Netgate Discussion Forum
    Questions about security over wifi

    Wireless | 11 Posts, 3 Posters, 3.4k Views
    doole

      Hello,

      I've installed pfSense 2.1 on my server. I have 2 ports, WAN and LAN. WAN has a public IP and LAN is private. I've enabled the DHCP service in pfSense on the LAN side and connected APs to it (AP addresses are from 192.168.1.2 - .50 and the DHCP pool is from 100-254). The APs have IP addresses from the LAN subnet and DHCP is disabled on them. They are configured as layer 2 devices. Captive portal is up with vouchers. Everything works fine, but the question is:

      How do I separate the clients that get an IP from the DHCP pool so that they can't see my APs? I want to make them transparent for the clients who are using my wifi.
      Also, how can I access my APs from the WAN side?

    johnpoz (LAYER 8 Global Moderator)

        Most APs will not allow you to access their GUIs over wifi anyway - look at their settings. You mention you disabled DHCP on them, so I take it they are re-purposed wireless routers and not true APs?

        But look at your AP security settings to block access to them via wireless.

        Talk about lack of security - why would you want to access an AP from the internet? I would suggest you VPN into your network to access stuff like APs. But if you want to, it's a simple port forward to their IPs.

        [Attachment: wirelessaccess.png]

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

    doole

          @johnpoz:

          > I take it they are re-purposed wireless routers and not true AP?

          Yes they are. They are D-Link DIR-615s, but I doubt that they have an option to restrict wireless access to the GUI.

    johnpoz (LAYER 8 Global Moderator)

            Just looked at the emulator for that – didn't see it. So another option: change their LAN IP to not be on your network.

            So your network is 192.168.1.0/24 -- just plug a wire into your APs and put them on a network of, say, 172.16.1.0/24. Now the only way you can access them is if you put a client on that 172.16.1.0/24 -- your wired and wireless clients that get a 192.168.1.0/24 address will not be able to talk to them.

    doole
            • D

              I see that dd-wrt works on those routers. Do you think it is worth putting dd-wrt on them for the wifi restrict option?

    doole

                What if I make an alias for the LAN network?

                I'll have 192.168.1.0/24 for DHCP and 192.168.2.0/24 for the APs, so the wifi clients won't know the IP addresses of the APs. Is something like that possible in pfSense?

    johnpoz (LAYER 8 Global Moderator)

                  ^ Did you not read my post? That is exactly what I said you could do ;) What does it have to do with pfSense? The IP address on an AP is used for nothing but to access its GUI. It really has no use after you have set up the wireless how you want it, and pfSense does not need an IP on that network.

                  When you need to connect to the AP to change something - just plug a box into your network with its IP set to be in that network.

    Derelict (LAYER 8 Netgate)

                    This is what management VLANs are for. But the DIR-615 won't do that. Are you really saying you're trying to deploy a Wi-Fi network using 50(!) DIR-615s?

                    Even if the APs don't allow management connections over Wi-Fi, that won't stop people from connecting to every AP but the one they're connecting to.

                    If wireless clients need to be able to talk to each other, I don't know how to solve your problem other than with another IP network scheme on the same layer 2 segment for just the APs, as has been mentioned. Anyone could then statically assign an IP address on that network and access them. That they exist will be plain to anyone with Wireshark. Maybe dd-wrt or Tomato can solve your problems.

                    If clients do not need to talk to each other, then you need to isolate the switchports going to the APs with a managed switch and asymmetric VLANs, Private VLAN edge, or full Private VLANs, and turn on wireless isolation in all the APs.

                    Not a pfSense problem. You have a management VLAN / layer 2 isolation problem. When you use the cheapest gear possible, that's what you get.

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

    johnpoz (LAYER 8 Global Moderator)
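To make the difference between the two approaches in this thread concrete, here is an added Python model (not code from any poster or from pfSense) of when a host can reach an AP's management address. It assumes a host can deliver directly only to addresses inside its own subnet on its own layer-2 segment, and otherwise must hand the packet to a gateway that has an interface in the destination network and a policy allowing the flow. All addresses, VLAN numbers and host names are constructed for the example; the third scenario adds a default-deny inter-VLAN policy on the router, which the thread implies but does not spell out.

```python
"""Model which hosts can reach an AP's management IP under the three schemes
discussed: one flat subnet, a second subnet on the same layer-2 segment, and a
management VLAN behind a managed switch. All values are constructed examples."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


@dataclass(frozen=True)
class Host:
    name: str
    iface: IPv4Interface            # address/prefix, e.g. 192.168.1.150/24
    vlan: int                       # layer-2 broadcast domain the host sits in
    gateway: IPv4Address | None = None


@dataclass
class Router:
    """The firewall/router (pfSense in the thread): one interface per VLAN it
    participates in, plus a default-deny inter-VLAN policy expressed as
    (source network, destination VLAN) pairs that are allowed to pass."""
    ifaces: dict[int, IPv4Interface]
    allow: set[tuple[IPv4Network, int]] = field(default_factory=set)


def on_link(src: Host, dst: Host) -> bool:
    """Direct delivery needs the same broadcast domain AND dst inside src's subnet."""
    return src.vlan == dst.vlan and dst.iface.ip in src.iface.network


def reachable(src: Host, dst: Host, router: Router) -> str:
    """'direct', 'routed', 'blocked' (path exists, policy denies) or 'unreachable'."""
    if on_link(src, dst):
        return "direct"
    # Hop via the default gateway: it must be the router's interface in src's VLAN
    # and lie inside src's own subnet, otherwise src cannot even ARP for it.
    gw = router.ifaces.get(src.vlan)
    if (src.gateway is None or gw is None or gw.ip != src.gateway
            or src.gateway not in src.iface.network):
        return "unreachable"
    # The router must have an interface in dst's VLAN that covers dst's address.
    dst_if = router.ifaces.get(dst.vlan)
    if dst_if is None or dst.iface.ip not in dst_if.network:
        return "unreachable"
    if any(src.iface.ip in net and vlan == dst.vlan for net, vlan in router.allow):
        return "routed"
    return "blocked"


def scenario_same_subnet() -> str:
    """Thread's starting point: APs and DHCP clients share 192.168.1.0/24."""
    ap = Host("ap1", IPv4Interface("192.168.1.2/24"), vlan=1)
    client = Host("wifi-client", IPv4Interface("192.168.1.150/24"), vlan=1,
                  gateway=IPv4Address("192.168.1.1"))
    pfsense = Router({1: IPv4Interface("192.168.1.1/24")})
    return reachable(client, ap, pfsense)


def scenario_second_subnet_same_l2() -> tuple[str, str]:
    """johnpoz's suggestion: renumber the APs to 172.16.1.0/24 on the same wire.
    A DHCP client cannot reach them, but a client that sets a static 172.16.1.x
    address can (Derelict's caveat)."""
    ap = Host("ap1", IPv4Interface("172.16.1.2/24"), vlan=1)
    dhcp_client = Host("wifi-client", IPv4Interface("192.168.1.150/24"), vlan=1,
                       gateway=IPv4Address("192.168.1.1"))
    static_client = Host("static-client", IPv4Interface("172.16.1.200/24"), vlan=1)
    pfsense = Router({1: IPv4Interface("192.168.1.1/24")})
    return reachable(dhcp_client, ap, pfsense), reachable(static_client, ap, pfsense)


def scenario_management_vlan() -> tuple[str, str, str]:
    """Management VLAN 10 on a managed switch. A static address no longer helps
    because the client is in a different broadcast domain; the only way in is
    through the router, where policy admits just the admin network."""
    ap = Host("ap1", IPv4Interface("172.16.1.2/24"), vlan=10)
    dhcp_client = Host("wifi-client", IPv4Interface("192.168.1.150/24"), vlan=1,
                       gateway=IPv4Address("192.168.1.1"))
    static_client = Host("static-client", IPv4Interface("172.16.1.200/24"), vlan=1)
    admin = Host("admin", IPv4Interface("192.168.50.10/24"), vlan=50,
                 gateway=IPv4Address("192.168.50.1"))
    pfsense = Router(
        {1: IPv4Interface("192.168.1.1/24"),
         10: IPv4Interface("172.16.1.1/24"),
         50: IPv4Interface("192.168.50.1/24")},
        allow={(IPv4Network("192.168.50.0/24"), 10)},
    )
    return (reachable(dhcp_client, ap, pfsense),
            reachable(static_client, ap, pfsense),
            reachable(admin, ap, pfsense))


if __name__ == "__main__":
    print("same subnet:          ", scenario_same_subnet())
    print("second subnet, same L2:", scenario_second_subnet_same_l2())
    print("management VLAN:      ", scenario_management_vlan())
```

The second scenario is the one the thread settles on, and the model shows why Derelict calls it a layer-2 problem: the DHCP client is kept out only by its address configuration, which is under the client's control. In the third scenario the switch, not the client, decides which broadcast domain the AP lives in, and the router's rule set decides who may cross into it; that is the part pfSense can enforce once a management VLAN exists.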

                      > to deploy a Wi-Fi network using 50(!) DIR-615s?

                      Where did you get that idea from? From this: "(aps addresses are from 192.168.1.2 -1.50 and"?? Hmm, I read it that he has a couple in that range - but sure, if this is some type of business deployment and you're using repurposed home SOHO routers, cheap ones at that, and 50 of them are deployed, you're out of your mind!!!

                      But why would he have 50 APs, and then only 150-some clients? "and dhcp pool is from 100-254)."

                      That makes no sense ;)

    Derelict (LAYER 8 Netgate)

                        "aps addresses are from 192.168.1.2 -1.50" - more than one AP, between .2 and .50. That's where I got it. It'd be nice to get some details. All the isolation techniques I mentioned are the same for 2 or 200 APs.

                        > But why would he have 50 AP, and then only a 150 some clients? and dhcp pool is from 100-254).

                        That's a direct correlation to the density of associations vs. the area covered. Good luck getting more than about 15 simultaneous associations on a DIR-615. Then again, I've never tried it. People pay good money for the Wi-Fi I run, so I would never try that on a home router (not even really an AP).

                        I have a DIR-615 behind my TV in my bedroom. That's what they're designed to do.

    johnpoz (LAYER 8 Global Moderator)

                          Yeah, I am with you, I would never use a 615 in a commercial setup.

                          So Las Vegas, huh, whereabouts? I grew up there - left in '83, graduated from Western HS. Alta & Decatur was a decent-sized intersection.