What is the best option??



  • Hi, I am running a small ISP-like network in my building. I was using a simple router as DHCP server and several access points in this network. Now I have replaced the router with pfSense.
    Earlier there were fewer users, so I was able to manage every user just by using MAC filtering … but now the users have increased and the network is getting messed up, and pfSense has no simple MAC filtering options like other routers, but I really like the other features of pfSense, it's comprehensive...
    My setup:
    pfsense (as DHCP server)--->>>> switch --->>> accesspoints (20+)--->>>> users (Wifi + Wired)

    5*WAN -->>>1 LAN (gigabit)

    I am using DHCP server with static ARP to manage this network.
    Now I just read about the freeradius and other services which pfsense can manage so can you please suggest about freeradius etc...
    I just want it to be simple and easy to set up, because I don't have 24 hr access to all the rooms where access points are located and it is really hard to change settings for every user...
    This network is only used for Internet!!



  • You can MAC filter with captive portal. Then unauthorized devices can get a page showing why they can't get to the Internet, and you can more easily have specific bandwidth limits for each device. Static ARP is an ok way too.



  • thanks for the feedback … I checked out captive portal ...
    so I just need to specify the per user bandwidth and pass through MACs ?
    But I have a doubt: if I set Pass-through MACs, will those MACs skip the captive portal, or will their bandwidth also be restricted too??
    and if the above is all working ... can I just disable the static ARP ??



  • @rohbawa:

    thanks for the feedback … I checked out captive portal ...
    so I just need to specify the per user bandwidth and pass through MACs ?

    Yes

    @rohbawa:

    But I have a doubt: if I set Pass-through MACs, will those MACs skip the captive portal, or will their bandwidth also be restricted too??

    They skip the CaptivePortal Page so they do not have to enter any username/password but as far as I know they do not bypass the bandwidth limits.

    @rohbawa:

    and if the above is all working … can I just disable the static ARP ??

    Yes

    freeradius package and manage user accounts there. It is not too hard to configure, but from what you told, the MAC pass-through solution is the easiest and fastest one.

    PS: Are your APs running in bridge mode or do they do routing/NAT? If they do routing/NAT there will probably be a problem with CP and MAC pass-through, but in bridge mode - no problem :-)



  • A bit more expansion on Nachfalke's statement:

    "PS: Are your APs running in bridge mode or do they do routing/NAT? If they do routing/NAT there will probably be a problem with CP and MAC pass-through, but in bridge mode - no problem :-)"

    Depends on the APs: if it is a single point then fine, the MAC will pass through, but if you have a bridge in between, such as a wireless backhaul, then depending on the radio it may or may not pass the MAC through. Example: EnGenius will by default, but with UBNT radios you have to set them to WDS mode.



  • All my access points are not routing/NAT … actually the network comprises some routers which are converted to access points, e.g. Dlink DIR 300 or Tplink routers ...
    and some normal access points ... in all of them the DHCP server is disabled and the IPs of all these APs are in the same subnet ... I guess in this mode I need to define only the MACs of users???



  • Depends. Log on with different wireless devices into your system onto the same access point at the same time and see if they come up with the same MAC on both of their IPs. If so, then most likely they will not work that way. You could make sure it is set in bridge mode. Otherwise you can simply use only port 1234 and not use the WAN/Internet port, and turn off DHCP as you already did. That's an easy workaround if you are having your MAC stripped by the router.

    It does not really matter if the APs are on the same subnet. I usually put mine on a different one so that users cannot accidentally locate them and fudge around with them.
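
The check described in the post above (do several devices come up with the same MAC on different IPs?), as an added example that is not part of the original thread. It assumes the ARP table was captured with `arp -an` on the pfSense box; the interface name `em1`, all addresses in the sample, and the function name `shared_macs` are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format `arp -an` prints on FreeBSD (pfSense's base OS).
# Interface name and all addresses are made up for illustration.
SAMPLE_ARP = """\
? (192.168.1.1) at 02:00:00:aa:bb:01 on em1 permanent [ethernet]
? (192.168.1.20) at 02:00:00:10:20:30 on em1 expires in 1104 seconds [ethernet]
? (192.168.1.21) at 02:00:00:0a:0b:0c on em1 expires in 873 seconds [ethernet]
? (192.168.1.22) at 02:00:00:0a:0b:0c on em1 expires in 1190 seconds [ethernet]
? (192.168.1.23) at 02:00:00:0A:0B:0C on em1 expires in 655 seconds [ethernet]
? (192.168.1.40) at (incomplete) on em1 expired [ethernet]
"""

# One resolved entry: "? (ip) at mac on iface ...". "(incomplete)" entries do not match.
ENTRY = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s+on\s+"
    r"(?P<iface>\S+)(?P<rest>.*)"
)


def shared_macs(arp_text, iface=None):
    """Return {mac: [ips]} for every MAC that answers for more than one IP.

    Such a MAC usually belongs to an AP or wireless bridge that rewrites
    client MACs, so a MAC pass-through entry for it covers every device
    behind that AP instead of a single user.
    """
    by_mac = defaultdict(set)
    for line in arp_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # unresolved entries and unrelated lines
        if "permanent" in m.group("rest"):
            continue  # the firewall's own interface addresses
        if iface and m.group("iface") != iface:
            continue
        by_mac[m.group("mac").lower()].add(m.group("ip"))
    return {
        mac: sorted(ips, key=ipaddress.ip_address)
        for mac, ips in by_mac.items()
        if len(ips) > 1
    }


if __name__ == "__main__":
    for mac, ips in shared_macs(SAMPLE_ARP, iface="em1").items():
        print(f"{mac} answers for {len(ips)} addresses: {', '.join(ips)}")
```

Clients behind an AP that is doing routing/NAT do not appear in this table at all; only the AP's own address does. A host with several IP aliases on one interface is also reported, so confirm a hit against the device before treating it as a MAC-rewriting AP.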



  • thanks guys … Everything up and running ... finally I can breathe easy))

