Netgate Discussion Forum

    Access to LAN from OPT1 for 1 client only

      jp0469

      I recently set up a friend's small business network with pfSense as firewall and internet gateway.  His server (which I manage) and office PCs are on the LAN and the OPT1 port has a WAP plugged into it for guest wifi.  The guest wifi has no access to the LAN.  Can I configure it so that when 1 specific laptop connects wirelessly, it will get an address on the LAN instead of OPT1 and have access to the server?  When I have to do admin work on the server, I would prefer to do it wirelessly.  Even if I have to get an address on the OPT1 network, as long as I can access resources on the LAN segment, I'll be happy.

      JP

        bjr72

        I may not be of much help, but on my WAP, I plug it directly into my switch, which is directly plugged into the pfSense LAN network interface card.  WAP as far as I know is just a wireless link and cannot assign IPs for hosts on its own.  WAP must be connected to a network which assigns IPs.

        If your WAP plugs into another OPT1 NIC card, and I'm taking a WILD guess here, you need to set up your OPT1 interface to issue IPs or somehow link the OPT1 interface to your LAN (same subnet???) and restrict the users that WAP will allow.

        I don't understand why you are plugging the WAP into another OPT1 NIC, rather than plugging directly into the existing LAN and obtaining an IP that way?  You can restrict users to yourself only for server administration.

          cmb

          You can't assign an IP on the LAN on a different network. You can assign a specific IP on the wifi subnet and allow that through via firewall rules. Generally better to just VPN in instead given there isn't any real security being offered by doing that, protection from users who don't know they're being malicious (infected hosts) at best.

            jp0469

            So if I go the route of setting up a DHCP reservation for my laptop on the guest LAN and then create a rule that allows me to poke through into the main LAN, what are the security risks?  What is a better option?

              cmb

              Anyone on that network could see you're doing that, assign your IP to themselves (and MAC if needed), and get through to the LAN. Would have to be a network that's at risk from such things, most people wouldn't have to worry about that.

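Added example, not part of the original thread: a detection check for the risk described in the post above, where another guest takes over the reserved IP that the pass rule trusts. It reads FreeBSD-style `arp -an` output and flags the reserved IP when it resolves to a MAC other than the expected one; the IP, MAC, interface names and sample lines are constructed assumptions.

```shell
#!/bin/sh
# Added example. All addresses and interface names are constructed values.
RESERVED_IP="192.168.2.50"        # assumed DHCP reservation on the guest subnet
RESERVED_MAC="00:11:22:33:44:55"  # assumed MAC of the admin laptop

# check_arp IP MAC
# Reads `arp -an` lines on stdin and prints one ALERT line for every entry
# where IP is currently claimed by a MAC other than MAC.
check_arp() {
    awk -v ip="$1" -v mac="$2" '
        {
            # Line layout: ? (ip) at mac on ifname ...
            entry_ip = $2
            gsub(/[()]/, "", entry_ip)
            entry_mac = tolower($4)
            if (entry_ip != ip) next                 # not the reserved address
            if (entry_mac == "(incomplete)") next    # unresolved entry, no MAC yet
            if (entry_mac != tolower(mac))
                printf "ALERT %s claimed by %s on %s\n", entry_ip, entry_mac, $6
        }'
}

# Constructed sample: the reserved IP is held by the expected laptop.
sample_clean() {
cat <<'EOF'
? (192.168.1.10) at 00:aa:bb:cc:dd:01 on em1 expires in 1100 seconds [ethernet]
? (192.168.2.50) at 00:11:22:33:44:55 on em2 expires in 900 seconds [ethernet]
? (192.168.2.77) at 00:aa:bb:cc:dd:02 on em2 expires in 1190 seconds [ethernet]
EOF
}

# Constructed sample: a different guest device now answers for the reserved IP.
sample_spoofed() {
cat <<'EOF'
? (192.168.1.10) at 00:aa:bb:cc:dd:01 on em1 expires in 1100 seconds [ethernet]
? (192.168.2.50) at 00:aa:bb:cc:dd:02 on em2 expires in 1195 seconds [ethernet]
EOF
}

# Demonstration on the constructed samples: only the second prints an alert.
sample_clean   | check_arp "$RESERVED_IP" "$RESERVED_MAC"
sample_spoofed | check_arp "$RESERVED_IP" "$RESERVED_MAC"
```

On a live firewall the input would be `arp -an | check_arp "$RESERVED_IP" "$RESERVED_MAC"`, run periodically. A device that also clones the MAC, as the post notes is possible, produces an identical ARP entry and is not caught by this check.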
                jp0469

                OK, the risk should be negligible then.  The wifi is only used by a couple of visitors a month during meetings.  Even if someone poked through, all file shares require user authentication and the server itself is only accessible through SSH with key-based authentication.  In fact, I may just eliminate all risk and disable the rule that lets me through and only re-enable it when absolutely needed.  Thanks for all the input.
