
Thread: Securing wireless access point

  1. #1 (Join Date: Feb 2019, Location: Virginia, Beans: 56, Distro: Ubuntu 18.04 Bionic Beaver)

    Securing wireless access point

    At home I have 3 subnets:

    1- LAN with PC & Server
    2- Wireless Access Point dedicated for IoT devices to get out to the internet. (Crap devices like game consoles, microwave, etc.)
    3- Wireless Access Point for only internal access to the LAN via wireless laptops in the home.

    All 3 subnets are behind a pfSense router. Currently the router blocks all inbound traffic on the WAN side. Eventually, I'll have to open a port for remote SSH.

    My concern now is how to protect the LAN from attacks coming from #3 above. The router should stop inbound traffic, but what worries me is the case where the AP itself somehow gets hacked. I'm wondering if I need some type of internal tunnel between the wireless laptops on the #3 subnet and the LAN. Trying to figure out how to do this the right way.

  2. #2 (Join Date: Mar 2010, Location: Squidbilly-Land, Beans: Hidden!, Distro: Ubuntu Mate 16.04 Xenial Xerus)

    Re: Securing wireless access point

    I use the ISP's gateway for all wifi networking and have it in bridge mode to pass the public IPs directly to my pfSense router. All wifi is outside the pfSense and untrusted. I don't trust any wifi security.

    I keep my wifi AP separate from my WAN router.
    Code:
    ISP-GW
    ├── pfSense-router
    │   ├── Wired-Desktops-LAN
    │   │   └── 172.22.21.x
    │   └── Wired-Service-LAN
    │       └── 172.22.22.x
    └── WiFi-Guests
        └── 10.1.10.x
    Wifi guests have to use a VPN to gain access to the internal networks.
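The policy described in this reply (wifi is untrusted, guests reach the internet and the VPN endpoint only, wired LANs can reach the wifi LAN freely) is easy to state and easy to get wrong in a first-match rule set. The following is an added example, not code from the thread or from pfSense: a small first-match rule evaluator that checks a candidate rule set against that intent, using the subnets from the diagram. The OpenVPN server address (172.22.22.10) and port (UDP 1194, OpenVPN's default) are assumptions, the internet address is constructed from the 203.0.113.0/24 documentation range, and the evaluator is stateless (a real firewall's state table admits return traffic automatically).

```python
"""First-match firewall rule evaluator for the wifi-guest segmentation
policy. Constructed example; subnets come from the thread's topology
diagram, the VPN endpoint and port are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    proto: str = "any"     # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None means any destination port


# Subnets from the topology diagram in the post.
WIFI_GUESTS = "10.1.10.0/24"
DESKTOP_LAN = "172.22.21.0/24"
SERVICE_LAN = "172.22.22.0/24"
INTERNAL = "172.22.0.0/16"          # covers both wired LANs
VPN_SERVER = "172.22.22.10/32"      # assumed address of the OpenVPN VM on the service LAN
VPN_PORT = 1194                     # assumed: OpenVPN default, UDP

# Intended order: the narrow VPN exception first, then deny guests into the
# internal range, then let guests out to the internet.
RULES: List[Rule] = [
    Rule("pass", WIFI_GUESTS, VPN_SERVER, "udp", VPN_PORT),
    Rule("block", WIFI_GUESTS, INTERNAL),
    Rule("pass", WIFI_GUESTS, "any"),        # internet access for guests
    Rule("pass", INTERNAL, "any"),           # wired LANs may reach wifi and internet
    Rule("block", "any", "any"),             # explicit default deny
]

# A common mistake: the broad "guests to anywhere" rule placed before the
# block, which silently exposes the internal LANs.
MISORDERED_RULES: List[Rule] = [
    Rule("pass", WIFI_GUESTS, "any"),
    Rule("pass", WIFI_GUESTS, VPN_SERVER, "udp", VPN_PORT),
    Rule("block", WIFI_GUESTS, INTERNAL),
    Rule("pass", INTERNAL, "any"),
    Rule("block", "any", "any"),
]


def _matches(addr: str, spec: str) -> bool:
    """True if addr falls inside spec ("any" matches everything)."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def evaluate(rules: List[Rule], src: str, dst: str, proto: str = "tcp",
             dport: Optional[int] = None) -> str:
    """Return the action of the first matching rule; default deny otherwise."""
    for r in rules:
        if (_matches(src, r.src) and _matches(dst, r.dst)
                and r.proto in ("any", proto)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "block"


def check_policy(rules: List[Rule]) -> Dict[str, bool]:
    """Test a rule set against the segmentation intent from the thread.

    Sample flows are constructed: 10.1.10.23 is a guest laptop, 172.22.21.5 a
    wired desktop, 203.0.113.10 stands in for an internet host.
    """
    return {
        "guest_to_desktop_lan_blocked":
            evaluate(rules, "10.1.10.23", "172.22.21.5", "tcp", 22) == "block",
        "guest_to_vpn_allowed":
            evaluate(rules, "10.1.10.23", "172.22.22.10", "udp", VPN_PORT) == "pass",
        "guest_tcp_to_vpn_port_blocked":
            evaluate(rules, "10.1.10.23", "172.22.22.10", "tcp", VPN_PORT) == "block",
        "guest_to_internet_allowed":
            evaluate(rules, "10.1.10.23", "203.0.113.10", "tcp", 443) == "pass",
        "lan_to_guest_allowed":
            evaluate(rules, "172.22.21.5", "10.1.10.23", "tcp", 8080) == "pass",
    }


if __name__ == "__main__":
    for name, rules in (("intended", RULES), ("misordered", MISORDERED_RULES)):
        results = check_policy(rules)
        print(name, "OK" if all(results.values()) else "FAIL", results)
```

Running the script reports the intended ordering as passing every check and the misordered set as failing `guest_to_desktop_lan_blocked`, which is the failure a quick "does the internet work from the guest wifi" test would never reveal. The same check table is a reasonable thing to keep next to a real pfSense rule set and re-run whenever the rules are edited.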

  3. #3 (Join Date: Feb 2019, Location: Virginia, Beans: 56, Distro: Ubuntu 18.04 Bionic Beaver)

    Re: Securing wireless access point

    Would the VPN from guest wireless into the LAN be configured as a remote access VPN or a site to site?

    I would set up OpenVPN on the pfSense router. I'll need to change a few things, but I could use my ISP gateway the same way. Currently pfSense is my edge router/firewall.

  4. #4 (Join Date: Mar 2010, Location: Squidbilly-Land, Beans: Hidden!, Distro: Ubuntu Mate 16.04 Xenial Xerus)

    Re: Securing wireless access point

    I run openvpn on a VM on the Server LAN. Site-to-site? From android systems? Nope. I don't believe in having WAN routers do anything other than firewall and routing. Plus, any system inside the protected LAN can directly access the wifi LAN. The ISP-GW does that automatically. The ISP-GW is a small-biz Cisco router. Only my public IP subnet is passed through. Everything else about it seems to work like any other wifi router.

    I use both my own VPN and a paid VPN from different devices for different reasons. Just depends where I am in the world.

    Complex code leads to configuration mistakes and bugs. I spent too many years as a software developer and Unix admin and remote access "guy" to do anything different.

    There are lots of other things that people do with their routers that I would never do, like connecting any storage to be shared to it. That's just asking to be hacked.

    BTW, my "desktop" wired LAN is extended using powerline ethernet between floors. It isn't GigE, but I do see a solid 60Mbps connection, which is sufficient for a home PC in the den and running a projector with a Raspberry-Pi.

    There are lots of reasonable solutions. Mine is just one of them. I've been deploying wifi solutions since the early 2000s for enterprises. We always required a full VPN with 2FA to gain access to the corporate network if wifi is used.

    A few years ago, while at a security conference, my laptop got hacked over bluetooth. That immediately ended all bluetooth use here. Seems new hacks are being found for it all the time. Don't trust any RF-based protocols to be secure. Seriously. All of them can be hacked.
