Netgate Discussion Forum

How to secure network from other users

General pfSense Questions
21 Posts 7 Posters 6.0k Views

luke240778 (Mar 22, 2012, 5:45 PM)

Hi all, I have a WISP, so all my clients are connected via antenna to my LAN interface; I control them using Captive Portal and a RADIUS server. My question is this:

I noticed that when I was at one client's doing an install, I could see shared drives and other users' computers when I looked at the network through Windows Explorer. This is very bad and insecure. So, what do I have to do in my pfSense box so that each user has normal access to the Internet but cannot see anything else on the network?

wm408 (Mar 22, 2012, 7:07 PM)

Make an alias for the networks that you want to not talk to each other but only access the Internet. And try something like this:

https://docs.google.com/open?id=0B_a0y09o6CjhdkNVMVNoWjdTd1NuVVE0M0FVZVlDUQ

luke240778 (Mar 22, 2012, 7:14 PM)

Not so sure I understand that. I only have one network: 10.0.0.0/18. I just don't want people being able to see other people's machines or shares that are also connected on that subnet.

So for example my PC is 10.0.0.10 and I don't want to be able to see any other PCs on my network when I go to Networks in Internet Explorer. Understand what I mean?

I believe this can be done with PPPoE, but I don't want to use that.

wm408 (Mar 22, 2012, 7:26 PM)

So please clarify:

You don't want them to be able to talk to each other AT ALL but only access the Internet

or

You don't want them to be able to, specifically and only, "see other people's machines or shares", and also access the Internet

(for example, maybe they could still print to each other, or still access a service like SSH or Remote Desktop on each other's machines…)

dhatz (Mar 22, 2012, 7:26 PM)

Enable "client isolation" in the AP (it might go by a different name, depending on the AP manufacturer).

pfSense is not involved (if I understood your topology correctly).

luke240778 (Mar 22, 2012, 7:35 PM)

@wm408:

I don't want them to be able to talk to each other at all. These are clients, all different houses. I just want them to have Internet but no connection at all to each other.

luke240778 (Mar 22, 2012, 7:37 PM)

@dhatz:

Hmm, I was thinking this, but my APs are all in bridge mode (Layer 2 bridging, I believe it's called).

chpalmer (Mar 22, 2012, 7:43 PM)

"but my APs are all in bridge mode"

What is the make and model of your APs?

wm408 (Mar 22, 2012, 8:14 PM)

Are all your clients on the LAN subnet?

In the picture I provided, set the type on both source and destination to "LAN Subnet".

Make sure the Destination section has the "NOT" checked.

The rule basically says this:

This source subnet can talk to anything EXCEPT (NOT) the LAN subnet, which in your case is effectively the Internet.

If you had multiple subnets, make an alias to include all of your defined subnets, and replace the type like in my original Rule.jpg.

You may need to make a second rule to still allow clients to talk to the gateway IP/LAN IP.

Nachtfalke (Mar 22, 2012, 8:06 PM)

@wm408:

Again:
Read the post dhatz wrote:
That is the only solution. pfSense is not involved. There are no different subnets. The isolation needs to be on the AP on layer 2.

Cisco, for example, is calling this a "Protected port" or a "Private VLAN Edge":

Protected Port—Select to make this a protected port. (A protected port is also referred to as a Private VLAN Edge (PVE).) The features of a protected port are as follows:
- Protected ports provide Layer 2 isolation between interfaces (Ethernet ports and LAGs) that share the same VLAN.
- Packets received from protected ports can be forwarded only to unprotected egress ports. Protected port filtering rules are also applied to packets that are forwarded by software, such as snooping applications.
- Port protection is not subject to VLAN membership. Devices connected to protected ports are not allowed to communicate with each other, even if they are members of the same VLAN.
- Both ports and LAGs can be defined as protected or unprotected. Protected LAGs are described in the Configuring Link Aggregation section.

@luke240778
Check your WLAN hardware for such features. That's your only chance.

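The protected-port behaviour quoted above, written out as a switch configuration. This is an added example, not configuration from anyone in this thread: it assumes a Catalyst-style IOS CLI, that the AP uplinks land on ports 1-22 of a single switch, that the client VLAN is VLAN 10, and that pfSense's LAN interface hangs off port 24. Interface names and the VLAN number are illustrative.

```cisco
! Added example: Cisco IOS "protected port" (Private VLAN Edge) configuration.
! Interface numbers, VLAN 10 and the single-switch layout are assumptions.

! Client-facing ports: every AP/CPE uplink is an access port in the client VLAN
! and is marked protected. The switch never forwards a frame from one protected
! port to another protected port, even though both sit in VLAN 10, so ARP,
! NetBIOS/SMB browsing and everything else between subscribers is dropped at L2.
interface range GigabitEthernet1/0/1 - 22
 description WISP subscriber AP uplink (isolated)
 switchport mode access
 switchport access vlan 10
 switchport protected
 spanning-tree portfast
!
! Uplink to the pfSense LAN interface: same VLAN, deliberately left UNPROTECTED.
! Protected ports may only forward to unprotected ports, so every subscriber can
! still reach the gateway (DHCP, captive portal, RADIUS-gated Internet access)
! while subscribers cannot reach each other.
interface GigabitEthernet1/0/24
 description Uplink to pfSense LAN
 switchport mode access
 switchport access vlan 10
!
! Check the result per port with:
!   show interfaces GigabitEthernet1/0/1 switchport | include Protected
!   show interfaces GigabitEthernet1/0/24 switchport | include Protected
end
```

Two caveats a practitioner should keep in mind. First, protected-port isolation is local to one switch: a protected port on switch A and a protected port on switch B can still talk to each other across an unprotected inter-switch link, so a multi-switch access layer needs private VLANs (an isolated secondary VLAN with the pfSense port as the promiscuous port) or equivalent. Second, this only covers traffic that actually reaches the switch; two stations on the same AP are bridged inside the AP's radio and never hit the switch port, which is exactly why the AP-level "client isolation" discussed in this thread is still required alongside it.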
Gertjan (Mar 23, 2012, 7:22 AM)

More details: http://forum.pfsense.org/index.php/topic,22367.0.html

Think about it:
You have an (one) AP.
Clients connected to this AP can see each other.
You could even take out the network cable that links the AP to pfSense: clients can still see each other.
Conclusion: this is not a pfSense question; this issue must be treated in your AP. It's called Client Isolation.

Now, think about the fact that you have more than one AP.
I have 5 APs.
My pfSense LAN (OPT1, with captive portal function): 192.168.2.1
AP1: 192.168.2.2
AP2: 192.168.2.3
AP3: 192.168.2.4
AP4: 192.168.2.5
AP5: 192.168.2.6

Now, AP Client Isolation mode will NOT work to protect clients connected to AP1 from 'seeing' clients connected to AP2.
See the link I posted above for more information and the solution.

dhatz (Mar 23, 2012, 4:16 PM)

Right, there are basically two ways:

One way would be to do it in the WAPs as Gertjan suggests (assuming your APs have the capability to do L2/L3 filtering; many don't).

Another way would be to do some filtering on the managed switch to which your APs are connected.

luke240778 (Mar 26, 2012, 1:45 AM)

@wm408:

Yes, all clients are on my LAN; my office is also on LAN. My pfSense is running on a Dell PowerEdge 2950, which only has 2 NICs, so I just have WAN and LAN.

luke240778 (Mar 26, 2012, 1:47 AM)

@chpalmer:

Have a mix of:

Ruckus ZF2741
Ubiquiti Rocket M5

luke240778 (Mar 26, 2012, 1:48 AM)

Thanks for all the support on this issue, guys. I am going to look into what I can do on the APs about this, because it really is not a good thing having users being able to see each other's computers and stuff.

biggsy (Mar 26, 2012, 7:41 AM)

Luke,

This is what's in the Ubiquiti APs:

Enable Client Isolation: This option allows packets only to be sent from the external network to the CPE and vice versa (applicable for AP/AP WDS mode only). If Client Isolation is enabled, wireless stations connected to the same AP will not be able to interconnect on both layer 2 (MAC) and layer 3 (IP) level. This is effective for the associated stations and WDS peers also.

I can't see anything equivalent for the Ruckus.

Biggsy

luke240778 (Mar 26, 2012, 4:00 PM)

@mofbineefolve:

Can you provide me information on how I can purchase your product through the Internet? I have been looking since earlier on your wiki page for how to purchase it but I don't see any information.

Say what?

wm408 (Mar 26, 2012, 5:28 PM)

Cool, Luke.

I kept thinking that pfSense was also your AP and that you could control it on the interface itself. Everyone here is correct to say that you need to manage the filtering at the switch itself, or in your case, the AP.

wm408 (Mar 26, 2012, 5:30 PM)

@biggsy:

Ruckus should have these features.

I've tested Ruckus ZF7343 and they are capable of isolating this way.

luke240778 (Mar 27, 2012, 2:01 AM)

Thanks again. I have found the Client Isolation on the Ubiquiti APs but not on the Ruckus APs yet. Will take a look at their manuals when I arrive in the office tomorrow. Hopefully it will work. I am hopefully getting a managed switch soon, so maybe in the end I can do it all on there?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.