Best topology for my network

tknospdr

For the sake of FW rules, the physical adapter is completely divorced from the "interface" right?
I think part of my confusion lies in the fact that I have a physical adapter called ETH3, and I have a pfSense interface also called ETH3.

My WAP is connected to physical adapter ETH3.
There are 3 pfSense interfaces going to the WAP.
ETH3 - 10.100.10.0 - WPA2 personal for authentication - HomeKit devices - SSID subspace
ETH3_20_SECURE - 10.100.20.0 - WPA2 enterprise for auth - computers and tablets - SSID secure_subspace
ETH3_30_LEGACY - 10.100.30.0 - WPA2 personal for authentication - older game handhelds - SSID legacy_subspace

So when I remove all rules from interface ETH3, I can no longer get on secure_subspace because the WAP can't contact the RADIUS server to auth against. I surmised this based on the fact that if I was already connected to secure_subspace when I removed the rules I could stay on it, but no new devices could connect.

@NollipfSense:

Also, so far every rule I've seen written have the adapter and the source be the same. Is that always the case or is there a rule where the adapter is different from the network?

Not sure what you're speaking of...

Sorry, wrong terms.
So far, every rule I've seen has the interface and the source being the same. For example:

FW rule for interface CCC, source is always CCC.
If there's never a reason to build a rule for interface CCC where the source is BBB, why can we choose a different source?

johnpoz

@tknospdr said in Best topology for my network:

why can we choose a different source?

Because if the interface network is a transit..

In such a setup for network 192.168.2/24 to get to say 192.168.3.0 it transits through the 192.168.1 network. So on this interface on the upstream router you would need to allow this downstream network 192.168.2/24 that is not the interfaces directly attached network 192.168.1

SteveITS

@tknospdr the interface is on Interfaces/Assignment. The physical adaptor the interface uses is the port column. The port can be a VLAN. Firewall rules are on interfaces.

tknospdr

So in order to get RADIUS auth working on my WAP I had to put a rule on the ETH3 interface, even though the auth happens for clients on the ETH3_20_SECURE interface.
A little confusing when you're just starting out.

johnpoz

@tknospdr what? Auth from an AP would come from the management IP, and what network that is on. Not what network you have setup for clients to use.

tknospdr

Trying to post a reply, but getting a error that Akismet thinks I'm spamming the forum.

SteveITS

@tknospdr IIRC that is relaxed when you get 5 upvotes, here.

tknospdr

@SteveITS
Appreciate it.

johnpoz

@tknospdr I gave you some thumbs up - I show your at 5 now, you should hopefully be able to post what you were trying to post now.

tknospdr

@johnpoz

Thanks. I figured we've beaten this thread for all it's worth and I should post additional FW questions in the proper section of the forum, so I had tried to post:

You seem surprised. Did I mention that I'm just learning all this? :)
My AP has no reference to or configuration options for a 'Management IP', so I had no idea the auth would be on anything other than the network that it was using that auth on.
I know now, and I appreciate all the help I'm receiving here.
But be prepared, I'll continue to have "dumb" questions, especially about the FW, until I... get it.
Like this one for instance