Not able to block PING to an AP



  • Hi All,
    I connected under the OPT1 interface an AP (working in Bridged mode) and on it running a CP.
    However, I don't want users connected at this interface (OPT1) to be able to ping the AP or remotely connect to it to manage any services running on it.
    Which rule should I create for that please ?
    The AP has the IP 192.168.2.11.
    But when I block any traffic to it from the OPT1 Network, I'm still able to ping the AP and connect remotely to it from the OPT1 network :(
    ![2014-08-13 15_18_56blockingAP.jpg](/public/imported_attachments/1/2014-08-13 15_18_56blockingAP.jpg)
    ![2014-08-13 15_18_56blockingAP.jpg_thumb](/public/imported_attachments/1/2014-08-13 15_18_56blockingAP.jpg_thumb)



  • Do I understand correctly that you're trying to use firewall rules to prevent users on LAN OPT1 from accessing the AP on OPT1?  If they are on the same subnet, then they don't go through the gateway which means the firewall isn't in the middle to process those rules.



  • I don't agree completely with you on this.
    As far as I know, it's possible to create rules to block access to certain ports in the same subnet as well as in other other subnets.
    A good scenario is a CP. where you prevent or better said, you prevent them to use other ressources than services using port 80 and 4423, and passes the rest of the traffic to WAN.
    So why should this not work when preventing to IPs addresses in the same subnet ?
    You can also prevent access to the webGUI from the OPT1 interface right ?



  • As far as I know, it's possible to create rules to block access to certain ports in the same subnet as well as in other other subnets.

    You can create any rule you want but that doesn't mean it will take effect or even work as you expect.

    A good scenario is a CP. where you prevent or better said, you prevent them to use other ressources than services using port 80 and 4423, and passes the rest of the traffic to WAN.

    But there you are going from LAN to WAN, so the firewall is in the middle.

    So why should this not work when preventing to IPs addresses in the same subnet ?

    The entire point of a gateway router is to connect different networks and handle traffic not on the local network.  When you have nodes on the same network, they do not need to pass their traffic through the gateway and go direct instead.

    You can also prevent access to the webGUI from the OPT1 interface right ?

    This case is different in that the target is the gateway.  And again, you're dealing with passing traffic from OPT1 to LAN which is not on the same network so the firewall is in the middle.



  • Thanks @KOM for those details.
    I understand very well now :)

    Based on what you said, I got a new idea.
    May be create an IPtable rule on the IP table itself to reject all PINGs and all attemps to connect to the Ports 80 (HTTP)  and 3389 (RDP) ?
    If Yes, can someone help to write this rule ? I'm not experimented with iptables in linux. THanks for your great support !!



  • If it's simply a matter of not being able to ping the AP from all the clients why don't you just add a second subnet to the OPT interface and have the AP in this second subnet?



  • Ohh Great Idea but not sure to understand how to do this on Pfsense..
    Could you please guide me ?
    the AP is working in bridged mode, connected to OPT1 which is running CP.
    So how to implement here please the second subnet ?



  • I found the following instructions
    https://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf
    I followed them adding abobe the line
    <shellcmd>ifconfig re2 inet 192.16.3.1 netmask 255.255.255.0 alias</shellcmd>

    where re2 is the interface associated to OP1 on which the AP is connected and on which CP is enabled for Guests.

    But now I'm not able to see nowhere the new subnet I set.
    Is something wrong with my file ? (See Screenshot)
    And how to enable DHCP to this subnet ?
    Thanks !






  • This is a really old document for pre 1.2.x
    In 2.x you go simply in the GUI to
    Firewall –> Virtual IPs
    and add the additional IPs as "IP Alias" type VIP.

    You don't want to enable DHCP to this additional subnet. Only to communicate with the AP.
    --> Give the AP a static IP in this additional subnet.

    Please keep in mind that this does not stop anyone from changing their IP address manually and still be able to access the AP.



  • @GruensFroeschli:

    Please keep in mind that this does not stop anyone from changing their IP address manually and still be able to access the AP.

    Please could you explain what you mean here ? Thanks !
    Because, as I understand, I should put the AP in the separate Subnet, and then create Firewall rules to block access to it.
    They will still be able to access the AP ?



  • Moving the AP to another subnet only forces the clients to go over the firewall because they don't "know" the direct path to the AP.
    If someone sniffes traffic and see that the AP is on a different subnet, there is no stopping them from changing their IP into the subnet of the AP and access it.



  • Ohh ok I see, except I create a Subnet just with two hosts possible :)
    There were are discussing about, is there a way on Psense to force the clients to retrieve their IPs over the DHCP sothat no one can add manually an IP?



  • That's not possible in networking.
    You can not control the computer of anyone connecting to your wireless network.


  • Netgate

    There are switches that can snoop DHCP and will drop traffic from any IPs not leased from a trusted DHCP server.

    Everything OP is talking about is better accomplished at layer 2 (ie not in pfSense).


  • Rebel Alliance Global Moderator

    are you wanting to stop people from the wired network the ap is connected to or the wireless network if they connect to the AP wireless network?  With a real AP the management interface would be on different network that the wireless ssids.  Be it the management is the native vlan without tagging, and ssids tagged or with management and ssids all in their own tagged vlans.

    This would allow you to prevent access to the AP management interface be it a gui, ssh, ping etc..

    From the wired side nobody should be able to access this wired network that would not be authed either with 802.1x or just physical security to the network were no ports on that network are in open areas, etc.



  • Thanks,
    but you are talking about a "a real AP the management interface".
    For now, I'm just using a self-made-AP with Raspiberry. Also I'm not familar with creating VLANs within Pfsense. can someone guide me please ?


  • Rebel Alliance Global Moderator

    your AP is a raspberryPI?  What wireless did you connect to it?  What OS are you running?  Why would you do that?  When you could use any wireless router as an AP.  They can be had for 20$ that I would have to assume would blow away the usb wireless that you could add to a raspberryPI box..

    I can understand not having the budget/money for an enterprise class AP..  Can your home made pi AP do vlans, what OS is is running Raspbian, Pidora, Risc, Arch, other??

    Enable firewall and block it on the AP would be your other option.



  • Yes RaspberryPI. It's for home and also for a miniproject at the school. So we need to do it byself :)
    Raspbian is running on.
    So you mean create rules in Raspbian right ? I though also about it, but I don't which rule to write or which rule will correspond to that ? Meaning blocking Pings etc.. to the AP. on this Raspi, I have also apache server.


  • Rebel Alliance Global Moderator

    here is simple guide on setting up firewall on raspbian

    http://www.heystephenwood.com/2013/06/setting-up-firewall-on-your-raspberry-pi.html

    Setup rule to only allow your management IP to ping (icmp) to ssh and if your serving up the gui for the AP in apache then block all but your IP, etc.



  • A good login/Pass on the AP would do the trick ? :)

    Seriously, while in the same subnet (thus not firewalled) everything happens locally into that subnet. You should protect your AP with its built-in options : AN option like "block admin / management from Wireless side" "Block wireless management" often populate APs for that reason.

    And yes, you should concider a dedicated subnet for your WLAN subnet. Do not bridge it if you want to use PFSense features.



  • Hi Guys,Thanks for your advice !