How to change NAT type in PfSense

Just so I understand, on your pfsense box do you have 4 NICs and only two are in use (lan and wan)?

I have 6 NICs. 1 is WAN and 1 is LAN, giving me 4 that are free.

Cool. If you can get it to work by changing your DMZ setup to point to the IP of the PS4 rather than the whole subnet, that will be much easier to set up, but when I get home I'll go through how to set it up with a DMZ SSID.

Honestly if it would be easier for you you could probably remote access in. I could just watch or something and make sure you aren't downloading random crap

If you like, but I won't be home for a few hours

It's 11 PM here so it probably won't happen tonight. I'll just hop on here around 6 (PM) my time and see if you are on.

I'll be at work. I'll write out the instructions when I get home. Either that or you can open the pfSense GUI to the internet and PM me the IP and login.

But that won't really work anyway as there's some physical stuff which needs to happen too.

I can do that as long as I'm there. How do you prefer to remote access?

Yeah but you're going to be asleep by the time I'm home and I'll be at work when you're back

Actually, if I do it remotely then you shouldn't have to do anything physical. So if you want to do that, then open port TCP 443 on WAN (from any to WAN address) and PM me your public IP and login details; I'll close it again when I'm done.

Ok. You should probably know I've had really bad luck opening ports, but I'll try. I think it might be my ISP, but I could be wrong. If that doesn't work I have good luck with TeamViewer. I'll let you know, or you will find out, I guess.

If you give me like 2 days, I will be home all day on Friday, Saturday, and hopefully all of Sunday. If you want to wait until then, I can plug stuff into other stuff for you.

Sure, whatever works. I'll write up the instructions anyway if you want to have a go at it; otherwise I can do it remotely.

You won't have to set up a port forward or anything, just make a firewall rule on the WAN interface that will allow TCP 443 from any to WAN address. But if your ISP is blocking that port then never mind, we'll just do it with TeamViewer or something later.

Ok, sounds good. I'll message you on here when I'm free and see if you are up for it. Thanks for all your help. I know a little about pfSense but I'm still learning.


These are instructions for setting it up so that you have a second SSID which will be the DMZ network. I'm assuming you've already configured a DMZ interface, but if not then you'll need to do that after setting this up.

First go to System > Advanced > System Tunables in pfSense. Find net.link.bridge.pfil_bridge and net.link.bridge.pfil_member and toggle them, so member should be set to 0 and bridge should be set to 1. This will make it so you only configure firewall rules for the bridge interface and not the member interfaces.

I'm going to make up some NIC names for the purposes of this; you should substitute your real ones. I would suggest writing down what you currently have configured and what new ones you configure, to make it easier.

WAN = eth0
LAN = eth1

Go to Interfaces > Assign > VLANs and create a new VLAN interface. Set the parent interface to the NIC which you will connect the AP to, one of the unused ones; I'm going to call it eth2. Set the VLAN tag to 2 and leave the VLAN priority at 0. Add a description if you want, call it DMZ or something, or leave it blank.

Go back to the Interfaces > Assign tab and add a new interface on the same NIC as you set the VLAN on (eth2). This new interface will be called OPT1 (or something like that); you can rename it later, but for now that's what I'll call it.

Create another interface using any of the unused ports (this will just be a placeholder so it doesn't matter; I'll say it's eth3).

So in the Interfaces > Assign page you should have:

WAN = eth0
LAN = eth1
OPT1 = eth2
OPT2 = eth3

In the VLANs tab you should have an interface on eth2 tagged for VLAN 2.

Go to Interfaces > OPT1 and check the Enable box to enable it. Set the IPv4 (and IPv6) configuration type to None and make sure the two boxes for blocking reserved networks are unchecked. Save this and do the same for OPT2.

Go to Interfaces > Assign > Bridges and create a new bridge interface. For the member interfaces choose OPT1 and OPT2, and for the description call it LAN. You can leave the advanced options as they are.

Go back to the Interfaces > Assign page and change LAN to bridge0 (or whatever the bridge is called) and change OPT2 to the NIC that used to be set for LAN (make sure you do both of these before applying, otherwise you'll get locked out).

Now you should have:

WAN = eth0
LAN = bridge0
OPT1 = eth2
OPT2 = eth1

If that's right, hit Apply. If it works you should still be able to use the pfSense GUI; if there's an error you're going to be locked out, and you may need to log in to pfSense physically (console) and reassign the interfaces back to the default.

Once the bridge is working, go back to Interfaces > Assign. If you already have a DMZ interface set up, just change it to use the VLAN 2 interface you made earlier. Otherwise create a new interface using VLAN 2 and set this up as the DMZ interface.

Connect the AP to eth2 (or whichever port you configured earlier) and you should be able to log in to it. Once you've logged in, create a new SSID for the DMZ and tag it in VLAN 2.

That should be it, assuming your DMZ is configured properly.
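The step that locks people out of the GUI is the final reassignment: LAN has to move to bridge0 and OPT2 has to move onto the old LAN NIC in the same apply, or the port the admin is plugged into is left outside the new LAN. The following is an added example (not from the post above and not a pfSense feature): a small Python model of the interface plan using the post's made-up names (eth0..eth3, bridge0, VLAN 2), with a checker that flags that lock-out case and the other mistakes the instructions warn about (bridge members with an IP configuration, the two bridge tunables not toggled, a NIC assigned twice). The VLAN device name `eth2.2` and the assumption that the admin's machine sits on eth1 are mine, chosen to match the post.

```python
"""Added example: sanity-check a pfSense interface reassignment plan before
it is applied. Names follow the forum post's hypothetical layout; the checker
and the MGMT_NIC assumption are not part of pfSense."""
from dataclasses import dataclass

# The post's 6-NIC box, with the made-up names used in the instructions.
PHYSICAL_NICS = {"eth0", "eth1", "eth2", "eth3", "eth4", "eth5"}
# Assumption: the admin's PC is plugged into the NIC that used to be LAN.
MGMT_NIC = "eth1"


@dataclass
class Plan:
    assignments: dict   # logical name -> device (physical NIC, VLAN or bridge)
    ip_config: dict     # logical name -> "static" | "dhcp" | "none"
    vlans: dict         # VLAN device -> (parent device, tag)
    bridges: dict       # bridge device -> list of member logical names
    tunables: dict      # sysctl name -> value


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is safe to apply."""
    problems = []

    # 1. Filter on the bridge, not on its members (the post's tunable settings).
    if (plan.tunables.get("net.link.bridge.pfil_bridge") != 1
            or plan.tunables.get("net.link.bridge.pfil_member") != 0):
        problems.append("set net.link.bridge.pfil_bridge=1 and net.link.bridge.pfil_member=0")

    # 2. Every assigned device must be a NIC, a VLAN or a bridge we know about.
    known = PHYSICAL_NICS | set(plan.vlans) | set(plan.bridges)
    for name, dev in plan.assignments.items():
        if dev not in known:
            problems.append(f"{name}: unknown device {dev}")

    # 3. A physical NIC can back at most one logical interface
    #    (being a VLAN parent as well, like eth2 here, is fine).
    seen = {}
    for name, dev in plan.assignments.items():
        if dev in PHYSICAL_NICS and dev in seen:
            problems.append(f"{dev} assigned to both {seen[dev]} and {name}")
        seen.setdefault(dev, name)

    # 4. VLAN parents must be physical NICs and tags must be valid 802.1Q IDs.
    for vdev, (parent, tag) in plan.vlans.items():
        if parent not in PHYSICAL_NICS:
            problems.append(f"{vdev}: parent {parent} is not a physical NIC")
        if not 1 <= tag <= 4094:
            problems.append(f"{vdev}: VLAN tag {tag} out of range")

    # 5. Bridge members must be assigned interfaces with IPv4/IPv6 type None.
    for bdev, members in plan.bridges.items():
        for m in members:
            if m not in plan.assignments:
                problems.append(f"{bdev}: member {m} is not assigned")
            elif plan.ip_config.get(m) != "none":
                problems.append(f"{bdev}: member {m} must have IPv4/IPv6 type None")

    # 6. Lock-out check: after the apply, LAN must still reach the management NIC,
    #    either directly or because that NIC is a member of the bridge LAN sits on.
    lan_dev = plan.assignments.get("LAN")
    member_devs = {plan.assignments.get(m) for m in plan.bridges.get(lan_dev, [])}
    if lan_dev != MGMT_NIC and MGMT_NIC not in member_devs:
        problems.append(f"LAN no longer reaches {MGMT_NIC}; applying this would lock you out")

    return problems


def target_plan():
    """The finished layout from the post: LAN on bridge0, OPT2 on the old LAN NIC."""
    return Plan(
        assignments={"WAN": "eth0", "LAN": "bridge0", "OPT1": "eth2",
                     "OPT2": "eth1", "DMZ": "eth2.2"},
        ip_config={"WAN": "dhcp", "LAN": "static", "OPT1": "none",
                   "OPT2": "none", "DMZ": "static"},
        vlans={"eth2.2": ("eth2", 2)},
        bridges={"bridge0": ["OPT1", "OPT2"]},
        tunables={"net.link.bridge.pfil_bridge": 1, "net.link.bridge.pfil_member": 0},
    )


def half_applied_plan():
    """Only LAN moved to bridge0; OPT2 still on the placeholder eth3 (the lock-out case)."""
    plan = target_plan()
    plan.assignments["OPT2"] = "eth3"
    return plan


if __name__ == "__main__":
    for label, plan in (("target", target_plan()), ("half-applied", half_applied_plan())):
        print(label, "->", check_plan(plan) or "OK")
```

Running it prints OK for the finished layout and the lock-out warning for the half-applied one, which is exactly the situation the post tells you to avoid by changing both assignments before hitting Apply.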

OK thanks. I will let you know if I have any issues