Access to LAN from OPT1 for 1 client only

  • I recently set up a friend's small business network with pfSense as firewall and internet gateway.  His server (which I manage) and office PC's are on the LAN and the OPT1 port has a WAP plugged into it for guest wifi.  The guest wifi has no access to the LAN.  Can I configure it so that when 1 specific laptop connects wirelessly, it will get an address on the LAN instead of OPT1 and have access to the server?  When I have to do admin work on the server, I would prefer to do it wirelessly.  Even if I have to get an address on the OPT1 network, as long as I can access resources on the LAN segment, I'll be happy.


  • I may not be of much help, but on my WAP, I plug it directly into my switch, which is directly plugged into the Pfsense LAN network interface card.  WAP as far as I know is just a wireless link and cannot assign IP's for hosts on it's own.  WAP must be connected to a network which assigns IP's.

    If your WAP plugs into another OPT1 NIC card, and I'm taking a WILD guess here, you need to setup your OPT1 interface to issue IP's or somehow link the OP1 interface to your LAN (same subnet???) and restrict the users that WAP will allow.

    I don't understand why you are plugging the WAP into another OPT1 NIC, rather than plugging directly into the existing LAN and obtain IP that way?  You can restrict users to yourself only for server administration.

  • you can't assign an IP on the LAN on a different network. You can assign a specific IP on the wifi subnet and allow that through via firewall rules. Generally better to just VPN in instead given there isn't any real security being offered by doing that, protection from users who don't know they're being malicious (infected hosts) at best.

  • So if I go the route of setting up a DHCP reservation for my laptop on the guest LAN and then create a rule that allows me to poke through into the main LAN, what are the security risks?  What is a better option?

  • Anyone on that network could see you're doing that, assign your IP to themselves (and MAC if needed), and get through to the LAN. Would have to be a network that's at risk from such things, most people wouldn't have to worry about that.

  • OK, the risk should be negligible then.  The wifi is only used by a couple of visitors a month during meetings.  Even if someone poked through, all file shares require user authentication and the server itself is only accessible through SSH with key-based authentication.  In fact, I may just eliminate all risk and disable the rule that lets me through and only re-enable it when absolutely needed.  Thanks for all the input.