wpa2 enterprise..

    I suggest you create a secure PSK, and be done with it... Your wireless is now secure.


Log in to reply