Netgate Discussion Forum

    Unsecured Access Point behind PfSense - Security Question

    Wireless
    6 Posts 3 Posters 3.9k Views
    • SamLeb

      I've got the following setup:

      Modem -> Alix Box (pfsense with Captive Portal) -> Router (Connected: Office PC via ethernet cable / Guests via Wireless) (The Router is in Wireless Bridge Mode)

      The Router has encryption disabled, it is unsecured and "open".

      So anybody can connect, but when you open up the browser, you are redirected to the Captive Portal Login Page where you have to enter a Username/Password combination.

      Some people have voiced their concern because they get a warning when they are connecting to the unsecured access point.

      I can only enable WEP on the router; people would have to enter a password and then again a username/password once they start the browser.

      Is this current setup too unsafe?

      • SeventhSon

        Question is, too unsafe for WHAT?

        If the network is unencrypted people can easily:

        • sniff the network and see HTTP/POP3/SMTP (plaintext passwords);
        • set up a rogue access point imitating yours.

        Lots of cafes/hotels do it this way, and I ALWAYS use a VPN connection on those open APs.

        • SamLeb

          My point was not made clear, pardon :)

          Basic browsing is not my concern, but what about people logging in to their Gmail/Facebook account? Are their login details at risk?

          The network is protected by the pfsense firewall from the "outside", but traffic between the laptops and the bridge on the "inside" is not encrypted.

          Is there a way to offer some kind of protection (besides WEP, which is not considered safe anymore, but maybe better than nothing)?

          • SeventhSon

            @SamLeb:

            Basic browsing is not my concern, but what about people logging in to their Gmail/Facebook account? Are their login details at risk?

            I think Gmail and FB use session encryption by default by now, but a lot of other sites are vulnerable to things like:
            http://en.wikipedia.org/wiki/Firesheep  ;D

            or a rogue AP with http://www.thoughtcrime.org/software/sslstrip/

            Is there a way to offer some kind of protection (besides WEP, which is not considered safe anymore, but maybe better than nothing)?

            WPA2-Enterprise?

            But for a coffee shop/hotel setup that is harder to do (unprotected setup Wi-Fi, protected "real" network, or generated username/pass from the till).

            In the coffee shop I frequent you just get a big red disclaimer on the login page, stating that it is unencrypted.

            • SamLeb
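The exchange above turns on what a site itself leaves in the clear: Firesheep harvested session cookies that browsers sent over plain HTTP, and sslstrip works against the first http:// request before a site upgrades it. The following added example (not code from the thread or from pfSense) audits a site's response headers for exactly those two properties, the Secure/HttpOnly cookie flags and the Strict-Transport-Security header; the header sets are constructed samples, and the one-year HSTS threshold is an assumption.

```python
# Added example: audit HTTP response headers against the two risks named in this
# thread, session-cookie capture on an open AP (Firesheep) and HTTPS downgrade by a
# rogue AP (sslstrip). The header lists below are constructed samples.
import re

HSTS_MIN_AGE = 31536000  # assumed threshold: one year, a common minimum for HSTS


def audit_headers(headers):
    """Return a list of findings for a list of (name, value) response header tuples."""
    findings = []
    hsts_seen = False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie = parts[0].split("=", 1)[0]
            attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
            if "secure" not in attrs:
                # Without Secure the browser also sends this cookie on plain http://,
                # which is what a passive sniffer on an open network sees.
                findings.append(f"cookie '{cookie}' lacks Secure")
            if "httponly" not in attrs:
                findings.append(f"cookie '{cookie}' lacks HttpOnly")
        elif lname == "strict-transport-security":
            hsts_seen = True
            m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
            age = int(m.group(1)) if m else 0
            if age < HSTS_MIN_AGE:
                findings.append(f"HSTS max-age {age} is below {HSTS_MIN_AGE}")
    if not hsts_seen:
        # Without HSTS every fresh http:// request is a window for an SSL-stripping AP.
        findings.append("no Strict-Transport-Security header")
    return findings


# Constructed sample: a site that still sets its session cookie the Firesheep-era way.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
]

# Constructed sample: the same site after hardening.
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(hdrs) or ["no findings"])
```

The network operator cannot fix these headers for third-party sites, which is why the thread's remaining options are link-layer encryption (WPA2-Enterprise), a VPN, or a disclaimer on the portal page.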

              Thanks for the reply

              WPA2-Enterprise?

              The routers I found which I could use in Bridge Mode (available in electronics stores) didn't offer anything above WEP.

              So I'll just put a disclaimer on the login page :)

              • XIII

                Almost all Netgears have a bridge mode (it's hidden); some others do as well.

                What you do is:
                1. Give the router the IP you want it to have.
                2. Disable the DHCP server.
                3. Don't use the WAN port; plug pfSense into one of the LAN ports. You can use the other 3 ports as you see fit.

                -Chris Stutzman
                Sys0:2.0.1: AMD Sempron 140 @2.7 1024M RAM 100GHD
                Sys1:2.0.1: Intel P4 @2.66 1024M RAM 40GHD
                freedns.afraid.org - Free DNS dynamic DNS subdomain and domain hosting.
                Check out the pfSense Wiki

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.