Locking Down Public Wifi



  • I'm fairly new to Pfsense, but I have successfully installed and configured my LAN and WAN interfaces with DHCP. My Pfsense box has 5x1Gb NICs. My ultimate goal is to utilize four of the five interfaces. One will be my WAN, one will be my wired LAN, one will be my private WIFI, and the last will be my public WIFI.

    The issue I'm having is setting up the proper firewall rules to isolate the public WIFI from the rest of my network. In addition to that I would like to lock my public WIFI down to just port 80 (http) and 443 (https) for simple web browsing by guests. I have figured out and configured the captive portal properly, but every time I try to set firewall rules that only allow http and https access I get no connectivity at all.

    My current rule setup for the public WIFI interface is as follows:
    source:
    interface: PublicWifi
    proto: tcp/udp
    source: PublicWifi subnet
    ports: any

    Destination: WAN Address
    port range HTTP

    I have an identical rule for HTTPS traffic. If anyone has any suggestions of things to try I would really appreciate it. I have googled extensively and either my searching skills are lacking after a long day of work or the solution just isn't easily findable.

    Thanks in advance for your help.



  • Hi HJ
    You can set up one port for public wifi and use the "any" rule instead of "tcp" and then block to LAN. This blocking will be available in the interface on the port you designate for your public wifi… You can block any of your other configured ports and only allow the guest wireless port access to the gateway. This is similar to tunneling or trunking your port. You can also use the Captive Portal and allow control of the public wifi.
    http://www.nettechonline.net/index.php?option=com_content&view=article&id=85:pfsense-captive-portal-edit&catid=57:pfsense-captive-portal&Itemid=58
    H.



  • The problem you have comes from a mistake in the destination in your rules: you have to use "any" instead of "WAN Address".

    Here is my advice:

    • create an alias containing all your internal networks (wired LAN & private WiFi in your case).
    • create an alias containing all the ports you will allow for the public WiFi (HTTP, HTTPS & DNS).
    • create the following rules:
      • public WiFi to alias "internal networks": block any ports
      • public WiFi to firewall interface: block any ports
      • public WiFi to any: permit ports in alias "public allowed traffic"

    Remark: you have to allow DNS traffic in order to have name resolution for the public WiFi.
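Modelling the rule ordering from this reply, as an added example that is not code from the thread (pfSense itself is configured through its web GUI, not in Python): a first-match evaluator over constructed sample networks that shows why a destination of "WAN address" gives guests no connectivity, and what the three rules above pass and block.

```python
import ipaddress

# Constructed sample addressing (assumptions, not values from the thread).
GUEST_NET = ipaddress.ip_network("192.168.30.0/24")            # public WiFi
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24"),       # wired LAN
                 ipaddress.ip_network("192.168.20.0/24")]      # private WiFi
GUEST_GATEWAY = ipaddress.ip_address("192.168.30.1")           # firewall, guest side
WAN_ADDRESS = ipaddress.ip_address("203.0.113.10")             # firewall, WAN side
# Alias "public allowed traffic": HTTP, HTTPS and DNS (tcp and udp).
ALLOWED_PORTS = {("tcp", 80), ("tcp", 443), ("tcp", 53), ("udp", 53)}

def dst_matches(kind, dst):
    """Destination selectors as the pfSense rule editor offers them."""
    if kind == "any":
        return True
    if kind == "internal networks":            # the alias from the reply
        return any(dst in net for net in INTERNAL_NETS)
    if kind == "this firewall":                # every interface address
        return dst in (GUEST_GATEWAY, WAN_ADDRESS)
    if kind == "WAN address":                  # the original poster's destination
        return dst == WAN_ADDRESS
    raise ValueError(kind)

def evaluate(rules, proto, src, dst, dport):
    """First matching rule wins; anything unmatched hits the implicit default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in GUEST_NET:                   # these rules live on the guest interface
        return "deny"
    for action, dst_kind, ports in rules:
        if dst_matches(dst_kind, dst) and (ports is None or (proto, dport) in ports):
            return action
    return "deny"

# The three rules from the reply, in the order they must appear.
GUEST_RULES = [
    ("deny", "internal networks", None),
    ("deny", "this firewall", None),
    ("pass", "any", ALLOWED_PORTS),
]

# The original poster's rule: the only permitted destination is the WAN address.
OP_RULES = [("pass", "WAN address", {("tcp", 80), ("udp", 80)})]

if __name__ == "__main__":
    web = "198.51.100.7"                       # constructed Internet host
    print(evaluate(OP_RULES, "tcp", "192.168.30.50", web, 80))      # deny: no connectivity
    print(evaluate(GUEST_RULES, "tcp", "192.168.30.50", web, 443))  # pass
    print(evaluate(GUEST_RULES, "tcp", "192.168.30.50", "192.168.1.10", 443))  # deny
```

Because the block-to-firewall rule sits above the pass rule, guests cannot reach a DNS resolver running on pfSense itself; if they are meant to use it, a pass for port 53 to the guest interface address has to be placed above that block.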

