New to PFSense…couple of questions



  • So, I just got PFSense up and running at home.  I have a few questions about how to best accomplish what I'm trying to do.

    I have 3 Unifi Wireless APs that will be here on Tuesday.  My ultimate setup goal is this:

    Have my own wireless network, that has full network access.  I will not broadcast this SSID, and the network will be secure.  Only my and my family's devices will connect to it.

    I want a publicly broadcast and UNSECURE SSID for guests to access.  When a guest logs in, I want them to be prompted to identify themselves with a username or something, and have the system issue them a certificate that is good for 6 hours.  After 6 hours, they need to repeat the process.  The devices that connect to the guest wifi should not be able to see anything else on the network…only the internet.  Furthermore, if possible, I'd like to log the sites they visit.

    Now, with regard to the devices that are connected to the main network, I want to create a whitelist of websites that my kids' iPads are allowed to go to.  My two oldest boys (ages 5 and 6) are getting iPads for Christmas and I only want them to be able to visit certain sites, and only allow traffic from certain places (i.e. I want them to be able to access the App Store).  When they try to go to a site that isn't "whitelisted", it will either redirect them, or tell them it's not an approved site.  I do want to allow them to be able to use FaceTime and whatnot as well.

    I don't know if that stuff is elementary or not, but I've not really got any clue where to start.  I'm a fast learner and follow directions well, but this is all new to me.  If someone could give me instruction on how to accomplish this, or point me to a tutorial, it would be much appreciated.

    Thanks in advance!


  • Netgate Administrator

    You want both wireless networks on all three APs? You can do that using VLANs. The Unifi APs can host multiple SSIDs and tag them to different VLANs, then the pfSense box can de-tag them and assign each to different interfaces. You'll need a VLAN compatible switch to connect these or a standard switch that doesn't strip tags.

    On the guest network you can use the captive portal to create a sign in system and then use Squid to proxy the traffic and log it.

    On the main wifi network you can also run Squid and Squidguard to filter traffic. Add exceptions for whatever IPs you don't want filtered, or configure it the other way around so only the iPads are filtered. You'll have to add static DHCP mappings for the iPads and obviously that's not great security, but at 5 and 6 it should be good enough, for now.  ;)

    There are some good walkthroughs for a load of stuff here: http://pfsensesetup.com/ (not connected to the project AFAIK) but the best source of information, by far, will be the new pfSense book when it's released imminently.

    Steve



  • I use a Dell PowerConnect switch…I'm pretty sure it supports VLANs.



  • So, I just double checked and it would appear my switch does support VLANs, and it also has some options you can check that pertain to tagging.

    I am unfamiliar with that.

    Do you care to go into a little more detail on exactly what my first steps would be when the Unifi units arrive on Tuesday?


  • Netgate Administrator

    Ok, so how many NICs do you have in your pfSense box? Do you need a separate wired LAN?

    Steve



  • Thanks Steve!

    I have two NICs in my PFSense box.  It's a SuperMicro 1U rack-mounted PC.

    One NIC is WAN (Comcast modem) the other is LAN and connects to the Dell PowerConnect switch.

    Currently I'm using a Linksys WRVS4400N as a WAP, and it's just connected to the Dell switch as well.  I may only use one of the Unifi boxes here, depends on the range.  I got a good deal on the 3 pack, so 2 may get resold or used in other places.  My plan at this point, is to simply connect the Unifi to the Dell switch, but I can get a 3rd NIC if necessary.

    I appreciate your help!


  • Netgate Administrator

    Ok so if you are going to be using VLANs, which you'll have to if you want multiple SSIDs on each access point, then there's no point getting extra NICs. You can just use extra VLAN interfaces and switch ports. However you might find that having each wireless network on a dedicated access point gives sufficient coverage. In that case you can avoid VLANs, which will make setting up the network much easier. You would need an extra NIC if you want wired traffic separated though.

    Setting up VLANs should be relatively straightforward, and it is if you're already familiar with the terminology and user interface used by your switch. If not, be prepared to read the manual, repeatedly!

    Does this sound like something you're up for? What is the exact switch model you have?

    Steve



  • I am somewhat familiar with VLANs; I've used them before. I was using the WRVS4400N as my router, and I had another Linksys router connected to it on a VLAN to provide isolated guest Wi-Fi that could only see the internet.

    I have a Dell 2724 Power Connect.

    I'll need help setting up the captive portal portion of this as well.

    Also, I'm going to try and just use one WAP. I got a good deal on a 3 pack, but hoping I only need one. The house is about a 5,000 square foot footprint, but is fairly square and the WAP is centrally located.

    Thanks again.


  • Netgate Administrator

    Ah Ok, well that should make things a lot easier. The range on those Unifi APs is supposed to be quite good though I've never used one myself.
    Some things to consider:
    Never use VLAN_1 (packets tagged with VLAN number 1) because that is usually used for the switch gui internally and can be treated differently.
    You should try to avoid having tagged and untagged traffic on the same pfSense interface; this can cause problems. That means that your LAN side NIC will probably have 3 VLANs on it but not be assigned itself. The 3 VLANs will be: main wireless, guest wireless and wired.

    The biggest issue here will be configuring the switch. It's easy to end up locking yourself out of the switch webgui during configuration. If you can do it via a serial console you can't get locked out but it's usually more difficult, requires special incantations!
    I'm not familiar with that particular switch, let me read the manual.

    Steve


  • Netgate Administrator

    Hmm, just Googling this switch it appears there is potentially some complication before we even really get started.  ::)
    Do you have access to the switch management web interface? If not it seems it may present some difficulty but I'm sure it can be overcome.
    http://blogmal.42.org/tidbits/no-dell-2724.story
    It seems like you need to use an old browser or you'll not be able to login.

    Steve



  • I use the Chrome browser primarily, and I can log in to the switch's web-based interface no problem.



  • @stephenw10:

    Ah Ok, well that should make things a lot easier. The range on those Unifi APs is supposed to be quite good though I've never used one myself.
    Some things to consider:
    Never use VLAN_1 (packets tagged with VLAN number 1) because that is usually used for the switch gui internally and can be treated differently.
    You should try to avoid having tagged and untagged traffic on the same pfSense interface; this can cause problems. That means that your LAN side NIC will probably have 3 VLANs on it but not be assigned itself. The 3 VLANs will be: main wireless, guest wireless and wired.

    The biggest issue here will be configuring the switch. It's easy to end up locking yourself out of the switch webgui during configuration. If you can do it via a serial console you can't get locked out but it's usually more difficult, requires special incantations!
    I'm not familiar with that particular switch, let me read the manual.

    Steve

    I just noticed this post.  I'm fine to configure as many VLANs as I need to, but I do want to make sure that MY wireless devices, the ones connected to the "main wireless", do have access to all the devices on the network.  I'm sure you realized that, but just clarifying.

    I've got very limited experience in working via serial console, but do follow instructions well assuming they are available somewhere and break it down to an elementary level for my simple mind =)



  • I should add…I really appreciate your help with all this!

    I have an extensive Control4 installation in my home (home automation system) and I know that a lot of C4 technicians that have advanced networking knowledge will put their Control4 installations on a separate VLAN because the devices are "quite chatty".  I don't really understand what the benefit to that would be, but while we're talking VLANs I figured I would throw that out.

    Thanks again.


  • LAYER 8 Global Moderator

    "I will not broadcast this SSID"

    I want to point out that is not best practice and will do nothing but make your network more complex, with lots of complications that can come of it.  There is not one valid reason not to broadcast your SSIDs - be it they are guest or provide access to your normal network or not.  The broadcasting of the SSID has nothing to do with security.

    Just properly secure it, and broadcast it.  Call them something like ssid and then ssid-guest so that you're clear which one is guest, etc.


  • Netgate Administrator

    @dhendriksen:

    I know that a lot of C4 technicians that have advanced networking knowledge will put their Control4 installations on a separate VLAN because the devices are "quite chatty".

    Interesting, is that something you are in a position to do? Are your Control4 devices wired in such a way that they can be connected to separate ports?

    If you have your wired and wireless devices on separate VLANs and separate subnets then you can still access one from the other as long as you have firewall rules in place to allow that. However there are some services which do not play nicely across subnets, mostly upnp type media servers/clients. If you need a single subnet then you can always bridge the two VLANs at the pfSense box but that will never be as fast as just one VLAN where traffic just goes through the switch. If you often transfer very large files between wired and wireless devices it might be worth not bothering with a separate VLAN for wired devices.

    The 2724 does not have a serial console from what I can see so no worries there.  ;)

    Steve



  • @dhendriksen:

    … a lot of C4 technicians ... put their Control4 installations on a separate VLAN because the devices are "quite chatty".  I don't really understand what the benefit to that ...

    This means that they separate the C4 gear from the rest of your LAN. They don't use a separate switch for this but divide off a portion from your existing one.
    I'm a Crestron guy so I know these kinds of installs.
    Assuming you have wireless touchpanels with access to your C4 gear, where are they routed between your subnets?
    (That's where I regularly use a pfSense in my Crestron installs!  ;-)


  • Netgate Administrator

    Is this done for security? reliability? manageability? all three?  ;)

    Steve



  • @stephenw10:

    Is this done for security? reliability? manageability? all three?

    This gear tends to generate quite some traffic, sometimes even broadcasts.
    You don't want that in your LAN and you don't want your media devices to slow down action triggers from a touchpanel.
    (Just read about a client complaining about 9s to flip to the AM/FM page. This delay had other reasons, though.)



  • In talking to others, I don't think I'm needing to put the Control4 gear on a separate VLAN.

    Let's stick to the initial questions/needs for now I guess.

    Again, those are setting up the two wifi networks on Unifi.  One for me that accesses everything, and one for guests that ONLY accesses the internet.

    I also want to leave the guest one unsecured, and use a captive portal to allow people on and monitor what they do while they're on.  I want their authentication to be good for 6 hours, and then have to re-authenticate.  In an ideal world, there would just be one password for every user and that password would change every 24 hours (and be emailed to my wife and I every day).

    I really appreciate the help from everyone!  The Unifi will be here tomorrow, and I'm excited to get things back up and running.



  • @dhendriksen:

    In talking to others, I don't think I'm needing to put the Control4 gear on a separate VLAN.

    I thought you had your C4 gear on a VLAN already. Leave it like it is.

    My intention was more: If there's a VLAN already then take care about the ID in use and the routing between subnets.



  • UniFi units just showed up.  I'll have some time to play with this tonight.  Any pointers I can get between now and then on getting this set up would be great.

    I'm mostly needing help on getting the Guest Wifi and Captive Portal set up as described in my previous post.

    Thanks so much!

    Dan


  • Netgate Administrator

    Ok, as I'm sure you'll be aware the secret to doing anything like this is to do it one step at a time and test at each stage.

    The problem you are going to have here is that as you configure the VLAN ports on the switch and the interfaces on the pfSense box you could easily end up losing connectivity to the webgui of both. Although I said earlier you should avoid having tagged and untagged traffic on the same NIC, I'm now thinking it will be much easier to configure that way. If you do have problems you can always switch to a two VLAN setup.
    So your network will remain the same but you will add a VLAN that connects your guest wireless network to a new interface in the pfSense box.
    I will assume your pfSense box is connected to port 1 on your switch. Connect the Unifi AP to a spare port on the switch, say port 24. This should be all that is necessary to start setting up the AP. I'm not familiar with the Unifi setup so refer to the manual. If it is set to receive an IP via DHCP by default you can check the pfSense DHCP leases to find it and connect right away; otherwise you will have to manually configure a machine to connect to whatever IP it's using. Either way go ahead and set it up: set a password, set an SSID etc, check that you can connect to it and that wireless clients can connect to it and receive a DHCP lease from pfSense. Check they have internet access and can see other machines on the LAN. You may want to disable 'wireless client separation' in the AP. Once you have that all confirmed move on.
    Now you can start at either end setting up the VLAN. In pfSense go to Interfaces: (assign): and go to the VLANs tab. Click the + to add a VLAN. Select your LAN interface as the parent. Choose a VLAN number other than 1, say 100. Enter a description.
    Now go back to Interfaces: (assign): you will see a + has appeared, click it. You should now have a new interface, OPT1, that has 'VLAN 100 on ***' assigned to it. Go to Interfaces: OPT1: and enable the new interface, set its IP (maybe use 192.168.100.1) and remember to change the subnet to /24. Now go to Services: DHCP server: and enable the DHCP server on OPT1. At this point anything connecting to the LAN NIC with VLAN 100 tagged packets should receive an IP. You still need to add firewall rules to OPT1 to allow any traffic.

    In the Unifi AP configure a secondary SSID and set it to use VLAN_100. I'm not sure of the specifics here so refer to the manual!

    In the switch configuration add ports 1 and 24 to VLAN 100.

    Done.  :) Clients connecting to the guest SSID should now receive an IP from pfSense in the OPT1 DHCP server range.

    That last step I can easily see giving headaches though.

    Steve



  • In the Dell switch interface for VLAN 2 (the new one I just made) do I want to TAG or UNTAG egress packets?

    Setup was easy, but it may not be correct as devices trying to connect to the guest network never get assigned an IP address…

    Under interfaces I have enabled the new interface (VLAN2GuestWireless) and under IPv4 configuration type I put DHCP.

    I left everything else blank, except under DHCP client configuration, in the Alias IPv4 address field I put 192.168.2.1/24



  • One thing that is interesting is when I go to Services, and select DHCP Server I only see a tab for LAN, I don't see a tab for VLAN2GuestWireless like I would expect…I wonder why?

    EDIT: So I changed the IPv4 Configuration type to Static IPv4.  Now, when I go to Services: DHCP server there is a tab for VLAN2GUESTWIRELESS.  I checked the box to "Enable DHCP server on VLANGUESTWIRELESS interface".

    The subnet is listed as 192.168.2.0, the subnet mask is 255.255.255.0 and the available range is 192.168.2.1 - 192.168.2.254.

    I set the range to 192.168.2.1 to 192.168.2.254.

    However, when I try to connect, the device is never issued an IP address.  I have the Dell switch set up to UNTAG the egress packets.  I'll change that to TAG and see if it affects things.



  • Okay…so I changed the switch to TAG, and now devices are able to connect and are issued IP addresses in the 192.168.2.x range.

    The only problem...they're not able to access the internet.

    I did set up a rule in the firewall under VLAN2GUESTWIRELESS.  In the rule I have Action set to Pass.  The Interface is VLAN2GUESTWIRELESS.  TCP/IP version is IPv4.  Protocol is TCP (also tried ANY).  I don't have any source, destination or port range selected.

    I'm guessing my problem is here somewhere?


  • Netgate Administrator

    To just get internet access for guest clients you can copy the default LAN rule, just change the source from LAN net to VLAN2GUESTWIRELESS net. That should allow out all traffic, you can always tighten up the rules later. Are you seeing anything in the firewall logs to suggest traffic is being blocked?

    The default dhcp range for LAN starts at 192.168.1.10 leaving some addresses at the low end free for adding static leases for servers, switches etc. You have started your DHCP range for VLAN2GUESTWIRELESS at 192.168.2.1. There are two potential problems with that. The interface address itself is 192.168.2.1. The default address of the switch webgui is 192.168.2.1.
    I suggest you change the subnet of VLAN2GUESTWIRELESS to something other than 192.168.2.X. You could change the switch address but if you have to reset it ever you'll have problems again.

    Steve
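The overlap Steve describes (a DHCP pool that starts at .1 and therefore hands out the interface address and the switch's default management address) is easy to check before committing a configuration. This is an added example, not pfSense code or anything posted in the thread; the subnet names, the assumption that the Dell switch's default management address sits in a /24, and the candidate subnets are all constructed for illustration.

```python
import ipaddress

# Constructed inventory of subnets already in use on this network. The switch
# management subnet is an assumption: the thread only states that the switch
# webgui defaults to 192.168.2.1, not its mask.
OTHER_SUBNETS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "switch mgmt (default, assumed /24)": ipaddress.ip_network("192.168.2.0/24"),
}

# Hosts that must never be handed out by DHCP; the switch address is from the thread.
RESERVED_HOSTS = [("Dell 2724 default management address", "192.168.2.1")]


def check_dhcp_pool(subnet, interface_ip, pool_start, pool_end, reserved=()):
    """Return a list of problems with a DHCP pool; an empty list means it looks sane."""
    net = ipaddress.ip_network(subnet)
    gw = ipaddress.ip_address(interface_ip)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    problems = []
    if gw not in net:
        problems.append(f"interface address {gw} is outside {net}")
    if lo not in net or hi not in net:
        problems.append(f"pool {lo}-{hi} is not inside {net}")
    if lo > hi:
        problems.append(f"pool start {lo} is after pool end {hi}")
    if lo <= gw <= hi:
        problems.append(f"interface address {gw} sits inside the pool")
    for name, host in reserved:
        host = ipaddress.ip_address(host)
        if host != gw and lo <= host <= hi:
            problems.append(f"{name} ({host}) sits inside the pool")
    return problems


def check_subnet_clash(candidate, others=OTHER_SUBNETS):
    """Names of existing subnets that overlap the candidate guest subnet."""
    cand = ipaddress.ip_network(candidate)
    return [name for name, net in others.items() if cand.overlaps(net)]


if __name__ == "__main__":
    # The pool as first configured in the thread (.1 to .254 on 192.168.2.0/24).
    for p in check_dhcp_pool("192.168.2.0/24", "192.168.2.1",
                             "192.168.2.1", "192.168.2.254", RESERVED_HOSTS):
        print("problem:", p)
    # The pool after moving its start to .100, as done later in the thread.
    print("fixed pool problems:", check_dhcp_pool("192.168.2.0/24", "192.168.2.1",
                                                  "192.168.2.100", "192.168.2.254",
                                                  RESERVED_HOSTS))
    # Steve's other suggestion: move the guest VLAN off 192.168.2.x altogether.
    print("192.168.2.0/24 clashes with:", check_subnet_clash("192.168.2.0/24"))
    print("192.168.20.0/24 clashes with:", check_subnet_clash("192.168.20.0/24"))
```

Moving the pool start fixes the lease collision, but as the clash check shows the guest subnet still shares address space with the switch's default management address, which is why Steve suggests a different third octet for the guest VLAN.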



  • Thanks Steve. I changed the DHCP range to start at .100.

    I had to change it from VLAN address to VLAN subnet and now it works.



  • Okay…so I set up a guest user and got the captive portal figured out...IT WORKS!  I modified/personalized the HTML files for login and login error.  I may tweak them more later, but they work well for now.

    I just noticed though...I am now able to access all the stuff I don't want guests to be able to access.  For example, I pinged one of my NAS drives that is at IP 192.168.1.210 and was prompted for the NAS credentials, and was able to pull it up.

    I verified the device connected IP is 192.168.2.100.

    So...I wonder why it's now able to see the 192.168.1.xxx network?



  • I know I'm generating a lot of posts here, and I'm sorry about that.

    So, I edited the VLAN2GUESTWIRELESS Firewall rule and under Destination, I checked the NOT box, and selected the type "LAN Subnet".

    This has appeared to effectively block being able to pull up any 192.168.1.xxx stuff.  When you try to hit an IP on the 192.168.1.xxx LAN it eventually pops up with a page that says "This page cannot be loaded via this proxy.".

    Is this the proper way to handle it?

    EDIT: I was thinking about this as I drove in to work and I realized the better way may be to ONLY allow traffic to the WAN (as opposed to allowing all traffic that's NOT "LAN Subnet").  Would that be better?



  • The principle is good - you want to allow only the traffic that is wanted, and let the default block action drop everything else, whatever it is. The problem with that going out WAN is that actually you want VLAN2GUESTWIRELESS to be allowed to all public IPs out there on the internet - it is more difficult to specify all the possible public IPs than to specify "not the private IP subnet/s on your other LANs".
    Your rule as-is does the job nicely. If you make more LANs in future, then you can make an alias containing all the LAN subnets you want blocked off - call it, say, ProtectedSubnets, then put !ProtectedSubnets in the destination of your general pass rule.
    Or you can put a block rule before the pass rule. Make it block destination "LAN subnet" / "ProtectedSubnets".
    More than 1 way to skin a cat.


  • Netgate Administrator

    Yes, I agree. What you have done is good.
    One thing to be aware of is that you may (though it's not really a problem) not want wireless guests to be able to access the pfSense webgui. You can block access to it on the VLAN2GUESTWIRELESS interface easily enough but guests will still be able to access it on the WAN interface. That caught me out before I realised what was happening. Like I say though it's not much of a risk.

    Steve



  • @stephenw10:

    Yes, I agree. What you have done is good.
    One thing to be aware of is that you may (though it's not really a problem) not want wireless guests to be able to access the pfSense webgui. You can block access to it on the VLAN2GUESTWIRELESS interface easily enough but guests will still be able to access it on the WAN interface. That caught me out before I realised what was happening. Like I say though it's not much of a risk.

    Steve

    So you're saying I should also create a rule NOT allowing access to 192.168.2.1?  Or anything on that subnet probably, right?  I just want anyone connected to that to see the internet, and not be able to see each other.


  • Netgate Administrator

    Yes you probably want people on the guest wireless to access the public internet only. However they will need access to the dns forwarder at 192.168.2.1. Personally I have a rule that allows only traffic to !192.168.1.0/16 plus a rule to access the dns forwarder and a block rule to prevent access to the wan address.

    Steve



  • @stephenw10:

    Yes you probably want people on the guest wireless to access the public internet only. However they will need access to the dns forwarder at 192.168.2.1. Personally I have a rule that allows only traffic to !192.168.1.0/16 plus a rule to access the dns forwarder and a block rule to prevent access to the wan address.

    Steve

    Can you elaborate a little more please, especially on the last two?  Maybe show me a screengrab of the rules?  This is all new to me, including the terminology.

    Thanks,

    Dan


  • Netgate Administrator

    See attached screen shot of my firewall rules for the WIFI2 interface, which I use for guest wireless.
    I have an alias set up that contains a list of my local subnets named LOCAL. In fact it just contains 192.168.0.0/16 because I was lazy creating it.  ::) Looking at it again now I'm wondering if I could add the WAN address aliases to it. Hmm. Also I have two WAN interfaces so the loadbalanced gateway is specified in the allow rule.

    Steve
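The two rule sets discussed above (the single "pass to NOT LAN subnet" rule that Dan started with, and the alias-based set Steve and the earlier reply describe: DNS to the guest gateway allowed, the gateway and WAN address blocked, then pass to everything outside the local alias) differ in what they let a guest reach. The model below is an added example written for this thread, not pfSense code and not the rules in Steve's screenshot; it evaluates rules first-match, the way pfSense interface rules apply, and runs both sets over the same constructed destinations. The WAN address 203.0.113.5 and the test destinations are assumed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# --- aliases, as they would be defined under Firewall: Aliases (constructed values) ---
LAN_SUBNET = [ipaddress.ip_network("192.168.1.0/24")]
GUEST_IF   = [ipaddress.ip_network("192.168.2.1/32")]   # guest gateway / DNS forwarder
WAN_ADDR   = [ipaddress.ip_network("203.0.113.5/32")]   # assumed firewall WAN address
PROTECTED  = [ipaddress.ip_network(n) for n in           # all RFC1918 space, like the LOCAL alias
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    proto: str = "any"             # "any", "tcp", "udp" or "tcp/udp"
    dst: Optional[list] = None     # list of networks; None means any destination
    dst_not: bool = False          # the "NOT" box on the destination field
    dport: Optional[int] = None    # None means any destination port
    note: str = ""


def matches(rule, proto, dst_ip, dport):
    """True if a packet to dst_ip:dport over proto hits this rule."""
    if rule.proto != "any" and proto not in rule.proto.split("/"):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    if rule.dst is not None:
        inside = any(dst_ip in net for net in rule.dst)
        if inside == rule.dst_not:     # inside a negated set, or outside a plain one
            return False
    return True


def evaluate(rules, proto, dst, dport):
    """(action, note) of the first matching rule; unmatched traffic is dropped."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, proto, dst_ip, dport):
            return rule.action, rule.note
    return "block", "default deny"


# Dan's first rule: pass anything whose destination is NOT the LAN subnet.
NAIVE = [Rule("pass", dst=LAN_SUBNET, dst_not=True, note="pass to !LAN subnet")]

# Alias-based set: specific exceptions first, then one pass to non-local space.
HARDENED = [
    Rule("pass", "tcp/udp", GUEST_IF, dport=53, note="DNS to the forwarder"),
    Rule("block", dst=GUEST_IF, note="nothing else on the guest gateway (webgui etc.)"),
    Rule("block", dst=WAN_ADDR, note="webgui is also reachable on the WAN address"),
    Rule("pass", dst=PROTECTED, dst_not=True, note="internet only"),
]


def compare(proto, dst, dport):
    """Action of the naive set and of the hardened set for the same packet."""
    return evaluate(NAIVE, proto, dst, dport)[0], evaluate(HARDENED, proto, dst, dport)[0]


if __name__ == "__main__":
    samples = [("tcp", "93.184.216.34", 443),   # public web server
               ("tcp", "192.168.1.210", 445),   # the NAS on the LAN
               ("udp", "192.168.2.1", 53),      # DNS to the guest gateway
               ("tcp", "192.168.2.1", 443),     # webgui on the guest gateway
               ("tcp", "203.0.113.5", 443),     # webgui via the WAN address
               ("tcp", "10.20.0.5", 22)]        # some other private subnet
    for proto, dst, port in samples:
        naive, hard = compare(proto, dst, port)
        print(f"{proto:3} {dst:>15}:{port:<4} naive={naive:5} hardened={hard}")
```

The interesting rows are the last three: a bare "NOT LAN subnet" rule still lets a guest reach the firewall's own guest-side address, its WAN address and any other private range that is not literally the LAN subnet, which is exactly the gap the block-before-pass ordering and the catch-all local alias close.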




  • This is all really over my head…LOL.

    So, I edited the "no GUI" rule and just blocked all traffic on the guest WiFi VLAN that was going to 192.168.2.1.  Works great.  I can still access it if I want to (why would I?) from the main network, but you can't access it from the guest network.

    Next goal, and maybe you can help me with this, is to somehow restrict the websites my kids can go to on their new iPads (Christmas gift).

    My initial thought is that I create a 3rd WiFi network for them.  Currently I have HH-Secure and HH_Guest.  I'm thinking of adding HH-Kids.  Is there an easier way though?

    What I want to do is whitelist a small group of websites that they're allowed to go to.  Ideally if they try to go to a website that IS NOT on the whitelist, they will be prompted for a username/password to add that site to the whitelist.  This way when my wife realizes they want to go to "CoolNewCartoon.com" and she determines it's safe, she can quickly just give them access on their device without me having to edit the firewall rules.  Is that even possible?

    I think I'll start a new thread for that, as it may be relevant to others as well.


  • Netgate Administrator

    You would usually do that with Squid and Squidguard (or Dansguardian) but if you have a sufficiently small number of sites you might just do it with firewall rules or some sort of captive portal exceptions list. To be honest it might be easiest to do it directly on the iPad; I'm sure there are any number of parental restriction apps available (there are for Android certainly).

    Interesting what you say about your firewall rule. So you have blocked access to the host interface completely but DNS queries are still getting through? Hmm, been a while since I set mine up. Might have been under pfSense 1.2.3 and a lot has changed since then.

    Steve



  • I'm going to be honest Stephen.  I have no idea what the last paragraph/sentence of your post means.

    I don't know how long the list of sites will be, or end up being.  I'm most interested in the ability for the kids to try to view a site for the first time, i.e. disney.com, and it prompting for a username/password.  My wife can then decide if she wants that to be a site they can access, and if so…she can fill out whatever credentials are required (on the device, in this case, the kids' iPad) and they will be allowed to access that site from that point forward.

    Does that make sense?


  • Netgate Administrator

    Ah, sorry about that.  :)
    It's often a delicate balancing act, here on the forum, between coming across incredibly patronising or spouting indecipherable code. Either one can be insulting or confusing or both!

    Can you show us a screen shot of your firewall rule?
    If it's working OK for you then don't worry about it.

    I'm not sure any of the filtering solutions in pfSense will meet your requirements as you have described. All of them would require logging into pfSense and manually making changes, some admin work. I have almost no experience with on device content filtering, none at all on the iPad, but it seems more likely to work in your scenario.

    Steve

