Netgate SG-1000 microFirewall

Author Topic: Configuring pfSense WiFi using an OpenWRT AP, 802.1X, and dynamic VLANs  (Read 196 times)

0 Members and 1 Guest are viewing this topic.

Offline stilez

  • Full Member
  • ***
  • Posts: 104
  • Karma: +4/-2
    • View Profile
NOTE - I'm aware this question is a bit of an extreme setup, so please no "why would you want this". The answer is, I don't yet know if I want it all long term, but I might well do so, and I'd like to know how, so I can have that option and can experiment or "pick and choose" what I use in the end :)    Please be gentle!


** Scenario **
For about 10 years now, I've had Wifi security managed by connecting an (insecure/cheap) old 802.11g Wifi router acting as a simple bridge, to a dedicated pfSense NIC, with firewall rules blocking all LAN/router access other than ICMP ECHO REQUEST to the dedicated interface IP for connectivity. It works but I've wanted to move on from it for a long time. I've had a lot to learn (I like to run my network rather secure if I can but lack much of the in-depth technical background), and where I've come to is probably a bit extreme, but it's what I'd like to know how to do, at least, for my own enjoyment.

So I will be moving to an OpenWRT 15.x 5GHz router I've already bought and flashed, as my new AP.  I can locate it where I like (as opposed to a card), it gets me 802.11ac (not yet complete in FreeBSD), has multiple good radios, and gives me much better signal power than a card would, without needing a repeater (many brick walls in this house so it's very helpful). The use of OpenWRT means it can work with pfSense and my LAN in a number of ways - from a dumb bridge through to a full 802.1X authenticator + firewall in its own right. This flexibility might help me get it up and working.


** Physical and logical LAN layout **

The router will probably stay where it is, next to the fibre modem.   If the AP ends up physically near the router, then I can connect it directly to a dedicated NIC on pfSense.  But that probably won't be the case.  If not, then I will directly connect it to a dedicated port on a NetGEAR managed switch that has 802.1X, TACACS+, full IP/port based ACLs and VLAN + dynamic/private VLAN + port authentication functionality. (Of course OpenWRT has probably got all of those functions as well)

I'll be using IPv4 only for a while - everything is IPv6 capable but so far I don't seem to have any issues leaving IPv6 turned off everywhere and it simplifies things a bit while I experiment. There is no AD/LDAP or directory service; the main network services are DHCP server + resolver, both provided by pfSense. DHCP is used to pass some params to LAN devices and might need to do so for this, I guess.  There isn't an existing FreeRADIUS use or config so the things in this question are a "clean setup".

The AP will use multiple BSID/SSIDs to create >1 virtual AP. Their security and firewall rules will differ (guest Wifi, more trusted device Wifi, etc). But I want to centralise the config that covers Wifi device authentication and access rights in pfSense, as much as I can, with most of the AP settings not changed very often, so that I don't have to update multiple GUIs when a new device is permitted or a cert changes.  I might want to apply firewall rules on pfSense to the Wifi->LAN traffic at some point, so I might want Wifi to route via pfSense even after authentication - not sure on that point yet.

For now, I plan to leave a lot of the eventual configuration points, such as final choice of authentication method (cert, 2F, token, whatever) and EAP method/protocol, physical access considerations, and basic verification that WiFi security is functioning as expected, etc. Just getting it working will be good. Once it works smoothly at a basic level on a test network, I can figure how to refine the setup to cover these and probe for security.


** Knowledge and questions I'm stuck on, help very appreciated :) **

There are a few points where I feel I need a bit more understanding, to get my WiFi moved over:

    1. The setup I'd like to use is 802.1X certificate based, but most of the docs describing how to set up 802.1X base it on an inbuilt card, not an external AP or switch that can act as a FreeRADIUS authenticator in its own right. There are a few guides about setting up this kind of setup so I can probably fumble it but a quick overview to act as "sanity check" would be appreciated.

    2. If the AP is connected via the switch, which seems most likely, I'm especially confused about a choice I seem to have to make.

    I could have the AP act as authenticator and pfSense act as authentication server.  *Or* I could have the AP "dumb bridge" WiFi to the managed switch and let the switch act as authenticator with pfSense as authentication server (I'd need to use private VLAN or something to prevent cross-talk between wifi clients?).  *Or* I could have the AP route each connection attempt to pfSense (using separate/dynamic/private VLANs + ACLs to prevent packets jumping between untrusted and trusted devices/pipes) and have pfSense handle both authenticator and authentication server roles.

    PfSense, the OpenWRT AP, and (to a lesser extent) the switch, are all highly capable, so I guess it could be done any number of ways, but I don't really understand the pros and cons of the choices I have in this area.

    3. I like the idea of using dynamic VLANs because then I can centralise all control on the pfSense router. It would mean that I can combine in one place, the settings that determine a device's authentication method and its access rights (or categorising devices into groups of similar kinds), and which VLAN to assign it on the LAN for isolation purposes. That way I don't have to change anything on any device except pfSense, when a new device or a change of AAA, is required.

    But I don't understand how to accomplish this - guidance on correctly using dynamic VLANs in pfSense (or how pfSense should inform the switch/AP of a dynamic VLAN ID if it works that way) is a bit limited.

    4. Once a device is authenticated, can its traffic continue to be routed via pfSense and from there to the LAN or WAN (ie device->AP->(VLAN)->pfSense->LAN/WAN rather than device->AP->LAN/WAN) to apply common firewall controls + logging that I've defined in pfSense, or do I have to define the rules I create in pfSense, a second time, in the AP?

If anything needs doing on OpenWRT, please leave it as a brief "You'll need to do XYZ on OpenWRT" and I can ask on their forum if it isn't clear. This question's focus is much more about the overall setup centred around how to make best use of pfSense and my other devices, and how to make my desired WLAN work with pfSense.


Thanks up front for reading this and helping with explaining these things. I'd like to get onto decent WiFi here!
« Last Edit: December 12, 2017, 10:17:49 am by stilez »

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14793
  • Karma: +1374/-202
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: Configuring pfSense WiFi using an OpenWRT AP, 802.1X, and dynamic VLANs
« Reply #1 on: December 12, 2017, 12:35:07 pm »
1) I use eap-tls, cert based auth for my clients that support it.. Your typical iot device is more than likely going to be limited to PSK and does not normally support any other type of enterprise level auth.  It would be fantastic if iot makers would get their head out of their ass when it comes to security and support enterprise for wifi.. This would allow for more secure auth and ease of dynamic assigned vlans for such devices.

If your wanting to graduate to better level wifi security you should really think of moving to a better AP then running openwrt or dd-wrt, etc on some old wifi router hardware.  The unifi AP support vlans.. They support up to 8 SSID if not using wireless uplinks.  And yes you can do enterprise... I just point them to pfsense for my eap-tls auth, where everything is done in the freeradius package.

2) Not sure what your asking here.. If your switch allows for radius auth and ease of config sure you could do it on your switch.  But running freeradius on your pfsense box wold allow for any eap you want to use..

3) This would be setup in the freeradius package.. So when your client auths they get put in specific vlan.. Simple enough to do with unifi, but they are going through some growing pains with their attempt at getting MAB to work on the current 5.7.x line of the controller and current beta firmware on the AP.. There is a lengthy thread related to MAB and dynamic vlans over on their forums.

4) Yes pfsense would/could do all the routing/firewalling between your networks/vlans

While openwrt is a great product.. And can squeeze a lot of features out of the cheap typical soho wifi routers - if your looking to take your network to the next level, you prob want to look to more feature reach, entry level enterprise AP..
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline stilez

  • Full Member
  • ***
  • Posts: 104
  • Karma: +4/-2
    • View Profile
Re: Configuring pfSense WiFi using an OpenWRT AP, 802.1X, and dynamic VLANs
« Reply #2 on: December 12, 2017, 02:08:11 pm »
1) I use eap-tls, cert based auth for my clients that support it.. Your typical iot device is more than likely going to be limited to PSK and does not normally support any other type of enterprise level auth.  It would be fantastic if iot makers would get their head out of their ass when it comes to security and support enterprise for wifi.. This would allow for more secure auth and ease of dynamic assigned vlans for such devices.

If your wanting to graduate to better level wifi security you should really think of moving to a better AP then running openwrt or dd-wrt, etc on some old wifi router hardware.  The unifi AP support vlans.. They support up to 8 SSID if not using wireless uplinks.  And yes you can do enterprise... I just point them to pfsense for my eap-tls auth, where everything is done in the freeradius package.
This answer seems to just say:
  • "Yes pfSense can do it" (which I know, but my question was how I do it and specific config required/setup advice) and
     
  • "Don't use OpenWRT, use a commercial AP" (without any actual reason to suggest OpenWRT wouldn't do that job well enough).
As it stands these aren't very helpful as they don't give me useful info.  Whatever AP I used I would have to know more about how to connect a wired AP to pfSense and the pfSense config needed. The choice of what product acts as wired AP is irrelevant.

On the other points mentioned, EAP-TLS or something like that is what I meant by 802.1X - it all comes under the heading of enterprise rather than WPA2 wifi security.   I'm not using any IOT which is why I ignored it. It's irrelevant, and I won't be allowing WPA2-PSK for any device on the Wifi once I get EAP + cert (and possibly 2F) set up safely, so WPA2-PSK is irrelevant as well. I keep any uncontrollable networked devices well away from my data and servers, and that includes IOT and WPA2-PSK for all practical purposes.

To explain the choice of AP:  I prefer open source if it'll do the job;  it allows very wide customisation and extension capabilities (similar to pfSense packages);  I don't know of any reason why OpenWRT wouldn't be as secure an AP as any commercial product if it's properly configured;   and, it's not quite "some old wifi router" - it's a tri-band 5+2GHz AC3200 on a fast dual processor, a medium-higher end  NetGEAR R8000 with good build quality and radio signal, and it'll handle VLANs and EAP/802.1X and multiple SSID/BSID, and should give me all the functionality I need for a WiFi AP.  I don't mind if it drops a connection fractionally more than a commercial AP might do, as long as it's secure.  The real issue would be if it won't do the job easily/well in reality, or has real flaws in use compared to a commercial enterprise AP. But I haven't heard that about OpenWRT on good modern hardware.

2) Not sure what your asking here.. If your switch allows for radius auth and ease of config sure you could do it on your switch.  But running freeradius on your pfsense box wold allow for any eap you want to use.
I have 3 devices in the "chain" (AP->switch->pfSense). Each of them is capable of being configured as an EAP/802.1X authenticator, and both the AP and switch can use static, dynamic or private VLANs to safely link an unauthenticated Wifi supplicant's connection to an earlier "link" in that "chain" if they aren't configured as the authenticator. So the AP could authenticate,, but it could also pass the connection as a private or dynamic VLAN through to the switch which could authenticate instead, or it could pass it all the way back to the router and have pfSense authenticate it.

In all cases of course, pfSense would act as the authentication server, and all of these would be secure if correctly configured. But it means I have a choice whether the authenticator runs somewhere close to the wireless device (in the AP or the switch that the AP is connected to), or closer to my overall "control hub" in the pfSense router.

Both *should* be secure, but there may be good reasons to prefer one over the other. For example if the AP acts as EAP authenticator, then *no* client traffic goes beyond the AP until it's authenticated, meaning less surface. But if pfSense authenticates then it's on an integral platform with the auth server (FreeRADIUS 3) and the firewall, and shares the same GUI for management so there's one less device needing a login + config change when wireless devices change, and *that* might make sense for control and management.

So I have choices: and to decide, I need to ask what are their pros and cons?

3) This would be setup in the freeradius package.. So when your client auths they get put in specific vlan.. Simple enough to do with unifi, but they are going through some growing pains with their attempt at getting MAB to work on the current 5.7.x line of the controller and current beta firmware on the AP.. There is a lengthy thread related to MAB and dynamic vlans over on their forums.
If dynamic VLANs can be set in pfSense's FreeRADIUS package along with other auth+config options, that would make sense and be very helpful. Is that correct?  If so I can probably have a go at working it out, or ask later if I get stuck.

4) Yes pfsense would/could do all the routing/firewalling between your networks/vlans While openwrt is a great product.. And can squeeze a lot of features out of the cheap typical soho wifi routers - if your looking to take your network to the next level, you prob want to look to more feature reach, entry level enterprise AP.
See (1) - this is basically repeating "Don't use OpenWRT as an AP, buy a commercial one instead", but not explaining any issue with OpenWRT that would be an issue using it as an AP.  Rewording my question (4) a bit, maybe this will explain better:   

If a standalone EAP/802.1X AP (of whatever kind) has authenticated its supplicant, can I continue to route every client's traffic through pfSense using their dynamic VLAN, so that pfSense remains their gateway to both LAN+WAN? This would let me apply controls and selective rule logging on Wifi->LAN and LAN->Wifi using pfSense's firewall, which is easier.   Or can't I do that, and I must I enter any LAN <--> Wifi rules separately into the AP itself?[/

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14793
  • Karma: +1374/-202
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: Configuring pfSense WiFi using an OpenWRT AP, 802.1X, and dynamic VLANs
« Reply #3 on: December 13, 2017, 04:57:20 am »
If you want help with openwrt - go there... Not going to waste my time sorry, its been over 10 years since used it..  Back when put it on a wrt54g... How to setup eap-tls with freerad on pfsense has been gone over multiple times.. I have posted config I use multiple times.. If you want me to post it again sure..

"I need to ask what are their pros and cons?"

Running you authentication on your AP.. Might be fine if you had 1 AP... After that it doesn't scale at all..  Have you run it on your switch?  Its PITA to configure such stuff.. 

Yes pfsense would be your router/firewall - doesn't matter how you get your clients on the network via wire or wireless.. It would route all your traffic.

"Wifi rules separately into the AP itself?[/"

Your confusing what a AP does with some wifi router device - your stuck in the openwrt mindset where everything is done on the little box... a AP does nothing more than bridge the wifi client to the wired network.. It does not route, it does not filter it does not do anything but bridge the wireless devices to the network..

 
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)