Netgate Discussion Forum

Rules to secure WLAN?

  • D
    Doufer
    last edited by Apr 9, 2008, 2:59 AM

    What kind of rules should I apply to secure WLAN? WLAN and LAN are not bridged and I'm running an OpenVPN server on pfSense.

    WLAN = 10.10.85.0/24
    LAN = 10.10.79.0/24
    OPENVPN SERVER = 10.10.79.1 W/ address pool 192.168.128.0/24

    I'm very new at it… any feedback would be greatly appreciated

    thanks

    • C
      Cry Havok
      last edited by Apr 9, 2008, 7:40 AM

      Whatever rules you feel are needed - it's your network after all!

      Maybe if you explained a little more of what's behind your question?

      • D
        Doufer
        last edited by Apr 9, 2008, 12:09 PM

        1. No access to LAN from WLAN
        2. Only allow OpenVPN traffic on WLAN subnet to connect to LAN for internet usage, SMB, etc.

        • ?
          Guest
          last edited by Apr 9, 2008, 12:15 PM

          Not quite sure what you want exactly, but wouldn't just allowing OpenVPN traffic to your WLAN gw interface be enough?

          Of course you still need to make appropriate changes to the rule ipsec tab

          /F

          • G
            GruensFroeschli
            last edited by Apr 9, 2008, 12:30 PM

            of course you still need to make appropriate changes to the rule ipsec tab

            OpenVPN does not get filtered by the IPSEC rules.
            In fact OpenVPN does not get filtered at all.

            I assume Doufer wants everything on WLAN to be blocked.
            --> remove all rules on the WLAN tab.
            --> pfSense blocks everything if there are no rules.
            Then allow only OpenVPN clients to access the OpenVPN server.

            --> create a single rule with
            protocol: UDP
            source: wlan-subnet,
            destination: wlan-address,
            sourceport: any,
            destination port: 1194

            Doufer, do you have the OpenVPN on the WLAN already running?

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
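
The rule set described in the post above, checked against Doufer's stated goals. This is an added example, not part of the original post and not pfSense code: it models only pass rules on the WLAN tab, and the gateway address 10.10.85.1, the client 10.10.85.20 and the probe destinations are assumptions made up for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

WLAN_NET = ipaddress.ip_network("10.10.85.0/24")  # from the thread
WLAN_GW = ipaddress.ip_network("10.10.85.1/32")   # assumed "wlan-address"
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    """One pass rule on the WLAN tab (simplified model)."""
    proto: str            # "udp", "tcp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means any destination port


def passes(rules, proto, src, dst, dport):
    """True if some pass rule matches; with no match the packet is dropped."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        r.proto in ("any", proto) and src in r.src and dst in r.dst
        and r.dport in (None, dport)
        for r in rules
    )


# Rule set from the post: only OpenVPN (UDP 1194) to the firewall's WLAN address.
VPN_ONLY = [Rule("udp", WLAN_NET, WLAN_GW, 1194)]
# A permissive "WLAN to any" rule set, for contrast.
ALLOW_ALL = [Rule("any", WLAN_NET, ANY, None)]

# Constructed probe packets from a WLAN client (10.10.85.20 is made up).
PROBES = {
    "openvpn_to_gateway": ("udp", "10.10.85.20", "10.10.85.1", 1194),
    "smb_to_lan": ("tcp", "10.10.85.20", "10.10.79.10", 445),
    "web_to_internet": ("tcp", "10.10.85.20", "198.51.100.7", 80),
    "webgui_on_gateway": ("tcp", "10.10.85.20", "10.10.85.1", 443),
}


def audit(rules):
    """Map each probe name to whether the rule set lets it in on WLAN."""
    return {name: passes(rules, *pkt) for name, pkt in PROBES.items()}


if __name__ == "__main__":
    for label, rules in (("vpn-only", VPN_ONLY), ("allow-all", ALLOW_ALL)):
        print(label, audit(rules))
```

With the single rule, only the OpenVPN probe gets through; the allow-all set also passes SMB to the LAN and the firewall's own web GUI port, which is what the empty-tab-plus-one-rule layout is meant to prevent.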

            • ?
              Guest
              last edited by Apr 9, 2008, 12:33 PM

              @GruensFroeschli:

              of course you still need to make appropriate changes to the rule ipsec tab

              OpenVPN does not get filtered by the IPSEC rules.
              In fact OpenVPN does not get filtered at all.

              I assume Doufer wants everything on WLAN to be blocked.
              --> remove all rules on the WLAN tab.
              --> pfSense blocks everything if there are no rules.
              Then allow only OpenVPN clients to access the OpenVPN server.

              --> create a single rule with
              protocol: UDP
              source: wlan-subnet,
              destination: wlan-address,
              sourceport: any,
              destination port: 1194

              Doufer, do you have the OpenVPN on the WLAN already running?

              Damn.. missed that.. close enough on the rest though ;)
              "but wouldn't just allowing OpenVPN traffic to your WLAN gw interface"

              • D
                Doufer
                last edited by Apr 9, 2008, 8:19 PM Apr 9, 2008, 8:15 PM

                @GruensFroeschli:

                of course you still need to make appropriate changes to the rule ipsec tab

                OpenVPN does not get filtered by the IPSEC rules.
                In fact OpenVPN does not get filtered at all.

                I assume Doufer wants everything on WLAN to be blocked.
                --> remove all rules on the WLAN tab.
                --> pfSense blocks everything if there are no rules.
                Then allow only OpenVPN clients to access the OpenVPN server.

                --> create a single rule with
                protocol: UDP
                source: wlan-subnet,
                destination: wlan-address,
                sourceport: any,
                destination port: 1194

                Doufer, do you have the OpenVPN on the WLAN already running?

                Thanks so much, I'll give it a try! OpenVPN isn't bridged with LAN or WLAN.. I pushed a route "10.10.79.0/24" (LAN SUBNET) so I could access the LAN network while connected via OpenVPN

                • D
                  Doufer
                  last edited by Apr 9, 2008, 9:05 PM

                  OK, it's working for me.. when I'm connected via OpenVPN I cannot access the LAN or surf on the internet

                  I enabled push "redirect-gateway def1" and push "route 10.10.79.0 255.255.255.0" (LAN SUBNET), that didn't go so well :(

                  • G
                    GruensFroeschli
                    last edited by Apr 9, 2008, 11:14 PM

                    You really should take a look at the man pages of OpenVPN
                    --> http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html
                    Search for the "redirect" option. You're missing the local flag.

                    Also search the forum for OpenVPN and AoN.
                    You need to create an AoN rule to be able to surf the net from the OpenVPN subnet.

                    Also you don't seem to push a DNS.

                    We do what we must, because we can.

                    Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                    • D
                      Doufer
                      last edited by Apr 9, 2008, 11:49 PM

                      whoa it's working!! you are the man!! I feel so much safer on WLAN
