Netgate Discussion Forum

Router's Guest Network on different subnet with separate DHCP as main Network - Is it Protected?

7 Posts 3 Posters 1.1k Views
    kollkash
    last edited by Dec 15, 2019, 7:07 AM

    I'm scratching my head, so I'm looking for some outside input. Apologies if this post isn't in the correct sub.

    I'm using an Amplifi HD Mesh network in bridge mode. My pfSense box is running DHCP as a PPPoE modem and router, connected to a switch off of the LAN interface, which runs to the Amplifi Router in bridge mode. My pfSense LAN interface has my main network IP set to 192.168.158.1/24.

    However, Amplifi just released a Guest Network capability, but it is not configurable. The IPs that the Guest network hands out are in the 192.168.224.1/24 network.

    I'm trying to determine if that Guest subnet is protected by the pfSense firewall. I can't seem to see any devices on the Guest network in the ARP table and a pcap didn't pick them up. I know that anything on the Guest network has to go out via the pfSense box to the Internet, but I can't figure out how...

    Any suggestions on where I can dig?

    Thanks all!!

    jd

      kiokoman LAYER 8
      last edited by kiokoman Dec 15, 2019, 3:16 PM Dec 15, 2019, 9:50 AM

      Deleted... my bad, I've read it wrong.

      Yeah, it's probably like stephenw10 wrote here.

      ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
      Please do not use chat/PM to ask for help
      we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
      Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        stephenw10 Netgate Administrator
        last edited by Dec 15, 2019, 3:02 PM

        @kollkash said in Router's Guest Network on different subnet with separate DHCP as main Network - Is it Protected?:

        I'm using an Amplifi HD Mesh network in bridge mode.

        By that do you mean you're using them effectively in access point mode? So:

        PPPoE => (WAN) pfSense (LAN) => switch => Amplifi HD ~> wifi clients

        If so, it's unclear how the separate guest network would connect. Probably the Amplifi router is NATing the traffic to the LAN subnet. In which case it does not protect LAN from Guest, but Guest clients are still filtered through pfSense to WAN.

        Steve

          kollkash @stephenw10
          last edited by Dec 17, 2019, 8:02 PM

          @stephenw10 Thanks Steve! Yes - essentially, I'm using the Amplifi Mesh router and mesh points as APs, largely due to some of the limitations of the Amplifi HD system when I first got it.

          When you say "does not protect LAN from Guest," do you mean that Guest clients could attack clients on the main LAN?

          If the Amplifi Router is indeed NAT'ing the Guest network (inquiry sent to Amplifi to confirm), then the pfSense firewall would still be providing perimeter protection (which I think is what your comment indicates), correct?

          Thanks again!

            stephenw10 Netgate Administrator
            last edited by Dec 17, 2019, 11:17 PM

            Yes exactly.

            What you really want is the guest subnet passed to pfSense over a VLAN. That way pfSense can filter it like any other interface including traffic between GUEST and LAN. I don't know if that's possible though with Amplifi.

            Steve

              kollkash @stephenw10
              last edited by Dec 18, 2019, 5:43 PM

              @stephenw10 Thanks again Steve! Amplifi got back to me with the following information, after I asked if they were VLAN tagging the Guest wireless. I'm not sure if I understand totally and certainly don't know if there are any implications to the outbound filtering of the traffic via pfSense and the segregation between Guest network and main network...

              ...any insight you have is appreciated :)

              "No, we don't use VLAN tags for guest SSID. Instead of VLAN tags, we use GRE tunnel. We cannot use VLAN tags because, in wired backbone mode, there could be an ethernet switch in between that does not support VLAN tags. GRE tunnel works in every case. GRE is used to provide Guest service on mesh points."

                stephenw10 Netgate Administrator
                last edited by Dec 23, 2019, 9:19 PM

                Hmm, GRE tunnel to where? Between the amplifi nodes? To some cloud location?

                More info needed there. Not really sure how that might be used, though it probably could be....

                Steve

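The thread leaves two practical questions open: why a pcap on the LAN side showed no guest devices, and where the GRE tunnel Amplifi mentions actually terminates. Both can be answered from a capture on the wired backbone if the capture is decoded one layer deeper than the outer IP header. The script below is an added example, not code from the thread or from Netgate or Amplifi. It assumes the mesh nodes carry guest traffic as either IPv4-in-GRE (protocol type 0x0800) or Ethernet-in-GRE (0x6558, "transparent Ethernet bridging"); Amplifi's message does not say which, so the parser handles both. The subnets are the ones named in the thread (192.168.158.0/24 LAN, 192.168.224.0/24 guest); the sample frames are constructed in the script, not taken from a real capture.

```python
"""Decode captured Ethernet frames far enough to find guest-subnet traffic,
including traffic hidden inside GRE (IP protocol 47) tunnels between mesh nodes.
Added example for this thread; the frames at the bottom are constructed."""
import ipaddress
import struct

# Subnets named in the thread.
GUEST_NET = ipaddress.ip_network("192.168.224.0/24")

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_TEB = 0x6558      # Transparent Ethernet Bridging: a whole Ethernet frame inside GRE
IPPROTO_GRE = 47


def parse_ethernet(frame):
    """Return (ethertype, payload) for an untagged Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return ethertype, frame[14:]


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload); honours IHL and total length so trailing bytes are dropped."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    return src, dst, pkt[9], pkt[ihl:total_len]


def parse_gre(pkt):
    """Return (protocol_type, payload) for an RFC 2784/2890 GRE header (optional C, K, S fields)."""
    if len(pkt) < 4:
        raise ValueError("truncated GRE header")
    flags = pkt[0]
    proto_type = struct.unpack("!H", pkt[2:4])[0]
    hdr_len = 4 + 4 * bool(flags & 0x80) + 4 * bool(flags & 0x20) + 4 * bool(flags & 0x10)
    return proto_type, pkt[hdr_len:]


def classify_frame(frame):
    """Describe one frame: the outer addresses on the wire and, for GRE, the addresses it carries."""
    ethertype, payload = parse_ethernet(frame)
    if ethertype != ETHERTYPE_IPV4:
        return {"kind": "non-ip"}
    src, dst, proto, payload = parse_ipv4(payload)
    info = {"kind": "ipv4", "outer": (str(src), str(dst)), "inner": None}
    if proto == IPPROTO_GRE:
        info["kind"] = "gre"
        proto_type, inner = parse_gre(payload)
        if proto_type == ETHERTYPE_TEB:          # peel the bridged Ethernet header first
            proto_type, inner = parse_ethernet(inner)
        if proto_type == ETHERTYPE_IPV4:
            isrc, idst, _, _ = parse_ipv4(inner)
            info["inner"] = (str(isrc), str(idst))
    return info


def audit(frames):
    """Summarise a capture: GRE tunnel endpoints seen, and guest-subnet hosts inside or outside tunnels.
    A non-empty 'guest_hosts' list tells you the guest subnet is visible on the wired LAN segment,
    which is what pfSense's LAN rules never see if the Amplifi NATs it before forwarding."""
    tunnels, guest_hosts = set(), set()
    for frame in frames:
        info = classify_frame(frame)
        if info["kind"] == "non-ip":
            continue
        if info["kind"] == "gre":
            tunnels.add(info["outer"])
        for addr in info["outer"] + (info["inner"] or ()):
            if ipaddress.IPv4Address(addr) in GUEST_NET:
                guest_hosts.add(addr)
    return {"gre_endpoints": sorted(tunnels), "guest_hosts": sorted(guest_hosts)}


# ---- constructed sample frames (no real capture; MAC addresses and checksums are dummies) ----
def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload   # header checksum left as 0; the parser above does not verify it


def _eth(payload, ethertype=ETHERTYPE_IPV4):
    return b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", ethertype) + payload


def _gre(proto_type, payload):
    return struct.pack("!BBH", 0, 0, proto_type) + payload


SAMPLE_FRAMES = [
    # 1. ordinary LAN client talking to the Internet (UDP, proto 17)
    _eth(_ipv4("192.168.158.50", "8.8.8.8", 17, b"\x00" * 8)),
    # 2. guest client 192.168.224.20 carried in an Ethernet-in-GRE tunnel between two mesh nodes
    _eth(_ipv4("192.168.158.3", "192.168.158.2", IPPROTO_GRE,
               _gre(ETHERTYPE_TEB, _eth(_ipv4("192.168.224.20", "8.8.8.8", 6, b"\x00" * 20))))),
    # 3. a guest address appearing directly on the wire (ICMP); would mean nothing NATs it
    _eth(_ipv4("192.168.224.21", "192.168.158.1", 1, b"\x08\x00" + b"\x00" * 6)),
]

if __name__ == "__main__":
    print(audit(SAMPLE_FRAMES))
```

On the real network, feed `classify_frame` the raw frames from a capture taken on the switch port facing the Amplifi router (for example with a pcap reader). The outer addresses of the `gre` entries answer Steve's "GRE tunnel to where?"; if they are all within 192.168.158.0/24, the tunnel stays between the mesh nodes and the router. Whether any guest address then shows up outside a tunnel, or whether every packet toward pfSense carries a LAN-subnet source, is what distinguishes a guest subnet pfSense could filter from one that is NATed away before it arrives.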