Re: [pfSense] Access Point config: separating guest from permissible users

2018-03-10 Thread jmitchel

On 2018-03-10 18:54, Antonio wrote:

Hi pfSense experts,

I was hoping you could help me with a config question. I have pfSense
configured as main router for my network. The WAN is connected to DSL
modem, one LAN on an Ethernet switch and another LAN port on a Netgear
R8000 with dd-wrt installed. One of the cool features of the R8000 is
that it has two separate wireless networks: 2.4GHz and 5GHz.

I wanted to use one for guest and only allow access to internet while
the other for permitted users (family members) that would also have
access to the local network. How am I going to achieve this on pfSense
though? Is it a matter of closing access to local network for all IPs
coming from the AP except those I want to permit (family devices) or is
there a simpler way of doing this i.e. VLANs?

I look forward to your response.

Thank you

Hello,

The simple answer is to configure the dd-wrt box to give different IP
addresses to the two separate wireless bands. Let's say you make the
2.4GHz band 192.168.24.0/24 and the 5GHz band 192.168.5.0/24. (I'm
assuming you'll use the 5GHz band for family members, just to make
things easy for me). You then write firewall rules that allow
192.168.5.0/24 to access the LAN and WAN while 192.168.24.0/24 can only
access the WAN. The easiest way for the first set of rules is to block
access to 192.168.24.0/24 from 192.168.5.0/24 (your trusted users). And
the easiest way for the second set of rules is to block all traffic to
RFC 1918 addresses. So block all access to 10.0.0.0/8, 172.16.0.0/22, &
192.168.0.0/16. You could be specific, but if you don't want the guests
to be able to access anything but the Internet, then it's easier just to
block all private addresses. That way if you change something elsewhere on
your network, you won't have to mess with the firewall rules for the
wireless.


Of course dd-wrt can do firewalling on its own, so (assuming you could 
assign different IP ranges to the different wireless networks) you could 
do the firewalling there. And in my example it's important for dd-wrt to 
act as a bridge. If it's a router, you would have to set up firewalling 
there to prevent your guests from connecting to trusted computers 
(prevent the two wireless networks from talking to each other). If you 
can't get dd-wrt to do that, I'd do the firewalling there.


Hope this helps.

Jason M.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
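
The rule layout described in the message above, as an added example that is not part of the original post: a first-match rule model using the two subnets from the message, plus a check of how much private address space guests can still reach. RFC 1918 defines the middle block as 172.16.0.0/12, so the check is run against that and can be compared with a narrower prefix; the function names and the rule tuple format are assumptions made for illustration.

```python
import ipaddress as ip

# Subnets taken from the message; everything else is constructed for illustration.
GUEST = ip.ip_network("192.168.24.0/24")    # 2.4GHz band, Internet only
TRUSTED = ip.ip_network("192.168.5.0/24")   # 5GHz band, LAN and WAN
ANY = ip.ip_network("0.0.0.0/0")
RFC1918 = [ip.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_rules(private_nets):
    """Ordered (action, source, destination) rules; the first match wins."""
    rules = [("block", TRUSTED, GUEST), ("pass", TRUSTED, ANY)]
    rules += [("block", GUEST, net) for net in private_nets]
    rules.append(("pass", GUEST, ANY))
    return rules

def evaluate(rules, src, dst):
    """Return the action of the first rule matching src -> dst."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for action, s_net, d_net in rules:
        if src in s_net and dst in d_net:
            return action
    return "block"  # nothing matched: default deny

def guest_private_exposure(rules):
    """RFC 1918 ranges the guest subnet can still reach under these rules."""
    remaining = list(RFC1918)
    for action, s_net, d_net in rules:
        if s_net != GUEST:
            continue
        if action == "pass":      # assumes the guest pass rule is pass-to-any
            break
        survivors = []
        for net in remaining:
            if net.subnet_of(d_net):        # fully covered by this block rule
                continue
            if d_net.subnet_of(net):        # partly covered: keep the rest
                survivors.extend(net.address_exclude(d_net))
            else:                           # untouched by this rule
                survivors.append(net)
        remaining = survivors
    return sorted(ip.collapse_addresses(remaining))

if __name__ == "__main__":
    print(guest_private_exposure(build_rules(RFC1918)))
```

Passing a list with 172.16.0.0/22 in place of 172.16.0.0/12 to `build_rules` makes `guest_private_exposure` return the ten networks from 172.16.4.0/22 up to 172.24.0.0/13 that such a rule set would leave open to guests.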


Re: [pfSense] Strange problems with pfSense 2.1.4

2014-08-10 Thread jmitchel
Hello,
Jason M. wrote:
I'm using the PFW201 hardware from Tranquilnet

 According to Tranquilnet:

  *Note: These units may run hot to the touch and we recommend either a wall
 mount or to place them on a cool, dry and hard surface with proper air
 flow

 I can build systems that are much faster and more powerful for less than
 half the price so I've never used a PFW201, but I have seen it mentioned
 that units like them often have a cpu heat sink that makes contact with
 the case. Or, that they have a metal shim that connects the heat sink to
 the case.

 Heat transfer for these systems is often critical. Is yours overheating?
 Are you testing with one of the Tranquilnet units, or one of the units you
 got direct from the supplier?

One, the problem first appeared with the Tranquilnet unit. Two, I forgot
to mention that I noticed the heat problem (it's hard to miss if you
don't read the directions -- the units are almost hot enough to burn skin
:) and am using a laptop cooler for now. I'm trying out USB powered fans
as a better long term solution, but the units are very cool with the
laptop cooler.



 Now my question is, what is going wrong? I've tried the same
config on multiple devices, so I don't think it's hardware. Could
my config have become corrupted?

 I don't follow your logic about it not being the hardware, but yes, your
 config could have become corrupted. Try another CF card? Try installing
 from scratch and restoring a backup xml file?

Well, pfSense recommends the Tranquilnet hardware and the problem occurs
with that. The problem also occurs with the units from the manufacturer
which have the same part number and look identical. These units have a
backup XML file restored to a fresh CF card. Sorry for not mentioning this
in my first message -- I was kind of tired.

I was trying to say that maybe something in the .xml config might have
become corrupted, but I took a look at the .xml file and it doesn't look
like there's room for corruption. The only thing strange is this:

<revision>
<time>1407542644</time>
<description><![CDATA[admin@192.168.182.10: /system_usermanager.php made unknown change]]></description>
<username>admin@192.168.182.10</username>
</revision>

Do you have any other ideas?





Thanks for the help,

Jason M.


[pfSense] Strange problems with pfSense 2.1.4

2014-08-09 Thread jmitchel
Hello,

I have a project with a looming deadline that involves installing 15
pfSense firewalls at hotels to provide firewall and Captive portal
services. I'm using the PFW201 hardware from Tranquilnet with the Intel
NIC's (the first unit was from Tranquilnet, but when they stopped selling
the units with the Intel NIC's I found the supplier and ordered direct
from them). Here's what features the units are configured for (apologies
for miswordings -- I don't have access to a device in front of me):

Firewall rules to allow remote maintenance from specific IP addresses
Gateway Groups
Captive Portal

After what I thought was thorough testing, I tried to deploy a unit last
night at 4am. Here's what happened:

At first I had a bad connection to one of my WAN connections and so
Internet was slow. I fixed the cabling issue and rebooted, so far so good.

Then I replaced a switch that was defective. Now things started getting
strange. First the Captive Gateway stopped redirecting users. In other
words if you knew the gateway's address and browsed to http://a.b.c.d:8000
and entered the password you could access the Internet.

So I turned off the Captive Portal. Now I later realized this deleted the
captive gateway redirect page and the incorrect password page. I don't
know if this is the design or not, but it seems strange. Anyway, I
rebooted.

For twenty minutes Internet access worked, then it stopped working
entirely. I tried browsing to the admin page. I logged in and got to the
main page, but it took forever to get to another page. I was accessing
wirelessly, so this could have been part of the issue.

Anyway, given that Internet access stopped working after 20 minutes under
very light load (there were four users on the Captive gateway when I
disabled it), I bailed on the install and put the old gateway back in
place.

Now my question is, what is going wrong? I've tried the same config on
multiple devices, so I don't think it's hardware. Could my config have
become corrupted? Or could there be some issue with my config and 2.1.4 (I
tested things extensively with 2.0.3 and then upgraded to 2.1.3. But when
2.1.4 came around I didn't test.)

Also, when I started to duplicate flash cards on Tuesday I experienced the
same issue with the captive gateway (redirects not working, browsing to
http://a.b.c.d:8000 and authenticating allowed access to the Internet). I
hadn't gotten much sleep, and when I got back to this on Thursday the
problem went away.

Final crazy thought. One of the last changes I made after testing the
gateway but before deployment was to change the name and the domain name.
Any chance changing the domain name could have anything to do with this?

Please let me know if there's any information I can add. Also, thanks in
advance for any insight provided.

Jason M.