Enabling Guest Network on AP - or in IPFire?

I recently upgraded my AP’s Firmware and while doing that I considered enabling the Guest mode for some devices. I did not proceed since I am concerned about CPU/RAM load on the AP and perhaps this should be done in IPFire instead, since that machine has plenty CPU/RAM.

The AP is connected to Green via Patch panel and Switch. I have no Blue configured, nor anything connected to a NIC that could adopt the Blue role.

It is not a Wifi NIC as stated here: wiki.ipfire.org - Wireless Access Point
I do not think hostapd is relevant for my scenario…

Looking through IPFire system I see no obvious way to enable any Wifi Guest functionality, which I guess is fine since I have no Blue configured.

What I believe I should do, from reading threads here and the wiki, is:
Connect the AP to a NIC on my IPFire computer and configure Blue to that NIC, which is perfectly possible. That raises additional questions.

1. How do I then create a Guest network for untrusted Wifi connected devices? A vlan? On Blue? How?
2. How do I configure Blue so trusted Wifi devices can access the rest of the trusted Lan network, that being 192.168.1.1/24?

I hope the following links will be helpful:

Regards

Pinhole seems additionally relevant, missed that. Thanks…

So I was pondering the effects of this implementation - yes. sorry I do ponder a lot and am sometimes a slow learner. Then again I hardly ever have system crashes or stuff that keeps breaking randomly.

Nothing done yet, only checked that I have the cabling in place so far.

An example: I have some Aqara sensors to measure electricity consumption and temperature. They are connected to an Aqara Hub and that Hub is connected to my WiFi - which is still on the Green network, thus have internet. These are IoT devices and a standing recommendation among a lot of people is to deny them Internet access.

If I put them on Blue and do not add pinhole to that, will I not be able to access them from devices with pinhole?

Another thing.
I run SuperMicro IPMI from my smartphone. I do many things from my smartphone and the Green network. So when I add that to Blue, I assume from the Pinhole guide I will have to open up all relevant protocols via Pinholes, not just TCP but RDP, SSH and some more. OR, I set the phones MAC to access everything?

If you don’t add a pinhole for them to access devices on your green lan then they will not be able to access green which is probably what you want. If you want to access the Aqara sensors from devices in green, to read some data etc, then you can do that as the default rules setup allow green to access blue.

If your smartphone gets connected to the blue network but needs to access devices in the green network then you will need to create a pinhole.

You could set the phone’s mac to access everything but I would suggest creating a group called say smartphone and in that you create a list of all the protocols you need to use in connections to the green network from your smartphone.
Then you create a single rule that opens a pinhole for the smartphone (source either IP or MAC) and apply the group of protocols to that rule.

If you find you forgot something or a new protocol needs to be accessed then you can add that to the group very easily.

Add Smartphone Group >

?

Just checking, it seems the functionality is correct. Add devices to that group with MAC or IP to access other Networks

That is for making a group of multiple clients to be able to access a specific machine, protocol etc.

It is in the right area but it is the Service Groups section you need.

https://wiki.ipfire.org/configuration/firewall/fwgroups/servicegroups

In that page in place of the title Examplegroup1 you would use smartphone and you would then select any of the existing protocols in the IPFire list.

If you find that you need a protocol that is not listed in the IPFire protocol list then follow the Services page

https://wiki.ipfire.org/configuration/firewall/fwgroups/service

Then you can create the protocol in that list and it will then be available to select in the Service Groups section.

Then when you make your firewall rule for the pinhole, in the protocol section select preset and you have two radio buttons. select the Service Groups one and you can then select your smartphone group from that.

Here is an example from my system with a qbittorrent gtroup covering both the tcp and udp ports for qbittorrent.

Screenshot_2023-01-30_15-09-301004×139 7.36 KB

ok, not what i thought it would be. I have three smartphones that should have pinholes from blue to green, I thought I would be able to add them to group “Smartphone” with their respective Mac address (since I have collected those), but I don’t see how.

Then the Smartphone group handles the protocols.

image1211×684 29.3 KB

How do I add those MAC’s?

Sorry, I thought you only had one smartphone being used. If you have three then you need to create a host for each one using the Hosts entry in the Firewall Groups WUI page. In there you can specify either the IP or the MAC address.
Then create a host group where you now select the three Hosts with their MAC addresses.

Then the service group for the different protocols, presuming that all three smartphones will use the same protocols, as you have shown in your screenshot.

Then create a new firewall rule for the pinhole that uses the host group of three smartphones for the source and the protocol group for the Protocol Service Group selection and the destination will be an IP on the green network or it can be the whole green network or you can create a group of clients on the green network that those smartphones are allowed to access. Just bear in mind that for the destination only IP addresses can be used, not MAC addresses.

Hope that helps.

3 smartphones, 4 laptops, 3 tablets, aside from previously mentioned IoT devices.

Once I secured that maybe i add my washing machine and dryer as well…

To make it clearer than lots of words I have set some groups up and created a rule and taken screen shots.

First from the Hosts section of the Firewall Groups page

Screenshot_2023-01-30_17-35-28959×79 4.47 KB

Then from the Network/Hosts Groups section

Screenshot_2023-01-30_17-37-11960×136 11.3 KB

Then from the Services Group section

Screenshot_2023-01-30_17-40-20957×218 11.7 KB

Then using the two groups created the entries in the Firewall Ruls page

Screenshot_2023-01-30_17-45-34970×819 49.7 KB

I just entered a single IP in the destination but that section would be where you could also use a group if it was a subset of all clients in the green network.

Good Luck. Come back if you have any issues.

A small addition.

Apple platforms also use a randomized MAC address when conducting enhanced Preferred Network Offload (ePNO) scans when a device isn’t associated with a Wi-Fi network or its processor is asleep.

This feature can be disabled either by the user or using a new option in the Wi-Fi payload. Under certain circumstances, the device will fall back to the actual MAC address.

Wi-Fi privacy - Wsparcie Apple (PL)

On some Android smartphones, mac address randomisation can also be blocked.

https://www.youtube.com/watch?v=XJyFLzOtA9M

So if these are your smartphones, you can turn off randomisation for your wifi network on them.

I hope I have written this understandably

Best.

I see no reason why I should be using that on my own network, wanting to access its resources, but good to know. Thanks.

So lets see if I was able to understand anything at all of what was posted previously. Doing a review below, have not yet implemented BLUE but if nothing is very wrong below I may do that in a day or so.

Been prepping this slowly and following this sequence, pretty much as @bonnietwin laid out.

1. Add Hosts to Firewall Group > Host with Name+MAC+Remark:

image1158×524 23.6 KB

2. Make a Firewall Network/ Host Group, in my case “Trusted Devices”

3. Add the hosts from step 1 in to the group created in step 2:

image1164×354 17.4 KB

4. Add a Firewall Group > Service Group with a relevant name, and to that adding the protocols that may be needed for the Trusted Devices group (to communicate between Blue and Green - next steps).

image1183×380 14.3 KB

5. Tie the knot together in a Firewall Rule:

SOURCE which would be the WiFi devices on the BLUE network in the group named Trusted Devices.

DESTINATION which is from where you want them to be able to access resources: the BLUE network.

PROTOCOLS should be selected in appropriate dropdown list Service group, as named, Trusted Devices.

image1220×1320 68.1 KB

I apologize for procrastinating and perhaps going a bit over the top on this, but I will also use this documentation - if correct - on my Confluence to keep everything in order with screenshots and everything. Once implemented I will make new screenshots of the rules as they look in the interface.

Also hope it will help others.

Changing the cables.

Oh, wait I have to enable BLUE in the setup…
There seems to be no way to do it in the WUI, only other option would seem to be SSH.

Below is done via IPMI running the “setup” cmd

Using 192.168.1.10/24 as IP range

Follow the Manual, but adapt for additional BLUE interface:

Restart the Wifi AP… does it get any IP? Yes. 192.168.10.2 and defining that as default for that device.

After the basic setup I still have to assign the intended IP span to the DHCP page in IPFire. Which was done in the setup. So again? With Scope though, that was not defined in the setup…

…and then I have to manually add all Wifi devices on Blue to Wireless Configuration page in the IPFire WUI? OK, I see DHCP host list is getting some population. Adding them is not a huge deal, but how does that work with the pinhole?

As for the pinhole, that started this thread, struggling with this. The basic test I would consider to check if anything goes through from my “Trusted Devices” to file share on GREEN would be a simple PING command, but in the Service section of Firewall Groups > Edit Group > Add Services ICMP is not available. So that is a new question.

Other than that just fiddling with it to see If I can get something to work. Maybe just testing with one device like in the Wiki: wiki.ipfire.org - Creating a Blue to Green Pinhole and see if i can get that to work.

Ehm… MAC addresses are not case sensitive I hope?

This is my test of a single device rule. The device is a laptop, connected via Wifi on BLUE and needing access to a file share on GREEN.

image724×1117 42.1 KB

It works. Also Ping works with this.

But why does it say that GREEN is blocked:

image1184×193 10 KB

The other FW rule is currently disabled as I test this and the laptops IP/MAC is listed in the BLUE DHCP.

So another question.

What functionality has Firewall > BLUE Access > Add list
compared to
Network > DHCP > Dynamic leases (BLUE IP’s) > Add?

this is the MAC filter

Ok, yeah I figured, had to add my work laptop there as well now coming Monday morning. That dialogue in the WUI could perhaps be better explained.

Adding the MAC/IP combination do not seem to affect DHCP leases, as in creating a static IP entry, but to my understanding it should.

I would wish for

Devices on Blue

not popping up again on

Current DHCP leases on BLUE

I do understand why but it makes it a bit confusing keeping tabs on what you already added.

My biggest problem with the MAC filter I
devices that use random MAC addresses.
Everytime they connect to WiFi they use a different MAC address.
Your expired DHCP list gets real long.
I have my MAC filter off.
WiFi is innatley insecure and broken.
The Alltimate in insecurity.
And we love it. ?
.

Yeah, that is a potential issue.

It is protection when on unknown WiFi’s but on a network that is safe, well safe-r, how das fu do you assign the MAC to allowed devices if it generates new sequences? There must be a way.

@hvacguy I do not love WiFi, but sadly, my phones and tablets come without RJ45. Can ofc be fixed though:

image1500×1500 79.6 KB

Bit much cables?

And the two corp phones we have at home should not be tampered with…on the other hand I see now I can disable that on my crappy work iphone. So they did not bother to configure the security policy for that setting. Buggers.

For now confing the phones to use hw mac