Netgate Discussion Forum

Guest Wireless Subnet - Couple Issues

Category: Captive Portal (14 posts, 5 posters, 8.0k views)
hmeister

Hi…

I followed the setup for a basic guest wireless setup and applied the rule "any" and blocked the regular LAN subnet. This works great including the challenge/response page.

Like I said, everything works however I can still get to the pfSense administrator login on this new Wireless subnet that is setup. The default gateway address will allow the pfSense administrator console to be available for attempted login. The portal popup works fine with the password page but my only concern is now the console is available wirelessly for attempted login if someone uses the gateway address. Is there any way to work this guest subnet and not allow the administration console to be available? I am thinking that there is not a way since this is the gateway address. So, when you static IP the guest wireless subnet you can hit the console using the static address that is setup on the CP page inside pfSense setup. I hope I am making sense to everyone trying to explain this. Has anyone else worked through this issue?

Regards;

H.

Best Regards;
H.
wallabybob

Have you tried creating firewall rules to block access to pfSense from the wireless interface/subnet?
SEMIJim

@wallabybob:

Have you tried creating firewall rules to block access to pfSense from the wireless interface/subnet?

Since the pfSense device is likely supplying DHCP and DNS, is acting as the default gateway and is the hot spot captive portal, wouldn't blocking that make it unusable ???

Jim
hmeister

Yes - I agree with Jim…
I think if the rule is created it will defeat the gateway - to Jim's point - Yes, you can't block the web login as it is on the gateway address - I will have to make sure that there is a complex pass-phrase for that web interface as I don't think there is a way to block it with a rule as it will block the guest access...
Unless there is another way.... ?

I will setup a rule tonight and test it and will let everyone know the results.... My guess is it will not work unless there is another way to block that particular web page without disturbing the guest access...

H.

Best Regards;
H.
eri--

Depending on your needs there are multiple solutions here.
You can just add a block rule to the ports used by the webConfigurator and that is fine.
You can leave the ports open and pfSense will monitor the logins and if the failed limit is reached will block the ip, iirc for 24 hours.
If you are using CP on LAN there is the default rule to allow access to the GUI which can be disabled under advanced system options.
hmeister

@ermal:

Depending on your needs there are multiple solutions here.
You can just add a block rule to the ports used by the webConfigurator and that is fine.
You can leave the ports open and pfSense will monitor the logins and if the failed limit is reached will block the ip, iirc for 24 hours.
If you are using CP on LAN there is the default rule to allow access to the GUI which can be disabled under advanced system options.

Ermal…
Thanks for monitoring and the reply. Ok, I will check this out and setup a rule to block the port. Isn't the web interface going to be using port 8080 or 80?? I will find out... or to your point perhaps the challenge response page is using a unique port number... I am using this on a guest wireless port with the "Any" rule and blocking LAN.

H.

Best Regards;
H.
hmeister

@ermal:

Depending on your needs there are multiple solutions here.
You can just add a block rule to the ports used by the webConfigurator and that is fine.
You can leave the ports open and pfSense will monitor the logins and if the failed limit is reached will block the ip, iirc for 24 hours.
If you are using CP on LAN there is the default rule to allow access to the GUI which can be disabled under advanced system options.

Ermal…
I looked yesterday trying to determine what ports are used by webConfigurator.
I like the block ports idea but what ports does the webConfigurator use besides 80? I don't think I can block 80 as that will defeat the guest wireless setup... Does it use 8080? still looking...

H.

Best Regards;
H.
hmeister

Hello all….
I found this on another thread - Port 10000.
I am going to setup the rule and test...

The rule that blocks access on TCP port 10000 to the LAN interface is moved to the top of the rules list so it will be processed first. This rule blocks access to the webmin interface on the servers on the subnet Backbone.

H.

UPDATE - This does not work either… I picked port 10000 off the logs and it is not what this needs...

Best Regards;
H.
hmeister

UPDATE…

I was able to set this block up using port 443 on the guestwireless services subnet...
This is working as expected...

Best Regards;
H.
hmeister

@wallabybob:

Have you tried creating firewall rules to block access to pfSense from the wireless interface/subnet?

Yes - that is in place and working - That rule is setup on the LAN tab…
To your point that rule should be blocking the admin page however if I place the web gateway address on a wireless user the admin challenge/response page pops up.... It's like the blocking rule ignores the wireless gateway... Perhaps I can create a rule to block the gateway on the lan?
Still working this issue...

Thanks for the reply and I am still trying...

H.

Best Regards;
H.
hmeister

@hmeister:

UPDATE…

I was able to set this block up using port 443 on the guestwireless services subnet...
This is working as expected...

This doesn't work as it blocks not only 443 on GuestWireless but all 443 (https) going out to WAN as well… ???

Best Regards;
H.
wallabybob

@hmeister:

@hmeister:

UPDATE…

I was able to set this block up using port 443 on the guestwireless services subnet...
This is working as expected...

This doesn't work as it blocks not only 443 on GuestWireless but all 443 (https) going out to WAN as well… ???

Your rule probably needs to be refined to block access to port 443 on pfSense (rather than '*'?).
LostInIgnorance

As said by wallabybob, just set up the rule to block port 443 with a destination of the firewall IP. That's what I have done with my rules.
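The refinement wallabybob and LostInIgnorance describe (block TCP 443 with the destination set to the firewall's own address instead of "*"), and the over-broad rule hmeister hit first, modelled side by side as an added Python example. This is not code from the thread or from pfSense; it is a toy first-match rule evaluator. The guest interface address 192.168.20.1, the LAN 192.168.1.0/24, the Internet host 203.0.113.10 and the sample flows are constructed, and the assumption that the webConfigurator listens on TCP 443 follows the thread.

```python
"""Toy first-match evaluator for a pfSense-style per-interface rule set.

Added example, not pfSense code. Addresses, ports and flows are constructed
for illustration: the guest interface's firewall-side address is assumed to
be 192.168.20.1, the regular LAN 192.168.1.0/24, and the webConfigurator is
assumed to listen on HTTPS (TCP 443), as the thread found.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

ANY = None  # wildcard for protocol, destination or port ("*" in the GUI)

FIREWALL_GUEST_IP = ipaddress.ip_address("192.168.20.1")  # assumed guest gateway
LAN_NET = ipaddress.ip_network("192.168.1.0/24")          # assumed regular LAN

Dest = Union[ipaddress.IPv4Address, ipaddress.IPv4Network, None]


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: Optional[str]   # "tcp", "udp" or ANY
    dst: Dest              # a single host, a network, or ANY
    dport: Optional[int]   # destination port or ANY
    note: str = ""


@dataclass(frozen=True)
class Flow:
    proto: str
    dst: ipaddress.IPv4Address
    dport: int


def _dst_matches(rule_dst: Dest, addr: ipaddress.IPv4Address) -> bool:
    if rule_dst is ANY:
        return True
    if isinstance(rule_dst, ipaddress.IPv4Network):
        return addr in rule_dst
    return addr == rule_dst


def matches(rule: Rule, flow: Flow) -> bool:
    return (
        (rule.proto is ANY or rule.proto == flow.proto)
        and _dst_matches(rule.dst, flow.dst)
        and (rule.dport is ANY or rule.dport == flow.dport)
    )


def evaluate(rules, flow: Flow) -> str:
    """First matching rule wins, as on a pfSense interface tab; no match means block."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "block"


# Rule set as first tried in the thread: block 443 with destination "*".
OVERBROAD = [
    Rule("block", "tcp", ANY, 443, "blocks HTTPS to every destination"),
    Rule("block", ANY, LAN_NET, ANY, "keep guests off the regular LAN"),
    Rule("pass", ANY, ANY, ANY, "the 'any' rule from the guest setup"),
]

# Refined rule set: destination is the firewall's address on the guest interface.
REFINED = [
    Rule("block", "tcp", FIREWALL_GUEST_IP, 443, "webConfigurator only"),
    Rule("block", ANY, LAN_NET, ANY, "keep guests off the regular LAN"),
    Rule("pass", ANY, ANY, ANY, "the 'any' rule from the guest setup"),
]

# Same rules, but with the block placed below the pass rule: it never fires.
MISORDERED = [REFINED[2], REFINED[0], REFINED[1]]

# Constructed sample flows arriving on the guest interface.
FLOWS = {
    "gui": Flow("tcp", FIREWALL_GUEST_IP, 443),                       # admin login page
    "internet_https": Flow("tcp", ipaddress.ip_address("203.0.113.10"), 443),
    "dns": Flow("udp", FIREWALL_GUEST_IP, 53),                        # resolver on pfSense
    "lan_host": Flow("tcp", ipaddress.ip_address("192.168.1.50"), 445),
}


def decisions(rules) -> dict:
    """Map each sample flow name to the action the rule set gives it."""
    return {name: evaluate(rules, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("overbroad", OVERBROAD), ("refined", REFINED), ("misordered", MISORDERED)):
        print(label, decisions(rules))
```

Two details the evaluator makes visible: the block rule has to sit above the "any" pass rule, because pfSense interface rules are evaluated first match wins; and rules filter traffic arriving inbound on the interface whose tab they are placed on, so a block on the LAN tab never sees packets entering from the guest wireless interface. With the destination narrowed to the firewall's guest-side address, DNS and other services pfSense itself provides to guests (anything not on TCP 443) still pass.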
hmeister

Hi…

I am back on this thread - I had to troubleshoot a hardware issue unrelated to this.
Ok, I will look closer at the rule...

I will critique the setup again...

Thanks Lost, Wally & everyone for the response...

H.

Best Regards;
H.