Lan Wifi Bridge Initial Protection? (NEWB help)
-
Long-time DD-WRT, new pfSense user (SG-2440 with Wireless add-on).
LAN & Wireless bridged to share the same LAN network as per https://forum.pfsense.org/index.php?topic=20917.0
Default firewall settings on WAN and LAN.
Do I need to set up the same firewall settings on the Wireless and/or the Bridge to protect my network with this setup?
Thank you
-
Bump: This is my one holdup in regards to going live. Any feedback would be greatly appreciated.
Under Assign Ports I have:
- LAN - Bridge0
- WLAN - ath0 MAC
- OPT - Lan1 MAC
- WAN - Lan0 MAC
Under System Tunables I have:
- net.link.bridge.pfil_member = 0
- net.link.bridge.pfil_bridge = 1
Under firewall I have the default settings for WAN and LAN.
Do I need to take any other steps to ensure that my shared LAN/WLAN are correctly behind the firewall?
Thanks
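The two tunables above decide where pf evaluates rules for a bridge: on the member interfaces (ath0, Lan1) or on bridge0 itself, which is the interface the LAN rules are attached to. A misspelled tunable name is silently ignored and the kernel default stays in force. The following POSIX shell snippet is an added example, not from the thread or from pfSense; it parses sysctl-style lines (constructed samples embedded below) and reports which interfaces will filter, assuming the FreeBSD defaults pfil_member=1 and pfil_bridge=0.

```shell
#!/bin/sh
# Added example (not part of the forum thread): work out where pf filters a
# FreeBSD/pfSense bridge from "sysctl"-style or System Tunables-style lines.
# Assumption: kernel defaults are net.link.bridge.pfil_member=1 and
# net.link.bridge.pfil_bridge=0 (filter on members, not on the bridge).

# Extract the last value assigned to one tunable; misspelled keys never match,
# just as the kernel ignores a non-existent sysctl name.
tunable_value() {
    # $1 = exact tunable name, $2 = text with one "key=value"/"key: value" per line
    printf '%s\n' "$2" \
        | sed -n "s/^$(printf '%s' "$1" | sed 's/\./\\./g')[:=] *\([01]\)$/\1/p" \
        | tail -n 1
}

# Print one of: bridge | member | both | none
bridge_filter_mode() {
    member=$(tunable_value net.link.bridge.pfil_member "$1")
    bridge=$(tunable_value net.link.bridge.pfil_bridge "$1")
    member=${member:-1}   # default when the line is absent or misspelled
    bridge=${bridge:-0}
    case "$member$bridge" in
        01) echo bridge ;;   # rules on the bridge (LAN = bridge0) apply
        10) echo member ;;   # only rules on WLAN/OPT apply; LAN rules are bypassed
        11) echo both ;;     # LAN rules apply, but members also need pass rules
        00) echo none ;;     # bridged traffic is not filtered at all
    esac
}

# Return 0 when rules placed on the bridge interface govern the traffic.
lan_rules_cover_bridge() {
    case "$(bridge_filter_mode "$1")" in
        bridge|both) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample 1: the lines as posted, with the key misspelled ("brdige").
SAMPLE_OP='net.link.brdige.pfil_member=0
net.link.bridge.pfil_bridge=1'

# Constructed sample 2: the intended setting, in "sysctl" output format.
SAMPLE_FIXED='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1'

if [ "${1:-}" = "demo" ]; then
    echo "as posted : $(bridge_filter_mode "$SAMPLE_OP")"      # both
    echo "corrected : $(bridge_filter_mode "$SAMPLE_FIXED")"   # bridge
    echo "untouched : $(bridge_filter_mode "")"                # member
fi
```

Run it with `sh check.sh demo`. With the misspelled key the member filter stays at its default, so the OP's WLAN and OPT interfaces (which have no rules) would also filter and block traffic; with both tunables spelled correctly, only the rules on LAN (bridge0) are evaluated, which is what the later replies rely on.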
-
Why don't you just put wifi on its own segment/vlan – I just don't understand the fascination with bridging wifi to wired??
-
A good portion of my house would require extensive EXPENSIVE work to run LAN cables, but requires access to the central NAS.
Without this access, there is no ability for my wife to access her work files in her office, no ability to stream movies from the Kaleidescape to the living room, no ability for the NAS to back up to NAS2, etc.
Essentially, the WiFi and Wired connections all need to operate on the same local network.
This setup works fine, I just need to know that the firewall is covering both the WiFi and Wired equally or as one.
If my understanding screams of ignorance, please educate me. However, when I initially set up the wired and WiFi without a bridge, while devices on both could see the internet, they could not see each other.
Thanks
-
Rules on WAN protect your network from outside threats. The default is to allow no inbound connections.
Rules on LAN allow traffic from LAN.
If you created a bridge consisting of WLAN and OPT1, assigned LAN to BRIDGE0, and put the necessary rules on LAN, you should be good to go.
-
"Essentially, the WiFi and Wired connections all need to operate on the same local network. "
BS, other than stuff that might require broadcast name resolution. There is no reason to put everything on the same segment. And if that is the way you want to go about it, then again it's a no-brainer $20 solution: get a new wifi router and use it as an AP. Or better yet, use the OLD device you used before you went to pfSense as just an AP, and plug it into your network.
For example, to easily allow my iPad to find my printer via AirPrint, which uses mDNS, etc., and is a bit of a PITA to get across segments, I just put my printer on the wireless segment. Normal PCs and such have no issues just accessing the printer via IP or FQDN, etc.
"without a bridge while devices on both could see the internet"
Could not see each other in what sense: network browsing in Windows? The only thing that would prevent devices in different segments talking to each other would be your firewall rules. So here I just fired up my old XP VM that is in my DMZ segment… My box in my LAN 192.168.1.0/24 can ping it by name; since I have my DNS set up correctly it resolves even with just the host name, not the FQDN, but see how it comes back fully qualified to my local.lan domain. I can view and access any shares on the box using just the hostname, etc.
Now boxes in the DMZ cannot access my box, because I don't allow it via firewall rules. So what exactly is it that you feel you need to bridge for? Other than allowing for "broadcasts", why do your machines need to be in the same segment via a bridge?
-
Why don't you just put wifi on its own segment/vlan – I just don't understand the fascination with bridging wifi to wired??
OP: I am not trying to incite a urination competition.
I see it, too. I think it has to do with
A. A general lack of understanding of what a firewall is designed to do.
B. A general lack of understanding of basic network security
C. The now deceased consumer router did it (this is an ex ROUTER!)
D. Geeky friend with no knowledge of security says "you need to bridge your wifi with your wired so we can play %whatever_online_game%"
EDIT:
@Chris.Kemper
JohnPoz knows what he is talking about. He is giving you excellent, FREE, advice. You're replacing your firewall with a VERY powerful product that allows you to secure your network properly. Use the product to increase your network security.
I segment my network among the kids, the NAS, and the wife and me. All can communicate, all have different security settings… All thanks to pfSense.
-
Thanks crew - I GREATLY appreciate the help.
Lots of great info here ;D
I will give the Johnpoz method another go.
We keep a great deal of sensitive business documents, personal documents, family files, etc. on a NAS. My paranoia for protecting the data grows by the minute.
My goal is to
1 - replace my dying dd-wrt router/laughable firewall with
2 - a much more secure router/firewall then
3 - make it even more robust via Snort and maybe even SquidGuard.
In regards to the network:
I currently have everything set up via SMB, everything being a mix of different Linux distros, Macs, Windows, and Android devices.
-
Bridging a Wi-Fi adapter with a LAN port is a reasonable way to go on a small network if you MUST use an internal Wi-Fi adapter.
Far too many things use broadcasts or multicasts for zeroconf. Yes, you can get them mostly working anyway but why hassle it?
Set a strong WPA2 password and roll with it.
I understand the aversion to bridges. I also understand the thought process behind segmenting Wi-Fi from the rest of the network. But if a user just ends up with pass any any on the Wi-Fi interface because they got sick and tired of things not working what's to gain?
-
Setting LAN to 192.168.1.1/24, WiFi to 192.168.2.1/24, DHCP server on both:
I can access via a browser PFSENSE on 192.168.1.1 and TOWER on 192.168.1.122 from a WiFi Laptop.
...however...
SMB/network browsing/mapping does not work, so the crucial access to files is not available!
Setting a bridge so both LAN and WiFi are on 192.168.1.10-245, SMB/network browsing/mapping works fine.
So it sounds like I have 3 options
- Use the $75 pfSense Store wireless card in bridge mode - why is a bridge bad if the LAN firewall rules are applied to it?
- Use the $75 pfSense Store wireless card in segmented mode - and get SMB browsing/mapping working - help?
- Buy a new wireless router and plug the WAN port of the wireless router into a switch downstream of the pfSense LAN.
-
https://forum.pfsense.org/index.php?topic=81014.msg442131#msg442131
-
Why don't you just put wifi on its own segment/vlan – I just don't understand the fascination with bridging wifi to wired??
If you're using Windows in a home environment, the Windows firewall blocks certain aspects if it's not on the same subnet.
Since you can't expect to control every machine in a home network (to make the appropriate config changes to the Windows firewall) as you could in an enterprise one, if you have wired and wifi on separate VLANs, you prevent things such as ping/file sharing/etc. between machines.
I am currently using a bridge in this way for this reason, though what I'll be doing as soon as I get my new switch (out of ports) is just moving my access point to a port off the main switch on my wired network and killing the bridge completely.
-
Thanks Derelict…
I guess I am still a bit unclear on what is the best route...
Johnpoz frowns upon bridging internal wireless and LAN (why?)
Setting up SMB across a segmented network appears to be a PITA.
If using an external wifi router will keep me on the same segment, fine. A bit of a shame to waste the $75 for the pfSense Store wifi card AND a chunk on a DD-WRT wifi router... BUT if this is the preferred method, fine.
Any final words of wisdom before I pull the trigger on an external wifi router for wireless access to my LAN?
-
@Trell - I use a STRONG WPA password and do not give it out freely.
I need file sharing between a mix of LAN and WiFi devices in my home: Mac, Windows, Linux, and Android!
-
@Trell - I use a STRONG WPA password and do not give it out freely.
I need file sharing between a mix of LAN and WiFi devices in my home: Mac, Windows, Linux, and Android!
I was saying the same thing you were because I had to do the same setup, though I'd prefer just having my access point going off my switch, I was limited by ports during my initial setup.
-
If it were my network, I'd stick an external AP in for the family wireless stuff, and locate it where I got the best signal coverage. Then use the built-in wifi in the pfSense box for untrusted "guest" access.
You'd get the single broadcast domain wired/wireless family stuff you want, and if there's an occasion where you have someone over that needs wifi, you give them the pfSense AP password.
Simple and clean.
-
If the bridged interfaces are working for you why are we still talking about it?
Your original question was if you needed to do anything other than rules on LAN. That answer is no.
-
I must have missed that. Oops.
Opinions on network designs are like as*holes. We all got 'em.
Glad it's working.
-
"Setting up SMB across a segmented network appears to be a PITA"
What.. I just showed you accessing an SMB share over a segment.. There is NOTHING to it.. opening up TCP 445 is such a PITA..