How to block the webgui for an AP from clients on same vlan



  • Hi there,

    I have a setup with multiple vlans, and pfsense acting in router on stick mode.
    One of these vlans have a wireless AP plugged into it to service wireless clients.
    How can I block the clients from accessing the webgui of the AP (besides passwording it).

    I originally had a block rule in pfsense but realized this does not work as traffic from wireless clients to AP will not go thru the firewall but be handled instead by the switch.



  • You can't.
    You can use VLANS though…
    Put AP on its own VLAN.

    Make sure that the AP and the rest of your stuff don't share VPIDs EXCEPT for pfsense.

    So, lets say you have a 8 port switch and 6 things connected to it you want to be able to talk + 1 AP you want to isolate from the other clients.  Set the ports you connect all the other things to untagged VPID 50 (or whatever).  Set the port you connect your AP to untagged VPID 60 (or whatever).  The port that connects to pfsense should be a trunk connecting tagged 60 and 50 and probably 1.

    You will need to set up VLANs inside pfsense for each of those.

    Then, you can set firewall rules.  It will keep them separate.



  • @kejianshi:

    You can't.
    You can use VLANS though…
    Put AP on its own VLAN.

    Make sure that the AP and the rest of your stuff don't share VPIDs EXCEPT for pfsense.

    So, lets say you have a 8 port switch and 6 things connected to it you want to be able to talk + 1 AP you want to isolate from the other clients.  Set the ports you connect all the other things to untagged VPID 50 (or whatever).  Set the port you connect your AP to untagged VPID 60 (or whatever).  The port that connects to pfsense should be a trunk connecting tagged 60 and 50 and probably 1.

    You will need to set up VLANs inside pfsense for each of those.

    Then, you can set firewall rules.  It will keep them separate.

    Yes this is my setup.  The AP is on it's own VLAN but while this is so, I don't want the wireless clients having the functionality to being able to telnet or http into the AP.

    The AP it self has a firewall so I am messing around there to see if I can use IPtables on there to get a reasonable result, but no luck so far.


  • Banned

    Considering this to be fairly frequent request… this is doable with lighttpd configuration, however requires whitelisting individual IPs with IPv6 enabled (no subnet support), or disabling IPv6 there.



  • @doktornotor:

    Considering this to be fairly frequent request… this is doable with lighttpd configuration, however requires whitelisting individual IPs with IPv6 enabled (no subnet support), or disabling IPv6 there.

    I was able to update the iptables of the AP itself to block telnet, http, and https when the src address is in the wlan client range and the destination was the ip of the AP.  This seems to do what I wanted.



  • Thats cool.  But if the AP was on its own subnet and own VLAN, you shouldn't have needed to do it on the AP.  Pfsense firewall should have taken care of that fine.


  • Banned

    @pfsenseboonie:

    I was able to update the iptables of the AP itself to block telnet, http, and https when the src address is in the wlan client range and the destination was the ip of the AP.  This seems to do what I wanted.

    Certainly an option as well if messing with lighttpd (or whatever other webserver) config is not an option… though people just usually turn any firewall completely off on the AP.



  • @kejianshi:

    Thats cool.  But if the AP was on its own subnet and own VLAN, you shouldn't have needed to do it on the AP.  Pfsense firewall should have taken care of that fine.

    Can you elaborate?
    The AP is on it's own subnet and own vlan.  So when clients connect they are part of that vlan with ips in the subnet range of the AP.



  • haha - Ohhhhh.  I thought it was the clients on the other VLAN you wanted to keep off the interface.
    Now I see what you mean.    :P


Log in to reply