Guest Wireless Subnet - Couple Issues



  • Hi…

    I followed the setup for a basic guest wireless setup and applied the rule "any" and blocked the regular LAN subnet. This works great including the challenge/response page.

    Like I said, everything works however I can still get to the pfSense administrator login on this new Wireless subnet that is setup. The default gateway address will allow the pfSense administrator console to be available for attempted login. The portal popup works fine with the password page but my only concern is now the console is available wirelessly for attempted login if someone uses the gateway address. Is there any way to work this guest subnet and not allow the administration console to be available? I am thinking that there is not a way since this is the gateway address. So, when you static IP the guest wireless subnet you can hit the console using the static address that is setup on the CP page inside pfSense setup. I hope I am making sense to everyone trying to explain this. Has anyone else worked through this issue?

    Regards,

    H.



  • Have you tried creating firewall rules to block access to pfSense from the wireless interface/subnet?



  • @wallabybob:

    Have you tried creating firewall rules to block access to pfSense from the wireless interface/subnet?

    Since the pfSense device is likely supplying DHCP and DNS, is acting as the default gateway and is the hot spot captive portal, wouldn't blocking that make it unusable ???

    Jim



  • Yes - I agree with Jim…
    I think if the rule is created it will defeat the gateway - to Jim's point - Yes, you can't block the web login as it is on the gateway address - I will have to make sure that there is a complex pass-phrase for that web interface as I don't think there is a way to block it with a rule as it will block the guest access...
    Unless there is another way.... ?

    I will setup a rule tonight and test it and will let everyone know the results.... My guess is it will not work unless there is another way to block that particular web page without disturbing the guest access...

    H.



  • Depending on your needs there are multiple solutions here.
    You can just add a block rule to the ports used by the webConfigurator and that is fine.
    You can leave the ports open and pfSense will monitor the logins and if the failed limit is reached will block the IP, iirc for 24 hours.
    If you are using CP on LAN there is the default rule to allow access to the GUI which can be disabled under advanced system options.



  • @ermal:

    Depending on your needs there are multiple solutions here.
    You can just add a block rule to the ports used by the webConfigurator and that is fine.
    You can leave the ports open and pfSense will monitor the logins and if the failed limit is reached will block the IP, iirc for 24 hours.
    If you are using CP on LAN there is the default rule to allow access to the GUI which can be disabled under advanced system options.

    Ermal…
    Thanks for monitoring and the reply. Ok, I will check this out and setup a rule to block the port. Isn't the web interface going to be using port 8080 or 80?? I will find out... or to your point perhaps the challenge/response page is using a unique port number... I am using this on a guest wireless port with the "Any" rule and blocking LAN.

    H.



  • @ermal:

    Depending on your needs there are multiple solutions here.
    You can just add a block rule to the ports used by the webConfigurator and that is fine.
    You can leave the ports open and pfSense will monitor the logins and if the failed limit is reached will block the IP, iirc for 24 hours.
    If you are using CP on LAN there is the default rule to allow access to the GUI which can be disabled under advanced system options.

    Ermal…
    I looked yesterday trying to determine what ports are used by webConfigurator.
    I like the blocked ports idea but what ports does the webConfigurator use besides 80? I don't think I can block 80 as that will defeat the guest wireless setup... Does it use 8080? still looking...

    H.



  • Hello all….
    I found this on another thread - Port 10000.
    I am going to setup the rule and test...

    The rule that blocks access on TCP port 10000 to the LAN interface is moved to the top of the rules list so it will be processed first. This rule blocks access to the webmin interface on the servers on the subnet Backbone.

    H.

    UPDATE - This does not work either… I picked port 10000 off the logs and it is not what this needs...



  • UPDATE…

    I was able to set this block up using port 443 on the guestwireless services subnet...
    This is working as expected...



  • @wallabybob:

    Have you tried creating firewall rules to block access to pfSense from the wireless interface/subnet?

    Yes - that is in place and working - That rule is setup on the LAN tab…
    To your point that rule should be blocking the admin page however if I place the web gateway address on a wireless user the admin challenge/response page pops up.... It's like the blocking rule ignores the wireless gateway... Perhaps I can create a rule to block the gateway on the lan?
    Still working this issue...

    Thanks for the reply and I am still trying...

    H.



  • @hmeister:

    UPDATE…

    I was able to set this block up using port 443 on the guestwireless services subnet...
    This is working as expected...

    This doesn't work as it blocks not only 443 on GuestWireless but all 443 (https) going out to WAN as well… ???



  • @hmeister:

    @hmeister:

    UPDATE…

    I was able to set this block up using port 443 on the guestwireless services subnet...
    This is working as expected...

    This doesn't work as it blocks not only 443 on GuestWireless but all 443 (https) going out to WAN as well… ???

    Your rule probably needs to be refined to block access to port 443 on pfSense (rather than '*'?).



  • As said by wallabybob, just set up the rule to block port 443 with a destination of the firewall IP.  That's what I have done with my rules.
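    As an added illustration of the refinement wallabybob and Lost describe (not code from this thread or from pfSense), the first-match evaluator below shows why a block rule on TCP/443 with destination "*" also kills outbound HTTPS, while the same rule with the firewall's own guest-side address as destination blocks only the webConfigurator and leaves DNS, the portal and internet traffic alone. All addresses, the rule names and the captive portal port are constructed assumptions.

```python
# First-match evaluation of an interface rule set in the style pfSense uses
# (first matching rule wins; nothing matching means block).
# Added example, not pfSense code; every address and port below is constructed.
from ipaddress import ip_address, ip_network

FIREWALL_GUEST_IP = "192.168.20.1"   # constructed: guest subnet gateway (firewall)
LAN_NET = "192.168.1.0/24"           # constructed: the regular LAN being blocked

def _match_addr(spec, addr):
    """'*' matches anything; otherwise the address must be inside the CIDR."""
    return spec == "*" or ip_address(addr) in ip_network(spec, strict=False)

def _match_port(spec, port):
    return spec == "*" or int(spec) == port

def evaluate(rules, proto, dst, dport):
    """Return the action of the first rule that matches (default: block)."""
    for action, rproto, rdst, rport in rules:
        if rproto in ("*", proto) and _match_addr(rdst, dst) and _match_port(rport, dport):
            return action
    return "block"

# Rules as first tried in the thread: block 443 to anywhere, block LAN, pass the rest.
BROKEN = [
    ("block", "tcp", "*", "443"),
    ("block", "*", LAN_NET, "*"),
    ("pass", "*", "*", "*"),
]
# Refined rule set: the 443 block is scoped to the firewall's own guest-side IP.
FIXED = [
    ("block", "tcp", FIREWALL_GUEST_IP + "/32", "443"),
    ("block", "*", LAN_NET, "*"),
    ("pass", "*", "*", "*"),
]

def check(rules):
    """Evaluate the flows a guest client needs against one rule set."""
    return {
        "gui": evaluate(rules, "tcp", FIREWALL_GUEST_IP, 443),      # webConfigurator
        "portal": evaluate(rules, "tcp", FIREWALL_GUEST_IP, 8000),  # CP listener, assumed port
        "dns": evaluate(rules, "udp", FIREWALL_GUEST_IP, 53),       # resolver on the gateway
        "wan_https": evaluate(rules, "tcp", "203.0.113.10", 443),   # any internet site
        "lan": evaluate(rules, "tcp", "192.168.1.10", 22),          # host on the regular LAN
    }

if __name__ == "__main__":
    print("broken:", check(BROKEN))
    print("fixed: ", check(FIXED))
```

Because evaluation is first match, the scoped block must sit above the pass-any rule, which is the same ordering point made earlier in the thread.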



  • Hi…

    I am back on this thread - I had to troubleshoot a hardware issue unrelated to this.
    Ok, I will look closer at the rule...

    I will critique the setup again...

    Thanks Lost, Wally & everyone for the response...

    H.

