Open AP with captive portal, separate from LAN interface?



  • OK, here is the setup that I want to do; I tried to set it up without 100% success.

    I will try to explain as best as I can what I did, as I am not in front of this PC anymore to see exactly.
    Basically what I want is a pfSense with 3 NICs in it: 1 for WAN, 1 for LAN (office use) and one for an open wifi AP.
    I have the box working perfectly with just 2 NIC cards with pfBlocker, OpenDNS, DynDNS, ClamAV, SquidGuard, and some simple proxy and firewall rules.

    What I want is to have all that + an open AP (Netgear WGR614v9) on a 3rd NIC card (OPT1) that does not have access to the LAN, because of our server and other stuff on that network, and some simple blocking on this interface, such as blocking P2P, captive portal, pfBlocker, blacklist and whitelist.

    I did try to set it up; here is what I did, with no success. I basically followed this guide: http://doc.pfsense.org/index.php/InstallationGuide

    1. Installed 3rd NIC card.
    2. Plugged wireless AP into OPT1.
    3. Enabled 3rd NIC card OPT1.
    4. I left all settings under here alone; type was none and nothing else was filled out.
    5. Made sure the OPT1 and LAN were bridged.
    6. Added firewall rule on OPT1 to allow any traffic through.
    7. Logged onto wireless router.
    8. Disabled DHCP on router.
    9. Changed the local router IP address to 192.168.2.5 (my pfSense box is 192.168.1.1).

    At this point I could connect to the wireless AP, but I lost the ability to access the admin page (192.168.2.5; it was 192.168.1.2). I did have internet access, but I could see the entire network attached to the LAN interface.

    I do not understand what rules to add if that is the problem.

    Sorry if this is confusing, I am horrible at posting technical stuff.

    pfSense version = 2.0.1
    CPU = Pentium 4 single core
    RAM = 1.5 GB
    Hard drive = 80 GB
    Minimal logging enabled.



  • @virtualliquid:

    What I want is to have all that + a open AP net gear wgr614v9 on a 3rd nic card (opt1), that does not have access to the lan,
    . . .

    Then you shouldn't bridge LAN and OPT1.

    @virtualliquid:

    9. Changed the local router IP address to 192.168.2.5 ( my pfsense box is 192.168.1.1 )

    Which is the "local router"? Why did you change its IP address? Each pfSense interface can have its own IP address; I presume you mean the pfSense LAN interface has IP address 192.168.1.1

    @virtualliquid:

    At this point I could connect to the wireless AP, but I lost the ability to access the admin page ( 192.168.2.5 ) it was 192.168.1.2.

    You probably messed up your routing, but without more details it's difficult to say.

    @virtualliquid:

    Sorry if this is confusing, I am horrible at posting technical stuff.

    It's not always easy to know which technical details are significant. Please provide the IP address and network mask of the pfSense LAN interface, the OPT1 interface and the wireless AP. I presume your AP is actually a router and you have connected pfSense to one of its LAN ports; correct? Do you want DHCP service for the wireless clients? If so, who is to provide that service - AP or pfSense?



  • Then you shouldn't bridge LAN and OPT1.

    I did try this without it bridged to LAN and just the WAN; it then gave the computers connecting my local outside IP address.

    Which is the "local router"? Why did you change its IP address? Each pfSense interface can have its own IP address; I presume you mean the pfSense LAN interface has IP address 192.168.1.1

    I changed it because I was following that guide I linked, but if I can leave it alone then I would rather keep things simple, such as having my pfSense box on its current 192.168.1.1 and my wireless AP on 192.168.1.2 if possible.

    You probably messed up your routing, but without more details it's difficult to say.

    Welcome to my world :P

    It's not always easy to know which technical details are significant. Please provide the IP address and network mask of the pfSense LAN interface, the OPT1 interface and the wireless AP. I presume your AP is actually a router and you have connected pfSense to one of its LAN ports; correct? Do you want DHCP service for the wireless clients? If so, who is to provide that service - AP or pfSense?

    The wireless access point has DHCP disabled, with a default IP address of 192.168.1.1; I changed it to 192.168.2.5 (per guide). I'd rather keep it at 192.168.1.2 if possible.

    I presume your AP is actually a router and you have connected pfSense to one of its LAN ports; correct?

    Yes, it is actually a router, and the pfSense is connected to one of the 4 LAN ports, not a WAN port.

    Do you want DHCP service for the wireless clients?

    Yes, I want DHCP for all clients connecting to the wireless access point, and I would like pfSense to provide all services if possible. I want to use captive portal in future, so I think it would be better if pfSense handled all requests. I could be wrong, I don't know.



  • http://en.wikipedia.org/wiki/Ip_address is a good article on IP addresses. For now you can ignore the IPv6 parts. This article might be good background for the following discussion.

    In an IP router every interface belongs to a distinct sub network.
    Computers using IP communicate with other computers on the same network directly and communicate with computers on different networks by going through a router on the same network.

    Consider your desired configuration: pfSense LAN interface 192.168.1.1/24 and AP 192.168.1.2/24. These interfaces are on the same network, so they can communicate directly. In particular, the AP can communicate directly with any computer on your LAN (192.168.1.x/24). But you have said you want to block the LAN from the AP and wireless clients. Therefore the AP and wireless clients need to be on a separate network, say 192.168.2.0/24, and be connected to an interface in that network: pfSense OPT1.

    You have configured the AP to be 192.168.2.5 (presumably with a network mask of 24 bits), so the pfSense OPT1 interface needs an IP address of 192.168.2.x/24, where x is not 5 (already used by the AP), not 0 (the network number) and not 255 (the network broadcast address). For the sake of illustration, let's pick x = 254.

    You want DHCP service on OPT1, and the pfSense web GUI allows one range of IP addresses for DHCP allocation, so let's pick 192.168.2.100 to 192.168.2.199. Enable the DHCP server on OPT1 (Services -> DHCP Server, click on the OPT1 tab), enter the range and save.

    Now you need to consider firewall rules. The pfSense LAN interface defaults to a rule allowing any access to anywhere, while OPTx interfaces default to firewall rules blocking all accesses. Hence a rule needs to be added to the OPT1 interface allowing access to anything BUT the LAN network. Go to Firewall -> Rules, click on the OPT1 tab, then click on the "+" button to add the rule: Action=Pass, Interface=OPT1, Protocol=Any, Source=Any, Destination=NOT LAN Net, and Save.

    In the pfSense firewall, packets are matched against firewall rules from the top down, and processing stops at the first match. Hence with that rule an access to an internet site from a wireless client will match the first rule and be allowed, while an access to the LAN will not match the first rule and will fall into the default OPTx rule mentioned earlier and be blocked.

    Now you should try an access from a wireless client: start it up, check it gets an IP address in the correct range (192.168.2.100 to 192.168.2.199) and can access the internet but not a LAN system.

    You will need to adapt the suggested firewall rule to your particular security policy.
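    The following is an added example, not part of the forum post or of pfSense itself. It models the OPT1 plan described above in plain Python: first-match rule evaluation with the OPTx default of block, a single pass rule whose destination is NOT "LAN net", and a consistency check on the addressing (OPT1 address is a usable host, does not collide with the AP, the DHCP pool sits inside the subnet, and the OPT1 subnet does not overlap the LAN). The addresses are the ones chosen in the post (LAN 192.168.1.0/24, OPT1 192.168.2.0/24 with pfSense at .254 and the AP at .5); the .254 and the rule model are assumptions for illustration. Note what the model shows about the suggested rule: a wireless client can reach the pfSense OPT1 address itself, since 192.168.2.254 is not in LAN net; that is what DHCP and a captive portal need, and it is one of the things the last sentence about adapting the rule to your own policy is about.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Addressing from the post (assumed values: pfSense OPT1 at .254, AP at .5).
LAN_NET = "192.168.1.0/24"
OPT1_NET = "192.168.2.0/24"
OPT1_IF = "192.168.2.254"        # pfSense OPT1 address, x = 254
AP_IP = "192.168.2.5"            # Netgear WGR614v9 LAN address, DHCP disabled
POOL = ("192.168.2.100", "192.168.2.199")


@dataclass(frozen=True)
class Rule:
    """One pfSense-style rule, reduced to the fields the thread uses (Protocol=Any, Source=Any)."""
    action: str                  # "pass" or "block"
    dst: IPv4Network | None      # None stands for Destination=Any
    dst_invert: bool = False     # the "not" checkbox on Destination (NOT LAN net)

    def matches(self, dst_ip: IPv4Address) -> bool:
        if self.dst is None:
            return True
        in_net = dst_ip in self.dst
        return not in_net if self.dst_invert else in_net


# The OPT1 ruleset from the post: a single pass rule, Destination = NOT "LAN net".
OPT1_RULES = [Rule("pass", ip_network(LAN_NET), dst_invert=True)]


def evaluate(rules: list[Rule], dst_ip: str, default: str = "block") -> str:
    """First match wins, top down; no match falls through to the OPTx default (block)."""
    ip = ip_address(dst_ip)
    for rule in rules:
        if rule.matches(ip):
            return rule.action
    return default


def check_opt1_plan(opt1_net: str, opt1_if: str, ap_ip: str,
                    pool: tuple[str, str], lan_net: str = LAN_NET) -> list[str]:
    """Return the addressing problems in an OPT1 plan; an empty list means it is consistent."""
    net, lan = ip_network(opt1_net), ip_network(lan_net)
    gw, ap = ip_address(opt1_if), ip_address(ap_ip)
    lo, hi = ip_address(pool[0]), ip_address(pool[1])
    problems = []
    if net.overlaps(lan):
        problems.append(f"{net} overlaps LAN {lan}: AP and LAN would share a network")
    # hosts() excludes the network address (x = 0) and the broadcast address (x = 255)
    hosts = set(net.hosts())
    if gw not in hosts:
        problems.append(f"OPT1 address {gw} is not a usable host in {net}")
    if ap not in hosts:
        problems.append(f"AP address {ap} is not a usable host in {net}")
    if gw == ap:
        problems.append(f"OPT1 interface and AP both use {gw}")
    if lo > hi or lo not in hosts or hi not in hosts:
        problems.append(f"DHCP pool {lo}-{hi} is not inside {net}")
    else:
        for taken in (gw, ap):
            if lo <= taken <= hi:
                problems.append(f"DHCP pool {lo}-{hi} contains the static address {taken}")
    return problems


if __name__ == "__main__":
    for line in check_opt1_plan(OPT1_NET, OPT1_IF, AP_IP, POOL) or ["plan OK"]:
        print(line)
    # Traffic from a wireless client that took a lease from the pool:
    for dst in ("8.8.8.8", "192.168.1.10", OPT1_IF):
        print(f"{dst:16} -> {evaluate(OPT1_RULES, dst)}")
```

    Running the plan check against the original attempt (AP at 192.168.1.2 next to a LAN of 192.168.1.0/24) reports the overlap, which is exactly why the LAN stayed visible from the wireless side.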

