Adding WAP to Firewall

  • So having jumped on the pfSense bandwagon recently, I find I have questions.
    In reading over the forums I am finding many ways to do this but none seem particularly secure.

    I am upgrading my network firewall from a Draytek Vigor 2950 to a Netgate FW-7541/pfSense.
    LAN is a mixture of Win7 and Mac, with occasional Linux.
    Netgate is currently attached to the network via Draytek(LAN/VLAN)>Netgate(WAN)
    So the WAN port has Internet connectivity.
    I will be moving the Netgear over to Netgate as soon as I have a plan of attack.

    Current Set-up:

    Netgear WNR3500L(WAN Port) > Draytek(LAN/VLAN) > Uverse RG (LAN/DMZ Mode)
    Netgear is on a different subnet and is using internal DHCP
    Netgear is also on a separate VLAN
    Netgear has no connectivity with internal LAN (Would like to change this)
    Netgate WAN(DHCP), LAN1(172.aa.ff1.1), LAN2(172.aa.ff2.1), WiFi(172.aa.ff3.1).
    I will be enabling VPN access for LAN1 hence the 172 addresses.
    Media devices reside on LAN1 and LAN2.

    Separation of WiFi and LAN
    Place WiFi on separate subnet?
    Currently WiFi, LAN

    Connectivity of designated friendly devices between WiFi and LAN devices and services.
    Roku Products, NAS, iTunes Server, VNC, AirPlay
    Preferably full access until I get a handle on what ports are required.
    Currently no such connectivity.
    How would I designate Friendly, Guest, Unknown?

    Secure WiFi against Unknown devices.
    Block Unknowns from LAN/WAN access.
    MAC address filtering? Can be spoofed easily.
    Identify UnFriendly and perma block? How?

    Relative ease of connectivity for Guest devices.
    Easy log on with access limited to Internet only
    Preferably unable to see other devices at all.
    Portal with separate IP pool?
    Portal that generates User Account?
    Portal that can be turned off/on when needed?

    Should IPs for OPT be set differently to achieve goals?
    WAN(DHCP), LAN1(172.aa.ff1.1), LAN2(172.aa.ff2.1), WiFi( More secure?
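
    A pf ruleset fragment for the guest-WiFi isolation this post asks about (an added example, not from the original thread or the pfSense project). The interface name opt3, the 172.16.x.0/24 stand-ins for the 172.aa.ffx.0/24 subnets and the contents of the friendly table are assumptions; on pfSense these rules are normally entered in the GUI (Firewall > Rules), which generates equivalent pf rules.

```pf
# Added example: pf rules for a guest WiFi interface on pfSense.
# opt3 and the 172.16.x.0/24 networks are assumed stand-ins for the post's values.
wifi_if  = "opt3"
lan1_net = "172.16.1.0/24"   # assumed stand-in for 172.aa.ff1.0/24
lan2_net = "172.16.2.0/24"   # assumed stand-in for 172.aa.ff2.0/24
wifi_net = "172.16.3.0/24"   # assumed stand-in for 172.aa.ff3.0/24
wifi_gw  = "172.16.3.1"      # the firewall's address on the WiFi interface

# All private ranges, so guests cannot reach any internal subnet or the
# firewall's LAN-side addresses.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Constructed list of "friendly" WiFi devices (give them static DHCP leases so the
# addresses stay fixed). Matching on IP/MAC is spoofable, as the post notes, so this
# only sorts cooperating devices; it is not authentication.
table <friendly> { 172.16.3.50, 172.16.3.51 }

# Weak: a default "allow anything" rule on the WiFi interface also lets every guest
# reach LAN1 and LAN2. Shown commented out for comparison.
# pass in quick on $wifi_if from $wifi_net to any keep state

# Hardened set. pf evaluates "quick" rules first-match, so order matters.
# 1. DHCP and DNS to the firewall itself (pfSense adds a DHCP rule automatically
#    when its DHCP server is enabled on the interface).
pass in quick on $wifi_if proto udp from any port 68 to any port 67
pass in quick on $wifi_if proto { tcp, udp } from $wifi_net to $wifi_gw port 53 keep state

# 2. Friendly devices may reach the media LANs; tighten to specific ports once known.
pass in quick on $wifi_if from <friendly> to { $lan1_net, $lan2_net } keep state

# 3. Everyone else on WiFi is cut off from every private network.
block in log quick on $wifi_if from $wifi_net to <rfc1918>

# 4. What remains is Internet-bound traffic.
pass in quick on $wifi_if from $wifi_net to any keep state
```

    WiFi-to-WiFi traffic never crosses the firewall, so "unable to see other devices at all" also needs client isolation (AP isolation) enabled on the access point itself.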

  • Wow I read my original post and I cringe. I have been learning a lot thanks to this forum.
    Thank you for not lambasting me with sarcasm.

    So long story short I have a working scenario to begin the pfSense journey.

    AT&T RG DMZ+ > Netgate WAN
    LAN (Default port. Left this one alone so I could mess with others and not get locked out)
    BRIDGE (LANx3, Separate ports for 2 different physical LANs and Asus RT-N66U for WiFi)
    LAN (Opt6) is a separate WAP with Internet only access.

    Caveats discovered on this build:
    gettytab is busted. Fix seems to be to remove al=root: and change speed from 115200 to 9600.
    miniupnpd seems to dislike BT traffic and starts spamming Routing log. Still researching this one.
    IPsec Mobile is functional but booting with errors. Still researching.
    Various Firewall and Snort alerts that need researching.

    I have a Firewall and functional WAPs, it's a start. Now back to reading forums.

