OPNsense Forum

English Forums => General Discussion => Topic started by: manuel on September 09, 2017, 02:17:31 pm

Title: Access Point on third interface
Post by: manuel on September 09, 2017, 02:17:31 pm
Hello
I would like to connect an AP to the third interface on my OPNsense FW. The plan is that some dedicated and authorised WLAN clients in the office can access everything on the LAN net (Windows servers and NAS) and also access the internet. But if a hacker from outside the office gains access through the AP to the net, he can do nothing, and all traffic to the WAN (Internet) and LAN will be blocked.

How would you do that? Create some MAC-based firewall rules? Is that possible? FW rules based on IP don't make sense, and MAC addresses could also be spoofed. What would be the most secure approach?

Thank you very much for your answer.

Manuel
Title: Re: Access Point on third interface
Post by: fabian on September 09, 2017, 02:36:22 pm
The most secure approach would be allowing a single port to the firewall - the port of an OpenVPN instance. All the traffic to the firewall is encrypted twice (by the WLAN and the VPN), and an attacker in the WLAN sees the OpenVPN packets in the worst case, but cannot see any content.
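The policy fabian describes, written out as a pf ruleset so the intent is explicit. This is an added example, not code from the thread or from OPNsense; in OPNsense the same rules are entered per interface in the GUI. Interface names (em0/em1/em2, ovpns1), subnets and the OpenVPN port (UDP 1194) are assumptions chosen for illustration.

```pf
# Added example: "WLAN clients get nothing except the OpenVPN port on the firewall".
# Assumed names (not from the thread):
wan_if   = "em0"            # WAN uplink
lan_if   = "em1"            # office LAN with the Windows servers and NAS
wlan_if  = "em2"            # third interface, the access point hangs off it
ovpn_if  = "ovpns1"         # OpenVPN server tunnel interface
lan_net  = "192.168.1.0/24" # assumed LAN subnet
wlan_net = "192.168.3.0/24" # assumed WLAN subnet
wlan_gw  = "192.168.3.1"    # firewall's own address on the WLAN interface
vpn_net  = "10.8.0.0/24"    # assumed OpenVPN tunnel subnet
ovpn_port = "1194"

set skip on lo0

# Translation: only traffic that already came through the tunnel gets NAT to the internet.
nat on $wan_if inet from $vpn_net to any -> ($wan_if)

# Default on the WLAN side: drop and log everything. An attacker who only has
# WLAN access reaches neither the LAN, nor the WAN, nor the firewall's other services.
block log on $wlan_if all

# DHCP so clients can obtain a lease (OPNsense adds this automatically when
# its DHCP server is enabled on the interface).
pass in quick on $wlan_if inet proto udp from any port 68 to any port 67

# The single allowed port: OpenVPN on the firewall itself.
pass in quick on $wlan_if inet proto udp from $wlan_net to $wlan_gw port $ovpn_port keep state

# Authenticated VPN clients (inside the tunnel) may reach the LAN and the internet.
pass in quick on $ovpn_if inet from $vpn_net to $lan_net keep state
pass in quick on $ovpn_if inet from $vpn_net to ! $lan_net keep state
```

With this ordering, every packet on the WLAN that is not DHCP or OpenVPN to the firewall is logged, which also gives you a cheap signal for scanning attempts from the wireless side.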
Title: Re: Access Point on third interface
Post by: fabian on September 09, 2017, 02:37:39 pm
Additional: On Linux, NetworkManager supports this setup natively.