Best way to setup network?
-
I have just now successfully flashed my Fonera router (got it for free), to dd-wrt. Now I have all sorts of possibilities as far as what I can do to configure my network.
Here's what I have currently:
Pfsense on normal PC, three nics
16 port switch connect to the LAN interface of the PfSense box, plenty of open ports.
Fonera wireless router that I can configure any way I want.
Requirements:
I want to give all wireless clients (2 as of now), access to the LAN and internet, with as much security put in place as possible without installing additional software. One of the clients will be a digital picture frame that I am putting together, using this tutorial:
http://www.frontiernet.net/~pictureframe/
However, since my laptop that I am using does not have any network connectivity built in, and I have an old Linksys WUSB11 USB network adapter, assuming that it works with Damn Small Linux, I will be using that as the network connection for the laptop to grab new pictures from my file server over NFS; that is the reason for my quest to flash my Fonera in the first place.
Since this network adapter is so old, I highly doubt that it supports WPA encryption, which would be the best bet from a security standpoint to keep unauthorized users out of my wireless network. So, I am stuck with probably no encryption at all on the Fonera.
My plan is to use MAC address filtering on the wireless clients, whichever that one works out to, and to ONLY allow those MAC addresses.
My question is, should I plug the Fonera into my switch, and set it up so that pfSense gives that MAC address the same IP every time, or should I plug it into the OPT interface? If I plug it into the OPT interface, what do I need to do to allow seamless traffic between the LAN and OPT interfaces, and should I set the Fonera up in bridged mode, and let the pfSense box handle all DHCP, or what?
Sorry for my cluelessness and rambling, just not sure what direction I should go here.
Thanks.
-
Running completely unencrypted is dangerous, even with MAC address filtering. MACs are easy to fake and to sniff. I would do it in the following way:
- Connect the AP in bridge mode to an OPT interface
- enable MAC filtering at the AP for your photo frame and other WLAN clients
- enable Captive Portal at the OPT1 with no user (upload a nice "you won't get in here!" page with no authentication form)
- add captive portal MAC address passthrough for the MACs you need (your photo frame and your notebook or whatever client you need)
- enable the DHCP server at OPT1 and add static MAC/IP assignments. Enable deny unknown clients and enable static ARP
- configure the PPTP server and set up a user to be available to tunnel in
- add a firewall rule at OPT1 to only allow the IP of the photo frame to access the ports and servers needed at LAN
- add a firewall rule to allow your PPTP client anywhere
This only makes it harder to get through. It doesn't grant absolute security. Now your photo frame can only go to the photo storage and your notebook is VPNed to LAN and is part of your LAN subnet. This traffic is encrypted (though PPTP is not the best encryption one could get).
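An added example, not from the post or from pfSense itself, of watching the static MAC/IP step described above: a small audit that reads dhcpd syslog lines and an `arp -an` listing from the OPT1 segment and flags MACs that are not in the static mapping, or known MACs that turn up with an IP other than their assigned one. The sample log lines, MAC addresses and the 192.168.2.0/24 subnet are constructed for the example; the line formats follow ISC dhcpd and FreeBSD `arp -an` output.

```python
import re

# Constructed static DHCP mappings for OPT1 (placeholder MACs/IPs, not from the post).
STATIC_MAP = {
    "00:11:22:33:44:55": "192.168.2.10",  # photo frame
    "00:11:22:33:44:66": "192.168.2.11",  # notebook
}

# ISC dhcpd syslog format: "DHCPREQUEST for <ip> from <mac> via <if>" or
# "DHCPDISCOVER from <mac> via <if> ..." (no IP on a DISCOVER).
DHCP_RE = re.compile(
    r"DHCP(?P<type>REQUEST|DISCOVER)(?: for (?P<ip>[\d.]+))? from (?P<mac>[0-9a-f:]{17}) via (?P<iface>\w+)",
    re.I,
)
# FreeBSD `arp -an` format: "? (<ip>) at <mac> on <if> permanent [ethernet]"
ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


def check_dhcp(lines):
    """Flag DHCP traffic from MACs outside the static map, or a known MAC asking for the wrong IP."""
    findings = []
    for line in lines:
        m = DHCP_RE.search(line)
        if not m:
            continue
        mac, ip = m["mac"].lower(), m["ip"]
        expected = STATIC_MAP.get(mac)
        if expected is None:
            findings.append(("unknown-mac", mac, ip))
        elif ip and ip != expected:
            findings.append(("ip-mismatch", mac, ip))
    return findings


def check_arp(lines):
    """Flag ARP entries whose IP/MAC pair does not match the static map.
    A spoofer cloning both the frame's MAC and IP is indistinguishable here;
    this only catches unknown MACs and known MACs bound to a foreign IP."""
    findings = []
    for line in lines:
        m = ARP_RE.search(line)
        if not m:
            continue
        ip, mac = m["ip"], m["mac"].lower()
        if STATIC_MAP.get(mac) != ip:
            findings.append(("arp-mismatch", mac, ip))
    return findings


# Constructed sample input: one legitimate request, one unknown client, one known MAC on a wrong IP.
DHCP_LOG = [
    "Jan  1 10:00:01 pfsense dhcpd: DHCPREQUEST for 192.168.2.10 from 00:11:22:33:44:55 via em2",
    "Jan  1 10:00:05 pfsense dhcpd: DHCPDISCOVER from 00:de:ad:be:ef:01 via em2: network 192.168.2.0/24: no free leases",
    "Jan  1 10:00:09 pfsense dhcpd: DHCPREQUEST for 192.168.2.50 from 00:11:22:33:44:66 via em2",
]
ARP_TABLE = [
    "? (192.168.2.10) at 00:11:22:33:44:55 on em2 permanent [ethernet]",
    "? (192.168.2.11) at 00:11:22:33:44:66 on em2 permanent [ethernet]",
    "? (192.168.2.77) at 00:de:ad:be:ef:01 on em2 expires in 1100 seconds [ethernet]",
]

if __name__ == "__main__":
    for finding in check_dhcp(DHCP_LOG) + check_arp(ARP_TABLE):
        print(finding)
```

On a real box the inputs would be `/var/log/dhcpd.log` (or the syslog feed pfSense writes dhcpd messages to) and the output of `arp -an`, fed in as lists of lines.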