Netgate Discussion Forum

    How to secure network from other users

    General pfSense Questions

    • D
      dhatz
      last edited by

      Right, there are basically two ways:

      One way would be to do it in the WAPs as Gertjan suggests (assuming your APs have the capability to do L2/L3 filtering – many don't).

      Another way would be to do some filtering on the managed switch to which your APs are connected.

      • L
        luke240778
        last edited by

        @wm408:

        Are all your clients on the LAN subnet?

        In the picture I provided, set the type on both source and destination to "LAN Subnet".

        Make sure the Destination section has the "NOT" checked.

        The rule basically says this:

        This source subnet can talk to anything EXCEPT (NOT) the LAN Subnet, which in your case is effectively the Internet.

        If you had multiple subnets, make an Alias to include all of your defined subnets, and replace the type as in my original Rule.jpg.

        You may need to make a second rule to still allow clients to talk to the gateway IP/LAN IP.

        @luke240778:

        @dhatz:

        Enable "client isolation" in the AP (might go by different name, depending on AP manufacturer).

        Pfsense is not involved (if I understood your topology correctly)

        Hmm, I was thinking this, but my APs are all in Bridge mode. Layer 2 bridging, I believe it's called.

        Yes, all clients are on my LAN; my office is also on LAN. My pfSense is running on a Dell PowerEdge 2950 which only has 2 NICs, so I just have WAN and LAN.

        • L
          luke240778
          last edited by

          @chpalmer:

          but my AP's are all in Bridge mode

          What is the make and model of your AP's?

          Have a mix of:

          Ruckus ZF2741
          Ubiquiti Rocket M5

          • L
            luke240778
            last edited by

            Thanks for all the support on this issue guys. I am going to look into what I can do on the APs about this, because it really is not a good thing having users being able to see each other's computers and stuff.

            • B
              biggsy
              last edited by

              Luke,

              This is what's in the Ubiquiti APs:

              Enable Client Isolation: This option allows packets only to be sent from the external network to the CPE and vice versa (applicable for AP/AP WDS mode only). If the Client Isolation is enabled, wireless stations connected to the same AP will not be able to interconnect on both layer 2 (MAC) and layer 3 (IP) level. This is effective for the associated stations and WDS peers also.

              I can't see anything equivalent for the Ruckus.

              Biggsy

              • L
                luke240778
                last edited by

                @mofbineefolve:

                Can you provide me information on how I can purchase your product through the internet? I have been looking since earlier on your wiki page for how to purchase it, but I don't see any information.

                Say what?

                • W
                  wm408
                  last edited by

                  Cool Luke.

                  I kept thinking that pfSense was also your AP and that you could control it on the interface itself. Everyone here is correct to say that you need to manage the filtering at the switch itself, or in your case, AP.

                  @luke240778:

                  Thanks for all the support on this issue guys. I am going to look into what I can do on the APs about this, because it really is not a good thing having users being able to see each other's computers and stuff.

                  • W
                    wm408
                    last edited by

                    Ruckus should have these features.

                    I've tested Ruckus zf7343 and they are capable of isolating this way.

                    @biggsy:

                    Luke,

                    This is what's in the Ubiquiti APs:

                    Enable Client Isolation: This option allows packets only to be sent from the external network to the CPE and vice versa (applicable for AP/AP WDS mode only). If the Client Isolation is enabled, wireless stations connected to the same AP will not be able to interconnect on both layer 2 (MAC) and layer 3 (IP) level. This is effective for the associated stations and WDS peers also.

                    I can't see anything equivalent for the Ruckus.

                    Biggsy

                    • L
                      luke240778
                      last edited by

                      Thanks again. I have found the Client Isolation on the Ubiquiti APs but not on the Ruckus APs yet. Will take a look at their manuals when I arrive in the office tomorrow. Hopefully it will work. I am hopefully getting a managed switch soon, so maybe in the end I can do it all on there?

                      • N
                        Nachtfalke
                        last edited by

                        @luke240778:

                        Thanks again. I have found the Client Isolation on the Ubiquiti APs but not on the Ruckus APs yet. Will take a look at their manuals when I arrive in the office tomorrow. Hopefully it will work. I am hopefully getting a managed switch soon, so maybe in the end I can do it all on there?

                        If the customers connect directly to your WLAN AP then you must configure that on the AP. The switch behind the AP does not really help because all clients connected to the same WLAN AP will continue to talk to each other.

                        Example:
                        customer------\
                        customer ------ AP -----
                        customer------/
                        Isolation on the AP is needed to block connections between clients.

                        customer------\
                        customer ------ AP1 --------\
                        customer------/              \
                                                      Switch
                        customer------\              /
                        customer ------ AP2 --------/
                        customer------/

                        If isolation can only be done on the switch, then there is no communication possible between customers on AP1 and customers on AP2, but the customers on the same AP can still communicate.

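An added illustration, not code from the thread or from Netgate: a small Python model of the topology Nachtfalke sketched, showing why wm408's "LAN subnet to NOT LAN subnet" rule on pfSense cannot block client-to-client traffic (it never reaches pfSense) and where AP client isolation and switch port isolation each take effect. The client names, AP names and isolation flags are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class FlatLan:
    """Wireless clients on bridged APs, all APs on one switch, pfSense as the
    only gateway (the thread's topology). Every name here is constructed."""
    client_ap: dict                                  # client -> AP it is associated with
    ap_isolation: set = field(default_factory=set)   # APs with "client isolation" enabled
    switch_port_isolation: bool = False              # AP uplink ports cannot reach each other

    def path(self, src, dst):
        """Hops a frame from src to dst traverses; 'internet' lies beyond pfSense."""
        src_ap = self.client_ap[src]
        if dst == "internet":
            return [src_ap, "switch", "pfsense"]
        dst_ap = self.client_ap[dst]
        if src_ap == dst_ap:
            return [src_ap]                          # same AP: the frame never leaves the radio
        return [src_ap, "switch", dst_ap]            # different APs: bridged across the switch

    def blocked_by(self, src, dst):
        """Name of the first hop whose policy drops the traffic, or None if allowed."""
        hops = self.path(src, dst)
        for hop in hops:
            if hop == "pfsense":
                # wm408's rule: pass "LAN subnet" -> NOT "LAN subnet". pfSense can only
                # evaluate traffic that reaches it, and client-to-client frames never do.
                if dst != "internet":
                    return hop
            elif hop == "switch":
                # Port isolation on the AP uplinks stops AP1 <-> AP2, never same-AP pairs.
                if self.switch_port_isolation and hops[-1] != "pfsense":
                    return hop
            elif hop in self.ap_isolation and len(hops) == 1:
                # Client isolation forwards station traffic only to the uplink, so it
                # blocks station-to-station on that AP and nothing else.
                return hop
        return None

def reachability(lan, clients):
    """Map each (src, dst) pair, including dst='internet', to the blocking hop or None."""
    targets = list(clients) + ["internet"]
    return {(a, b): lan.blocked_by(a, b) for a in clients for b in targets if a != b}

if __name__ == "__main__":
    sample = {"alice": "AP1", "bob": "AP1", "carol": "AP2"}     # constructed sample LAN
    print(reachability(FlatLan(sample, ap_isolation={"AP1", "AP2"}), sample))
```

Run it with only `switch_port_isolation=True` and alice still reaches bob, which is the point of Nachtfalke's second diagram.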
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.