Quick and dirty rule for isolating a wifi access point from LAN + allowing Internet



  • I set up a VLAN to serve a wifi AP for my guests. I need to separate their traffic from my internal LAN so, basically, I want to allow these users to connect to the Internet and NOT see my LAN.

    conf:

    Internet: PPP WAN Interface
    LAN: 192.168.1.0/24
    VLAN: 192.168.10.0/24 (DHCP server enabled).

    firewall rule:

    action: allow
    interface: VLAN10
    protocol: all
    source: VLAN10 subnet
    destination: WAN interface OR WAN subnet?

    Do I need to setup an Advanced option for Gateway?


  • LAYER 8 Global Moderator

    Just create a rule that says !lan net,

    example




  • What John said… An inverse (not) firewall rule on the WAP interface will allow all traffic heading to any network/host that isn't your LAN net.



  • Could someone attack the pfSense box from the AP/WLAN interface? That rule protects the LAN; what about the firewall itself?



  • It can be easiest and clearest to put some block rules first on your VLAN10-WLAN interface.
    0. Pass protocol TCP/UDP, source all, destination VLAN10address port DNS (53) - let the VLAN10 users get DNS from pfSense
    1. Block protocol all, source all, destination VLAN10address - block any attempt to connect to stuff on the firewall (webGUI, ssh…)
    2. Block protocol all, source all, destination LANnet - block connections to LAN devices, including pfSense LANaddress
    3. Pass whatever you like - e.g. a general pass all rule - pass protocol all, source all, destination all
      Note: You can use source VLAN10net in the rules, it really amounts to the same thing as source all in this case, since anything arriving on VLAN10 interface will have a VLAN10net IP. That would be different if you had other subnets on other routers behind VLAN10, but you don't.

    Edit: 3 Jan 2014, add rule 0 - thanks Derelict, I keep forgetting little bits like that when posting!!!


  • LAYER 8 Netgate

    I sometimes just create an rfc1918 alias containing 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8. Then:

    pass icmp echo req from lan net to lan address
    pass dns from lan net to dns_server_ip
    pass from lan net to ! rfc1918
    (default deny any any)

    If I have lots of different guest interfaces I might use floating rules for DNS traffic, etc.

    Then guests can ping the gateway should they need to but can't get to any other private LANs I might have configured be they OpenVPN, test, whatever.  Nor can they get at the webConfigurator or ssh port for pfSense on LAN address.

    This works as long as I don't have public IPs on the private side of the firewall.  IPv6 is, of course, a different subject.



  • Hi phil.davis,

    your # 1) rule correctly blocks the WebGUI, but also blocks Internet access. This AP is needed to allow my guests to access Internet (and only Internet; not my LAN, not the WebGUI, not the pfsense machine). This thing is drivin' me crazy  :'(  ;)


  • LAYER 8 Netgate

    @panz:

    Hi phil.davis,

    your # 1) rule correctly blocks the WebGUI, but also blocks Internet access.

    If the LAN you're looking to isolate is using pfSense as its DNS forwarder, you'll need to add:

    Pass TCP/UDP source * * dest VLAN10 Address DNS (53)

    Before the "1) Block protocol all, source all, destination VLAN10address - block any attempt to connect to stuff on the firewall (webGUI, ssh…)" rule.



  • If the LAN you're looking to isolate is using pfSense as its DNS forwarder, you'll need to add:

    Pass TCP/UDP source * * dest VLAN10 Address DNS (53)

    Before the "1) Block protocol all, source all, destination VLAN10address - block any attempt to connect to stuff on the firewall (webGUI, ssh…)" rule.

    Post updated - thanks for pointing out my overzealous blocking advice.
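
    Added example, not code from the thread or from pfSense: a small Python model of pfSense's first-match ("quick") interface rules, run over the three rule sets proposed above - the single "!LAN net" pass rule, phil.davis's ordered block-then-pass list, and Derelict's rfc1918 alias approach - plus phil.davis's list with rule 0 placed after rule 1, which reproduces the "DNS blocked" symptom panz reported. Assumptions not stated in the thread: pfSense's VLAN10 address is 192.168.10.1 and its LAN address 192.168.1.1; Derelict's "lan net", "lan address" and dns_server_ip are read as the guest VLAN10 net and pfSense's VLAN10 address; ICMP type (echo request) is not modelled, only the protocol; the probe destinations are constructed. Source addresses are ignored, since everything arriving on VLAN10 carries a VLAN10 net address, as phil.davis notes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ip = ipaddress.ip_address
net = ipaddress.ip_network

LAN_NET = net("192.168.1.0/24")       # from the thread
VLAN10_ADDR = ip("192.168.10.1")      # assumed: pfSense's own address on VLAN10
LAN_ADDR = ip("192.168.1.1")          # assumed: pfSense's own address on LAN
RFC1918 = [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")]  # Derelict's alias


@dataclass
class Rule:
    action: str               # "pass" or "block"
    proto: str                # "any", "icmp", "tcp", "udp" or "tcp/udp"
    dst: object               # "any", an address, a network, or a list of networks (an alias)
    dport: Optional[int] = None
    negate_dst: bool = False  # the GUI's "invert match" (!) on the destination


def _dst_hit(dst, addr):
    if dst == "any":
        return True
    if isinstance(dst, list):
        return any(addr in n for n in dst)
    if isinstance(dst, ipaddress.IPv4Address):
        return addr == dst
    return addr in dst


def evaluate(rules, proto, dst_addr, dport=None):
    """pfSense interface-tab rules are 'quick': the first matching rule decides,
    and anything that matches no rule falls through to the implicit default deny."""
    for r in rules:
        if r.proto != "any" and proto not in r.proto.split("/"):
            continue
        if _dst_hit(r.dst, dst_addr) == r.negate_dst:   # no hit, or hit on an inverted rule
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "block"


# The second reply: one pass rule to anything that is not LAN net.
NOT_LAN_ONLY = [Rule("pass", "any", LAN_NET, negate_dst=True)]

# phil.davis's ordered list (rule 0 added after Derelict's comment).
PHIL_RULES = [
    Rule("pass", "tcp/udp", VLAN10_ADDR, dport=53),  # 0. DNS from pfSense
    Rule("block", "any", VLAN10_ADDR),               # 1. anything else aimed at the firewall's VLAN10 address
    Rule("block", "any", LAN_NET),                   # 2. LAN net, including pfSense's LAN address
    Rule("pass", "any", "any"),                      # 3. everything else
]

# Derelict's alias approach; default deny covers everything not listed.
DERELICT_RULES = [
    Rule("pass", "icmp", VLAN10_ADDR),               # ping the gateway (ICMP type not modelled)
    Rule("pass", "tcp/udp", VLAN10_ADDR, dport=53),  # DNS to dns_server_ip, assumed to be pfSense on VLAN10
    Rule("pass", "any", RFC1918, negate_dst=True),   # to anything that is not private address space
]

# phil.davis's list with the DNS rule below the block: the ordering mistake panz hit.
MISORDERED = [PHIL_RULES[1], PHIL_RULES[0]] + PHIL_RULES[2:]

# Constructed probes: (protocol, destination, destination port)
PROBES = {
    "dns_to_firewall":     ("udp", VLAN10_ADDR, 53),
    "webgui_on_vlan10":    ("tcp", VLAN10_ADDR, 443),
    "webgui_on_lan_addr":  ("tcp", LAN_ADDR, 443),
    "lan_host_smb":        ("tcp", ip("192.168.1.50"), 445),
    "openvpn_tunnel_host": ("tcp", ip("10.8.0.1"), 22),   # another private net behind pfSense
    "internet_https":      ("tcp", ip("93.184.216.34"), 443),
    "ping_gateway":        ("icmp", VLAN10_ADDR, None),
}


def verdicts(rules):
    """Evaluate every probe against a rule set; returns {probe name: 'pass'|'block'}."""
    return {name: evaluate(rules, *probe) for name, probe in PROBES.items()}


if __name__ == "__main__":
    for label, rules in [("!LAN net only", NOT_LAN_ONLY), ("phil.davis", PHIL_RULES),
                         ("Derelict rfc1918", DERELICT_RULES), ("rule 0 after rule 1", MISORDERED)]:
        print(f"{label:22s} {verdicts(rules)}")
```

    Running it shows the point raised in the thread: the lone "!LAN net" rule lets guests reach the webGUI on the VLAN10 address and any other private network behind pfSense (the OpenVPN probe), phil.davis's list closes the firewall but still passes the OpenVPN probe because only LAN net is blocked, Derelict's alias closes all private space, and moving the DNS pass below the block makes DNS to pfSense fail, which is exactly the symptom panz described.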

