Unsecured Access Point behind PfSense - Security Question



  • I've got the following setup:

    Modem -> Alix Box (pfsense with Captive Portal) -> Router (Connected: Office PC via ethernet cable / Guests via Wireless) (The Router is in Wireless Bridge Mode)

    The Router has encryption disabled, it is unsecured and "open".

    So anybody can connect, but when you open up the browser, you are redirected to the Captive Portal Login Page where you have to enter a Username/Password combination.

    Some people have voiced their concern because they get a warning when they are connecting to the unsecured access point.

    I can only enable WEP on the router; people would have to enter a password and then again a username/password once they start the browser.

    Is this current setup too unsafe?



  • Question is, too unsafe for WHAT?

    If the network is unencrypted people can easily:

    • sniff the network and see HTTP/POP3/SMTP (plaintext passwords);
    • set up a rogue access point imitating yours.

    Lots of cafes/hotels do it this way, and I ALWAYS use a VPN connection on those open APs.



  • My point was not made clear, pardon :)

    Basic browsing is not my concern, but what about people logging in to their Gmail / Facebook account; are their login details at risk?

    The network is protected by the pfsense firewall from the "outside", but traffic between the laptops and the bridge on the "inside" is not encrypted.

    Is there a way to offer some kind of protection (besides WEP, which is not considered safe anymore, but maybe better than nothing)?



  • @SamLeb:

    Basic browsing is not my concern, but what about people logging in to their Gmail / Facebook account; are their login details at risk?

    I think gmail and FB use session encryption as default by now, but a lot of other sites are vulnerable to things like:
    http://en.wikipedia.org/wiki/Firesheep  ;D

    or a rogue AP with http://www.thoughtcrime.org/software/sslstrip/

    Is there a way to offer some kind of protection (besides WEP, which is not considered safe anymore, but maybe better than nothing)?

    WPA2- Enterprise?

    But for a coffee shop/hotel setup that is harder to do (unprotected setup Wi-Fi, protected "real" network, or generated username/pass from the till).

    In the coffee shop I frequent you just get a big red disclaimer on the login page, stating that it is unencrypted.



  • Thanks for the reply

    WPA2- Enterprise?

    The routers I found which I could use in bridge mode (available in electronics stores) didn't offer anything above WEP.

    So I'll just put a disclaimer on the login page :)



  • Almost all Netgears have a bridge mode (it's hidden); some others do as well.

    What you do is:
    1. Give the router the IP you want it to have.
    2. Disable the DHCP server.
    3. Don't use the WAN port; plug pfSense into one of the LAN ports. You can use the other 3 ports as you see fit.

