Blocking off wireless network.



  • My current setup is my pfsense machine plugged into my powerconnect 2724 and then I've got a wireless router plugged into the switch.

    I'm looking for the best way to isolate certain traffic from the WLAN network from hitting things within my LAN network.

    I don't wanna block off WLAN from LAN entirely. But I'm looking for ideas on how to have pretty much just my phone or any other devices I want to add in the future that are connected via WLAN be able to access stuff on my LAN network.

    Router is set up on 192.168.2.x
    pfsense box is set up on 10.0.0.x

    Right now the two can't communicate with anything on each other's networks, period.

    Ultimately I want my router to run DHCP leases through my pfsense box. I experimented with that a little bit but ended up having to reset my router about 20 times because I was no longer able to communicate w/ it even after setting my IP as a static on the router.

    Any tips?



  • WTF - You are doing it wrong…

    Make pfsense your sole router - no double NAT.
    Give the WLAN either its own interface and subnet or its own vlan and subnet.

    Then you can control all this as you like.  So, WTF...  Enjoy.



  • The only other way I could add WLAN to my pfsense box is if I did a USB interface.

    Not a horrible idea really.



  • WTF - You can't use a wireless AP plugged into a NIC?  Like all the rest of us?
    Well - maybe not ALL of us, but a lot…



  • @kejianshi:

    WTF - You can't use a wireless AP?  Like all the rest of us?

    No, I'm complicated :)



  • I do have a 3rd NIC available to me on the pfsense box….

    But how do I still accomplish what it is I'm looking to do?



  • Use that 3rd NIC and put your AP on that - Then you will have very fine control over what can talk to what.
    That sounds good to me.  I say WTF…  Why not try it.

    P.S.  "Ultimately I want my router to run DHCP leases through my pfsense box".

    Why wouldn't you have pfsense doing the routing, firewalling, and DHCP?  I read somewhere it's pretty good at those things...



  • @kejianshi:

    Use that 3rd NIC and put your AP on that - Then you will have very fine control over what can talk to what.
    That sounds good to me.  I say WTF…  Why not try it.

    The only reason I'm hesitant to do that is because it's an onboard NIC, not really a bad thing but wouldn't using onboard use more processing power as compared to using the Intel dual GbE NIC I'm using now?…

    And let's say theoretically I do take that approach and plug the AP into my 3rd NIC,

    How does it have to be set up necessarily (I R NETWURK NEWB), are we talking about the AP pulling DHCP leases from the pfsense box or what?

    And to block the router from having access to webUI I'd just set up a firewall rule I assume.


  • Banned

    @CaptainWTF:

    I do have a 3rd NIC available to me on the pfsense box….

    But how do I still accomplish what it is I'm looking to do?

    As already said above:

    • Make pfSense your (only) router.
    • On pfSense, create a reserved subnet for the WLAN
    • Disable WAN on the AP, disable everything else (like DHCP server, etc.)
    • Configure purely as AP
    • Plug into the third NIC


  • Onboard isn't necessarily bad. - Onboard NIC might be good.  Depends on the NIC.
    I doubt seriously it will cause any noticeable increase in system overhead.

    WTF - YOLO…  Give it a shot.  You might like it.

    (You are lucky your name isn't CaptainMF)

    "are we talking about the ap pulling DHCP leases from the pfsense box or what?"

    Ahhhhhhhh....  Yeah. ;)
    There are some special APs that will let you do that...  Like - All of them.



  • Alright, let's see what I can do here lol.



  • Cool - Do it exactly the way doktornotor described above - When you add the new interface, don't forget to activate DHCP and to give it a new / unique IP and DHCP range.  Then set firewall rules to allow traffic, similar to what you have on LAN (I hope).
    And WTF, if you have any issues, I'll check back to see if I can help.  It's not difficult.



  • I haven't a clue what the fuck happened but now the machine doesn't work at all. I don't even get video output from it…. -.- Gonna do a bios reset and let it sit for a bit.


  • Banned

    Well, if the machine's hostname is "wtf", that'd kinda explain it…  ;D ;D ;D



  • @doktornotor:

    Well, if the machine's hostname is "wtf", that'd kinda explain it…  ;D ;D ;D

    LOL, well I've an HDMI, VGA, and DVI port on this beast. I checked DVI/HDMI, no go. So I pulled power to PSU, shut off PSU, pulled CMOS battery, jumped the reset pins on the board, let it sit for 5 min. Now it shows me something on the screen. So let me see if I can't get back to breaking stuff. :P



  • So now I have WAN, LAN, and OPT1 interfaces.

    Renamed OPT1 to AP

    Type should be?…. DHCP or static?

    Should be static...

    Now as far as what kejianshi said about giving it a new IP and DHCP range elaborate further?


  • Banned

    Just set up DHCP server on the AP interface.



  • The OPT1 should have a static IP just like the LAN, but a different subnet.
    Then go to DHCP server and set up DHCP for that interface, just like the LAN (but different subnet).

    WTF - You can do it…

    Purely for instance:

    LAN - Static IP of 10.10.30.1 set up as a /24 and in DHCP range of 10.10.30.50 - 10.10.30.150

    OPT1 - Static IP of 10.10.40.1 set up as a /24 and in DHCP range of 10.10.40.50 - 10.10.40.150

    Just as an example...

    If that doesn't work, I don't know WTF is wrong...  Captain.
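
Added example (not part of any post in this thread): a Python check of the addressing plan suggested above, which verifies that each DHCP pool sits inside its interface's subnet, that the AP's static address stays outside the pool, and that the LAN and OPT1 subnets do not overlap. The AP address 10.10.40.2 and the broken plan are constructed assumptions.

```python
import ipaddress

def check_interface(name, cidr, pool, static_hosts=()):
    """Return a list of addressing problems for one pfSense interface."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    lo, hi = (ipaddress.ip_address(a) for a in pool)
    problems = []
    if lo > hi:
        problems.append(f"{name}: DHCP pool start is above pool end")
    for addr in (lo, hi):
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: pool address {addr} is not a usable host in {net}")
    if lo <= iface.ip <= hi:
        problems.append(f"{name}: interface IP {iface.ip} is inside the DHCP pool")
    for host in map(ipaddress.ip_address, static_hosts):
        if host not in net:
            problems.append(f"{name}: static host {host} is outside {net}")
        elif lo <= host <= hi:
            problems.append(f"{name}: static host {host} is inside the DHCP pool")
        elif host == iface.ip:
            problems.append(f"{name}: static host {host} duplicates the interface IP")
    return problems

def check_plan(plan):
    """Check every interface, then make sure no two subnets overlap."""
    problems, nets = [], []
    for name, cfg in plan.items():
        problems += check_interface(name, **cfg)
        nets.append((name, ipaddress.ip_interface(cfg["cidr"]).network))
    for i, (a, net_a) in enumerate(nets):
        for b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{a} and {b}: subnets {net_a} and {net_b} overlap")
    return problems

# The plan from the post above; the AP's static address 10.10.40.2 is an assumption.
GOOD_PLAN = {
    "LAN":  {"cidr": "10.10.30.1/24", "pool": ("10.10.30.50", "10.10.30.150")},
    "OPT1": {"cidr": "10.10.40.1/24", "pool": ("10.10.40.50", "10.10.40.150"),
             "static_hosts": ["10.10.40.2"]},
}
# Constructed broken plan: OPT1 reuses the LAN subnet and the AP sits in the pool.
BAD_PLAN = {
    "LAN":  {"cidr": "10.10.30.1/24", "pool": ("10.10.30.50", "10.10.30.150")},
    "OPT1": {"cidr": "10.10.30.2/24", "pool": ("10.10.30.50", "10.10.30.150"),
             "static_hosts": ["10.10.30.60"]},
}
```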



  • Okay, there's that.
    http://img38.imageshack.us/img38/2925/ov3c.png

    Finally I got it set up properly.  The pfsense box has assigned the AP an IP of 10.0.1.10. Now on the AP side of things I believe I'm sticking it into straight up AP mode, no DHCP or anything, which should have it pull addresses from the pfsense machine I believe.


  • Banned

    WTF, looks like it works!  :o ;D



  • @doktornotor:

    WTF, looks like it works!  :o ;D

    So far, Only problem is the AP interface doesn't pull WAN connection.

    And how do I get the AP to pull DHCP requests from the pfsense box? It's running DD-WRT.

    I tried at one point to have it pull DHCP requests from the pfsense box but it ended up making the AP inaccessible via webgui and telnet so I had to reset it.


  • Banned

    @CaptainWTF:

    So far, Only problem is the AP interface doesn't pull WAN connection.
    And how do I get the AP to pull DHCP requests from the pfsense box? It's running DD-WRT.
    I tried at one point to have it pull DHCP requests from the pfsense box but it ended up making the AP inaccessible via webgui and telnet so I had to reset it.

    You should follow the docs:

    http://www.dd-wrt.com/wiki/index.php/Wireless_Access_Point#Long_Version



  • Yeah - I have a DDWRT set up as AP like you want - Following that manual will do it.
    Caution - During that whole process, make sure you are SAVING after every step - Not applying.

    Do apply at the very end, then under admin interface in DDWRT, at very end, reboot.
    Make sure you tell the AP to grab a static IP outside the DHCP range on OPT1.

    Should be all good.


  • Banned

    +1, works perfectly fine here.



  • @kejianshi:

    Yeah - I have a DDWRT set up as AP like you want - Following that manual will do it.
    Caution - During that whole process, make sure you are SAVING after every step - Not applying.

    Do apply at the very end, then under admin interface in DDWRT, at very end, reboot.
    Make sure you tell the AP to grab a static IP outside the DHCP range on OPT1.

    Should be all good.

    Followed those instructions SPECIFICALLY. Did not work. lol. AP is not assigning IP addresses, nor can I access web UI anymore.



  • The AP isn't supposed to assign the IPs.
    Pfsense is supposed to handle DHCP for it.
    You should have given your DD-WRT a static IP.
    Trust me when I tell you, you didn't do something EXACTLY as you are supposed to.



  • @kejianshi:

    The AP isn't supposed to assign the IPs.
    Pfsense is supposed to handle DHCP for it.
    You should have given your DD-WRT a static IP.
    Trust me when I tell you, you didn't do something EXACTLY as you are supposed to.

    I did follow the tutorial EXACTLY as I was supposed to.

    AP is set to assign out IP at 10.0.1.10-245 and I set the IP of the AP static @ 10.0.1.5 so shut your face sir :P

    I followed that tutorial EXACTLY word for fucking word.

    3 times.


  • Banned

    @CaptainWTF:

    AP is set to assign out IP at 10.0.1.10-245 and I set the IP of the AP static @ 10.0.1.5 so shut your face sir :P
    I followed that tutorial EXACTLY word for fucking word.

    Uh, WTF!

    Open the Setup -> Basic Setup tab
    WAN Connection Type : Disabled
    Local IP Address: 192.168.1.2 (i.e. different from primary router and out of primary router's DHCP pool)
    Subnet Mask: 255.255.255.0 (i.e. same as primary router)
    DHCP Server: Disable (also uncheck DNSmasq options)
    (Recommended) Gateway/Local DNS: IP address of primary router (many things will fail without this)
    (Optional) Assign WAN Port to Switch (visible only with WAN Connection Type set to disabled): Enable this if you want to use WAN port as a switch port
    (Optional) NTP Client: Enable/Disable (if Enabled, specify Gateway/Local DNS above)
    Save



  • It's OK.  You know what they say.
    If at first you don't succeed - WTF - Try, Try again.  And again. And sometimes again.
    You will get it right.
    BTW - All of the things they list as "Optional" and "recommended" in that how-to aren't optional.
    Disable all the optional stuff as well and take all the optional steps.
    (Sorry if I didn't mention that before - Shutting face now  :P)



  • @kejianshi:

    It's OK.  You know what they say.
    If at first you don't succeed - WTF - Try, Try again.  And again. And sometimes again.
    You will get it right.
    BTW - All of the things they list as "Optional" and "recommended" in that how-to aren't optional.
    Disable all the optional stuff as well and take all the optional steps.
    (Sorry if I didn't mention that before - Shutting face now  :P)

    BLAHHHHHH, Okay. I'll give it another shot :) thanks lol.



  • O Captain! My Captain! WTF not I say.  Good luck.



  • Still doesn't seem to work. What the hell am I doing wrong lol



  • What version of DD-WRT are you using?  What build number?  (upper right hand corner of screen).
    Also, what type of router?  Let's start there.

    Also, if you remove DD-WRT router and you plug a computer into the new OPT1 interface, does that work?



  • Before I do the transition it'll assign the router an IP from the AP interface, usually 10.0.1.10

    Buffalo and a buffalo WZR-HP-n450.

    Build v24sp2



  • I'm not sure I understand this:

    "Before I do the transition it'll assign the router an IP from the AP interface, usually 10.0.1.10"

    Let's take baby steps then.  1st.  Let's make sure that both your LAN and your OPT1 work, have separate IPs and dish out DHCP as expected and that the firewall rules allow traffic.

    Could you plug a computer into both of those and test to make sure they are up and can access internet?  Then start in on DD-WRT again.



  • @kejianshi:

    I'm not sure I understand this:

    "Before I do the transition it'll assign the router an IP from the AP interface, usually 10.0.1.10"

    Let's take baby steps then.  1st.  Let's make sure that both your LAN and your OPT1 work, have separate IPs and dish out DHCP as expected and that the firewall rules allow traffic.

    Could you plug a computer into both of those and test to make sure they are up and can access internet?  Then start in on DD-WRT again.

    What I do know is when I have router plugged into AP interface, no WAN connectivity.



  • That's not what I asked about.

    I want to know if the LAN and the OPT1 work and provide internet to a computer if one is plugged directly into it.

    Once I know pfsense is working as advertised, then it will be easy to focus on DD-WRT, confident that any problems encountered are DD-WRT and not pfsense.



  • @kejianshi:

    That's not what I asked about.

    I want to know if the LAN and the OPT1 work and provide internet to a computer if one is plugged directly into it.

    Once I know pfsense is working as advertised, then it will be easy to focus on DD-WRT, confident that any problems encountered are DD-WRT and not pfsense.

    Nah, that'd be a big fat negatory, nothing if I plug it into my computer.

    Lan yes, OPT1, no.

    OPT1 assigned IP, No internet.



  • OK - Do you know how to take snapshots and post to forum?

    Go to Interfaces > OPT1

    Post what's there.

    Then go to Firewall > Rules > OPT1 and then post that here.

    We will need to fix this 1st and DD-WRT second.  It will work.

    (My guess is that you need to create a firewall rule on OPT1 to allow ALL to ANY)
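
Added example (not part of any post in this thread): a Python model of first-match rule evaluation on the OPT1 interface, using the example subnets 10.10.30.0/24 (LAN) and 10.10.40.0/24 (OPT1) from earlier in the thread. The phone address 10.10.40.20, the test addresses and the rule sets are assumptions. It shows why an interface with no rules passes nothing, what an allow-all rule opens up, and how an ordered rule set gives only the phone access to the LAN while other wireless clients still reach the internet.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action src dst note")

LAN_NET = "10.10.30.0/24"   # example LAN subnet from the thread
AP_NET = "10.10.40.0/24"    # example OPT1 (wireless) subnet from the thread
PHONE = "10.10.40.20/32"    # assumption: the phone has a fixed address on OPT1
ANY = "0.0.0.0/0"

def evaluate(rules, src, dst):
    """Return (action, note) of the first matching rule; no match means block."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in ipaddress.ip_network(rule.src) and d in ipaddress.ip_network(rule.dst):
            return rule.action, rule.note
    return "block", "no rule matched (default deny)"

# A freshly added OPT interface has no rules, so nothing gets through.
NO_RULES = []

# The quick fix: everything on the wireless side can reach everything.
ALLOW_ALL = [Rule("pass", ANY, ANY, "allow all to any")]

# Ordered rules for the original goal; order matters because first match wins.
SCOPED = [
    Rule("pass", PHONE, LAN_NET, "phone may reach the LAN"),
    Rule("block", AP_NET, LAN_NET, "other wireless clients may not reach the LAN"),
    Rule("pass", AP_NET, ANY, "wireless clients may reach everything else"),
]

def reachability(rules):
    """Evaluate three constructed flows arriving on OPT1 against a rule list."""
    flows = {
        "phone->LAN": ("10.10.40.20", "10.10.30.10"),
        "guest->LAN": ("10.10.40.77", "10.10.30.10"),
        "guest->internet": ("10.10.40.77", "203.0.113.5"),
    }
    return {name: evaluate(rules, *flow)[0] for name, flow in flows.items()}

if __name__ == "__main__":
    for label, rules in (("none", NO_RULES), ("allow all", ALLOW_ALL), ("scoped", SCOPED)):
        print(label, reachability(rules))
```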



  • Here they are, and you're probably right I imagine the rules should be similar to how the rules in LAN are set up.




