Bridged LAN + WLAN Setup Confirmation
I've been reading through all of the threads regarding setup and I wanted to see if this sounds correct. First, here are the requirements (quite simple):
1. pfSense 2.0 box with 3 NICs: one for WAN, one for wired LAN and one OPT1 which connects to an external wireless AP (Apple Airport Extreme).
2. A single subnet 192.168.1.x for both the wired LAN and OPT1 wireless clients
3. All IPs in the 192.168.1.x subnet assigned via DHCP
4. The wireless clients on OPT1 should NOT have access to any machines in the wired LAN
5. However wired LAN clients can access wireless OPT1 interface (there is a printer connected to the wireless AP).
In the default configuration before I did anything here is the interface setup:
1. WAN = vr1, type DHCP
2. LAN = vr0, type Static
3. OPT1 = vr2, type None
Here is what I have done:
1. Created an OPT2 interface which is enabled and
2. Set OPT2 = vr0, type None
3. Created a BRIDGE0 which has members OPT1, OPT2
4. Set LAN = BRIDGE0, Type Static
5. Run DHCP server on LAN
As it stands all clients (both wired and wireless) are served IP addresses from the 192.168.1.x subnet (good). Further, wired clients can print on the printer connected to the wireless AP on the OPT1 interface (good).
However wireless clients are still able to access wired clients (bad). I can't think of how I could set up my rules to stop this. Unless I am missing something, all clients are on the same LAN subnet which is the same as the OPT1 subnet and the OPT2 subnet.
Are there any thoughts as to how this could be done or improved? Thank you!
Quick update: I spent some time tinkering with the firewall rules and it appears that the following works. For OPT1 (wireless clients) I create a rule which says:
Source: OPT1 net
Destination: OPT2 net
It appears that this works. What is counter-intuitive for me at least is that OPT1 and OPT2 subnets are actually the same due to the BRIDGE. Am I understanding this correctly that the rule is really saying: block any traffic requests from the OPT1 interface to the OPT2 interface?
I'm worried about the implications down the road if this isn't set up correctly.
Unless I am missing something, all clients are on the same LAN subnet which is the same as the OPT1 subnet and the OPT2 subnet.
You are missing something. In its basic form a bridge allows traffic to freely pass between its members.
Based on what you have written here I can't see why you have bridged the interfaces. Maybe you were following a recipe you didn't fully understand.
I suggest you return to your original configuration. Default firewall rules allow LAN access anywhere and other interfaces no access anywhere so you will need to add a firewall rule to OPT1 to PASS any traffic to NOT LAN subnet. Then you should reset firewall states (see Diagnostics -> States, click on Reset states tab, read the explanation and click on the Reset button). Then you should have what you want.
Thanks for the feedback wallabybob; I appreciate your insight. Assuming I go back to the original configuration:
In order to hand out IPs via DHCP from OPT1 I would need to set its type to Static with a DHCP server running on this interface. However doing this would require me to use a different subnet, e.g. 192.168.2.x. So in this case LAN is 192.168.1.x and OPT1 is 192.168.2.x and I implement the Rule you described below. I hope this is what you mean?
So in summary:
1. WAN = vr1, type DHCP
2. LAN = vr0, type = Static, running DHCP Server range 192.168.1.x
3. OPT1 = vr2, type = Static, running DHCP Server range 192.168.2.x
I then have my rule on OPT1 to PASS any traffic !LAN subnet. This allows LAN full access to OPT1 and WAN (everything) and only allows OPT1 anything BUT traffic to LAN.
In order to hand out IPs via DHCP from OPT1 I would need to set its type to Static with a DHCP server running on this interface.
However doing this would require me to use a different subnet, e.g. 192.168.2.x. So in this case LAN is 192.168.1.x and OPT1 is 192.168.2.x and I implement the Rule you described below.
Yes, the LAN and OPT1 subnets need to be distinct. It is not necessary for OPT1 to be 192.168.2.0/24, for example, it could be 192.168.7.0/24.
I then have my rule on OPT1 to PASS any traffic !LAN subnet.
At the risk of being pedantic, the rule could be something like: Interface=OPT1, Action=Pass, Destination= NOT LAN Subnet, with all other fields Default or Any.
If you add another OPT interface in the future you might need to tweak this rule.
Since you are using DHCP on OPT1 you will also need a rule allowing DHCP: something like Action=Pass, Protocol=UDP, Source=0.0.0.0, Source Port=68, Destination=255.255.255.255, Destination Port=67
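To make the OPT1 rule set from this reply concrete, here is an added Python model (not pfSense code, and not from anyone in this thread) that evaluates the two rules, the DHCP pass and the "NOT LAN subnet" pass, against constructed packets. The 192.168.2.0/24 OPT1 subnet, the 203.0.113.10 Internet host and the client addresses are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the final (non-bridged) design in this thread; this is
# illustrative Python, not a pfSense export. Assumed addressing:
LAN_NET = ip_network("192.168.1.0/24")    # LAN = vr0, wired clients
OPT1_NET = ip_network("192.168.2.0/24")   # OPT1 = vr2, wireless AP + printer
ANY = ip_network("0.0.0.0/0")

# Rules on the OPT1 tab, evaluated top-down, first match wins. pfSense
# denies anything on an OPT interface that no pass rule matches.
# dst_not=True models the "not" checkbox: "Destination: NOT LAN subnet".
OPT1_RULES = [
    # DHCP bootstrap: the client has no address yet and broadcasts for one.
    dict(action="pass", proto="udp", src=ip_network("0.0.0.0/32"), sport=68,
         dst=ip_network("255.255.255.255/32"), dport=67, dst_not=False),
    # Pass everything except traffic destined for the LAN subnet.
    dict(action="pass", proto="any", src=ANY, sport=None,
         dst=LAN_NET, dport=None, dst_not=True),
]

def rule_matches(rule, pkt):
    """Return True if this firewall rule applies to the packet."""
    if rule["proto"] != "any" and rule["proto"] != pkt["proto"]:
        return False
    if ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["sport"] is not None and rule["sport"] != pkt["sport"]:
        return False
    in_dst = ip_address(pkt["dst"]) in rule["dst"]
    if in_dst == rule["dst_not"]:   # membership is inverted when dst_not is set
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    return True

def evaluate(rules, pkt):
    """First matching rule decides; no match means the interface's default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "block"

def opt1_verdict(proto, src, sport, dst, dport):
    """Verdict for a packet entering pfSense on OPT1 (constructed packets only)."""
    return evaluate(OPT1_RULES, dict(proto=proto, src=src, sport=sport,
                                     dst=dst, dport=dport))

if __name__ == "__main__":
    print(opt1_verdict("tcp", "192.168.2.50", 51000, "192.168.1.10", 445))   # wireless -> wired: block
    print(opt1_verdict("tcp", "192.168.2.50", 51001, "203.0.113.10", 443))   # wireless -> Internet: pass
    print(opt1_verdict("udp", "0.0.0.0", 68, "255.255.255.255", 67))         # DHCP discover: pass
```

The model also shows why the reply says the rule may need tweaking later: a destination in some future OPT subnet such as 192.168.7.0/24 is "NOT LAN subnet" and therefore passes.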
Thank you sir! All makes perfect sense. I was making this a little harder than it needed to be :)