Network topology Question
-
What was wanted:
- Any new computer connected to the network, LAN or WIFI should not have access to the rest of the computers or to the Internet. A router with a public password that anyone can connect to and have access to the Internet but not have access to the other computers.
I configured as follows:
- pfSense with DHCP disabled on the LAN ("Allow known clients from only this interface")
- when I add a computer to the network, I assign it a static IP from 10.0.0.1/24
- on the router where everyone can connect, I assigned 10.0.0.200 on the WAN and left the DHCP server active on the LAN (192.168.1.1/24)
How safe is the configuration I made regarding what was wanted?
Thanks
-
@hendi A router has nothing to do with a computer accessing another computer on the same network. Those computers are connected by layer 2 so a router isn't even needed for them to talk to each other.
-
Yeah, it's not 'safe'. Anything connected to the public access router (a wifi access point?) would be able to connect to anything on the pfSense LAN unless you have rules in the router to prevent it.
You probably want, at a minimum, the public access router connected to a separate interface in pfSense. That could be a VLAN if the router has that capability. That way you can control the public access traffic in pfSense.
Preventing new LAN clients from connecting to each other is a layer 2 problem, as Jarhead says. You need a switch that can do port isolation to properly do that.
Steve
-
@hendi Is 10.0.0.0/24 your pfSense LAN? And the wireless router's WAN is connected to that LAN network? Then no, that (via NAT) isolates the wireless network from the main network but not the main network from the wireless network. It needs two networks (LAN and VLAN, or two interfaces on pfSense, or two routers) for that as Steve W mentions.
-
This part is intended for employees.
pfSense - switch without management - 10 TP-Links with DHCP disabled used as access points (they have a static IP assigned on the LAN interface; each cable is connected from the switch to the LAN port on the routers, not on the WAN port).
10.0.0.0/24 is pfSense. The computers connected here can see each other, which is OK. The desired restriction on this side was only that a new computer connected to the network does not receive an IP until a static one is assigned to it, so that it cannot access the rest of the computers.
Another TP-Link has active DHCP with 192.168.1.0/24, connected from the switch to the WAN port of the router. It has a static IP assigned from 10.0.0.0/24 on the WAN interface. Here it is important that a computer connected to it cannot access the rest of the computers in 10.0.0.0/24.
-
I think I will add another network card for the public network.
-
@hendi said in Network topology Question:
I think I will add another network card for the public network.
Or a layer 2 switch and use a VLAN.
-
@hendi said in Network topology Question:
Another tplink has active dhcp with 192.168.1.0/24 connected from the switch to the WAN port of the router. It has a static ip assigned from 10.0.0.0/24 on the WAN interface. Here it is important that a computer connected to it cannot access the rest of the computers in 10.0.0.0/24
In that scenario the only thing stopping clients in the 192.168.1.X subnet from accessing any host in the 10.0.0.X subnet is the rules in the TP-Link router.
@hendi said in Network topology Question:
I think I will add another network card for the public network.
Good idea. That will make it much easier.
You can configure DHCP in pfSense to use static leases only and not have it hand out an IP to new hosts until you enter one. But that would not stop a host using a static IP and accessing other resources in the subnet. That traffic does not go through pfSense so it cannot filter it.
Steve
-
@stephenw10 said in Network topology Question:
@hendi said in Network topology Question:
I think I will add another network card for the public network.
Good idea. That will make it much easier.
You can configure DHCP in pfSense to use static leases only and not have it hand out an IP to new hosts until you enter one. But that would not stop a host using a static IP and accessing other resources in the subnet. That traffic does not go through pfSense so it cannot filter it.
Steve
Is there any method to prevent this?
-
@hendi said in Network topology Question:
Is there any method to prevent this?
Devices on the same network talking to each other? L2 isolation; AP isolation is what it is commonly called on WiFi. On a switch it is normally called a private VLAN.
Your L2 devices need to support doing that. For example, if all you have is some dumb switch, it is not going to support it. Most WiFi gear does support isolation though.
-
Yeah, since you appear to be using all wifi devices there then client isolation on the APs would do it.
But that would then prevent any LAN hosts talking to each other whether or not you had added them. And that might break numerous things!
Steve
-
@stephenw10 said in Network topology Question:
Yeah, since you appear to be using all wifi devices there then client isolation on the APs would do it.
But that would then prevent any LAN hosts talking to each other whether or not you had added them. And that might break numerous things!
Steve
First of all, thank you all for the answers!
Won't WiFi AP isolation prevent an authorized IP from accessing a network printer connected via LAN? Or does it strictly refer to the isolation between the IP addresses assigned via WiFi? In my case, routers are used as access points.
-
@hendi No, AP isolation would not stop your device on the WiFi from sending traffic to your gateway to get to some other network. If that were the case, no devices on this network would be able to do anything.
-
Right but it would prevent a LAN wifi client accessing a wifi printer that was also on LAN. Which is probably not what you want!
You can probably enable MAC address filtering on the APs to prevent new LAN clients connecting with the passkey. Though that's only very basic security. Enabling 802.1X auth on the APs would be much better. And much more complex to setup!
Steve
-
I added another network card for the guest network: 192.168.100.1/24 with DHCP range 192.168.100.11-192.168.100.254.
I configured a TP-Link as an access point with a static IP on its LAN of 192.168.100.2 and DHCP disabled. I set a rule in the firewall for the guest network so that it can access the Internet but not the LAN network. It works perfectly, but I cannot access the TP-Link interface at 192.168.100.2 from the LAN; I can only access it from the guest network. Any idea?
-
You need a rule on LAN to allow that.
You may also need to NAT that traffic because the AP probably has no default route in order to reply.
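An added example, not posted by anyone in this thread, that models the three pfSense behaviours the replies above rely on: rules on an interface are evaluated top to bottom with first match winning and an implicit default deny (so the "block guest to LAN" rule must sit above "pass guest to any"); same-subnet traffic never reaches pfSense, so no rule can filter it; and the AP at 192.168.100.2, having no default gateway, can only answer on-link sources, which is why management from 10.0.0.0/24 needs either a gateway on the AP or outbound NAT on the GUEST interface. Only the standard library is used. The addresses are the ones quoted in the thread; the rule tuples, the function names and the sample flows (10.0.0.5, 192.168.100.50, 1.1.1.1) are assumptions made for the example.

```python
"""Model of first-match rule evaluation, layer 2 bypass and the AP return
path for the guest network in this thread.  Added example, not thread code.
Addresses quoted from the thread; rule tuples and sample flows are assumed.
"""
import ipaddress
from typing import List, Optional, Tuple

LAN_NET = ipaddress.ip_network("10.0.0.0/24")
GUEST_NET = ipaddress.ip_network("192.168.100.0/24")
GUEST_GW = ipaddress.ip_address("192.168.100.1")  # pfSense GUEST interface
AP_MGMT = ipaddress.ip_address("192.168.100.2")   # TP-Link AP, no gateway set
ANY = "any"

# (action, source, destination); source/destination are a network or ANY.
Rule = Tuple[str, object, object]

# Weak ordering (assumed): the pass rule shadows the block rule below it.
GUEST_RULES_WEAK: List[Rule] = [
    ("pass", GUEST_NET, ANY),
    ("block", GUEST_NET, LAN_NET),
]
# Corrected ordering: block LAN first, then pass everything else.
GUEST_RULES_FIXED: List[Rule] = [
    ("block", GUEST_NET, LAN_NET),
    ("pass", GUEST_NET, ANY),
]


def _matches(field, addr: ipaddress.IPv4Address) -> bool:
    return field == ANY or addr in field


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """First-match evaluation with implicit default deny, as pfSense does."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rsrc, rdst in rules:
        if _matches(rsrc, s) and _matches(rdst, d):
            return action
    return "block"  # nothing matched: implicit default deny


def crosses_firewall(src: str, dst: str, nets=(LAN_NET, GUEST_NET)) -> bool:
    """Same-subnet traffic is switched at layer 2 and never reaches pfSense,
    so a host with a hand-typed static IP on LAN is not filtered at all."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return not any(s in n and d in n for n in nets)


def host_can_reply(host: ipaddress.IPv4Address, prefix: int,
                   gateway: Optional[ipaddress.IPv4Address],
                   to: ipaddress.IPv4Address) -> bool:
    """A host answers an off-link source only if it has a default gateway."""
    onlink = to in ipaddress.ip_interface(f"{host}/{prefix}").network
    return onlink or gateway is not None


def lan_can_manage_ap(nat_outbound: bool, lan_rule_allows: bool = True,
                      ap_gateway: Optional[ipaddress.IPv4Address] = None) -> bool:
    """LAN host 10.0.0.5 (assumed) opening the AP web UI at 192.168.100.2.

    The forward path needs a LAN rule that allows it.  The reply needs either
    a gateway configured on the AP, or outbound NAT on GUEST so the AP sees
    the pfSense GUEST address (on-link) as the source instead of 10.0.0.5.
    """
    if not lan_rule_allows:
        return False
    client = ipaddress.ip_address("10.0.0.5")
    seen_by_ap = GUEST_GW if nat_outbound else client
    return host_can_reply(AP_MGMT, 24, ap_gateway, seen_by_ap)


if __name__ == "__main__":
    print("weak order, guest->LAN :", evaluate(GUEST_RULES_WEAK, "192.168.100.50", "10.0.0.10"))
    print("fixed order, guest->LAN:", evaluate(GUEST_RULES_FIXED, "192.168.100.50", "10.0.0.10"))
    print("fixed order, guest->net:", evaluate(GUEST_RULES_FIXED, "192.168.100.50", "1.1.1.1"))
    print("LAN->LAN hits pfSense  :", crosses_firewall("10.0.0.5", "10.0.0.6"))
    print("manage AP, no NAT      :", lan_can_manage_ap(nat_outbound=False))
    print("manage AP, with NAT    :", lan_can_manage_ap(nat_outbound=True))
```

Running it shows the pass-then-block ordering letting guest traffic into 10.0.0.0/24, the corrected ordering blocking it while still passing Internet-bound traffic, LAN-to-LAN traffic never touching the firewall, and the AP only answering LAN management once the source is NATed to the GUEST address (or the AP is given a gateway).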