Question on wireless router firewalling



  • Hi all,

    I don't know if this is the right place to post.
    Based on what I have read and researched about connecting a wireless router to pfSense, I came up with this diagram.

    internet >>> [WAN] pfSense [LAN] >>> switch/hub >>> | workstation (10 PCs attached)
                                                        | wireless router

    pfSense LAN IP: 192.168.1.1
    wireless router IP: 192.168.1.3 (DHCP disabled)
    switch/hub >>>>>> wireless router [LAN port], not the WAN port

    Questions:
    1. How do I set up the wireless router and LAN PCs for firewalling?
    I mean I want to make the clients connecting through the wireless router exclusive, so they cannot access the LAN PCs.

    2. If I enable "Captive Portal" (CP), is it possible to use it for my wireless router only (so that the clients pass through the CP before using the internet), excluding the LAN PCs?

    TIA



  • Would require multiple interfaces or VLANs. LAN computers on one and wireless on another.



  • @XIII:

    Would require multiple interfaces or VLANs. LAN computers on one and wireless on another.

    You mean I have to separate my LAN computers from the wireless router using another interface?
    Like this?
    eth0: LAN >>>>> switch/hub
    eth1: WAN <<<< internet
    eth2: OPT1 >>>> wireless router

    internet >>> [WAN] pfSense [LAN] >>> switch/hub >>> | workstation (10 PCs attached)
                       [OPT1] >>> wireless router

    What would be the connection to the port of the wireless router? Is it the WAN or the LAN port? TIA



  • Connect pfSense OPT1 to a LAN port on the wireless router.

    On pfSense, enable captive portal on OPT1, not on LAN. You may need to add firewall rules to OPT1 to allow internet access. (I'm not sure of the interaction between captive portal and firewall. I have such rules on my captive portal interface but they pre-date me using captive portal on that interface.)



  • @wallabybob:

    Connect pfSense OPT1 to a LAN port on the wireless router.

    On pfSense, enable captive portal on OPT1, not on LAN. You may need to add firewall rules to OPT1 to allow internet access. (I'm not sure of the interaction between captive portal and firewall. I have such rules on my captive portal interface but they pre-date me using captive portal on that interface.)

    I see.
    The only thing I do not know is how to add firewall rules for OPT1 that allow only internet access through the wireless router.



  • You would add an Interface as OPT1, rename to WiFi (or whatever you want), enable the Captive Portal for that Interface, add rules to allow access to Internet only.

    The source would be OPT1 net and the destination would be the WAN net; that is the only firewall rule needed. This would allow access to the Internet as well as the firewall. You would need an additional rule to block access to the firewall, but just using a non-standard port throws off most people. Let me know if you need a screenshot.



  • @XIII:

    You would add an Interface as OPT1, rename to WiFi (or whatever you want), enable the Captive Portal for that Interface, add rules to allow access to Internet only.

    The source would be OPT1 net and the destination would be the WAN net; that is the only firewall rule needed. This would allow access to the Internet as well as the firewall. You would need an additional rule to block access to the firewall, but just using a non-standard port throws off most people. Let me know if you need a screenshot.

    Thanks for sharing your thoughts, XIII.
    Can you show me some screenshots?
    I do not know how to add rules.
    I just started using pfSense a month ago.

    BTW, is this diagram correct?

    OPT1 (WiFi) - 192.168.3.1 >>>>> wireless router (change IP to 192.168.3.3, gateway: 192.168.3.1)
    LAN - 192.168.1.1 >>>> switch/hub >>>>> workstations

    The OPT1 interface IP must not be in the same subnet as the LAN.

    TIA



  • If you're using DHCP on wireless router you should disable it and use DHCP on pfSense instead.

    I suggest you get the configuration working without captive portal then enable captive portal.

    Firewall rule: In the web GUI: Firewall -> Rules, click on the OPT1 tab, click on "+" on the right of the page, add rule: Action=PASS, Interface=OPT1, Protocol=TCP/UDP, Source=Type=OPT1 subnet, Destination=Type=Any.
    Click Save, then go to Diagnostics -> States, click on the Reset States tab, read the explanation, then click on the Reset button.

    This will allow OPT1 to access anything - useful for testing.

    To block access from OPT1 to LAN, create a new firewall rule BEFORE the one given above but with Action=BLOCK, Interface=OPT1, Protocol=any, Source=Type=any,  Destination=Type=LAN subnet then, as before, click Save then go to Diagnostics -> States, click on Reset States tab, read the explanation then click on the Reset button.

    I don't think the single rule suggested in a previous reply to allow access to WAN net will work because I don't think WAN net will be a sufficient range of IP addresses to match the likely range of hosts to be accessed.
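The disagreement in the last two replies (whether a single "OPT1 net -> WAN net" pass rule gives wireless clients internet access, and why the block rule has to sit above the pass rule) comes down to how pfSense evaluates an interface's rule tab: top-down, first match wins, and anything unmatched hits the default deny. The script below models that evaluation and runs both proposed rulesets against a few wireless-client flows. It is an added example written for this page, not code from the thread or from pfSense. The LAN (192.168.1.0/24, firewall at 192.168.1.1) and OPT1 (192.168.3.0/24, firewall at 192.168.3.1) addressing follows the poster's plan; the WAN subnet 203.0.113.0/29 with the firewall at 203.0.113.7, the client and server addresses, and the "This Firewall" block-with-DNS-exception rule are constructed assumptions for the example.

```python
"""Model pfSense's per-interface, top-down, first-match rule evaluation and
run the two rulesets proposed in the thread against wireless-client flows.
Added example, not code from the thread or from pfSense.

Constructed assumptions: LAN 192.168.1.0/24 (firewall 192.168.1.1) and
OPT1/WiFi 192.168.3.0/24 (firewall 192.168.3.1) as the poster planned;
WAN 203.0.113.0/29 (firewall 203.0.113.7) is a documentation address
chosen for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Interface subnets, the way pfSense's "<IF> net" macros expand them.
NETS: dict[str, IPv4Network] = {
    "any": ip_network("0.0.0.0/0"),
    "LAN net": ip_network("192.168.1.0/24"),
    "OPT1 net": ip_network("192.168.3.0/24"),
    "WAN net": ip_network("203.0.113.0/29"),
}

# Addresses owned by pfSense itself (its "This Firewall" destination macro).
FIREWALL_ADDRS = {ip_address(a) for a in ("192.168.1.1", "192.168.3.1", "203.0.113.7")}


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # key in NETS
    dst: str                     # key in NETS, or "This Firewall"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, src_ip: IPv4Address, dst_ip: IPv4Address, dport: int) -> bool:
        if src_ip not in NETS[self.src]:
            return False
        if self.dport is not None and dport != self.dport:
            return False
        if self.dst == "This Firewall":
            return dst_ip in FIREWALL_ADDRS
        return dst_ip in NETS[self.dst]


def evaluate(rules: list[Rule], src: str, dst: str, dport: int) -> str:
    """Return the action of the first matching rule on the interface tab.
    A packet that matches no rule hits pfSense's implicit default deny."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "block"


# Ruleset 1: the single "OPT1 net -> WAN net" pass rule from earlier in the thread.
RULES_WAN_NET_ONLY = [Rule("pass", "OPT1 net", "WAN net")]

# Ruleset 2: block-then-pass ordering, plus a block on the firewall's own
# addresses with a DNS exception (assumes pfSense is the DNS server for OPT1).
RULES_ISOLATED = [
    Rule("pass", "OPT1 net", "This Firewall", dport=53),  # DNS to pfSense
    Rule("block", "any", "This Firewall"),                # no web GUI/SSH from WiFi
    Rule("block", "any", "LAN net"),                      # WiFi cannot reach the LAN PCs
    Rule("pass", "OPT1 net", "any"),                      # everything else, i.e. the internet
]

# Constructed flows from one wireless client: (source, destination, destination port).
FLOWS = {
    "wifi -> LAN PC": ("192.168.3.50", "192.168.1.10", 445),
    "wifi -> internet": ("192.168.3.50", "198.51.100.20", 443),
    "wifi -> firewall GUI": ("192.168.3.50", "192.168.3.1", 443),
    "wifi -> firewall DNS": ("192.168.3.50", "192.168.3.1", 53),
}


def check_ruleset(rules: list[Rule]) -> dict[str, str]:
    """Evaluate every flow in FLOWS against one ruleset; returns flow -> verdict."""
    return {name: evaluate(rules, s, d, p) for name, (s, d, p) in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("WAN net only", RULES_WAN_NET_ONLY), ("block then pass", RULES_ISOLATED)):
        print(f"{label}:")
        for flow, verdict in check_ruleset(rules).items():
            print(f"  {flow:22s} {verdict}")
```

Running it shows the first ruleset blocking every flow, internet included: "WAN net" expands only to the WAN interface's own subnet, so a destination of 198.51.100.20 matches nothing and falls through to the default deny. The second ruleset passes internet and DNS while blocking the LAN PCs and the firewall's management address; reversing its order makes the pass rule match first and the isolation disappears, which is why the block rule must be placed above the pass rule. Ports are modelled only crudely here: on a real box the captive portal and DHCP also talk to the firewall's OPT1 address, so test both after adding a "This Firewall" block. The thread's Reset States step matters for the same reason the model is stateless: existing states keep flowing under the old verdict until they are cleared.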



  • @wallabybob:

    If you're using DHCP on wireless router you should disable it and use DHCP on pfSense instead.

    I suggest you get the configuration working without captive portal then enable captive portal.

    Firewall rule: In the web GUI: Firewall -> Rules, click on the OPT1 tab, click on "+" on the right of the page, add rule: Action=PASS, Interface=OPT1, Protocol=TCP/UDP, Source=Type=OPT1 subnet, Destination=Type=Any.
    Click Save, then go to Diagnostics -> States, click on the Reset States tab, read the explanation, then click on the Reset button.

    This will allow OPT1 to access anything - useful for testing.

    To block access from OPT1 to LAN, create a new firewall rule BEFORE the one given above but with Action=BLOCK, Interface=OPT1, Protocol=any, Source=Type=any,  Destination=Type=LAN subnet then, as before, click Save then go to Diagnostics -> States, click on Reset States tab, read the explanation then click on the Reset button.

    I don't think the single rule suggested in a previous reply to allow access to WAN net will work because I don't think WAN net will be a sufficient range of IP addresses to match the likely range of hosts to be accessed.

    Wow, thanks for this, wallabybob.
    I will try this.
    I will update you guys if I manage to do this successfully.
    Thanks for sharing.



  • I will provide screenshots when I can do so later.

    I will double-check that rule then. I think it would work; if I remember correctly, it is the same as copying the default LAN rule to the OPT interface and changing LAN net to OPT1 net, and then putting a block rule above it denying access to the LAN net should do the same thing.



  • Here is the screenshot of the two rules I mentioned. The top one allows access to all. The bottom one allows access to WAN. If the bottom one doesn't work, use the top one but add a rule above it blocking access to your other LAN interfaces, and that will do what you want.




  • Thanks for this screenshot.
    I'll try and experiment again. ;)

    I have already set my wireless router to an access point.
    Do I need to assign my wireless router the same IP as the OPT1 IP address? TIA



  • @cheonne:

    I have already set my wireless router to an access point.
    Do I need to assign my wireless router the same IP as the OPT1 IP address? TIA

    You don't want conflicting IP addresses. Assign another one.



  • You do need to assign the AP an IP address; assign it one that is outside of the DHCP range and different from the OPT1 address, so it won't conflict.



  • So you mean, guys, if my OPT1 IP is 192.168.3.1, I'll set my router's IP as 192.168.3.2?
    If I choose AP mode for my D-Link DIR-300, DHCP and the rest are disabled.
    Does this mean that the router can distribute the internet wirelessly and depends on the DHCP IPs of OPT1? TIA



  • That's the way an AP works; you can think of it as just a different kind of LAN cable for wireless users.

