How to segment wireless traffic from LAN traffic?
-
My apologies up front if this has been answered already (it most certainly has, but I couldn't seem to find anything about it myself). I currently have a PFSense box setup like so:
Cable Modem <–> PFSense Box <--> Unmanaged switch <--> Internal Network
|
|-->Wireless APThe wireless AP is UniFi AP (from Ubiquiti Networks, 802.11N). Everything is working just as it should. However, I do not feel comfortable with all the wireless traffic bypassing the PFSense box, and was thinking about adding a 3rd Intel NIC to connect the Wireless AP into so it would look more like this:
Cable Modem <--> PFSense Box <--> Unmanaged switch <--> Internal Network
|
|-->Wireless APMy question is would I have any issues that would prop themselves up, versus the setup that I currently have? The only thing that I worry about is being able to access certain internal resources from my wireless devices. Since I would most likely put the Wireless devices on their own separate VLAN (and by extension their own IP address range) would there be something I would need to implement to ensure security (maybe having RADIUS setup on the PFSense box itself, etc?). Any assistance and suggestions you could bring to the table would be welcomed and appreciated. Thanks again in advance.
-
Why would you put the wireless on a separate vlan (not sure that would even work) in that setup)?
They are on a separate interface and will not be able to talk to each other by default. All you need to do would be set appropriate rules for any traffic you want to be able to cross between wifi <–> lan.
-
didn't you ask this same question here https://forum.pfsense.org/index.php?topic=79678.0
-
I commend you on the subject just to let others know.
-
didn't you ask this same question here https://forum.pfsense.org/index.php?topic=79678.0
You are correct. I was planning on deleting this thread and going off of that other one since I figured more people go to the General Section versus Wireless. But I didn't see an option to delete this thread. For that, you have my apologies. I didn't mean to double post.
-
As said, your suggested setup would work as long as you manually add rules that allow traffic between the vlans. For example if you wanted wireless traffic to be able to reach a certain server on a certain IP but nothing else, you'd simply setup a firewall rule that allows traffic from the wireless interface to that IP. It's as simple as that, really.
You could get another network card for the firewall, or you could exchange the switch for a vlan aware one. Not sure what size of a switch you use, but if it's a small one it might be cheaper.