Recommendations for setting up security with Wireless Access Point
-
I have a wireless access point that I am about to put onto its own NIC in pfsense (in some software firewalls, they would call this a blue zone). What do you all recommend that I do for security? I have guests come in and out, so I don't want to set up something so tight that it is a 30 minute config thing when they arrive. However, I don't want to lock things down a bit. A few options I have thought about.
1. Leave my wireless access point completely open with no encryption on the device itself and set up rules in PFsense to block all access, then set up VPN using PPTP. This would mean to use my access point, you would need to use VPN to do anything useful.
2. Set up encryption on my access point, but block all access to local resources… giving users who have the key access to the internet, but not my network. Then for users that need to gain access to my network such as my kids and myself, setting up PPTP.
3. Forgetting all of the above and just relying on the encryption of the wireless access device. This sort of defeats setting up a blue zone!
4. Other ideas?
It is fair to say that one of the things I realise is that not all our guests are Windows users, so I don't know if requiring a user to set up a PPTP will be antisocial for the occasional MAC user.
Any advice from real time situations would be helpful... including a sample rule or two if poss! (as I am new to PFsense)
-
If this is for home use, i'd say, set up encryption on the AP (WPA prefered) then treat the zone as if it WAN. Add pptp to it in order for yourself/kids to use the internal LAN. (if you set up rules for some ip's (you, your kids etc.) you have basically opened up the network anyways. So, WPA or WEP on AP, PPTP to reach lan, and deny any acess from WLAN other then what you would normally allow on WAN.
-
@lsf:
If this is for home use, i'd say, set up encryption on the AP (WPA prefered) then treat the zone as if it WAN. Add pptp to it in order for yourself/kids to use the internal LAN. (if you set up rules for some ip's (you, your kids etc.) you have basically opened up the network anyways. So, WPA or WEP on AP, PPTP to reach lan, and deny any acess from WLAN other then what you would normally allow on WAN.
That's what I was sort of thinking. I think I will try to set up rules that if we have guests, they have basic internet access just by authenticating on the access point. Then for myself, kids, etc. VPN into the network for additional functionality. Thanks!
-
@lsf:
If this is for home use, i'd say, set up encryption on the AP (WPA prefered) then treat the zone as if it WAN. Add pptp to it in order for yourself/kids to use the internal LAN. (if you set up rules for some ip's (you, your kids etc.) you have basically opened up the network anyways. So, WPA or WEP on AP, PPTP to reach lan, and deny any acess from WLAN other then what you would normally allow on WAN.
Set it up today and it is working like a charm. Way cool. pfsense rocks. 8)