Re: [pfSense] Access Point config: separating guest from permissible users
On 2018-03-10 18:54, Antonio wrote: Hi pfSense experts, I was hoping you could help me with a config questions. I have pfSense configured as main routed for my network. The WAN is connected to DSL modem, one LAN on a ethernet switch and another LAN port on a Netgear R8000 with dd-wrt installed. One of the cool features of the R8000 is that it has two seperate wireless networks: 2.4GHz and 5GHz. I wanted to use one for guest and only allow access to internet while the other for permitted users (family members) that would also have access to the local network. How am I going to achieve this on pfSense though? is it a matter of closing access to local network for all IPs coming from the AP except those I want to permit (family devices) or is there a simpler way of doing this i.e. VLANs? I look forward to your reponse. Thank you Hello, The simple answer is to configure the dd-wrt box to give different IP addresses to the two separate wireless bands. Let's say you make the 2.4Ghz band 192.168.24.0/24 and the 5Ghz band 192.168.5.0/24. (I'm assuming you'll use the 5Ghz band for family members, just to make things easy for me). You then write firewall rules that allow 192.168.5.0/24 to access the LAN and WAN while 192.168.24.0/24 can only access the WAN. The easiest way for the first set of rules is to block access to 192.168.24.0/24 from 192.168.5.0/24 (your trusted users). And the easiest way for the second set of rules is to block all traffic to RFC 1918 address. So block all access to 10.0.0.0/8, 172.16.0.0/22, & 192.168.0.0/16. You could be specific, but if you don't want the guests to be able to access anything but the Internet, then it's easier just to block all private address. That way if you change something elsewhere on your network, you won't have to mess with the firewall rules for the wireless. Of course dd-wrt can do firewalling on its own, so (assuming you could assign different IP ranges to the different wireless networks) you could do the firewalling there. And in my example it's important for dd-wrt to act as a bridge. If it's a router, you would have to set up firewalling there to prevent your guests from connecting to trusted computers (prevent the two wireless networks from talking to each other). If you can't get dd-wrt to do that, I'd do the firewalling there. Hope this helps. Jason M. ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Strange problems with pfSense 2.1.4
Hello, >>Jason M. wrote: >>I'm using the PFW201 hardware from Tranquilnet > > According to Tranquilnet: > > " *Note: These units may run hot to the touch and we recommend eith a wall > mount or to place them on a cool, dry and hard surface with proper air > flow" > > I can build systems that are much faster and more powerful for less than > half the price so I've never used a PFW201, but I have seen it mentioned > that units like them often have a cpu heat sink that makes contact with > the > case. Or, that they have a metal shim that connects the heat sink to the > case. > > Heat transfer for these systems is often critical. Is yours overheating? > Are > you testing with one of the Tranquilnet units, or one of the units you got > direct from the supplier? One, the problem first appeared with the Tranquilnet unit. Two, I forgot to mention that I noticed that the heat problem (it's hard to miss if you don't read the directions -- the units are almost hot enough to burn skin :) and am using a laptop cooler for now. I'm trying out USB powered fans as a better long term solution, but the units are very cool with the laptop cooler. > > > >> Now my question is, what is going wrong? I've tried the same >>config on multiple devices, so I don't think it's hardware. Could >>my config have become corrupted? > > I don't follow your logic about it not being the hardware, but yes, your > config could have become corrupted. Try another CF card? Try installing > from > scratch and restoring a backup xml file? Well, pfSense recommends the Tranquilnet hardware and the problem occurs with that. The problem also occurs with the units from the manufacturer which have the same part number and look identical. These units have a backup XML file restored to a fresh CF card. Sorry for not mentioning this in my first message -- I was kind of tired. I was trying to say that maybe something in the .xml config might have become corrupted, but I took a look at the .xml file and it doesn't look like there's room for corruption. The only thing strange is this: 1407542644 admin@192.168.182.10 Do have any other ideas? > > > > ___ > List mailing list > List@lists.pfsense.org > https://lists.pfsense.org/mailman/listinfo/list > Thanks for the help, Jason M. ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
[pfSense] Strange problems with pfSense 2.1.4
Hello, I have a project with a looming deadline that involves installing 15 pfSense firewalls at hotels to provide firewall and Captive portal services. I'm using the PFW201 hardware from Tranquilnet with the Intel NIC's (the first unit was from Tranquilnet, but when they stopped selling the units with the Intel NIC's I found the supplier and ordered direct from them. Here's what features the units are configured for (apologies for miswordings -- I don't have access to a device in front of me): Firewall rules to allow remote maintenance from specific IP addresses Gateway Groups Captive Portal After what I thought was thorough testing, I tried to deploy a unit last night at 4am. Here's what happened: At first I had a bad connection to one of my WAN connections and so Internet was slow. I fixed the cabling issue and rebooted, so far so good. Then I replaced a switch that was defective. Now things started getting strange. First the Captive Gateway stopped redirecting users. In other words if you knew the gateway's address and browsed to http://a.b.c.d:8000 and entered the password you could access the Internet So I turned off the Captive Portal. Now I later realized this deleted the captive gateway redirect page and the incorrect password page. I don't know if this is the design or not, but it seems strange. Anyway, I rebooted. For twenty minutes Internet access worked, then it stopped working entirely. I tried browsing to the admin page. I logged in and got to the main page, but it took forever to get to another page. I was accessing wirelessly, so this could have been part of the issue. Anyway, given that Internet access stopped working after 20 minutes under very light load (there were four users on the Captive gateway when I disabled it), I bailed on the install and put the old gateway back in place. Now my question is, what is going wrong? I've tried the same config on multiple devices, so I don't think it's hardware. Could my config have become corrupted? Or could there be some issue with my config and 2.1.4 (I tested things extensively with 2.0.3 and then upgraded to 2.1.3. But when 2.1.4 came around I didn't test. Also, when I started to duplicate flash cards on Tuesday I experienced the same issue with the captive gateway (redirects not working, browsing to http://a.b.c.d:8000 and authenticating allowed access to the Internet). I hadn't gotten much sleep, and when I got back to this on Thursday the problem went away. Final crazy thought. One of the last changes I made after testing the gateway but before deployment was to change the name and the domain name. Any chance changing the domain name could have anything to do this? Please let me know if there's any information I can add. Also, thanks in advance for any insight provided. Jason M. ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
