Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Securely allow single wireless client access to QNAP Time Machine on LAN

    Firewalling
    3
    3
    1004
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      JimmyJerry last edited by

      Hi,

      I have a pfsense setup with three interfaces - WAN, LAN and Wireless.

      The LAN can access only WAN and the WIRELESS can access only WAN. Rules forbid any traffic going between Lan and Wireless.

      I have the Time Machine application running on QNAP, and want a single Wireless client to be able to access it.

      I tried to set it up so that the wireless client could access the QNAP ip and only port 548 (ARP port) and this works great. The problem is the Wireless Client also has access to the QNAP file server which I don't want.

      I have the rule locked down to the wireless client static ip and I could also use MAC Address to lock down rule further, but I am wondering are there any reasonably secure ways to allow a single wireless client (and only that client) to access a file server on another subnet? Or is this dangerous and only complete airgaps are the way to go?

      I could set up authentication for the folders on the QNAP, but I would rather not as this complicates matters on my LAN. Or should I just trust in WPA and assume if someone breaks that they will probably break across the subnet to my LAN eventually anyway?

      The only other setup I can think of is plugging in my wireless client to the LAN from time to time to do backups.

      I hope this makes sense, and any ideas  or discussion are much appreciated!

      1 Reply Last reply Reply Quote 0
      • H
        Harvy66 last edited by

        Unless you can trust your IP and MAC addresses, you cannot "Securely" limit access to the QNAP via just the firewall rules. Your best bet is to setup a VPN, so the client must log in and authenticate, so you KNOW it's the correct user, then allow access from the VPN to the QNAP.

        1 Reply Last reply Reply Quote 0
        • johnpoz
          johnpoz LAYER 8 Global Moderator last edited by

          548 TCP = Apple Filing Protocol (AFP) over TCP so not sure where you go the ARP from?

          If you give it access to AFP, then yeah would have access to AFP ;)  What are you wanting it to access but not your file shares?

          As to security - is this a DOD facility and your storing launch codes on this file share ;)  Or is this a home setup..  WPA2 if used with secure PSK is more than secure enough for what it sounds like your doing.  Keeping your guest or other wireless devices you allow on to your wireless network.. This firewall rule would keep those out..  If you want to get anal about it - setup static arp and if some unwanted device got on your wlan, to get to your share they would have to have the IP you allow and the mac..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

          1 Reply Last reply Reply Quote 0
          • First post
            Last post