Selective client traffic filtering over Bridged Access Point



  • Hello,
    I have set up pfSense on a 6-port machine with a wireless card.
    My aim is to set up a bridged wireless access point and to be able to control which clients in the bridge network can access other client machines under the same network. With my current setup I am able to allow or deny LAN-LAN and LAN-WIFI client traffic under the bridge, but I cannot seem to control the WIFI-WIFI client traffic even with BSS intercommunication disabled and the bridge.pfil_bridge flag set to 1.

    I have one of the LAN interfaces (OPT1) bridged with the wireless interface that is working in hostap mode.

    Snippets of the configuration xml are added below.

    I have a rule to allow all traffic on the Bridge interface in order to allow internet access.
    With the BSS Intercommunication option selected under the AP settings, all connected clients are able to communicate with each other (as expected).
    Yet once the BSS Intercommunication flag is unselected and I add rules to allow certain clients (connected on the AP) to communicate with each other (both Floating and Interface rules), they are unable to do so.

    I changed the system flags under the Advanced settings menu and set bridge member filtering to 0 and bridge filtering to 1.

    Still, I was unable to get wireless clients to communicate with each other.

    Any help in solving the matter is appreciated.

    System Flags:

    <sysctl>
    	<item>
    		<tunable>net.link.bridge.ipfw</tunable>
    		<value>1</value>
    	</item>
    	<item>
    		<tunable>net.link.bridge.pfil_onlyip</tunable>
    		<value>0</value>
    	</item>
    	<item>
    		<tunable>net.link.bridge.pfil_local_phys</tunable>
    		<value>1</value>
    	</item>
    	<item>
    		<tunable>net.link.bridge.pfil_member</tunable>
    		<value>0</value>
    		<descr><![CDATA[Packet filter on the member interface]]></descr>
    	</item>
    	<item>
    		<tunable>net.link.bridge.pfil_bridge</tunable>
    		<value>1</value>
    	</item>
    </sysctl>
    

    Bridge Configuration:

    <bridged>
    	<members>lan,opt5</members>
    	<enablestp></enablestp>
    	<descr><![CDATA[br1]]></descr>
    	<maxaddr></maxaddr>
    	<timeout></timeout>
    	<maxage></maxage>
    	<fwdelay></fwdelay>
    	<hellotime></hellotime>
    	<priority></priority>
    	<proto>stp</proto>
    	<holdcnt></holdcnt>
    	<ifpriority></ifpriority>
    	<ifpathcost></ifpathcost>
    	<stp>lan,opt5</stp>
    	<edge>lan,opt5</edge>
    	<bridgeif>bridge1</bridgeif>
    </bridged>
    
    <opt3>
    	<descr><![CDATA[Br1]]></descr>
    	<if>bridge1</if>
    	<enable></enable>
    	<spoofmac></spoofmac>
    	<ipaddr>10.0.6.1</ipaddr>
    	<subnet>24</subnet>
    </opt3>
    

    Wireless Interface:

    <opt5>
    	<descr><![CDATA[AP]]></descr>
    	<if>run0_wlan0</if>
    	<wireless>
    		<standard>auto</standard>
    		<protmode>off</protmode>
    		<channel>7</channel>
    		<regdomain></regdomain>
    		<reglocation>indoor</reglocation>
    		<mode>hostap</mode>
    		<ssid>TestAP</ssid>
    		<authmode></authmode>
    		<txpower></txpower>
    		<distance></distance>
    		<wpa>
    			<macaddr_acl></macaddr_acl>
    			<wpa_mode>2</wpa_mode>
    			<wpa_key_mgmt>WPA-PSK</wpa_key_mgmt>
    			<wpa_pairwise>CCMP</wpa_pairwise>
    			<wpa_group_rekey>60</wpa_group_rekey>
    			<wpa_gmk_rekey>3600</wpa_gmk_rekey>
    			<passphrase>testing</passphrase>
    			<ext_wpa_sw></ext_wpa_sw>
    			<enable></enable>
    		</wpa>
    		<auth_server_addr></auth_server_addr>
    		<auth_server_port></auth_server_port>
    		<auth_server_shared_secret></auth_server_shared_secret>
    		<auth_server_addr2></auth_server_addr2>
    		<auth_server_port2></auth_server_port2>
    		<auth_server_shared_secret2></auth_server_shared_secret2>
    		<apbridge></apbridge>
    		<wme>
    			<enable></enable>
    		</wme>
    		<pureg>
    			<enable></enable>
    		</pureg>
    	</wireless>
    	<spoofmac></spoofmac>
    	<enable></enable>
    </opt5>
    
    <interfaces>
             <run0>
                    <standard>auto</standard>
                    <protmode>off</protmode>
                    <channel>7</channel>
                    <regdomain></regdomain>
                    <regcountry>TR</regcountry>
                    <reglocation>indoor</reglocation>
             </run0>
    </interfaces>
    
    <clone>
            <if>run0</if>
            <mode>hostap</mode>
            <descr><![CDATA[AP]]></descr>
            <cloneif>run0_wlan0</cloneif>
    </clone>
    


  • @json-paul said in Selective client traffic filtering over Bridged Access Point:

    My aim is to set up a bridged wireless access point and to be able to control which clients in the bridge network can access other client machines under the same network.

    pfSense does not affect connections between devices on the same network.
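
Added example, not part of either post and not pfSense code: a Python audit of the posted bridge settings that reports, for each pair of bridge members, which layer forwards the traffic and which pf bridge hooks see it. The wrapping `<pfsense>` root and the reading of `<apbridge><enable/>` as "BSS intercommunication on" are assumptions; the same-member drop reflects FreeBSD if_bridge behaviour, and the direct relay between wireless clients is the `apbridge` behaviour documented in ifconfig(8).

```python
import xml.etree.ElementTree as ET

# Constructed input: values copied from the snippets posted above, wrapped in
# one root element so the fragments parse as a single document.
CONFIG = """<pfsense>
<sysctl>
 <item><tunable>net.link.bridge.pfil_member</tunable><value>0</value></item>
 <item><tunable>net.link.bridge.pfil_bridge</tunable><value>1</value></item>
</sysctl>
<bridged><members>lan,opt5</members><bridgeif>bridge1</bridgeif></bridged>
<opt5><if>run0_wlan0</if>
 <wireless><mode>hostap</mode><apbridge></apbridge></wireless>
</opt5>
</pfsense>"""

def pf_hooks(root):
    """Return the bridge pfil hooks (bridge and/or member) that are set to 1."""
    vals = {i.findtext("tunable"): i.findtext("value") for i in root.iterfind("sysctl/item")}
    wanted = ("pfil_bridge", "pfil_member")
    return [h for h in wanted if vals.get("net.link.bridge." + h) == "1"]

def audit(xml_text):
    """Map each member pair to (layer that forwards it, pf hooks that see it)."""
    root = ET.fromstring(xml_text)
    hooks = pf_hooks(root)
    members = root.findtext("bridged/members").split(",")
    paths = {}
    for i, a in enumerate(members):
        for b in members[i + 1:]:
            paths[(a, b)] = ("if_bridge", hooks)  # crosses the bridge, so pf can filter
        w = root.find(f".//{a}/wireless")
        if w is None or w.findtext("mode") != "hostap":
            continue
        # Assumption: the GUI checkbox is stored as <apbridge><enable/></apbridge>.
        if w.find("apbridge/enable") is not None:
            paths[(a, a)] = ("net80211", [])  # AP relays client-to-client; pf never runs
        else:
            # Frames are passed up to the host, but if_bridge drops unicast whose
            # destination sits behind the member it arrived on, so no rule helps.
            paths[(a, a)] = ("not forwarded", [])
    return paths

if __name__ == "__main__":
    for pair, (layer, hooks) in audit(CONFIG).items():
        print(pair, layer, hooks)
```
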

