Separating traffic from 2 Wifi SSID

  • Hi,

    I wish to create 2 wifi connection modes:
    The "private" SSID (SSID1) will have access to the LAN and the Internet (access the Internet through the LAN and using the same firewall rules).
    The "guest" SSID (SSID2) will have direct access to the Internet and must face the WAN FW rules to access the LAN (like any device from the Internet).

    I currently have a pfSense box connecting my LAN to the WAN.
    I have a separate WAP device (Dlink DAP-2553)
    The pfSense's DHCP server is currently assigning addresses to LAN computers.

    I wish some help in designing this, here's the plan:

    • Connect my Wifi Access Point (WAP) on the pfSense box.

    • Configure both SSIDs on the WAP, each one using its own vlan (I'm ok with auth protocols and servers, I've spent the last days understanding them and now they work).

    • On pfSense, create 2 interfaces for each vlan (OPT1 => vlan1 => SSID1, OPT2 => vlan2 => SSID2).

    • Create a bridge between OPT1 and LAN

    • Create a firewall rule on OPT2 to redirect traffic from OPT2 to WAN GW

    I'm not sure it will work, particularly on the following points:
    4) will the bridge correctly redirect traffic from OPT1 onto the LAN and then onto the Internet if a wifi device on SSID1 wishes to access the Internet?
    5) Will it be possible for a device on SSID2 to go back in through the WAN interface when accessing a service, as if it were from outside?

    I know I'm missing basic knowledge on networking, that's why I ask the "way to think it" instead of "how to do it".

    Thanks in advance.

  • I wouldn't use bridges if they are not absolutely needed.

    My approach would be to assign OPT1 and OPT2 as their own interface with their own subnet, DHCP server and their own set of rules.
    This way you have much more control how traffic is allowed to flow.
    This also decouples the rules from the WAN and the public wlan in case you want to run the captive portal.
    You could use the captive portal to display a splash-pop-up telling "don't do nasty things here" with a simple button to allow them further. (I'm not sure if this works with a bridge).

    If you REALLY need a bridge:
    Bridge WAN and OPT2(public)
    Bridge LAN and OPT1(private)
    Assign bridge0(WAN_bridge)
    Assign bridge1(LAN_bridge)
    Set all the configuration from your current WAN interface to the assigned bridge0.
    Set all the configuration from your current LAN interface to the assigned bridge1.
    Disable the WAN and LAN interfaces.
    (assigning the bridge, and moving the config from the interface to the bridge, harbors much possibility to shoot yourself in the foot or blow an arm off ;), be sure to have a backup ready.)

  • Thanks GruensFroeschli !

    Thinking about your answer, some questions were raised: according to what I read, NetBIOS is a non-routable protocol. But it relies on IP. Then if I use a WINS server, computers should be able to communicate through NetBIOS using NetBIOS names and get through the router (pfSense), isn't it?

    If I'm using your solution, the networks are independent and pfSense should know the routes, even for the gateway. Then I don't need to create any routing rule, I just need firewall rules to allow traffic to pass?

    If my previous assumption is correct, on OPT2(public) I only need a (couple of) rule(s) on the firewall to deny traffic with internal subnets destination ?

    For OPT2, if I want to contact a service behind the firewall, it will be resolved as my public address (public DNS configured on this subnet). It means that traffic will be redirected to the WAN interface and then come back. Will it be detected as spoofing?

    I think my setup is pretty common (2 SSIDs: public/private), but I find the configuration complicated. Maybe I'm misleading myself in the way to do it.

  • Is there a reason that the AP can't be just plugged into the LAN switch so you don't have to do anything else to give it access to LAN?

  • Hi kejianshi,

    Yes, there will be traffic shaping on the wifi so I need to separate both networks (LAN and wLAN) in some way. I did not find any secure way to do it except using another interface.

    For the most part the problems you run into when using separate interfaces for LAN/AP are just that things like MS networking and broadcast traffic get broken. If, however, you simply address printers, shares etc. via IP directly instead of relying on auto-discovery, you have no problems and don't have to do anything at all to make things work well.

    If you use WINS you won't have any issues with it going across subnets. Think of WINS just like DNS but a Windows implementation. You can even specify WINS in pfSense's DHCP server.

    To your second part a router will route traffic to all interfaces it knows about automatically so you will have to setup a rule not allowing traffic to/from. I suggest that you put the rule closest to the users you want to block. So in this case I would put the rules on your guest WiFi interface blocking traffic to your LAN interface.

    And for your last part, if I'm understanding the question, you will not be able to access a service on your LAN by the private IP because you are blocking it, so to get around it you want to access it by its public IP. You can't do that because traffic going out and then coming back in is blocked (like you said, it's seen as some type of spoofing attack). But what you can do is create a rule just for that specific service and make sure it is before the block rule.
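
    The two answers above (separate interfaces with their own subnet and rules, then a guest-to-LAN block with a per-service exception placed before it) can be written out as a pf ruleset to make the ordering and the "come back in through the WAN" question concrete. This is an added example, not configuration from the thread or generated by pfSense; pfSense builds its ruleset from the GUI, and this is the hand-written equivalent. Assumed names and addresses: em0 is WAN, em2 is LAN 192.168.1.0/24, em1 is the trunk to the DAP-2553 carrying VLAN 10 (private SSID, 192.168.10.0/24) and VLAN 20 (guest SSID, 192.168.20.0/24), and 192.168.1.10 is a LAN web server published on the WAN address on port 443.

```pf
# Added example; interface names, VLAN IDs and addresses are assumptions.
# VLAN interfaces created beforehand on the FreeBSD side, e.g.:
#   ifconfig vlan10 create vlan 10 vlandev em1 inet 192.168.10.1/24
#   ifconfig vlan20 create vlan 20 vlandev em1 inet 192.168.20.1/24

wan   = "em0"
lan   = "em2"
priv  = "vlan10"
guest = "vlan20"

lan_net   = "192.168.1.0/24"
priv_net  = "192.168.10.0/24"
guest_net = "192.168.20.0/24"
rfc1918   = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Assumed LAN service that is also reachable from the Internet.
web_srv = "192.168.1.10"

set skip on lo0

# Outbound NAT: the guest subnet is NATed like the LAN, no bridge needed.
nat on $wan inet from { $lan_net, $priv_net, $guest_net } to any -> ($wan)

# Port forward from the Internet to the web server.
rdr on $wan proto tcp from any to ($wan) port 443 -> $web_srv port 443

# "Reflection" for guests: a guest resolving the public name gets the WAN
# address, and the packet arrives on $guest, not on $wan. Without a rule
# here it is simply routed and then hits the guest block below. This rdr
# rewrites the destination to the server before the filter rules run.
# The server's default gateway is pfSense and the guest subnet is a
# different network, so the reply comes back through pfSense on its own.
rdr on $guest proto tcp from $guest_net to ($wan) port 443 -> $web_srv port 443

# Default deny, then drop packets whose source does not belong on the
# interface they arrived on (the "spoofing" case mentioned above).
block log all
antispoof quick for { $lan, $priv, $guest }

# Internet -> web server (after rdr the destination is already $web_srv).
pass quick on $wan proto tcp from any to $web_srv port 443 flags S/SA keep state

# Private SSID: treated like the LAN; tighten to match the LAN rules.
pass quick on $priv from $priv_net to any keep state

# Guest SSID: rules live on the guest interface, closest to the users.
# 1. DHCP and DNS served by pfSense itself
pass quick on $guest proto udp from any port 68 to any port 67
pass quick on $guest proto { udp, tcp } from $guest_net to ($guest) port 53 keep state
# 2. the one allowed LAN service, placed BEFORE the block rule
pass quick on $guest proto tcp from $guest_net to $web_srv port 443 flags S/SA keep state
# 3. everything else internal is blocked, then the Internet is allowed
block quick on $guest from $guest_net to $rfc1918
pass quick on $guest from $guest_net to any keep state

# LAN: out to anywhere except the guest network.
block quick on $lan from $lan_net to $guest_net
pass quick on $lan from $lan_net to any keep state
```

    Rules are written with `quick` so they are first-match, which is the ordering the pfSense GUI uses and the reason the service exception must sit above the `$rfc1918` block. In the GUI the same effect is obtained with an alias for the RFC 1918 ranges, a pass rule for the service above a block rule to that alias on the guest interface, and NAT reflection enabled on the port forward.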

  • Thank you all for your answers.

    This is far clearer in my mind now. I'll see how I can implement this according to what the devices allow me to do (i.e. firewalling on the AP).
