Questions about security over wifi



  • Hello,

I've installed pfSense 2.1 on my server. I have 2 ports, WAN and LAN. WAN has a public IP and LAN is private. I've enabled the DHCP service in pfSense on the LAN side and connected APs to it (AP addresses are from 192.168.1.2-1.50 and the DHCP pool is from 100-254). The APs have IP addresses from the LAN subnet and DHCP is disabled on them. They are configured as layer 2 devices. Captive portal is up with vouchers. Everything works fine, but the question is:

How do I separate the clients who get an IP from the DHCP pool so that they can't see my APs? I want to make them transparent for the clients who are using my Wi-Fi.
    Also, how can I access my APs from the WAN side?


  • Rebel Alliance Global Moderator

Most APs will not allow you to access their GUIs over Wi-Fi anyway; look at their settings. You mention you disabled DHCP on them, so I take it they are repurposed wireless routers and not true APs?

But look at your AP security settings to block access to them via wireless.

Talk about lack of security: why would you want to access an AP from the internet? I would suggest you VPN into your network to access things like APs. But if you want to, it's a simple port forward to their IPs.




  • @johnpoz:

    I take it they are re-purposed wireless routers and not true AP?

Yes they are. They are D-Link DIR-615s, but I doubt that they have an option to restrict wireless access to the GUI.


  • Rebel Alliance Global Moderator

Just looked at the emulator for that; didn't see it. So another option: change their LAN IP to not be on your network.

So your network is 192.168.1.0/24. Just plug a wire into your APs and put them on another network, say 172.16.1.0/24. Now the only way you can access them is if you put a client on that 172.16.1.0/24. Your wired and wireless clients that get a 192.168.1.0/24 address will not be able to talk to them.



I see that dd-wrt works on those routers. Do you think it is worth putting dd-wrt on them for the Wi-Fi restriction option?



What if I make an alias for the LAN network?

    I'll have 192.168.1.0/24 for DHCP and 192.168.2.0/24 for the APs, so the Wi-Fi clients won't know the IP addresses of the APs. Is something like that possible in pfSense?


  • Rebel Alliance Global Moderator

^ Did you not read my post? That is exactly what I said you could do ;) What does it have to do with pfSense? The IP address on an AP is used for nothing but accessing its GUI. It really has no use after you have set up the wireless how you want it, and pfSense does not need an IP on that network.

When you need to connect to the AP to change something, just plug in a box on your network with its IP set to be in that network.


  • Netgate

    This is what management VLANs are for.  But the DIR-615 won't do that.  Are you really saying you're trying to deploy a Wi-Fi network using 50(!) DIR-615s?

    Even if the APs don't allow management connections over Wi-Fi, that won't stop people from connecting to every AP but the one they're connecting to.

If wireless clients need to be able to talk to each other, I don't know how to solve your problem other than with another IP network scheme on the same layer 2 segment for just the APs, as has been mentioned. Anyone could then statically assign an IP address on that network and access them. That they exist will be plain to anyone with Wireshark. Maybe dd-wrt or tomato can solve your problems.

If clients do not need to talk to each other, then you need to isolate the switchports going to the APs with a managed switch and asymmetric VLANs, Private VLAN edge, or full Private VLANs, and turn on wireless isolation in all the APs.

    Not a pfSense problem.  You have a Management VLAN/layer 2 isolation problem.  When you use the cheapest gear possible, that's what you get.
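The two isolation options discussed above (a second IP scheme on the same layer 2 segment versus a real management VLAN), as an added example that is not part of the thread: a small Python model of a broadcast domain showing why re-addressing the APs only hides them from well-behaved clients, while a separate VLAN also defeats a client that self-assigns an address. The host names and the 172.16.1.200 address are assumptions; the subnets are the ones from the thread, and the model deliberately ignores wireless isolation and AP-side GUI restrictions.

```python
# Added example (not from the thread): a toy model of why a separate IP subnet
# for the APs on the same layer 2 segment is not isolation, while a separate
# VLAN (separate broadcast domain) is.  Host names and the .200 address are
# assumptions; the subnets are the ones discussed in the thread.
import ipaddress


class Host:
    def __init__(self, name, *cidrs):
        self.name = name
        self.addrs = [ipaddress.ip_interface(c) for c in cidrs]

    def add_addr(self, cidr):
        # Equivalent of a client running `ip addr add 172.16.1.200/24 dev wlan0`:
        # nothing on the network has to permit it.
        self.addrs.append(ipaddress.ip_interface(cidr))


class Segment:
    """One broadcast domain: a switch VLAN plus the APs bridging Wi-Fi into it."""

    def __init__(self):
        self.hosts = []

    def attach(self, host):
        self.hosts.append(host)
        return host

    def arp(self, target):
        # ARP who-has is flooded to every port in the broadcast domain, and the
        # owner answers regardless of which subnet the asker believes it is on.
        for h in self.hosts:
            if any(a.ip == target for a in h.addrs):
                return h
        return None

    def can_reach(self, src, dst_ip):
        dst = ipaddress.ip_address(dst_ip)
        # The routing decision is purely local to src: it delivers on-link only
        # if one of its own addresses shares a subnet with dst.  Otherwise the
        # packet goes to the default gateway (pfSense), which in this setup has
        # no interface in 172.16.1.0/24 and drops it.
        if not any(dst in a.network for a in src.addrs):
            return False
        return self.arp(dst) is not None


def aps_in_client_subnet():
    """Original setup: APs at 192.168.1.2+ on the same /24 the DHCP pool uses."""
    lan = Segment()
    lan.attach(Host("ap1", "192.168.1.2/24"))
    client = lan.attach(Host("voucher-client", "192.168.1.100/24"))
    return lan.can_reach(client, "192.168.1.2")  # True: the GUI is one hop away


def aps_in_separate_subnet_same_l2():
    """APs re-addressed to 172.16.1.0/24 but still on the same cable plant."""
    lan = Segment()
    lan.attach(Host("ap1", "172.16.1.2/24"))
    client = lan.attach(Host("voucher-client", "192.168.1.100/24"))
    before = lan.can_reach(client, "172.16.1.2")  # False for a well-behaved client
    client.add_addr("172.16.1.200/24")            # the static-assign trick (assumed address)
    after = lan.can_reach(client, "172.16.1.2")   # True: same broadcast domain
    return before, after


def aps_in_management_vlan():
    """Management VLAN / isolated switchports: the AP management IPs live in a
    different broadcast domain, so the static-address trick gets no ARP reply."""
    mgmt = Segment()
    clients = Segment()
    mgmt.attach(Host("ap1", "172.16.1.2/24"))
    client = clients.attach(Host("voucher-client", "192.168.1.100/24"))
    client.add_addr("172.16.1.200/24")
    return clients.can_reach(client, "172.16.1.2")  # False


if __name__ == "__main__":
    print("APs in client subnet, reachable:", aps_in_client_subnet())
    print("Separate subnet, same L2 (before/after static IP):",
          aps_in_separate_subnet_same_l2())
    print("Management VLAN, reachable:", aps_in_management_vlan())
```

The second scenario is the one to keep in mind: the only thing stopping a captive-portal client from reaching 172.16.1.2 is the client's own routing table, which the client controls. Only the third scenario, a separate broadcast domain, takes that choice away from the client, which is why the reply above calls it a management VLAN problem rather than a pfSense one.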


  • Rebel Alliance Global Moderator

    to deploy a Wi-Fi network using 50(!) DIR-615s?

Where did you get that idea from? From this: "(aps addresses are from 192.168.1.2 -1.50 and"?? Hmm, I read it that he has a couple in that range, but sure, if this is some type of business deployment and you're using repurposed home SOHO routers, cheap ones at that, and 50 of them are deployed, you're out of your mind!!!

But why would he have 50 APs and then only 150-some clients? ("and dhcp pool is from 100-254").

    That makes no sense ;)


  • Netgate

"aps addresses are from 192.168.1.2 -1.50": more than one AP, between .2 and .50. That's where I got it. It'd be nice to get some details. All the isolation techniques I mentioned are the same for 2 or 200 APs.

But why would he have 50 APs and then only 150-some clients? ("and dhcp pool is from 100-254").

That's a direct correlation to the density of associations vs. the area covered. Good luck getting more than about 15 simultaneous associations on a DIR-615. Then again, I've never tried it. People pay good money for the Wi-Fi I run, so I would never try that on a home router (not even really an AP).

    I have a DIR-615 behind my TV in my bedroom.  That's what they're designed to do.


  • Rebel Alliance Global Moderator

Yeah, I am with you; I would never use a 615 in a commercial setup.

So Las Vegas, huh? Whereabouts? I grew up there, left in '83, graduated from Western HS. Alta & Decatur was a decent-sized intersection.