Netgate Discussion Forum

    WLAN bridged with LAN - Firewall & DHCP?

    • verta

      Hi,

      I've been setting up pfSense to bridge my WLAN interface with the LAN interface and so far, so good. Initially I had set up firewall rules to allow all traffic from LAN -> WLAN and WLAN -> LAN (on both LAN & WLAN interfaces) but soon noticed that DHCP was being blocked by the firewall as the interface was being tagged as BRIDGE0, thus blocking the traffic.

      To make it work I set the WLAN interface to have a firewall rule allowing all traffic from all sources to all destinations but I wanted to know if this is safe? To me it sounds like I've just broadcasted the WLAN interface to the world or is it safe as it's bridged to LAN?

      I know for peace of mind I could have the WLAN interface on a separate subnet and I'd know for sure the Firewall rules would protect it, but for simplicity I'd like to have it bridged.

      Thanks!

      Verta

      • wallabybob

        It's hard to say if your configuration is "safe" because you haven't stated your security policy or requirements. For example, if you are happy to have any WLAN client look through your LAN systems then what you have done is probably "safe". On the other hand, if you live in an apartment and have hackers around you and you don't want them to have any access to the LAN system on which you do your internet banking then what you have done is probably not "safe".

        • verta

          @wallabybob:

          It's hard to say if your configuration is "safe" because you haven't stated your security policy or requirements. For example, if you are happy to have any WLAN client look through your LAN systems then what you have done is probably "safe". On the other hand, if you live in an apartment and have hackers around you and you don't want them to have any access to the LAN system on which you do your internet banking then what you have done is probably not "safe".

          I agree with what you're saying; I've had this type of setup on my WRT54GL running the Tomato firmware and it's been fine for me for years - I just wanted a few more functions and a bit more firewall throughput that a pfSense box provides, hence the upgrade. If it was a corporate environment I'd definitely segment the WLAN from the LAN. I was really after an explanation as to why my first rule didn't allow DHCP through, I'm guessing this was because the bridge is seen as BRIDGE0 -> LAN rather than WLAN -> LAN, but needed confirmation on this :)

          Thanks for your reply wallabybob :)

          Verta

          • wallabybob

            @verta:

            I was really after an explanation as to why my first rule didn't allow DHCP through, I'm guessing this was because the bridge is seen as BRIDGE0 -> LAN rather than WLAN -> LAN, but needed confirmation on this :)

            Without the log message and exact form of the firewall rules it's hard to be certain why DHCP wasn't allowed through the firewall.

            Did you reset firewall states after changing the rules the first time? (See Diagnostics -> States, click on Reset States tab.)

            • verta

              @wallabybob:

              @verta:

              I was really after an explanation as to why my first rule didn't allow DHCP through, I'm guessing this was because the bridge is seen as BRIDGE0 -> LAN rather than WLAN -> LAN, but needed confirmation on this :)

              Without the log message and exact form of the firewall rules it's hard to be certain why DHCP wasn't allowed through the firewall.

              Did you reset firewall states after changing the rules the first time? (See Diagnostics -> States, click on Reset States tab.)

              I did indeed reset the states after making the firewall changes; I'll set the rules back to how they were initially and monitor the firewall logs to see what is being blocked. Thanks again wallabybob :)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.