WiFi - specific user authentication to use lan resources.

  • I have a pfsense box with 3 nics in it.

    nic 1. wan
    nic 2. lan - Wired connections
    nic 3. opt1 - Wireless connections (hooked to netgear n600 with dhcp disabled and using 2 wireless modes, private and public.

    What I would like to do is make it possible for people to connect to the private wifi connection and have access to the lan servers, and have people that connect to the public (free wifi) to not have any access to files or folders on the lan.
    I know that everything coming in on opt1 is just the same connection and pfsense does not see the difference between the 2 connections that the wireless AP is using, but is there someway to either use mac filtering, user authentication or something I can use to allow specific people to use lan resources and still be completely unaccessible to public wifi connections?

  • Way over my head but you might search for vlan or virtual lan and see if that might be what you want.

  • You'll need to configure your wireless AP to tag traffic from each SSID (private/public) to a VLAN (and create respective VLANs on pfsense). As long as it's only one AP you may not even need a VLAN-aware switch.

    If the stock firmware doesn't allow you to configure VLANs, you'd have to try one of the *WRT distros, however a quick googling suggests the device isn't supported (yet).

  • Yeah ddwrt is not an option as of yet, I know the n600 has vlan support but I am not sure how much I can configure it, right now it is set to isolate the public network on 2.4 and 5ghz from the private network on 2.4 and 5ghz. But when they come down the line to the pfsense box it just sees everything as one connection with no difference, I will check later to see if separating them is possible. If this is not an option, is there a different way to accomplish this? Such as radius authentication or something? I am willing to explore all options, even install a seperate box to handle user authentication or something, I have computers to spare for open source stuff, and windows 2008 r2 if needed ( id rather not go down that road yet its time consuming).

  • So I have discovered after a few test, that the wireless AP n600 separated the connections physically when I enable wireless isolation on the guest network. When I enable this, all lan traffic is routed through the lan ports and wan and the guest network is routed only through the WAN port. Being that the WAN port is unplugged because pfsense is handing out the DHCP to the router, the wireless will connect to the network but will not get any internet, it is a dead connection. When I plug the pfsense into the wan port while keeping the current connection in port 1 on the n600 my whole network went down. I think I created a broadcast storm or something. Anyway after restarting everything unplugging the connection from the n600 wan port, all was good again, but not if I disable wireless isolation on my n600 it will use the regular lan ports on the n600 and it will have a connection this is good but, I can access my lan server and other lan stuff which is what I still don't want on the public connection.

    I thought about denying unknown connection but this defeats the purpose of public wifi. So my next option is to install another nic card in the pfsense box, add another wifi AP and make that strictly for guest and completely isolate it from my lan network. I really would like to know if there is a way around this with out spending money, my budget is next to nothing as in on the negative side of things so any other suggestions would be good.

  • Thought: I can add a nic card to the pfsense box itself… :) I will need a SFF card to fit. I think I will research this option.

Log in to reply