On 2018-03-10 18:54, Antonio wrote:
Hi pfSense experts,

I was hoping you could help me with a config question. I have pfSense
configured as main router for my network. The WAN is connected to a DSL
modem, one LAN on an Ethernet switch and another LAN port on a Netgear
R8000 with dd-wrt installed. One of the cool features of the R8000 is
that it has two separate wireless networks: 2.4GHz and 5GHz.

I wanted to use one for guests and only allow access to the internet while
the other for permitted users (family members) would also have
access to the local network. How am I going to achieve this on pfSense
though? Is it a matter of closing access to the local network for all IPs
coming from the AP except those I want to permit (family devices) or is
there a simpler way of doing this, i.e. VLANs?

I look forward to your response.

Thank you

Hello,

The simple answer is to configure the dd-wrt box to give different IP addresses to the two separate wireless bands. Let's say you make the 2.4GHz band 192.168.24.0/24 and the 5GHz band 192.168.5.0/24. (I'm assuming you'll use the 5GHz band for family members, just to make things easy for me). You then write firewall rules that allow 192.168.5.0/24 to access the LAN and WAN while 192.168.24.0/24 can only access the WAN. The easiest way for the first set of rules is to block access to 192.168.24.0/24 from 192.168.5.0/24 (your trusted users). And the easiest way for the second set of rules is to block all traffic to RFC 1918 addresses. So block all access to 10.0.0.0/8, 172.16.0.0/22, & 192.168.0.0/16. You could be specific, but if you don't want the guests to be able to access anything but the Internet, then it's easier just to block all private addresses. That way if you change something elsewhere on your network, you won't have to mess with the firewall rules for the wireless.

Of course dd-wrt can do firewalling on its own, so (assuming you could assign different IP ranges to the different wireless networks) you could do the firewalling there. And in my example it's important for dd-wrt to act as a bridge. If it's a router, you would have to set up firewalling there to prevent your guests from connecting to trusted computers (prevent the two wireless networks from talking to each other). If you can't get dd-wrt to do that, I'd do the firewalling there.

Hope this helps.

Jason M.
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
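The rule set Jason describes depends on ordering: pfSense evaluates the rules on an interface top to bottom and the first match wins, so the "block RFC 1918" rule for guests has to sit above the "pass any" rule. The following is an added example that models that ordering and checks it against a few constructed flows; it is not pfSense or dd-wrt code. It uses the subnets from the reply, the three RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), and two assumptions not stated on the list: the wired LAN is 192.168.1.0/24 and pfSense answers DNS for guests at 192.168.24.1.

```python
"""Constructed model of the pfSense rule order described in the reply:
trusted band 192.168.5.0/24 reaches LAN and WAN, guest band 192.168.24.0/24
reaches only the Internet. Example code, not pfSense or dd-wrt code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Subnets from the reply plus two assumptions: the wired LAN is 192.168.1.0/24
# and pfSense answers DNS for guests at 192.168.24.1.
GUEST_NET = ipaddress.ip_network("192.168.24.0/24")
TRUSTED_NET = ipaddress.ip_network("192.168.5.0/24")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")        # assumed wired LAN
GUEST_DNS = ipaddress.ip_network("192.168.24.1/32")     # assumed pfSense address

# The three RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str                           # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: List[ipaddress.IPv4Network]      # empty list means any destination
    dport: Optional[int] = None           # None means any port
    note: str = ""

    def matches(self, src_ip, dst_ip, dport):
        if src_ip not in self.src:
            return False
        if self.dst and not any(dst_ip in n for n in self.dst):
            return False
        return self.dport is None or self.dport == dport


# pfSense evaluates the rules on an interface top to bottom; first match wins.
WIRELESS_RULES = [
    Rule("block", TRUSTED_NET, [GUEST_NET], note="trusted may not reach guest band"),
    Rule("pass", TRUSTED_NET, [], note="trusted to LAN and WAN"),
    Rule("pass", GUEST_NET, [GUEST_DNS], dport=53, note="guests may resolve DNS on pfSense"),
    Rule("block", GUEST_NET, RFC1918, note="guests get no private addresses"),
    Rule("pass", GUEST_NET, [], note="guests to the Internet only"),
]

# Same rules with the guest "pass any" placed above the RFC 1918 block: the
# block is never reached, so guests can reach the LAN and the trusted band.
MISORDERED_RULES = [WIRELESS_RULES[0], WIRELESS_RULES[1],
                    WIRELESS_RULES[4], WIRELESS_RULES[3]]


def decide(rules, src, dst, dport=80):
    """Return 'pass' or 'block' for one flow; unmatched traffic is blocked
    (pfSense default deny)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "block"


# Constructed flows with the decision the reply's policy calls for.
SAMPLE_FLOWS = [
    ("192.168.24.50", "93.184.216.34", 443, "pass"),   # guest to Internet
    ("192.168.24.50", "192.168.1.10", 445, "block"),   # guest to wired LAN
    ("192.168.24.50", "192.168.5.20", 22, "block"),    # guest to trusted band
    ("192.168.24.50", "172.31.0.1", 80, "block"),      # guest to a 172.16/12 host
    ("192.168.24.50", "192.168.24.1", 53, "pass"),     # guest DNS to pfSense
    ("192.168.24.50", "192.168.24.1", 443, "block"),   # guest to pfSense web GUI
    ("192.168.5.20", "192.168.1.10", 445, "pass"),     # trusted to wired LAN
    ("192.168.5.20", "192.168.24.50", 22, "block"),    # trusted to guest band
    ("192.168.5.20", "8.8.8.8", 53, "pass"),           # trusted to Internet
]


def audit(rules=WIRELESS_RULES, flows=SAMPLE_FLOWS):
    """Return the flows whose decision differs from the expected one."""
    return [(src, dst, dport, decide(rules, src, dst, dport), want)
            for src, dst, dport, want in flows
            if decide(rules, src, dst, dport) != want]


if __name__ == "__main__":
    for src, dst, dport, want in SAMPLE_FLOWS:
        print(f"{src:>15} -> {dst:<15}:{dport:<4} {decide(WIRELESS_RULES, src, dst, dport)}")
    print("mismatches with correct order:", audit())
    print("mismatches with misordered rules:", audit(MISORDERED_RULES))
```

Two points the model makes visible: blocking every private range also blocks the guests' path to pfSense itself, so if pfSense is their DNS resolver a narrow pass rule for port 53 has to come before the RFC 1918 block; and a guest "pass any" rule placed above the block silently opens the wired LAN, which `audit(MISORDERED_RULES)` reports as four wrong decisions.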