Map an AP's management IP to appear in a different, more trusted, LAN subnet?
I'm not sure of the best way to solve this problem, although several solutions (including some really simple "don't worry about it" solutions) probably exist.
My LAN has totally segregated WiFi and wired subnets, on different NICs. (Say, WiFi=10.10.0.0/16, wired=10.20.0.0/16.) Firewall rules on the router prevent all traffic arriving at the WiFi interface from passing to the LAN or to any of the router IPs themselves, so WiFi clients can reach the WAN and nothing else.
But the WiFi subnet also includes a single IP for the AP's management systems (web UI, SSH). I want to totally segregate this from the less trusted WiFi side, by putting WiFi client traffic in, say, VLAN 6, and traffic to/from the management IP in VLAN 7. And I want VLAN 7 reachable from the LAN (ideally, reachable via a LAN IP that's similar to LAN switches and infrastructure services, as seen from the LAN), and not reachable from VLAN 6.
I'm using either pfSense or its close fork, OPNsense; they have almost identical capabilities in these areas.
I can imagine I'd set up the VLANs, define a virtual IP on the LAN, and bridge the virtual IP to the WiFi management IP using 1:1 NAT on one or the other interface. And then I'd add filter rules on the VLAN interfaces, to ensure only packets from the LAN to the AP management IP are allowed into VLAN 7. (That last part I'm happy with, no help needed.)
But I'm very unclear about the VLAN/NAT specifics at the router. How would I actually do it? (As in, the actual steps)
routing nat vlan pfsense server-security
asked Feb 2 at 8:02 by Stilez
edited Feb 2 at 8:09
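As an added illustration (not part of the original post, and not pfSense/OPNsense GUI steps), here is a pf.conf sketch of the layout the question describes: pfSense's "1:1 NAT" is generated as a pf `binat` rule, and the filter rules then see the translated address. Interface names, the AP's real management address and the LAN-side virtual IP are assumptions.

```pf
# Added example, not from the original post: pf.conf view of the design.
# Interface names and addresses are assumed; adapt to your own.
lan     = "igb0"        # trusted wired LAN, 10.20.0.0/16
wifi    = "igb1.6"      # VLAN 6 on the WiFi NIC: client traffic
apmgmt  = "igb1.7"      # VLAN 7 on the WiFi NIC: AP management only
ap_real = "10.10.7.2"   # AP management IP inside VLAN 7 (assumed)
ap_lan  = "10.20.0.250" # LAN-side virtual IP that LAN hosts use (assumed)
mgmt_ports = "{ 22, 443 }"
table <private> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# 1:1 NAT (what the pfSense "1:1" tab produces): packets arriving on the LAN
# for 10.20.0.250 get their destination rewritten to 10.10.7.2, and replies
# from 10.10.7.2 leaving via the LAN get their source rewritten back.
# 10.20.0.250 must also exist as a Virtual IP (proxy ARP or IP alias) on the
# LAN interface so LAN hosts can ARP for it; that part is outside pf.conf.
binat on $lan from $ap_real to any -> $ap_lan

block in log all
pass out all keep state

# VLAN 6 (WiFi clients): nothing on the router itself, nothing RFC1918,
# WAN only. "self" expands to every address the router holds.
block in quick on $wifi to self
pass in quick on $wifi from $wifi:network to ! <private> keep state

# VLAN 7 (AP management): only admin sessions from the LAN may enter.
# Filter rules are evaluated after translation, hence $ap_real, not $ap_lan.
pass in quick on $lan proto tcp from $lan:network to $ap_real \
    port $mgmt_ports keep state
# Nothing may originate from VLAN 7; the AP only answers existing states.
block in quick on $apmgmt
```

Because the WiFi pass rule never matches a private destination and VLAN 7 has no inbound pass rule at all, the AP's management services are reachable only through the LAN-side address from the wired subnet.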