
Create a guest network with VLAN tag 1003


Michel-angelo:
Hello. This is part of my learning process since my recent purchase of a SG-1000 firewall. Please be patient with me!

At my home, as indicated on the attached schematic,

1 - A Zyxel modem-router located in the basement creates a first LAN on the 192.168.0.1/24 address field, whose sole client is the SG-1000 pfSense firewall router.

2 - A SG-1000 pfSense firewall router also located in the basement is connected to it. Its WAN address is currently 192.168.0.33 (it can change since it is obtained by DHCP from the Zyxel modem router). It delivers my Main Network on the 192.168.1.1/24 address field, on my home ethernet backbone. Its current configuration is the default configuration (which mainly blocks all [inbound] packets on the WAN side [except of course those that are replies to outbound requests] and allow all [outbound] packets on the LAN side). Among other devices, three wifi devices are connected to this ethernet backbone:

2.1 A Time Capsule for computers' backups on the top floor, where the main computers are located;

2.2 An AirPort Extreme base station on the 1st floor which is a living area;

2.3 An Airport Express base station on the ground floor which is where the TV set resides.

All three wifi devices are configured the same and deliver (a roaming arrangement) the above Main Network under the name of "Internet de Bianca" (same password).

Now, I want to add to my Main Network a second network reserved for guests (Guest Network). The Guest Network would distribute access to the internet to guests but would provide no access whatsoever to any element of the Main Network (no access to connected computers, which includes no access to printer scanner, no access to configuration of wifi devices, no access to configuration of SG-1000 main router, no access to configuration of Zyxel external modem router). The Guest Network would be accessible on the home ethernet backbone.

Since I have one and only one home ethernet backbone, I would like the Guest Network to be characterized by VLAN tagging, something I believe the pfSense router is able to do.

To distribute the Guest Network to users, I would like to use a Guest wifi network, separate from Internet de Bianca. I would call it "Invites de Bianca" and both devices would use the same password for guests. Both devices (Airport Extreme and Airport Express) are capable of distributing a guest network as long as they are created by VLAN tagging using the VLAN tag 1003.

I read that on Darko Krizic's techblog at <http://tech.krizic.net/2013/09/apple-airport-extreme-guest-mode-with.html> and I want to do the same.

The SG-1000 pfSense router is presently configured with the default configuration with two interfaces only:

WAN 192.168.0.33

LAN 192.168.1.1

I believe, based on Darko Krizic's blog, that I need to do the following:


1 - Add a second assignable LAN interface by

Interfaces > assignments > VLANs

To create a third interface called INVITES 192.168.2.1

Click + to add an interface. Then on the assignment window:

Parent interface: Select the LAN interface

VLAN tag: 1003

VLAN priority: 7 (lowest possible priority)

Description: LAN_Invites_de_Bianca

Click: Save


2 - Assign this second LAN interface to INVITES

Interfaces > Interfaces assignment > Available networks ports > Add

The interface has been added; pfSense calls it OPT1 by default. I change the name to INVITES for guests.

The interfaces menu changes automagically:

Interfaces / OPT1 => Interfaces / INVITES

Click: Enable interface

IPv4 configuration type: Static IPv4

IPv6 configuration type: None

IPv4 Address 192.168.2.1 / 24

I call the main network 192.168.1.1 / 24

I call the guest network 192.168.2.1 / 24

IPv4 upstream gateway: None (because this is a local area network)

Click: Save

Apply changes


3 - Create the new DHCP server that the INVITES network needs

Services > DHCP server > INVITES

Enable DHCP server on INVITES interface

Range: from 192.168.2.100 to 192.168.2.199

Click Save


4 - Have a look at rules on the LAN interface (that is to be able to copy them)

Firewall > Rules > LAN

First rule is anti-lockout rule

Second rule for IPv4

Action : Pass

Interface: LAN

Address family: IPv4

Protocol: Any

Source: LAN net

Destination: Any

Third rule for IPv6

Action : Pass

Interface: LAN

Address family: IPv6

Protocol: Any

Source: LAN net

Destination: Any


5 - Add to the INVITES interface a rule similar to the default LAN rule, to allow access to the internet, at least in the IPv4 address family (addressing IPv6 could be another layer of complexity)

Firewall > Rules > INVITES

One and only one rule:

Action: Pass

Interface: INVITES

Address family: IPv4

Protocol: Any

Source: INVITES net

Destination: Any

Save

Apply


6 - Backup configuration


7 - Test

It continues to work on its original LAN Internet de Bianca

I then configured the Airport Extreme and the Airport Express as bridges and added the guest network.

I tried it on the guest network "Invites de Bianca". IT WORKED !!! (thanks to Darko Krizic)

Now what do my tests report:

When I connect my mac to the guest network Invites de Bianca, I can access to:

The internet at large (so it appears);
The configuration interface of my SG-1000 pfSense router;
The configuration interface of my Zyxel modem router;

But I do not find access (according to my attempts) to:
My printer, my scanner (located on the main network);
The configuration interfaces of my Apple wifi devices;
Other computers on my network.

Can anyone explain (this is a learning experiment) the following:

1 - My unique rule on the new INVITES interface states (among others): "Protocol: Any; Source: INVITES net; Destination: Any". I believed "destination: Any" would allow packets originating on the INVITES side (INVITES net) to go to my main network and to any of its guests (such as my printer). Why is my belief wrong?

2 - I thought I would need two rules on my INVITES interface: The last rule would block any and all traffic originating from INVITES; the first rule would specifically allow any and all traffic originating from INVITES to the interface that is the internet connection (the WAN interface). Why is it that I do not seem to need to create the block-all last rule on the INVITES interface?

3 - I wanted to block access to the SG-1000 pfSense firewall router interface. How can I do that?

4 - I wanted to block access to the Zyxel modem router interface. How can I do that?

Many thanks in advance.
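The steps above map two GUI fields (VLAN tag 1003 and the VLAN priority) onto a 4-byte 802.1Q tag that pfSense inserts into every guest frame travelling on the shared backbone, while the main network's frames stay untagged. The following Python is an added example, not code from the original post, from Darko Krizic's blog or from pfSense: it builds a tagged and an untagged frame, parses the tag back out, and classifies each frame the way the assignment in step 1 does (untagged frames belong to the LAN parent, VID 1003 to INVITES, any other VID to no assigned interface). MAC addresses and the IPv4 payload are constructed. The priority field is the 802.1p PCP, where 0 is the best-effort default and 7 is the highest class (network control); leaving it at 0 is what a guest network normally wants.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800
GUEST_VID = 1003           # the tag used in the thread
# 802.1p priority code points, by the class each value designates.
PCP_NAMES = {0: "best effort (default)", 1: "background", 2: "excellent effort",
             3: "critical applications", 4: "video", 5: "voice",
             6: "internetwork control", 7: "network control"}


def mac(text):
    return bytes(int(b, 16) for b in text.split(":"))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, payload, vlan_id=None, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame; with vlan_id set, a 4-byte 802.1Q tag goes after the MACs."""
    header = mac(dst) + mac(src)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VID must be 1..4094; 0 and 4095 are reserved")
        if not 0 <= pcp <= 7:
            raise ValueError("PCP is a 3-bit field")
        tci = (pcp << 13) | vlan_id          # PCP(3) | DEI(1, left 0) | VID(12)
        header += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return MACs, tag fields (None when untagged), inner EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("truncated frame")
    info = {"dst": fmt_mac(frame[:6]), "src": fmt_mac(frame[6:12]),
            "vlan_id": None, "pcp": None}
    ethertype, = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"], info["vlan_id"] = tci >> 13, tci & 0x0FFF
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def classify(frame):
    """Which pfSense interface a frame arriving on the LAN NIC belongs to."""
    vid = parse_frame(frame)["vlan_id"]
    if vid is None:
        return "LAN"                     # untagged: the parent interface
    if vid == GUEST_VID:
        return "INVITES"                 # tagged 1003: the guest VLAN
    return f"unassigned VLAN {vid}"      # no interface assigned: pfSense ignores it


if __name__ == "__main__":
    pkt = b"\x45\x00" + b"\x00" * 18     # constructed stand-in for an IPv4 header
    guest = build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", pkt,
                        vlan_id=GUEST_VID, pcp=0)
    lan = build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:03", pkt)
    for f in (guest, lan):
        p = parse_frame(f)
        prio = PCP_NAMES[p["pcp"]] if p["pcp"] is not None else "untagged"
        print(f"{classify(f):8s} vid={p['vlan_id']} pcp={prio:22s} bytes12-17={f[12:18].hex()}")
```

On the wire the guest frame carries `81 00 03 eb` after the source MAC (TPID 0x8100, then TCI 0x03EB = PCP 0, VID 1003); a device that does not understand 802.1Q sees EtherType 0x8100 and drops the frame, which is why the AirPorts must be told about tag 1003 explicitly.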

Michel-angelo:
Hello. No replies so far. I tried, without certainty, the part that looked more secure: to reply to my questions 1 and 2

Q1 - "My unique rule on the new INVITES interface states (among others): "Protocol: Any; Source: INVITES net; Destination: Any". I believed "destination: Any" would allow packets originating on the INVITES side (INVITES net) to go to my main network and to any of its guests (such as my printer). Why is my belief wrong?"

I performed additional tests. They indicated that my belief is true: "destination: any;" is too wide. To carve out of it the LAN destinations, I changed the rule on the INVITES interface by specifying that this "Allow" rule is exclusive of packets to my internet gateway, as Darko Krizic had specified in his post. This time, the new rule seems to work.

Before, I could no longer access the printer with "Bonjour" but I had not realised that I could access it by its IP address (a fixed address 192.168.1.10). After, even at its IP address, I cannot access the printer.

To allow access to the printer, I subsequently added a first "Allow" rule, using its IP address as destination. Then I could access the printer using its IP address, but still not benefitting from the comfort of "Bonjour".

Q2 - "I thought I would need two rules on my INVITES interface: The last rule would block any and all traffic originating from INVITES; the first rule would specifically allow any and all traffic originating from INVITES to the interface that is the internet connection (the WAN interface). Why is it that I do not seem to need to create the block-all last rule on the INVITES interface?"

I created this "Block" rule as rule #3 in INVITES. I then tested it. This rule does not seem to be needed. It seems it is implicit in pfSense.

The three rules (third one, apparently useless, not active) are in the photo below.

Can anyone confirm ?

Questions 3 and 4 remain mysterious and dangerous to me, mainly #3 as I need to use the console to reset the SG-1000 firewall to default in case a disaster occurs.

3 - I wanted to block access to the SG-1000 pfSense firewall router interface. How can I do that?

4 - I wanted to block access to the Zyxel modem router interface. How can I do that?

Any help will be appreciated. Many thanks in advance.

johnpoz:
2 - Because all interfaces have a default deny rule. If no rule triggers that either allows or blocks the traffic, then the default is deny. So unless you want to do something specific with a block rule on the end, like only logging SYN traffic or something because you have turned off logging of the default rule, no, that is not needed.

3 - With a rule: either block it to the specific interface you are concerned with, or use the built-in alias "This Firewall", which is all IPs on the firewall: wan, lan, opt, etc.

4 - Same thing, with a rule to its IP.

BTW, your rule forces traffic out your WAN gateway. Keep in mind that if that gateway is down, that rule is created minus the gateway, so it would then become an any-any rule, and traffic from your INVITES to your whole LAN would be allowed. You need to check this box in Advanced, Misc.

If possible I would refrain from creating rules that prevent the traffic you're trying to stop by forcing it out a gateway that you believe does not have access to that network. Better to block it directly, or create a rule that does not allow it via ! (a "not" rule) and allows out, rather than forcing out a gateway that shouldn't have access. For all you know the downstream network could send them back to the network you're trying to stop access to, etc.

Michel-angelo:
Thanks johnpoz, this is immensely useful.

2 - OK. Thanks a lot. It helps to know this deny all rule is there by default.

3 - I created a rule "Block packets to all IPs on the firewall, wan, lan, opt, etc. (this SG-1000)". I tried it, it seems to work. Access is allowed when I am on the LAN and access seems denied when I am on the INVITES network.

4 - I created a rule "Block packets to IP 192.168.0.1 (the Zyxel modem-router)". Similarly, I tried it and it seems to work.

Then on System / Advanced / Miscellaneous

Gateway monitoring: I have ticked "Skip rules when gateway is down"

If I understand your two last suggestions well,

I would create either one of the two following additional rules on INVITES gateway (created for the photo below but not active yet):

Either: as a first rule "Block all packets from INVITES to LAN" (not active)

Or as a last rule "And allow all INVITES' packets except to LAN addresses" (not active).

More precisely, I would create either one of these two rules and remove the rule "And allow INVITES to internet gateway only" and remove the "Skip rules when gateway is down" instruction.

I am writing this with the pfSense definitive guide (the book) open in front of me and I do not even find there (nor in the pfsense Book on the web) the definitions of the default aliases (like This Firewall, LAN net, INVITES net).

Is my understanding correct? TIA

Michel-angelo:
Hello, johnpoz. I had not tested enough. With my new ruleset, the INVITES (guests) were denied access to the internet. By trial and error, I found the culprit: "Block packets to this Firewall (all IPs on the firewall, wan, lan, opt, etc.) (this SG-1000)"

I replaced it by

Block packets to IP 192.168.1.1 (this SG-1000)

There it works. So the second option of your suggestion ("either block it to the specific interface you are concerned with; or use the built-in alias 'This Firewall', which is all IPs on the firewall, wan, lan, opt, etc."), compared with blocking access to IP 192.168.1.1 (the SG-1000 web interface), was apparently too broad. It blocked internet access.

I attach a picture of the current ruleset I now use.

TIA for any comment.
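To make the rule semantics discussed in this thread concrete (first-match evaluation on an interface, the implicit default deny johnpoz describes, the built-in "This Firewall" alias, and a "not" destination), here is an added Python model. It is not pfSense code and not from any poster, and it simplifies: no state tracking, no gateway forcing, and no modelling of the automatic rules pfSense generates for its own DHCP server. It evaluates five rulesets against constructed flows from a guest client at 192.168.2.150; addresses are the ones in the thread plus 203.0.113.10 as a stand-in internet host. The "this-firewall" ruleset blocks the guest's DNS queries to 192.168.2.1. On the assumption, consistent with pfSense defaults but not stated in the thread, that the INVITES DHCP server hands out 192.168.2.1 as the DNS server, that is the most plausible reason the last post saw internet access fail. Blocking only 192.168.1.1 instead restores DNS but leaves the web GUI reachable from guests at 192.168.2.1. The "isolated" and "not-lan" rulesets pass DNS to the INVITES address first and then block the firewall, LAN net and Zyxel explicitly, so only internet traffic survives to the final pass rule (or, in "not-lan", to the implicit deny).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing taken from the thread.
IFACE_ADDRS = {"WAN": "192.168.0.33", "LAN": "192.168.1.1", "INVITES": "192.168.2.1"}
NETS = {
    "LAN net": ipaddress.ip_network("192.168.1.0/24"),
    "INVITES net": ipaddress.ip_network("192.168.2.0/24"),
}
ZYXEL = "192.168.0.1"      # upstream modem-router
PRINTER = "192.168.1.10"   # fixed printer address mentioned in the thread


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: str = "any"
    dst: str = "any"             # alias name, "This Firewall", a host, or "any"
    proto: str = "any"
    dst_port: Optional[int] = None
    dst_invert: bool = False     # the GUI's "not" (!) checkbox on the destination
    description: str = ""


def match_addr(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "This Firewall":          # every address the firewall itself owns
        return addr in IFACE_ADDRS.values()
    if spec in NETS:
        return ipaddress.ip_address(addr) in NETS[spec]
    return addr == spec                  # single host


def evaluate(rules, src, dst, proto="tcp", dport=None):
    """Interface rules in pfSense are first-match ('quick'); nothing matched -> deny."""
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if not match_addr(r.src, src):
            continue
        if match_addr(r.dst, dst) == r.dst_invert:   # invert flips the destination test
            continue
        if r.dst_port is not None and r.dst_port != dport:
            continue
        return r.action, r.description
    return "block", "default deny (implicit)"


G = "INVITES net"
# 1. The single rule from step 5 of the first post.
NAIVE = [Rule("pass", G, "any", description="allow INVITES to any")]
# 2. Blocking the whole "This Firewall" alias ahead of the pass rule.
THIS_FW = [Rule("block", G, "This Firewall", description="block to This Firewall"),
           Rule("block", G, ZYXEL, description="block to Zyxel"),
           Rule("pass", G, "any", description="allow INVITES to any")]
# 3. Blocking only the LAN address instead (the last post's workaround, reconstructed).
LAN_ADDR_ONLY = [Rule("block", G, IFACE_ADDRS["LAN"], description="block to 192.168.1.1"),
                 Rule("block", G, ZYXEL, description="block to Zyxel"),
                 Rule("pass", G, "any", description="allow INVITES to any")]
# 4. Let DNS through first, then block the firewall, the LAN and the Zyxel explicitly.
ISOLATED = [Rule("pass", G, IFACE_ADDRS["INVITES"], "udp", 53, description="guest DNS"),
            Rule("block", G, "This Firewall", description="block to This Firewall"),
            Rule("block", G, "LAN net", description="block to LAN net"),
            Rule("block", G, ZYXEL, description="block to Zyxel"),
            Rule("pass", G, "any", description="allow INVITES to internet")]
# 5. Same effect using a "not LAN net" destination plus the implicit default deny.
NOT_LAN = [Rule("pass", G, IFACE_ADDRS["INVITES"], "udp", 53, description="guest DNS"),
           Rule("block", G, "This Firewall", description="block to This Firewall"),
           Rule("block", G, ZYXEL, description="block to Zyxel"),
           Rule("pass", G, "LAN net", dst_invert=True, description="allow to ! LAN net")]

# Constructed flows from a guest client: destination, protocol, destination port.
FLOWS = {
    "internet":     ("203.0.113.10", "tcp", 443),
    "guest dns":    (IFACE_ADDRS["INVITES"], "udp", 53),
    "printer":      (PRINTER, "tcp", 9100),
    "webgui lan":   (IFACE_ADDRS["LAN"], "tcp", 443),
    "webgui guest": (IFACE_ADDRS["INVITES"], "tcp", 443),
    "zyxel":        (ZYXEL, "tcp", 80),
}


def decisions(rules, client="192.168.2.150"):
    """Map each flow name to the action the ruleset takes for that flow."""
    return {name: evaluate(rules, client, dst, proto, port)[0]
            for name, (dst, proto, port) in FLOWS.items()}


if __name__ == "__main__":
    for name, rs in [("naive", NAIVE), ("this-firewall", THIS_FW),
                     ("lan-addr-only", LAN_ADDR_ONLY), ("isolated", ISOLATED),
                     ("not-lan", NOT_LAN)]:
        print(f"{name:14s}", decisions(rs))
```

Run it and compare the "naive" row (every flow passes, which is the printer observation in question 1) with "this-firewall" (guest DNS blocked) and "isolated"/"not-lan" (only internet and guest DNS pass). On a real pfSense box the equivalent of the DNS rule is a pass rule on INVITES with destination "INVITES address", protocol UDP (and TCP, if you want large answers), port 53, placed above the "This Firewall" block; the rest of the ordering carries over unchanged.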
