Access point and clients which can only use the internet



  • Hi,

    I have a pfSense router (IP 192.168.0.254, works as internet router over DSL). Works great. Now I want to integrate a little access point I bought (Edimax) to access the internet (IP 192.168.0.2).
    With this access point, I want the clients to get an IP address from the DHCP server (Win 2003, IP 192.168.0.1) and to be able to connect to the internet.
    I don't want the clients of the access point to use the local network; only internet over the pfSense router is allowed.

    Which rules must I add to the firewall so that the clients connected via 192.168.0.2 can get a DHCP address from the Windows server and can connect to the internet?

    Or is it better to connect the access point to the second LAN port of my pfSense ALIX and set up its own DHCP server on this port? How must I configure the LAN port to achieve my task?

    Thank you.

    Arti.



  • Or is it better to connect the access point to the second LAN port of my pfSense ALIX and set up its own DHCP server on this port?

    Yes - you cannot stop the WiFi AP clients from trying to access hard-wired LAN devices if they are on the same physical network.

    How must I configure the LAN port to achieve my task?

    Interfaces->Assign vr2 to OPT1.
    Interfaces->OPT1 - give it a static IP in a different private address space e.g. 192.168.42.1/24
    Enable DHCP Server on OPT1 with some range of addresses in 192.168.42.n
    Add rules on OPT1 to do what you want. Most likely you want OPT1 devices to access internet, but not pfSense webGUI or LAN - something like:

    • Pass IPv4 protocol TCP/UDP source OPT1net destination OPT1 address port 53 (DNS)
    • Block IPv4 protocol any source any destination OPT1 address (stop other access to OPT1 address - webGUI…)
    • Block IPv4 protocol any source any destination LAN net (stop access to LAN)
    • Pass IPv4 protocol any source OPT1net destination any (allow everything else - the public internet)

    Set the WiFi AP to an IP address in OPT1net so you can manage it (192.168.42.2) and plug a cable from it into OPT1.

    Connect a client to WiFi AP - it should get an IP address from pfSense OPT1 and work.
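
The order of the four OPT1 rules in the answer above matters because pfSense evaluates an interface's rules top-down and the first match wins, with unmatched traffic blocked. The sketch below is an added example (not part of the original posts and not pfSense code) that replays that ordering over constructed packets; the LAN subnet 192.168.0.0/24, the client address 192.168.42.50 and the probed ports are assumptions.

```python
"""First-match evaluation of the four OPT1 rules from the answer above.

Added illustration, not pfSense code. Addresses are the thread's examples;
the LAN is assumed to be 192.168.0.0/24 and sample packets are constructed.
"""
from ipaddress import ip_address, ip_network

OPT1_NET = ip_network("192.168.42.0/24")
OPT1_ADDR = ip_network("192.168.42.1/32")   # pfSense's own OPT1 address
LAN_NET = ip_network("192.168.0.0/24")      # assumed from the question's IPs
ANY = ip_network("0.0.0.0/0")

# (action, protocols, source, destination, destination port or None for any)
RULES = [
    ("pass",  {"tcp", "udp"}, OPT1_NET, OPT1_ADDR, 53),
    ("block", None,           ANY,      OPT1_ADDR, None),
    ("block", None,           ANY,      LAN_NET,   None),
    ("pass",  None,           OPT1_NET, ANY,       None),
]

def evaluate(rules, proto, src, dst, dport=None):
    """Return the action of the first matching rule; unmatched traffic is blocked."""
    src, dst = ip_address(src), ip_address(dst)
    for action, protos, src_net, dst_net, port in rules:
        if protos is not None and proto not in protos:
            continue
        if src not in src_net or dst not in dst_net:
            continue
        if port is not None and dport != port:
            continue
        return action
    return "block"  # default deny when no rule matches

def audit(rules):
    """Evaluate constructed packets from a WiFi client at 192.168.42.50."""
    client = "192.168.42.50"
    return {
        "dns_to_pfsense": evaluate(rules, "udp", client, "192.168.42.1", 53),
        "webgui":         evaluate(rules, "tcp", client, "192.168.42.1", 443),
        "lan_server":     evaluate(rules, "tcp", client, "192.168.0.1", 445),
        "internet_https": evaluate(rules, "tcp", client, "203.0.113.10", 443),
    }

if __name__ == "__main__":
    for name, action in audit(RULES).items():
        print(f"{name:15} {action}")
    # Moving the broad pass rule to the top would expose the LAN:
    print("misordered lan:", evaluate([RULES[3]] + RULES[:3], "tcp",
                                      "192.168.42.50", "192.168.0.1", 445))
```

Running the same packets against a reordered list is a quick way to check a planned rule change before applying it in the GUI.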



  • Phil, thank you.

    Arti.

