    Help with Wireless Traffic

    Firewalling
    • D
      dpas7 last edited by

      I have an access point connected to 1 of 3 interfaces on my pfSense box, along with a WAN and LAN interface. The LAN is split into 3 VLANs. Everything is working great. I am new with pfSense and firewalling and I am stuck in the weeds on wireless traffic filtering. The current configuration allows all wireless clients to connect to the access point and go out to the internet with no access to my VLANs. So far, so good. That is the desired outcome; however, I would like to have 1 laptop, when connected to the wireless access point, to have access to the VLANs as well as the wireless side. My problem is that all the wireless traffic, cell phones and laptops, is seen as 1 IP address when it goes through the access point to the interface on the pfSense box. The access point has its WAN port connected to the interface on the pfSense box, with a static IP address of 192.168.2.1, and the LAN side of the access point is doing DHCP for the clients using a narrow range of addresses starting at 192.168.1.160 to 170, and the access point LAN management IP address is 192.168.1.140. All of the wireless traffic I see in the log files is from the 192.168.2.1 interface (wireless interface). I tried giving a laptop a static IP address that did not fall in the DHCP range of the access point and created a rule on the wireless interface to allow the 1 laptop access to one of my VLANs, but that did not work. Any thoughts on this?

      1 Reply Last reply Reply Quote 0
      • W
        Wolf666 last edited by

        You don't specify what hardware is doing AP.

        I have the same configuration at home, using a Netgear R7000 as AP (DD-WRT firmware allows me to set Router mode and set VLANs, too). I simply disabled NAT/Firewall and DHCP on the R7000 and connected a LAN port on the R7000 to the LAN port on pfSense. pfSense is doing DHCP. I can track all clients, I can assign rules and control the clients.
        The R7000 stays in the same subnet as the pfSense LAN.

        Modem Draytek Vigor 130
        pfSense 2.4 Supermicro A1SRi-2558 - 8GB ECC RAM - Intel S3500 SSD 80GB - M350 Case
        Switch Cisco SG350-10
        AP Netgear R7000 (Stock FW)
        HTPC Intel NUC5i3RYH
        NAS Synology DS1515+
        NAS Synology DS213+

        1 Reply Last reply Reply Quote 0
        • P
          phil.davis last edited by

          The problem is that your access point (AP) is being a lot more than just an AP. It is also being a router, doing NAT and DHCP.
          Make it just an AP:

          1. Plug a LAN port of the AP into the pfSense interface.
          2. Turn off DHCP on the AP.
          3. Turn on DHCP on the pfSense interface, with some reasonable range of IP pool.
          4. Add a static mapping for the laptop that you want to give special treatment.
          5. Add rules for that static-mapped laptop IP to allow it to other LAN subnets as needed.

          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

          1 Reply Last reply Reply Quote 0
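The effect of the steps in the reply above, modelled as first-match rule evaluation on the wireless interface. This is an added example, not part of the thread and not pfSense code. Only 192.168.2.1 comes from the thread; the laptop, phone, VLAN and internet addresses and the rule list are assumptions made for illustration.

```python
import ipaddress as ip

# Constructed addresses: only 192.168.2.1 is from the thread, the rest are assumed.
NAT_ADDR = ip.ip_address("192.168.2.1")    # the single source seen in the logs
LAPTOP = ip.ip_address("192.168.2.50")     # assumed DHCP static mapping (step 4)
PHONE = ip.ip_address("192.168.2.101")     # assumed dynamic lease from the pool
VLAN_HOST = ip.ip_address("10.0.10.5")     # assumed host on an internal VLAN
INTERNET = ip.ip_address("203.0.113.10")   # documentation-range address
VLANS = ip.ip_network("10.0.0.0/16")       # assumed to cover the three VLANs
ANY = ip.ip_network("0.0.0.0/0")

# Ordered rules on the wireless interface; the first match decides.
RULES = [
    ("pass", ip.ip_network("192.168.2.50/32"), VLANS),   # step 5: laptop only
    ("block", ANY, VLANS),                               # everyone else: no VLANs
    ("pass", ANY, ANY),                                  # internet access
]

# The tempting workaround while the AP still NATs: allow the NAT address itself.
WIDENED = [("pass", ip.ip_network("192.168.2.1/32"), VLANS)] + RULES[1:]


def source_seen(client, ap_does_nat):
    """Source address the firewall sees for a wireless client."""
    return NAT_ADDR if ap_does_nat else client


def evaluate(src, dst, rules=RULES):
    """Return the action of the first rule matching src and dst."""
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action
    return "block"  # nothing matched: default deny


def decide(client, dst, ap_does_nat, rules=RULES):
    """Decision for a client's packet, given whether the AP is doing NAT."""
    return evaluate(source_seen(client, ap_does_nat), dst, rules)


if __name__ == "__main__":
    for nat in (True, False):
        for name, host in (("laptop", LAPTOP), ("phone", PHONE)):
            print(f"AP NAT={nat!s:5} {name:6} -> VLAN:",
                  decide(host, VLAN_HOST, nat))
```

With NAT on the AP the per-laptop rule can never match, and allowing 192.168.2.1 instead (`WIDENED`) admits every wireless client to the VLANs, which is why the fix is to remove the NAT rather than loosen the rule.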
          • D
            dpas7 last edited by

            Seen with another set of eyes. That makes perfect sense. Excellent! That works for me.

            1 Reply Last reply Reply Quote 0