Hey everyone,
I operate my AC68 in AP mode behind a pfSense firewall and I needed to prevent guest wifi clients from accessing network services or other devices on the network. In the past, I used to run a separate wireless router for guests, which made isolation super easy because of NAT, but I decided against it to cut my energy consumption and be more environmentally friendly. There are no firewall rules in AP mode and interfaces are simply bridged. I did not see any prior example of this being done, so I came up with the following services-start shell script:
#!/bin/sh
# Guest-SSID isolation on the bridged AP: wl0.1 and wl1.1 are the guest interfaces.
# LANDROP is a user-defined chain holding the guest rules; its policy is DROP.
/usr/sbin/ebtables -t filter -N LANDROP
/usr/sbin/ebtables -t filter -P LANDROP DROP
# Nothing crosses the bridge unless a rule below explicitly accepts it.
/usr/sbin/ebtables -t filter -P FORWARD DROP
/usr/sbin/ebtables -t filter -A FORWARD -j LANDROP
# Guests may ARP only for the gateway (pfSense).
/usr/sbin/ebtables -t filter -A LANDROP -p arp -i wl0.1 --arp-ip-dst 192.168.0.1 -j ACCEPT
/usr/sbin/ebtables -t filter -A LANDROP -p arp -i wl1.1 --arp-ip-dst 192.168.0.1 -j ACCEPT
# Guests may send IPv4 only to destinations outside the LAN range (internet via the gateway).
/usr/sbin/ebtables -t filter -A LANDROP -p ipv4 -i wl0.1 --ip-dst ! 192.168.0.0/16 -j ACCEPT
/usr/sbin/ebtables -t filter -A LANDROP -p ipv4 -i wl1.1 --ip-dst ! 192.168.0.0/16 -j ACCEPT
# Guests may still obtain leases: DHCP requests go to UDP port 67.
/usr/sbin/ebtables -t filter -A LANDROP -p ipv4 -i wl0.1 --ip-proto udp --ip-dport 67 -j ACCEPT
/usr/sbin/ebtables -t filter -A LANDROP -p ipv4 -i wl1.1 --ip-proto udp --ip-dport 67 -j ACCEPT
# Anything else from a guest interface returns to FORWARD, whose policy is DROP.
/usr/sbin/ebtables -t filter -A LANDROP -i wl0.1 -j RETURN
/usr/sbin/ebtables -t filter -A LANDROP -i wl1.1 -j RETURN
# Traffic from every other interface is bridged unchanged.
/usr/sbin/ebtables -t filter -A LANDROP -j ACCEPT
# Guests may not reach the AP's own IPv4 address (its web UI, SSH, etc.).
/usr/sbin/ebtables -t filter -A INPUT -p ipv4 -i wl0.1 -j DROP
/usr/sbin/ebtables -t filter -A INPUT -p ipv4 -i wl1.1 -j DROP
Now, it is working as expected and network access is severely restricted for guest wifi clients, but one issue is that because these clients are on the same subnet as other devices and are being served by the same pfSense device, I am unable to limit access to the pfSense device from these guest clients. The pfSense IP is 192.168.0.1 and if I try to limit access to it then packet routing is impacted. Is there some approach to tackle this issue? Also, any flaws in my approach to limiting guest wifi clients? Sorry for not commenting the script.
Thanks
Ron
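The following is an added example, not Ron's script and not code from the Asuswrt firmware: a small Python model of the ebtables chain walk for the rules above, so that the effect of the RETURN rules (control goes back to FORWARD, whose policy is DROP) and of the final unconditional ACCEPT can be checked against constructed frames before anything is loaded on the router. The Frame and Rule classes, the constructed frames, and the reduction of a frame to interface, protocol, IP destination, L4 protocol and port are all assumptions of this model; the interface names, addresses and rule order come from the script. ebtables user-defined chains carry a policy set with -P (the script sets LANDROP to DROP), and the model applies that policy when a chain is walked to its end.

```python
"""Model of the ebtables chain walk for the guest-isolation script above.

Added example, not the poster's script and not firmware code. Frames and
rules are simplified to the fields the script actually matches on.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

GUEST_IFS = ("wl0.1", "wl1.1")   # guest SSID bridge ports, from the script
GATEWAY = "192.168.0.1"          # pfSense address, from the script
LAN = "192.168.0.0/16"           # LAN range used in the script's negated rule


@dataclass
class Frame:
    """A constructed frame as the bridge sees it (matched fields only)."""
    in_if: str
    proto: str                      # "arp", "ipv4" or "ipv6"
    dst_ip: Optional[str] = None    # IP destination (for arp: target IP)
    ip_proto: Optional[str] = None  # "udp", "tcp", ... for ipv4 frames
    dport: Optional[int] = None     # L4 destination port


@dataclass
class Rule:
    """One ebtables rule: a target plus optional match fields."""
    target: str                     # ACCEPT, DROP, RETURN or a chain name (jump)
    in_if: Optional[str] = None     # -i
    proto: Optional[str] = None     # -p
    dst_ip: Optional[str] = None    # --ip-dst / --arp-ip-dst (address or prefix)
    dst_negate: bool = False        # the "!" in "--ip-dst ! 192.168.0.0/16"
    ip_proto: Optional[str] = None  # --ip-proto
    dport: Optional[int] = None     # --ip-dport

    def matches(self, f: Frame) -> bool:
        if self.in_if is not None and f.in_if != self.in_if:
            return False
        if self.proto is not None and f.proto != self.proto:
            return False
        if self.dst_ip is not None:
            if f.dst_ip is None:
                return False
            hit = ip_address(f.dst_ip) in ip_network(self.dst_ip, strict=False)
            if hit == self.dst_negate:   # "!" inverts the address test
                return False
        if self.ip_proto is not None and f.ip_proto != self.ip_proto:
            return False
        if self.dport is not None and f.dport != self.dport:
            return False
        return True


def build_chains():
    """The script's rules in their original order: name -> (policy, rules)."""
    landrop = []
    landrop += [Rule("ACCEPT", in_if=i, proto="arp", dst_ip=GATEWAY) for i in GUEST_IFS]
    landrop += [Rule("ACCEPT", in_if=i, proto="ipv4", dst_ip=LAN, dst_negate=True)
                for i in GUEST_IFS]
    landrop += [Rule("ACCEPT", in_if=i, proto="ipv4", ip_proto="udp", dport=67)
                for i in GUEST_IFS]
    landrop += [Rule("RETURN", in_if=i) for i in GUEST_IFS]
    landrop.append(Rule("ACCEPT"))          # everything non-guest is bridged
    return {
        "FORWARD": ("DROP", [Rule("LANDROP")]),
        "LANDROP": ("DROP", landrop),
        # INPUT keeps its default ACCEPT policy; the script only appends two DROPs.
        "INPUT": ("ACCEPT", [Rule("DROP", in_if=i, proto="ipv4") for i in GUEST_IFS]),
    }


def walk(chains, name: str, frame: Frame) -> Optional[str]:
    """Walk one chain. Returns ACCEPT/DROP, or None when a RETURN hands control
    back to the calling chain (which then continues with its next rule)."""
    policy, rules = chains[name]
    for rule in rules:
        if not rule.matches(frame):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = walk(chains, rule.target, frame)   # jump into a user chain
        if verdict is not None:
            return verdict
    return policy   # end of chain: the policy set with -P applies


def verdict(chain: str, frame: Frame, chains=None) -> str:
    """Final verdict for a frame entering a built-in chain."""
    chains = build_chains() if chains is None else chains
    result = walk(chains, chain, frame)
    return chains[chain][0] if result is None else result


def forward_verdict(frame: Frame) -> str:
    return verdict("FORWARD", frame)


def input_verdict(frame: Frame) -> str:
    return verdict("INPUT", frame)


if __name__ == "__main__":
    # Constructed frames: guest ARP for the gateway, guest ARP for a LAN host,
    # guest TCP to the internet, guest SMB to a LAN host, guest DNS to pfSense.
    for f in (Frame("wl0.1", "arp", dst_ip=GATEWAY),
              Frame("wl0.1", "arp", dst_ip="192.168.0.50"),
              Frame("wl1.1", "ipv4", dst_ip="8.8.8.8", ip_proto="tcp", dport=443),
              Frame("wl0.1", "ipv4", dst_ip="192.168.0.50", ip_proto="tcp", dport=445),
              Frame("wl0.1", "ipv4", dst_ip=GATEWAY, ip_proto="udp", dport=53)):
        print(f"FORWARD {f} -> {forward_verdict(f)}")
```

Walking a guest frame addressed to 192.168.0.1 itself through the model shows which of the script's rules decides it: only UDP/67 matches, so any other IPv4 service on the gateway falls through the RETURN to the FORWARD policy, while frames for non-LAN destinations are accepted by the negated --ip-dst rule even though they are delivered to the gateway's MAC address. That is the distinction between what ebtables matches (the IP header) and where the frame is physically headed.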