Rules to secure WLAN?

Doufer · Apr 9, 2008, 2:59 AM

What kind of rules should I apply to secure WLAN? WLAN and LAN are not bridged and I'm running openvpn server on pfsense.

WLAN = 10.10.85.0 /24
LAN = 10.10.79.0 /24
OPENVPN SERVER = 10.10.79.1 W/ address pool 192.168.128.0/24

I'm very new at it…any feedbacks would be greatly appreciated

thanks

Cry Havok · Apr 9, 2008, 7:40 AM

Whatever rules you feel are needed - it's your network after all!

Maybe if you explained a little more of what's behind your question?

Doufer · Apr 9, 2008, 12:09 PM

1. No access to LAN from WLAN
2. Only allow openvpn traffic on WLAN subnet to connect to LAN for internet usage, SMB, etc.

Guest · Apr 9, 2008, 12:15 PM

not quite sure what you want exactly but wouldent just allowing openvpn traffic to you wlan gw interface be enuf

ofcourse you still need to make apropriate changes to the rule ipsec tab

/F

GruensFroeschli · Apr 9, 2008, 12:30 PM

of course you still need to make apropriate changes to the rule ipsec tab

OpenVPN does not get filtered by the IPSEC rules.
In fact OpenVPN does not get filtered at all.

I assume Doufer want that everything on WLAN is blocked.
–> remove all rules on the WLAN tab.
--> pfSense blocks everything if there are no rules.
Then allow only OpenVPN clients to access the OpenVPN server.

--> create a single rule with
protocol: UDP
source: wlan-subnet,
destination: wlan-address,
sourceport: any,
destination port: 1194

Doufer do you have the OpenVPN ono the WLAN already running?

Guest · Apr 9, 2008, 12:33 PM

@GruensFroeschli:

of course you still need to make apropriate changes to the rule ipsec tab

OpenVPN does not get filtered by the IPSEC rules.
In fact OpenVPN does not get filtered at all.

I assume Doufer want that everything on WLAN is blocked.
–> remove all rules on the WLAN tab.
--> pfSense blocks everything if there are no rules.
Then allow only OpenVPN clients to access the OpenVPN server.

--> create a single rule with
protocol: UDP
source: wlan-subnet,
destination: wlan-address,
sourceport: any,
destination port: 1194

Doufer do you have the OpenVPN ono the WLAN already running?

damn..missed that..close enuf on the rest though;)
"but wouldent just allowing openvpn traffic to you wlan gw interface"

Doufer · Apr 9, 2008, 8:19 PM

@GruensFroeschli:

of course you still need to make apropriate changes to the rule ipsec tab

OpenVPN does not get filtered by the IPSEC rules.
In fact OpenVPN does not get filtered at all.

I assume Doufer want that everything on WLAN is blocked.
–> remove all rules on the WLAN tab.
--> pfSense blocks everything if there are no rules.
Then allow only OpenVPN clients to access the OpenVPN server.

--> create a single rule with
protocol: UDP
source: wlan-subnet,
destination: wlan-address,
sourceport: any,
destination port: 1194

Doufer do you have the OpenVPN ono the WLAN already running?

thanks so much I'll give it a try! Openvpn isnt bridged with LAN or WLAN.. i pushed a route "10.10.79.0/24" (LAN SUBNET) so i could access to LAN network while connected via Openvpn

Doufer · Apr 9, 2008, 9:05 PM

ok its working for me.. when i'm connected via openvpn i cannot access to LAN or surf on the internet

i enabled push "redirect-gateway def1" and push "route 10.10.79.0 255.255.255.0" (LAN SUBNET) that didnt go so well :(

GruensFroeschli · Apr 9, 2008, 11:14 PM

You really should take a look at the man pages of openVPN
–> http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html
search for the "redirect" option. You're missing the local flag.

Also search the forum for OpenVPN and AoN.
You need to create an AoN rule to be able to surf the net from the OpenVPN subnet.

Also you dont seem to push a DNS.

Doufer · Apr 9, 2008, 11:49 PM

whoa it's working!! you are the man!! I feel so much safer on WLAN