Using Vlan for Blue interface assigned to green nic

Hello,

I am trying to set up a Wi-Fi AP that makes it possible to limit access to the green network for some untrusted clients. Untrusted clients should also not be able to communicate with each other. It is my understanding that untrusted clients must be separated into another subnet, otherwise they can communicate directly, bypassing the IPFire.

I assume that using VLANs is a way to achieve this, based on these references:

On the APU the first NIC is assigned to red, which connects to the cable router, the second to orange and the third to green. On the green NIC there is a Fritzbox attached in IP client mode that provides Wi-Fi and a switch for green.

The hosts on blue shall have connections to red but not to green without a pinhole. If possible, there should also be no connections between the hosts in blue (client isolation).

I was able to get the blue0@green0 assignment as described in the guide, and the DHCP server could be configured for green and blue. Devices can connect to 192.168.4.0 (green interface) and 192.168.3.0 (blue interface) over the Fritzbox AP. However, when they connected to the subnet of the blue interface they had no connection to the internet (MAC filter was disabled for blue as the wiki describes). Also, devices could not access the WebGUI, although there was a rule created to allow access to the green interface (firewall) from blue.

I am wondering: Is there a general flaw in my thinking, and is the Fritzbox attached to the green NIC not able to manage this scenario with blue in a VLAN? Are there any special NAT rules necessary to make this work?
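To separate the link-layer question (is blue0 really an 802.1Q sub-interface of green0?) from the routing question, here is an added check script that is not part of this thread or of IPFire. It parses `ip -d link show` output; the sample output and the expected VLAN id 2 are constructed assumptions, not captured from the poster's box.

```python
import re

# Constructed sample of `ip -d link show` output, not captured from a real IPFire box.
# Interface names follow the thread: blue0 as an 802.1Q VLAN stacked on green0.
SAMPLE_IP_LINK = """\
2: green0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 9000 addrgenmode eui64
3: blue0@green0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 0 maxmtu 65535
    vlan protocol 802.1Q id 2 <REORDER_HDR> addrgenmode eui64
"""

HEADER = re.compile(r"^\d+: (?P<name>[^:@\s]+)(?:@(?P<parent>\S+))?: <")
VLAN = re.compile(r"^\s+vlan protocol (?P<proto>\S+) id (?P<vid>\d+)")


def parse_ip_link(text):
    """Return {name: {"parent": str|None, "proto": str|None, "vid": int|None}}."""
    links, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # interface header line, e.g. "3: blue0@green0: <...>"
            current = m.group("name")
            links[current] = {"parent": m.group("parent"), "proto": None, "vid": None}
            continue
        m = VLAN.match(line)
        if m and current:  # detail line of the current interface
            links[current]["proto"] = m.group("proto")
            links[current]["vid"] = int(m.group("vid"))
    return links


def check_blue_vlan(links, vlan_if="blue0", parent_if="green0", vid=2):
    """List what is wrong with the blue-on-green VLAN layout; empty list means OK."""
    problems = []
    if vlan_if not in links:
        return [f"{vlan_if} does not exist"]
    info = links[vlan_if]
    if info["parent"] != parent_if:
        problems.append(f"{vlan_if} is not stacked on {parent_if} (parent: {info['parent']})")
    if info["proto"] != "802.1Q":
        problems.append(f"{vlan_if} is not an 802.1Q VLAN interface")
    elif info["vid"] != vid:
        problems.append(f"{vlan_if} carries VLAN id {info['vid']}, expected {vid}")
    # green must stay the untagged physical port, not itself a VLAN sub-interface
    if parent_if in links and links[parent_if]["parent"] is not None:
        problems.append(f"{parent_if} is itself a sub-interface; green must stay untagged")
    return problems
```

A clean result only confirms the tagging on the IPFire side; the missing internet and WebGUI access described above are routing and firewall matters that this check cannot see.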

This sounds wrong.
IPFire will need to do DHCP and routing.
Fritzbox would be set up in AP mode
And need an AP set up with 2 networks / SSIDs
Green "untagged" and blue on a VLAN
Not sure if this is possible with Fritzbox.

As I understand it, only one SSID is possible with my Fritzbox. There is also the option to have a guest SSID, but when I tried to connect to it earlier, with the Fritzbox in IP client mode attached to the green NIC, there was no internet, even without any blue VLAN involved.

The fact that I could connect to the blue subnet via the Fritzbox does not matter here? When the client receives the correct IP, is this no indication that the routing is working as intended?

So, when I use the Fritzbox in router mode, there is internet in the guest network, but the IPFire will not assign the IP address, so this whole approach does not make sense. It has to be in client mode.

I own the Fritzbox 7580 and I can't find any VLAN functionality here.

I was looking for a router with that and I found this QNAP box, the QHora-301W:

Do you think this will work with the VLAN of the IPFire?

It has to be a small design with no external antennas so everything can fit in a 10 inch server cabinet like here:

Metal and glass can strongly attenuate radio signal propagation, so fitting a wireless device inside this kind of enclosure and expecting good performance is like heating a room with a space heater that has a thermally insulated box around it.

Also.
vLAN is a way to multiply networks without multiplying devices (and power consumption, and heat…)
Some consumer/home grade routers have something similar with a guest network; however, to combine "more wireless networks" with IPFire you need business/enterprise grade access points supporting multi-SSID and vLAN, and then a vLAN capable switch.
On IPFire, vLAN is not mandatory, but it helps reduce the necessary ports. Don't forget that with vLANs the throughput is shared between networks, so the maximum achievable speed will be limited by the slowest connection shared on the vLANs. For instance.

                                     ┌----┐ ━ ) ━ ) vLan1 ━ )  ━ ) Client A
IPFire == vLAN 1 and 2 == Switch === ┃ AP ┃
                                     ┕----┙ ━ ) ━ ) vLan2 ━ )  ━ ) Client B

Sorry for crappy execution.

Maximum concurrent bandwidth of all clients (A + B) can't exceed the maximum bandwidth of the slowest ethernet connection from the AP to IPFire.

1 Like

So. I'm assuming you are connecting your Fritzbox WAN port to the IPFire green or blue port.
If so, the Fritzbox WAN should connect to
Assuming it is using DHCP.
The clients on the Fritzbox LAN
will get an IP from the Fritzbox and be in a double NAT. And it should work.
You will only have control of the connection from the Fritzbox WAN.
It will have no control of the Fritzbox LAN.
If the Fritzbox WAN can connect to a VLAN,
then you can connect it through a VLAN switch to the IPFire. It will still be the same situation.
Double NAT.

Hi pike,

You are right regarding signal propagation. Still, my build of the 10 inch enclosure is slightly different: the whole backplate is missing, letting the signal get in and out as well as allowing air circulation.

Regarding your network sketch:
Assuming I have the IPFire with the green NIC assigned as native and the blue NIC assigned as a VLAN with ID 2, can't I then go directly to the Wi-Fi router from that? You have an additional switch here, but I assume this functionality is already integrated in a device like the QHora-301W, which has 6 Ethernet ports?

I assume that to answer this question you should check the switch documentation; I have no experience with this kind of QNAP product.

Moreover.
I would not use a router to play the multi-SSID/vLAN capable AP, mostly because… the router firmware/software usually does not support that, or at least it's only "inside" the device and cannot be used for a connection from a LAN port.

For the switch: is it actually necessary?
It depends on the network design and the IPFire port availability and setup. There's no unambiguous answer.

1 Like

Well, I also have a Compex 600 VE Wi-Fi card installed, which could act as a direct AP on the IPFire. But usually these cards are inferior in terms of transmitting power, MIMO connections and other parameters in comparison to modern routers. Also, for example, the Compex card needs two big antennas, while a Fritzbox or the QNAP router has the antennas installed in the case and therefore has a better space footprint.

I used the QNAP router as an example because, in comparison to other routers like Asus and TP-Link, it would fit in the 10 inch enclosure. And it is VLAN capable according to the manual:

And if I understand it correctly it is also capable of trunking.

Do you think this would be sufficient in terms of specification?

Otherwise, do you have a recommendation for an access point in terms of positive experience?

I'd have quite a few (to me) good recommendations about hardware I think is interesting, worth buying and that could fit your 10" rack. However, it's not the point here, IMVHO.

This is the IPFire community, not online network design consultant time.
The second one would require (at least, in my experience) time to get to know you, your needs, your setup, the physical environment, the plausible growth paths for your network. Physical and functional. However… you may not be willing to tell me, because (of course) I'm a stranger and maybe you want to keep some "secrets" to yourself about what you want to do with your network. While not always the best idea, security through obscurity is a safe decision, and not sharing the network structure can reduce the attack footprint.

Moreover: using the provided network card in your hardware can help you achieve something (full control of the wireless network via the IPFire interface) that gives you one place to control more things, but with a constraint: if you are willing to add more APs to your system, most of the setup will be thrown away while repurposing your hardware for newer needs.

If you're willing to buy new hardware, go for it. I hope you'll find the right one for your needs at the first shot. 10" racks are not that common, so an "out of the box" device may not have the right ears to bolt onto the rails. In that case, check out the maker world and look for possible projects for custom 3D-printed rack adapters before buying anything.

Hey, I came across multiple devices. I think the Lancom GS-3510XP and the Ubiquiti UniFi 6 will do.
I was looking for passively cooled, 10 inch, managed switches with 802.1Q functionality and low power consumption. The switch is rated at 15 watt idle and the AP at 13.5 watt peak.
I will let you know afterwards if I could finally realize the functionality I was hoping to achieve and also send you a picture of my build.