Allow IPs on another subnet straight to the WAN gateway
-
@Jarhead Switch arrived this morning, will install the configuration tool on the office PC and set its IP in the LAN subnet.
Once all the machines are connected to the firewall through the switch, I should put the Fritz on DMZ and manage port forwarding from the firewall itself, right? There are some ports I need open for UPS, NAS, RDP, etc. -
@Troniclab Yup. You're gonna have to trunk the ports connected to the APs. Set up the VLANs in the APs with the correct SSIDs.
You should probably just start with ANY ANY rules on both subnets to test, then block as needed. -
@Jarhead OK, will try with the only segment of the network I can easily access also by hand, so that if anything goes wrong I can reset the machines and try again. Once that segment is functional I'll apply the same procedure to the other ones that hopefully will work as well. Will keep you posted.
-
I am officially getting frustrated. I was setting an IPCam to the new SSID and now the pfSense machine randomly reboots, cutting me off from the webgui and making me lose the cam for good. I don't know wtf happened.
-
@Troniclab
Update: had to reset the camera and start over.
On pfSense
- assigned VLAN 1 and 2 to the LAN interface
On the switch
- created 802.1Q-based VLAN 2 with untagged ports 1 and 13 (the one going to the AP)
On the AP
- created secondary SSID assigned to VLAN 2
On the cam
- linked to the new SSID; the cam is not pingable any longer.
I get it back if I reassign the secondary SSID to VLAN 1.
Probably something wrong in the switch settings; my knowledge is limited, so far I only used port-based VLANs. -
@Troniclab I thought you said you have 3 NICs in pfSense, didn't you? I haven't gone back and read this thread again but if you did, just use both for each subnet. No need for a VLAN in pfSense, but if you want to do it that way, then you can leave the "LAN" as default and just add 1 VLAN to it. This way your LAN traffic will be untagged and the VLAN will be tagged.
In the switch, the interface going to pfSense will be tagged with the vlan id you used in the router, and untagged with vlan 1. You need to do 802.1q vlans.
Do the same thing on the port going to the AP you're testing with.
The best thing you can do is test this right from the switch with wired devices before you add in the AP's. To do this, set one port as pvid 2 (assuming you used vlan id 2) and untagged with vlan 2. This is after you did the above "trunk" to pfSense. Then plug one device into the vlan 2 port, it should get an address, if you enabled DHCP on it, and have Internet access. Then plug another device into another port that has vlan 1 untagged on it. Should get an address and have Internet. They should both be able to access each other. Then add firewall rules to block as needed.
Where you're at up to now, you have the 2 subnets in pfSense. They both go to the switch over the trunk. They are both broken out to 1 port (or more) on the switch and can be used per each network.
Once you have this working, add the one AP and make sure it works the same as the wired devices. Then add the rest. -
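To make the tagged/untagged/PVID wording above concrete, here is a small 802.1Q port model written as an added example for this thread (it is not code from pfSense, the switch vendor, or either poster). It assumes port 24 goes to pfSense, port 13 goes to the AP, port 1 is a plain LAN port and port 5 is the wired VLAN 2 test port; the port numbers are assumptions. It shows what happens to a frame on its way from one port to another under the configuration Jarhead describes, and, for contrast, when the AP port is left untagged on VLAN 2 as in the earlier attempt.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Simplified 802.1Q port: PVID classifies untagged ingress frames;
# "untagged"/"tagged" say how each VLAN leaves the port on egress.
@dataclass
class Port:
    pvid: int
    untagged: Set[int] = field(default_factory=set)
    tagged: Set[int] = field(default_factory=set)

    def is_member(self, vlan: int) -> bool:
        return vlan in self.untagged or vlan in self.tagged


class Switch:
    def __init__(self, ports: Dict[int, Port]):
        self.ports = ports

    def ingress(self, port: int, tag: Optional[int]) -> Optional[int]:
        """Classify an arriving frame; tag None means the frame was untagged.
        Returns the VLAN the frame now belongs to, or None if dropped."""
        p = self.ports[port]
        if tag is None:
            return p.pvid                      # untagged frames join the PVID VLAN
        return tag if p.is_member(tag) else None  # tagged frames need membership

    def egress(self, port: int, vlan: int) -> Optional[Tuple[str, Optional[int]]]:
        """How the frame leaves the port: ('tagged', vlan), ('untagged', None),
        or None when the port is not a member of that VLAN at all."""
        p = self.ports[port]
        if vlan in p.untagged:
            return ("untagged", None)
        if vlan in p.tagged:
            return ("tagged", vlan)
        return None

    def forward(self, in_port: int, tag: Optional[int], out_port: int):
        vlan = self.ingress(in_port, tag)
        if vlan is None:
            return None
        return self.egress(out_port, vlan)


def build_switch(ap_port_trunked: bool) -> Switch:
    """Assumed port layout: 24 = pfSense trunk, 13 = AP, 1 = LAN port, 5 = VLAN 2 test port.
    ap_port_trunked=True is Jarhead's recommendation (VLAN 1 untagged, VLAN 2 tagged);
    False models the earlier attempt where port 13 carried VLAN 2 untagged only."""
    trunk = Port(pvid=1, untagged={1}, tagged={2})
    ap = trunk if ap_port_trunked else Port(pvid=1, untagged={1, 2})
    return Switch({
        24: trunk,
        13: Port(ap.pvid, set(ap.untagged), set(ap.tagged)),
        1: Port(pvid=1, untagged={1}),
        5: Port(pvid=2, untagged={2}),   # wired device used to test VLAN 2
    })


if __name__ == "__main__":
    good = build_switch(ap_port_trunked=True)
    print("wired test device -> pfSense:", good.forward(5, None, 24))   # ('tagged', 2)
    print("LAN device -> pfSense:", good.forward(1, None, 24))          # ('untagged', None)
    print("AP guest SSID -> pfSense:", good.forward(13, 2, 24))         # ('tagged', 2)
    print("pfSense VLAN 2 -> AP:", good.forward(24, 2, 13))             # ('tagged', 2)
    print("VLAN 2 device -> LAN port:", good.forward(5, None, 1))       # None: not a member
    bad = build_switch(ap_port_trunked=False)
    print("pfSense VLAN 2 -> AP (untagged port):", bad.forward(24, 2, 13))  # ('untagged', None)
```

The last line is the point of the wired-first test Jarhead suggests: with VLAN 2 untagged on the AP port, frames from pfSense reach the AP with their tag stripped, so a VLAN-aware AP cannot associate them with the SSID it mapped to VLAN 2; with the port trunked the same way as the pfSense port, the tag survives in both directions. Note that the model also shows VLAN 2 traffic never leaving a VLAN 1-only port, which is the layer-2 separation the firewall rules are then layered on.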
@Jarhead I need to put everything on hold: the pfSense machine randomly reboots and then gets stuck, sending the whole network offline. I have to find out what happens and why. Will come back to you as soon as I have a stable firewall.
-
@Jarhead said in Allow IPs on another subnet straight to the WAN gateway:
@Troniclab I thought you said you have 3 NICs in pfSense, didn't you? I haven't gone back and read this thread again but if you did, just use both for each subnet.
So, WAN to the Fritz, LAN to the machines (0.1) and OPT for the visitors' wifi (1.1)?
Which parameters for the firewall rule to block access from the 1.1 subnet to the 0.1 one? -
@Troniclab said in Allow IPs on another subnet straight to the WAN gateway:
So, WAN to the Fritz, LAN to the machines (0.1) and OPT for the visitors' wifi (1.1)?
You're asking me? That's one way of doing it but it's up to you. Do you want to use a VLAN or the physical interface? Your call.
Which parameters for the firewall rule to block access from the 1.1 subnet to the 0.1 one?
Either way you go per the above, the firewall will function the same.
Assuming you want the "guest" to not have any access to the other networks, you would want to put a block rule on the 1.1 interface.
There are many ways to do it but the most common is to create a firewall Alias for all RFC1918 addresses. Then use the alias in the block rule. This blocks access to any private addresses. But you'll need to put an allow rule above it for DNS since the pfSense interface will be an RFC1918 address and you don't want that blocked.
Just search the forum for "Guest wifi" and you'll find the rules you need, it's simple enough.
Some people also allow for pings and NTP. I can see the time thing but I wouldn't care if a guest can ping anything. Don't see why they would need to but to each his own. -
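The guest-interface ruleset Jarhead describes, modelled as an added example for this thread (not pfSense code and not the forum's "Guest wifi" rules): an RFC1918 alias, a block rule using it, and the DNS allow rule that has to sit above the block. pfSense evaluates interface rules top to bottom with first match winning and a default deny at the end, which is what the evaluator below reproduces. The guest interface address 192.168.1.1 and the sample destinations are assumptions, and the TEST-NET address stands in for "some host on the Internet".

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Firewall alias for all private address space, as Jarhead suggests.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: pfSense's own address on the guest (OPT/second LAN) interface.
GUEST_IF_ADDR = ipaddress.ip_network("192.168.1.1/32")


@dataclass
class Rule:
    action: str                                    # "pass" or "block"
    proto: Optional[str]                           # None = any protocol
    dst: Optional[List[ipaddress.IPv4Network]]     # None = any destination
    dport: Optional[int]                           # None = any port
    label: str

    def matches(self, proto: str, dst: ipaddress.IPv4Address, dport: Optional[int]) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.dst is not None and not any(dst in net for net in self.dst):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(rules: List[Rule], proto: str, dst: str, dport: Optional[int] = None) -> Tuple[str, str]:
    """First matching rule decides, as pfSense interface rules do; nothing matched = default deny."""
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(proto, addr, dport):
            return rule.action, rule.label
    return "block", "default deny"


# Rules on the guest interface, in the order Jarhead describes.
GUEST_RULES = [
    Rule("pass", "udp", [GUEST_IF_ADDR], 53, "allow DNS to the guest interface address"),
    Rule("block", None, RFC1918, None, "block all private networks (alias)"),
    Rule("pass", None, None, None, "allow everything else out to the Internet"),
]

# Same rules with the block placed above the DNS allow: the caveat in the post.
MISORDERED_RULES = [GUEST_RULES[1], GUEST_RULES[0], GUEST_RULES[2]]


if __name__ == "__main__":
    # Constructed sample connections from a guest client.
    samples = [
        ("udp", "192.168.1.1", 53),      # DNS to pfSense on the guest interface
        ("tcp", "192.168.0.20", 3389),   # RDP to an office machine on the main LAN
        ("tcp", "192.168.1.1", 443),     # webgui on the guest interface
        ("tcp", "203.0.113.10", 443),    # some Internet host (TEST-NET-3)
    ]
    for proto, dst, port in samples:
        print(f"{proto} {dst}:{port} -> {evaluate(GUEST_RULES, proto, dst, port)}")
    print("misordered DNS:", evaluate(MISORDERED_RULES, "udp", "192.168.1.1", 53))
```

Running it shows the intended outcome: DNS to the interface passes, anything else to 192.168.0.0/16 or to the firewall itself is blocked, Internet traffic passes, and with the two rules swapped the DNS query is swallowed by the alias block and guests lose name resolution. The optional ping and NTP allowances mentioned above would be further pass rules placed above the block in the same way.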
@Jarhead Incredibly easy with 3 NICs: one WAN to the Fritz and TWO LANs, the main one 0.1/16 carrying all the machines and one 1.1/16 with DHCP enabled, routed to the WAN.
Boom: if I connect to the APs all I can ping is myself and the router, every other connection is forbidden by the firewall; but I still can reach all the machines from the office PC which belongs to the 0.1 subnet.
Thank you very much for all the patience and support!
Now I'm facing the issue of setting up a captive portal that allows users to register. But I guess it's off-topic here so I'll eventually ask for help in another section of the forum. -
@Troniclab sorry, correction: both subnets are /24 ;-)