Securely allow single wireless client access to QNAP Time Machine on LAN
I have a pfSense setup with three interfaces - WAN, LAN and Wireless.
The LAN can access only WAN and the WIRELESS can access only WAN. Rules forbid any traffic going between LAN and Wireless.
I have the Time Machine application running on QNAP, and want a single Wireless client to be able to access it.
I tried to set it up so that the wireless client could access the QNAP IP and only port 548 (ARP port) and this works great. The problem is the wireless client also has access to the QNAP file server which I don't want.
I have the rule locked down to the wireless client static IP and I could also use the MAC address to lock down the rule further, but I am wondering are there any reasonably secure ways to allow a single wireless client (and only that client) to access a file server on another subnet? Or is this dangerous and only complete air gaps are the way to go?
I could set up authentication for the folders on the QNAP, but I would rather not as this complicates matters on my LAN. Or should I just trust in WPA and assume if someone breaks that they will probably break across the subnet to my LAN eventually anyway?
The only other setup I can think of is plugging in my wireless client to the LAN from time to time to do backups.
I hope this makes sense, and any ideas or discussion are much appreciated!
Unless you can trust your IP and MAC addresses, you cannot "securely" limit access to the QNAP via just the firewall rules. Your best bet is to set up a VPN, so the client must log in and authenticate, so you KNOW it's the correct user, then allow access from the VPN to the QNAP.
548 TCP = Apple Filing Protocol (AFP) over TCP, so not sure where you got the ARP from?
If you give it access to AFP, then yeah, it would have access to AFP ;) What are you wanting it to access but not your file shares?
As to security - is this a DoD facility and you're storing launch codes on this file share ;) Or is this a home setup.. WPA2, if used with a secure PSK, is more than secure enough for what it sounds like you're doing. As for keeping out your guest or other wireless devices you allow onto your wireless network.. this firewall rule would keep those out.. If you want to get anal about it - set up static ARP, and if some unwanted device got on your WLAN, to get to your share they would have to have the IP you allow and the MAC..
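The policy described in the question (each internal network reaches only the WAN, one wireless host reaches the QNAP on TCP 548 only), written as a pf ruleset, the packet filter pfSense runs on. This is an added example, not from the original post or from pfSense's generated rules; the interface names, addresses and the "backup_client" name are assumed placeholders.

```pf
# Assumed placeholders: interface names and addresses are not from the thread.
wan_if  = "em0"
lan_if  = "em1"
wlan_if = "em2"

lan_net       = "192.168.1.0/24"
wlan_net      = "192.168.2.0/24"
qnap          = "192.168.1.10"   # QNAP on the LAN
backup_client = "192.168.2.50"   # the one wireless client with a static IP

set skip on lo0
# Default state policy is "floating", so a state created by an inbound rule
# on $wlan_if also matches the same connection leaving on $lan_if.
set state-policy floating

# Default deny on every interface; anything not explicitly passed is dropped.
block log all

# The single exception, evaluated first: one source host, one destination
# host, TCP 548 (AFP) only.  Nothing else from the wireless side reaches the LAN.
pass in quick on $wlan_if inet proto tcp from $backup_client to $qnap port 548 \
    flags S/SA keep state

# No other traffic between the two internal networks, in either direction.
block in quick on $wlan_if inet from $wlan_net to $lan_net
block in quick on $lan_if  inet from $lan_net  to $wlan_net

# Each internal network may reach the WAN (everything not matched above).
pass in  quick on $lan_if  inet from $lan_net  to any keep state
pass in  quick on $wlan_if inet from $wlan_net to any keep state
pass out quick on $wan_if  inet keep state
```

The rule only proves the packet's source address was 192.168.2.50, which is why the static ARP entry suggested above (set on the firewall host with arp(8), or via the static ARP option in pfSense's DHCP server settings) or a VPN is needed to tie that address to a particular device or user.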