Netgate Discussion Forum
    Adding WAP to Firewall

    Wireless
    2 Posts 1 Posters 1.5k Views

    RoadGuy

      So having jumped on the pfSense bandwagon recently I find I have questions.
      In reading over the forums I am finding many ways to do this but none seem particularly secure.

      I am upgrading my network firewall from a Draytek Vigor 2950 to a Netgate FW-7541/pfSense.
      LAN is a mixture of Win7 and Mac, with occasional Linux.
      Netgate is currently attached to the network via Draytek(LAN/VLAN)>Netgate(WAN)
      So the WAN port has Internet connectivity.
      I will be moving the Netgear over to Netgate as soon as I have a plan of attack.

      Current Set-up:

      Netgear WNR3500L(WAN Port) > Draytek(LAN/VLAN) > Uverse RG (LAN/DMZ Mode)
      Netgear is on a different subnet and is using internal DHCP
      Netgear is also on a separate VLAN
      Netgear has no connectivity with internal LAN (Would like to change this)
      Netgate WAN(DHCP), LAN1(172.aa.ff1.1), LAN2(172.aa.ff2.1), WiFi(172.aa.ff3.1).
      I will be enabling VPN access for LAN1 hence the 172 addresses.
      Media devices reside on LAN1 and LAN2.

      Goals:

      Separation of WiFi and LAN
      Place WiFi on separate subnet?
      Currently WiFi 10.10.xxx.xxx, LAN 192.168.xxx.xxx

      Connectivity of designated friendly devices between WiFi and LAN devices and services.
      Roku Products, NAS, iTunes Server, VNC, Airplay
      Preferably full access until I get a handle on what ports are required.
      Currently no such connectivity.
      How would I designate Friendly, Guest, Unknown?

      Secure WiFi against Unknown devices.
      Block Unknowns from LAN/WAN access.
      MAC address filtering? Can be spoofed easily.
      Identify UnFriendly and perma block? How?

      Relative ease of connectivity for Guest devices.
      Easy log on with access limited to Internet only
      Preferably unable to see other devices at all.
      Portal with separate IP pool?
      Portal that generates User Account?
      Portal that can be turned off/on when needed?

      Should IPs for OPT be set differently to achieve goals?
      WAN(DHCP), LAN1(172.aa.ff1.1), LAN2(172.aa.ff2.1), WiFi(198.162.xxx.1). More secure?

      Netgate FW-7541, 4GB DDR3, 64GB SSD
      Intel(R) Atom(TM) CPU D525 @ 1.80GHz
      2.1p1-RELEASE (amd64)
      FreeBSD 8.3-RELEASE-p12
      Single WAN, Multi LAN, with Snort

      "Ignorance is not always a curable affliction."
      What the heck am I going to do with 64GB's???

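As an added example (not the poster's configuration and not rules generated by pfSense itself), here is how the separation and friendly/guest goals in the post map onto a pf ruleset of the kind pfSense builds from its GUI; the interface names, subnets and host addresses are assumed placeholders standing in for the post's 172.aa.ffN.x networks:

```pf
# Added example: pf ruleset sketch for WiFi/LAN separation with "friendly" exceptions.
# Interface names and addresses are ASSUMED placeholders; adjust before use.
wan_if   = "igb0"
lan1_if  = "igb1"
lan2_if  = "igb2"
wifi_if  = "igb3"
lan1_net = "172.16.1.0/24"   # LAN1, gateway .1 (post: 172.aa.ff1.1)
lan2_net = "172.16.2.0/24"   # LAN2, gateway .1 (post: 172.aa.ff2.1)
wifi_net = "172.16.3.0/24"   # WiFi, gateway .1 (post: 172.aa.ff3.1)

# "Friendly" WiFi devices: give each a static DHCP lease so its address is stable,
# then list the address here. Trust is bound to an address, not a MAC, and is only
# as strong as that lease binding; any WiFi host not listed is treated as Unknown.
table <wifi_friendly> { 172.16.3.10, 172.16.3.11 }
# LAN hosts those devices may reach (e.g. NAS, iTunes server, VNC host).
table <lan_services>  { 172.16.1.20, 172.16.1.21, 172.16.2.30 }

set skip on lo0

# Outbound NAT for all internal networks (pfSense does this automatically).
nat on $wan_if from { $lan1_net, $lan2_net, $wifi_net } to any -> ($wan_if)

block log all                 # default deny; blocked traffic appears in the firewall log

# 1. Friendly WiFi devices reach the designated LAN services. Wide open for now,
#    as the post prefers; narrow with "proto tcp ... port { 3689, 5900 }" (DAAP,
#    VNC) once the required ports are known.
pass in quick on $wifi_if from <wifi_friendly> to <lan_services>

# 2. Everything else from WiFi toward the wired LANs is dropped and logged.
#    Must come before the Internet rule: "quick" stops at the first match.
block in log quick on $wifi_if from $wifi_net to $lan1_net
block in log quick on $wifi_if from $wifi_net to $lan2_net

# 3. WiFi (friendly, guest or unknown alike) may reach the Internet and its own
#    gateway for DHCP/DNS. Guests never see wired hosts because rule 2 fired first.
pass in quick on $wifi_if from $wifi_net to any

# 4. Wired LANs are unrestricted, including toward WiFi hosts; WiFi cannot
#    initiate back (rule 2), but replies to LAN-initiated flows pass by state.
pass in quick on $lan1_if from $lan1_net to any
pass in quick on $lan2_if from $lan2_net to any
pass out quick all            # outbound on every interface; replies match by state
```

Discovery for Roku, AirPlay and iTunes relies on mDNS/SSDP multicast, which does not cross subnets on its own even with rule 1 in place; a reflector such as the Avahi package pfSense offers is needed for friendly devices to find LAN services by name.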
      RoadGuy

        Wow I read my original post and I cringe. I have been learning a lot thanks to this forum.
        Thank you for not lambasting me with sarcasm.

        So long story short I have a working scenario to begin the pfSense journey.

        AT&T RG DMZ+ > Netgate WAN
        Supporting:
        LAN (Default port. Left this one alone so I could mess with others and not get locked out)
        BRIDGE (LANx3, Separate ports for 2 different physical LANs and Asus RT-N66U for WiFi)
        LAN (Opt6) is a separate WAP with Internet only access.

        Caveats discovered on this build:
        gettytab is busted. Fix seems to be remove al=root: and change speed from 115200 to 9600.
        miniupnpd seems to dislike BT traffic and starts spamming the Routing log. Still researching this one.
        IPsec Mobile is functional but booting with errors. Still researching.
        Various Firewall and Snort alerts that need researching.

        I have a Firewall and functional WAP's, it's a start. Now back to reading forums.

