How to secure network from other users



  • Hi all, I have a WISP, so all my clients are connected via antenna to my LAN interface; I control them using Captive Portal and a RADIUS server. My question is this:

    I noticed that when I was at one client's doing an install, I could see shared drives and other users' computers when I looked at the network through Windows Explorer. This is very bad and insecure. So, what do I have to do in my pfSense box so that each user has normal access to the Internet but cannot see anything else on the network?



  • Make an alias for the networks that you want to not talk to each other but only access the Internet.  And try something like this:

    https://docs.google.com/open?id=0B_a0y09o6CjhdkNVMVNoWjdTd1NuVVE0M0FVZVlDUQ

    @luke240778:

    Hi all, I have a WISP, so all my clients are connected via antenna to my LAN interface; I control them using Captive Portal and a RADIUS server. My question is this:

    I noticed that when I was at one client's doing an install, I could see shared drives and other users' computers when I looked at the network through Windows Explorer. This is very bad and insecure. So, what do I have to do in my pfSense box so that each user has normal access to the Internet but cannot see anything else on the network?



  • Not so sure I understand that. I only have one network: 10.0.0.0/18. I just don't want people being able to see other people's machines or shares that are also connected on that subnet.

    So for example, my PC is 10.0.0.10 and I don't want to be able to see any other PCs on my network when I go to Network in Internet Explorer. Understand what I mean?

    I believe this can be done with PPPoE, but I don't want to use that.



  • So please clarify:

    You don't want them to be able to talk to each other AT ALL but only access the Internet

    or

    You don't want them to be able to specifically and only "see other people's machines or shares", and also access the Internet

    (for example, maybe they could still print to each other, or still access a service like SSH or Remote Desktop on each other…)

    @luke240778:

    Not so sure I understand that. I only have one network: 10.0.0.0/18. I just don't want people being able to see other people's machines or shares that are also connected on that subnet.

    So for example, my PC is 10.0.0.10 and I don't want to be able to see any other PCs on my network when I go to Network in Internet Explorer. Understand what I mean?

    I believe this can be done with PPPoE, but I don't want to use that.



  • Enable "client isolation" in the AP (it might go by a different name, depending on the AP manufacturer).

    pfSense is not involved (if I understood your topology correctly).



  • @wm408:

    So please clarify:

    You don't want them to be able to talk to each other AT ALL but only access the Internet

    or

    You don't want them to be able to specifically and only "see other people's machines or shares", and also access the Internet

    (for example, maybe they could still print to each other, or still access a service like SSH or Remote Desktop on each other…)

    @luke240778:

    Not so sure I understand that. I only have one network: 10.0.0.0/18. I just don't want people being able to see other people's machines or shares that are also connected on that subnet.

    So for example, my PC is 10.0.0.10 and I don't want to be able to see any other PCs on my network when I go to Network in Internet Explorer. Understand what I mean?

    I believe this can be done with PPPoE, but I don't want to use that.

    I don't want them to be able to talk to each other at all. These are clients, all different houses. I just want them to have Internet but no connection at all to each other.



  • @dhatz:

    Enable "client isolation" in the AP (might go by different name, depending on AP manufacturer).

    pfSense is not involved (if I understood your topology correctly).

    Hmm, I was thinking this, but my APs are all in bridge mode. Layer 2 bridging I believe it's called.



  • but my APs are all in bridge mode

    What is the make and model of your APs?



  • Are all your clients on the LAN subnet?

    In the picture I provided, set the type on both source and destination to "LAN Subnet".

    Make sure the Destination section has the "NOT" checked.

    The rule basically says this:

    This source subnet can talk to anything EXCEPT (NOT) the LAN Subnet.  Which in your case is effectively the Internet.

    If you had multiple subnets, make an Alias to include all of your defined subnets.  And replace the type like my original Rule.jpg.

    You may need to make a second rule to still allow clients to talk to the gateway IP/LAN ip

    @luke240778:

    @dhatz:

    Enable "client isolation" in the AP (might go by different name, depending on AP manufacturer).

    pfSense is not involved (if I understood your topology correctly).

    Hmm, I was thinking this, but my APs are all in bridge mode. Layer 2 bridging I believe it's called.



  • @wm408:

    Are all your clients on the LAN subnet?

    In the picture I provided, set the type on both source and destination to "LAN Subnet".

    Make sure the Destination section has the "NOT" checked.

    The rule basically says this:

    This source subnet can talk to anything EXCEPT (NOT) the LAN Subnet.  Which in your case is effectively the Internet.

    If you had multiple subnets, make an Alias to include all of your defined subnets.  And replace the type like my original Rule.jpg.

    @luke240778:

    @dhatz:

    Enable "client isolation" in the AP (might go by different name, depending on AP manufacturer).

    Pfsense is not involved (if I understood your topology correctly)

    Hmm, I was thinking this, but my APs are all in bridge mode. Layer 2 bridging I believe it's called.

    Again:
    Read the post dhatz wrote:
    That is the only solution. pfSense is not involved. There are no different subnets. The isolation needs to be on the AP at layer 2.

    Cisco, for example, calls this a "Protected port" or a "Private VLAN Edge":

    Protected Port—Select to make this a protected port. (A protected port is also referred to as a Private VLAN Edge (PVE).) The features of a protected port are as follows:
    - Protected Ports provide Layer 2 isolation between interfaces (Ethernet ports and LAGs) that share the same VLAN.
    - Packets received from protected ports can be forwarded only to unprotected egress ports. Protected port filtering rules are also applied to packets that are forwarded by software, such as snooping applications.
    - Port protection is not subject to VLAN membership. Devices connected to protected ports are not allowed to communicate with each other, even if they are members of the same VLAN.
    - Both ports and LAGs can be defined as protected or unprotected. Protected LAGs are described in the Configuring Link Aggregation section.

    @luke240778
    Check your WLAN hardware for such features. That's your only chance.



  • More details: http://forum.pfsense.org/index.php/topic,22367.0.html

    Think about it:
    You have an (one) AP.
    Clients connected to this AP can see each other.
    You could even take out the network cable that links the AP up to pfSense: clients can still see each other.
    Conclusion: this is not a pfSense question; this issue must be treated in your AP. It's called Client Isolation.

    Now, think about the fact that you have more than one AP.
    I have 5 APs.
    My pfSense LAN (OPT1, with captive portal function): 192.168.2.1
    AP1: 192.168.2.2
    AP2: 192.168.2.3
    AP3: 192.168.2.4
    AP4: 192.168.2.5
    AP5: 192.168.2.6

    Now, AP Client Isolation mode will NOT work to protect clients connected on AP1 from 'seeing' clients connected to AP2.
    See the link I posted above for more information and the solution.



  • Right, there are basically two ways:

    One way would be to do it in the WAPs as Gertjan suggests (assuming your APs have the capability to do L2/L3 filtering – many don't).

    Another way would be to do some filtering on the managed switch to which your APs are connected.



  • @wm408:

    Are all your clients on the LAN subnet?

    In the picture I provided, set the type on both source and destination to "LAN Subnet".

    Make sure the Destination section has the "NOT" checked.

    The rule basically says this:

    This source subnet can talk to anything EXCEPT (NOT) the LAN Subnet.  Which in your case is effectively the Internet.

    If you had multiple subnets, make an Alias to include all of your defined subnets.  And replace the type like my original Rule.jpg.

    You may need to make a second rule to still allow clients to talk to the gateway IP/LAN ip

    @luke240778:

    @dhatz:

    Enable "client isolation" in the AP (might go by different name, depending on AP manufacturer).

    pfSense is not involved (if I understood your topology correctly).

    Hmm, I was thinking this, but my APs are all in bridge mode. Layer 2 bridging I believe it's called.

    Yes, all clients are on my LAN; my office is also on LAN. My pfSense is running on a Dell PowerEdge 2950 which only has 2 NICs, so I just have WAN and LAN.



  • @chpalmer:

    but my APs are all in bridge mode

    What is the make and model of your APs?

    I have a mix of:

    Ruckus ZF2741
    Ubiquiti Rocket M5



  • Thanks for all the support on this issue, guys. I am going to look into what I can do on the APs about this, because it really is not a good thing having users being able to see each other's computers and stuff.



  • Luke,

    This is what's in the Ubiquiti APs:

    Enable Client Isolation: This option allows packets only to be sent from the external network to the CPE and vice versa (applicable for AP/AP WDS mode only). If Client Isolation is enabled, wireless stations connected to the same AP will not be able to interconnect on both layer 2 (MAC) and layer 3 (IP) level. This is effective for the associated stations and WDS peers also.

    I can't see anything equivalent for the Ruckus.

    Biggsy



  • @mofbineefolve:

    Can you provide me with information on how I can purchase your product through the Internet? I have been looking since earlier on your wiki page for how to purchase it, but I don't see any information.

    Say what?



  • Cool Luke.

    I kept thinking that pfSense was also your AP and that you could control it on the interface itself.  Everyone here is correct to say that you need to manage the filtering at the switch itself, or in your case, AP.

    @luke240778:

    Thanks for all the support on this issue, guys. I am going to look into what I can do on the APs about this, because it really is not a good thing having users being able to see each other's computers and stuff.



  • Ruckus should have these features.

    I've tested the Ruckus ZF7343 and they are capable of isolating this way.

    @biggsy:

    Luke,

    This is what's in the Ubiquiti APs:

    Enable Client Isolation: This option allows packets only to be sent from the external network to the CPE and vice versa (applicable for AP/AP WDS mode only). If Client Isolation is enabled, wireless stations connected to the same AP will not be able to interconnect on both layer 2 (MAC) and layer 3 (IP) level. This is effective for the associated stations and WDS peers also.

    I can't see anything equivalent for the Ruckus.

    Biggsy



  • Thanks again. I have found the Client Isolation on the Ubiquiti APs but not on the Ruckus APs yet. I will take a look at their manuals when I arrive in the office tomorrow. Hopefully it will work. I am hopefully getting a managed switch soon, so maybe in the end I can do it all on there?



  • @luke240778:

    Thanks again. I have found the Client Isolation on the Ubiquiti APs but not on the Ruckus APs yet. I will take a look at their manuals when I arrive in the office tomorrow. Hopefully it will work. I am hopefully getting a managed switch soon, so maybe in the end I can do it all on there?

    If the customers connect directly to your WLAN AP then you must configure that on the AP. The switch behind the AP does not really help, because all clients connected to the same WLAN AP will continue to talk to each other.

    Example:

    customer ------\
    customer ------ AP -----
    customer ------/

    Isolation on the AP is needed to block connections between clients.

    customer ------\
    customer ------ AP1 ------\
    customer ------/           \
                                Switch
    customer ------\           /
    customer ------ AP2 ------/
    customer ------/

    If isolation can only be done on the switch, then there is no communication possible between customers on AP1 and customers on AP2, but the customers on the same AP can still communicate.
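
    Gertjan's "pull the cable to pfSense" argument and the two-AP diagram in the post above can be checked with a small forwarding model. The Python below is an added example, not code from this thread or from pfSense, Ubiquiti or Ruckus. The client names, their addresses, which AP each sits on and the 10.0.0.1 gateway address are constructed; the only things taken from the thread are the 10.0.0.0/18 subnet and the four claims the model encodes: same-subnet traffic is bridged at layer 2 and never reaches pfSense, AP Client Isolation covers stations on the same AP only, protected (PVE) switch ports cover traffic between APs, and wm408's "LAN subnet to NOT LAN subnet" rule only sees packets that are actually sent to pfSense (including ones addressed to the gateway itself, hence the second allow rule).

```python
"""Where does client-to-client traffic actually get switched in the WISP
topology from this thread?  Constructed model: clients on one /18 behind
wireless APs, APs on one switch, switch on the pfSense LAN port."""
import ipaddress
from dataclasses import dataclass, field

LAN = ipaddress.ip_network("10.0.0.0/18")   # the single subnet named in the thread
GATEWAY = ipaddress.ip_address("10.0.0.1")  # assumed pfSense LAN address (not in the thread)


@dataclass
class Topology:
    ip: dict                                  # client name -> IPv4 address (constructed)
    ap_of: dict                               # client name -> AP it associates with
    ap_isolation: set = field(default_factory=set)   # APs with Client Isolation enabled
    switch_protected: bool = False            # AP-facing switch ports set as protected/PVE
    pfsense_blocks_lan_to_lan: bool = False   # wm408's "LAN subnet -> NOT LAN subnet" block rule


def forward(topo, src, dst):
    """Return (delivered, devices_on_path) for a packet from client `src` to
    `dst`, where `dst` is a client name or a literal IP (gateway, Internet)."""
    dst_ip = ipaddress.ip_address(topo.ip.get(dst, dst))
    src_ap = topo.ap_of[src]

    if dst_ip in LAN and dst_ip != GATEWAY:
        # Same subnet: the sender ARPs for dst and the frame is bridged at
        # layer 2.  pfSense is not on the path, so its rules never run.
        dst_ap = topo.ap_of[dst]
        if src_ap == dst_ap:
            # Only the AP's own Client Isolation can stop this frame.
            return (src_ap not in topo.ap_isolation, [src_ap])
        # Different APs: the frame crosses the switch; AP isolation does not
        # cover it, protected (PVE) ports on the switch do.
        return (not topo.switch_protected, [src_ap, "switch", dst_ap])

    # The gateway itself or anything outside the /18 is sent to pfSense.
    path = [src_ap, "switch", "pfSense"]
    if dst_ip == GATEWAY and topo.pfsense_blocks_lan_to_lan:
        # The NOT-LAN rule also matches the gateway address, which is why
        # wm408 notes a second allow rule may be needed.
        return (False, path)
    return (True, path)


def client_pairs_that_can_talk(topo):
    """Ordered (src, dst) client pairs that can still reach each other."""
    names = sorted(topo.ip)
    return {(a, b) for a in names for b in names
            if a != b and forward(topo, a, b)[0]}


# Constructed sample: two customers on AP1, one on AP2, all in 10.0.0.0/18.
CLIENTS = {"alice": "10.0.0.10", "bob": "10.0.5.7", "carol": "10.0.40.2"}
AP_OF = {"alice": "AP1", "bob": "AP1", "carol": "AP2"}


def scenarios():
    """Each proposal from the thread applied on its own to the same topology."""
    return {
        "baseline": Topology(CLIENTS, AP_OF),
        "pfSense block rule only": Topology(CLIENTS, AP_OF, pfsense_blocks_lan_to_lan=True),
        "Client Isolation on AP1 only": Topology(CLIENTS, AP_OF, ap_isolation={"AP1"}),
        "switch protected ports only": Topology(CLIENTS, AP_OF, switch_protected=True),
        "AP isolation + protected ports": Topology(
            CLIENTS, AP_OF, ap_isolation={"AP1", "AP2"}, switch_protected=True),
    }


if __name__ == "__main__":
    for name, topo in scenarios().items():
        talk = client_pairs_that_can_talk(topo)
        inet, path = forward(topo, "alice", "8.8.8.8")
        gw, _ = forward(topo, "alice", "10.0.0.1")
        print(f"{name:32} client pairs reachable: {len(talk)}  "
              f"Internet: {'ok' if inet else 'BLOCKED'} via {'/'.join(path)}  "
              f"gateway: {'ok' if gw else 'BLOCKED'}")
```

    Running it prints one line per scenario. The pfSense-only rule leaves all six client pairs reachable (and breaks access to the gateway address), isolation on one AP only empties that AP, protected ports only separate the APs from each other, and just the combination of AP isolation plus protected switch ports leaves zero reachable pairs while Internet traffic via pfSense still passes. Once the real APs and switch are configured, the same check is done in practice from one customer's machine by trying to ARP, ping and open port 445 on another customer's address.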

