I recently upgraded my AP’s Firmware and while doing that I considered enabling the Guest mode for some devices. I did not proceed since I am concerned about CPU/RAM load on the AP and perhaps this should be done in IPFire instead, since that machine has plenty of CPU/RAM.
The AP is connected to Green via Patch panel and Switch. I have no Blue configured, nor anything connected to a NIC that could adopt the Blue role.
Looking through IPFire system I see no obvious way to enable any Wifi Guest functionality, which I guess is fine since I have no Blue configured.
What I believe I should do, from reading threads here and the wiki, is:
Connect the AP to a NIC on my IPFire computer and configure Blue to that NIC, which is perfectly possible. That raises additional questions.
How do I then create a Guest network for untrusted Wifi connected devices? A vlan? On Blue? How?
How do I configure Blue so trusted Wifi devices can access the rest of the trusted Lan network, that being 192.168.1.1/24?
So I was pondering the effects of this implementation - yes, sorry, I do ponder a lot and am sometimes a slow learner. Then again I hardly ever have system crashes or stuff that keeps breaking randomly.
Nothing done yet, only checked that I have the cabling in place so far.
An example: I have some Aqara sensors to measure electricity consumption and temperature. They are connected to an Aqara Hub and that Hub is connected to my WiFi - which is still on the Green network, and thus has internet access. These are IoT devices and a standing recommendation among a lot of people is to deny them Internet access.
If I put them on Blue and do not add a pinhole to that, will I not be able to access them from devices with a pinhole?
Another thing.
I run SuperMicro IPMI from my smartphone. I do many things from my smartphone and the Green network. So when I add that to Blue, I assume from the Pinhole guide I will have to open up all relevant protocols via Pinholes, not just TCP but RDP, SSH and some more. OR, I set the phone’s MAC to access everything?
If you don’t add a pinhole for them to access devices on your green lan then they will not be able to access green which is probably what you want. If you want to access the Aqara sensors from devices in green, to read some data etc, then you can do that as the default rules setup allow green to access blue.
If your smartphone gets connected to the blue network but needs to access devices in the green network then you will need to create a pinhole.
You could set the phone’s mac to access everything but I would suggest creating a group called say smartphone and in that you create a list of all the protocols you need to use in connections to the green network from your smartphone.
Then you create a single rule that opens a pinhole for the smartphone (source either IP or MAC) and apply the group of protocols to that rule.
If you find you forgot something or a new protocol needs to be accessed then you can add that to the group very easily.
Then you can create the protocol in that list and it will then be available to select in the Service Groups section.
Then when you make your firewall rule for the pinhole, in the protocol section select preset and you have two radio buttons. Select the Service Groups one and you can then select your smartphone group from that.
Here is an example from my system with a qbittorrent group covering both the tcp and udp ports for qbittorrent.
OK, not what I thought it would be. I have three smartphones that should have pinholes from blue to green. I thought I would be able to add them to group “Smartphone” with their respective MAC address (since I have collected those), but I don’t see how.
Sorry, I thought you only had one smartphone being used. If you have three then you need to create a host for each one using the Hosts entry in the Firewall Groups WUI page. In there you can specify either the IP or the MAC address.
Then create a host group where you now select the three Hosts with their MAC addresses.
Then the service group for the different protocols, presuming that all three smartphones will use the same protocols, as you have shown in your screenshot.
Then create a new firewall rule for the pinhole that uses the host group of three smartphones for the source and the protocol group for the Protocol Service Group selection. The destination will be an IP on the green network, or it can be the whole green network, or you can create a group of clients on the green network that those smartphones are allowed to access. Just bear in mind that for the destination only IP addresses can be used, not MAC addresses.
I just entered a single IP in the destination but that section would be where you could also use a group if it was a subset of all clients in the green network.
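The host group / service group / pinhole procedure above, modelled as a small policy evaluator. This is an added example, not IPFire's own code or its rule file format: it encodes the defaults the replies describe (green reaches blue, blue reaches green only through a matching pinhole) and the restriction that destinations are IP addresses or networks, never MACs. The MAC addresses, the IPMI host 192.168.1.50 and the service list are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical model of the zone policy described in the thread:
# green -> blue is permitted by the default rules, blue -> green is denied
# unless a pinhole matches. Sources may be MACs; destinations are IP only.

@dataclass(frozen=True)
class Service:
    proto: str   # "tcp" or "udp"
    port: int

@dataclass(frozen=True)
class Pinhole:
    src_macs: frozenset   # host group, e.g. the three smartphones by MAC
    services: frozenset   # service group, e.g. SSH, HTTPS, RDP
    dst_nets: tuple       # IP hosts or networks (MAC addresses rejected)

def make_pinhole(macs, services, destinations):
    """Build a pinhole; a MAC given as destination is rejected, as in the WUI."""
    nets = []
    for d in destinations:
        try:
            nets.append(ipaddress.ip_network(d, strict=False))
        except ValueError as e:
            raise ValueError(f"destination must be an IP or network, got {d!r}") from e
    return Pinhole(frozenset(m.lower() for m in macs),
                   frozenset(services), tuple(nets))

def allowed(src_zone, dst_zone, src_mac, dst_ip, proto, port, pinholes):
    """True if a forwarded packet passes under the modelled default policy."""
    if src_zone == "green" and dst_zone == "blue":
        return True                                  # default: green reaches blue
    if src_zone == "blue" and dst_zone == "green":
        svc, ip = Service(proto, port), ipaddress.ip_address(dst_ip)
        return any(src_mac.lower() in p.src_macs and svc in p.services
                   and any(ip in n for n in p.dst_nets) for p in pinholes)
    return False                                     # other zone pairs: not modelled

# Constructed sample policy: three smartphones may reach the IPMI host on
# SSH, HTTPS and RDP; everything else from blue to green stays blocked.
SMARTPHONES = ["02:00:00:AA:BB:01", "02:00:00:aa:bb:02", "02:00:00:aa:bb:03"]
SMARTPHONE_SERVICES = [Service("tcp", 22), Service("tcp", 443), Service("tcp", 3389)]
PINHOLES = [make_pinhole(SMARTPHONES, SMARTPHONE_SERVICES, ["192.168.1.50"])]
```

Passing "192.168.1.1/24" as a destination models the "whole green network" option; passing a MAC raises, which mirrors the restriction the reply points out.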
Apple platforms also use a randomized MAC address when conducting enhanced Preferred Network Offload (ePNO) scans when a device isn’t associated with a Wi-Fi network or its processor is asleep.
This feature can be disabled either by the user or using a new option in the Wi-Fi payload. Under certain circumstances, the device will fall back to the actual MAC address.