How to use Access Point to access trusted LAN network



  • Currently my configuration is:

    Verizon FIOS Internet (ethernet) --> WAN on pfSense -->

    pfsense LAN port --> unmanaged switch --> 1) storage server, & 2) desktop
    pfsense OPT port --> unmanaged switch --> 1) Archer Access Point, & 2) Verizon MoCA adapter to drop the internet signal onto the coax for TV Guide features.

    Currently OPT port can access anywhere but LAN (!LAN).

    My goal is, locally (at home), to have a secure way to connect my personal laptop to the LAN side via a wireless access point connection. Security of the LAN from a wireless invasion is the primary goal. In my case the access point is currently being used by mobile phones and tablets, AND also by crap devices in the home such as Apple TV, DVD player, TV, etc. Since the access point is being used by IoT devices, I don't trust using the same AP for wireless access into the LAN. I've considered setting up an OpenVPN tunnel to remotely access the LAN from laptops, but that seems like overkill.

    Thanks for any suggestions on how I could change my topology or settings for this to work best. I do have 1 more unused port on the pfSense.



  • Configure your AP with a pair of VLANs & SSIDs respectively, one for trusted and one for untrusted. Or, if you would rather have all things wifi on one subnet, then create DHCP reservations for the trusted devices and use firewall rules to control access.



  • Thanks, seems easy enough. I'd probably prefer the separate subnet for trusted wifi.

    But how do you protect against weaknesses in access point hardware/software, which is seldom maintained/updated? I have read in places that this makes the case for a VPN. Not sure I agree though. Can the firewall rules mitigate this risk?


  • LAYER 8 Global Moderator

    Huh? Weakness in what exactly? Let's say X gets on your wifi network because your PSK to get on this network was p@ssw0rd... so they only have access to that vlan. They would only have access to what that vlan has access to, not anything else.

    pfSense cannot protect you against a shitty PSK password, or a weakness in the wireless protocols that allows them access to that vlan. All it can do is prevent devices on that vlan from talking to other vlans.



  • Got it, thanks. I can use the firewall rules to limit which devices can cross over to LAN.


  • LAYER 8 Global Moderator

    Exactly... That's the great thing about an actual AP that can do multiple vlans. So, for example, to get on my trusted network via wifi a client has to auth with EAP-TLS. You can only get on limited vlans via PSK, and those are restricted from talking to other stuff on other vlans.

    I allow my normal-use wifi to access Plex (port 32400), for example, but you cannot access any file shares. The only way to access file shares is via the trusted wifi SSID, which means your device needs a cert issued by me, etc.
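The two approaches suggested above (a separate trusted VLAN versus DHCP reservations plus firewall rules on a shared subnet, and the moderator's "Plex yes, file shares no" split) are a matter of rule ordering on pfSense, where interface rules are evaluated top-down, first match wins, and anything unmatched is dropped. The following is an added example, not code from the thread or from pfSense: a small first-match evaluator that models that policy over constructed flows. The subnets, the Plex host address, and the two "reserved" laptop addresses are assumptions chosen for the example.

```python
"""Constructed example: first-match evaluation of a per-VLAN pfSense-style
policy. Not pfSense code; it only models the top-down, first-match,
implicit-deny behaviour of pfSense interface rules."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Assumed addressing (example values, not from the thread).
LAN_NET = "192.168.1.0/24"          # wired LAN: storage server, desktop
IOT_NET = "192.168.20.0/24"         # PSK SSID: phones, Apple TV, etc.
TRUSTED_NET = "192.168.30.0/24"     # trusted SSID / VLAN for laptops
PLEX = "192.168.1.10/32"            # assumed Plex server on the LAN
TRUSTED_LAPTOPS = ("192.168.30.50", "192.168.30.51")  # DHCP reservations


@dataclass(frozen=True)
class Flow:
    src_if: str   # ingress interface (pfSense applies rules on the way in)
    src: str
    dst: str
    proto: str    # "tcp", "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    src_if: str
    src: str              # CIDR or "any"
    dst: str              # CIDR, "any", or "!CIDR" (like pfSense "!LAN net")
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None = any port


def _match(addr: str, spec: str) -> bool:
    """CIDR match with pfSense-style '!' inversion."""
    if spec == "any":
        return True
    inverted = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    inside = ipaddress.ip_address(addr) in net
    return (not inside) if inverted else inside


def evaluate(flow: Flow, rules) -> str:
    """Verdict for one new connection: first matching rule wins."""
    for r in rules:
        if r.src_if != flow.src_if:
            continue
        if r.proto != "any" and r.proto != flow.proto:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        if not (_match(flow.src, r.src) and _match(flow.dst, r.dst)):
            continue
        return r.action
    return "block"   # pfSense: traffic no rule matches is dropped


# The policy from the thread, expressed as ordered interface rules.
POLICY = [
    # IoT/PSK SSID: Plex only on the LAN, everything else off-LAN (the OP's "!LAN").
    Rule("pass", "IOT", IOT_NET, PLEX, "tcp", 32400),
    Rule("pass", "IOT", IOT_NET, "!" + LAN_NET, "any", None),
    # Trusted SSID: only the two reserved laptops may cross into the LAN.
    Rule("pass", "TRUSTED", TRUSTED_LAPTOPS[0] + "/32", LAN_NET, "any", None),
    Rule("pass", "TRUSTED", TRUSTED_LAPTOPS[1] + "/32", LAN_NET, "any", None),
    Rule("pass", "TRUSTED", TRUSTED_NET, "!" + LAN_NET, "any", None),
]


def policy_results() -> dict:
    """Run constructed flows through the policy and return the verdicts."""
    flows = {
        "iot_to_plex":        Flow("IOT", "192.168.20.40", "192.168.1.10", "tcp", 32400),
        "iot_to_smb":         Flow("IOT", "192.168.20.40", "192.168.1.20", "tcp", 445),
        "iot_to_internet":    Flow("IOT", "192.168.20.40", "93.184.216.34", "tcp", 443),
        "laptop_to_smb":      Flow("TRUSTED", "192.168.30.50", "192.168.1.20", "tcp", 445),
        "other_dev_to_smb":   Flow("TRUSTED", "192.168.30.77", "192.168.1.20", "tcp", 445),
        "other_dev_internet": Flow("TRUSTED", "192.168.30.77", "1.1.1.1", "udp", 53),
        # Same address as a reserved laptop, configured statically by an intruder.
        "spoofed_laptop_ip":  Flow("TRUSTED", "192.168.30.50", "192.168.1.20", "tcp", 445),
    }
    return {name: evaluate(f, POLICY) for name, f in flows.items()}


if __name__ == "__main__":
    for name, verdict in policy_results().items():
        print(f"{name:20s} {verdict}")
```

The last flow is the caveat behind the EAP-TLS suggestion: a rule keyed on a DHCP-reserved address passes any host that configures that address for itself, so on a shared PSK network the reservation only sorts well-behaved devices. The per-SSID VLAN with certificate authentication moves the "who is trusted" decision to the association step, where the firewall rule then only has to say "this whole VLAN may reach the LAN".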



  • I am not familiar with EAP-TLS and how to set that up. I have a Unifi AP and have a vlan set for my LANwifi, and a firewall rule allowing only 2 laptop IPs to access my wired LAN interface. Not sure if I have it set up right for that part. I was thinking of using an OpenVPN tunnel between the subnets for a secure encrypted wifi client connection to the LAN. Is EAP-TLS better? Here is what I have so far:
    [attached screenshots: subnets.png, interfaces.png, firewallrules.png]

