Map an AP's management IP to appear in a different, more trusted, LAN subnet?












1















I'm not sure of the best way to solve this problem, although several solutions (including some really simple "don't worry about it" solutions) probably exist.



My LAN has totally segregated WiFi and wired subnets, on different NICs. (Say, WiFi=10.10.0.0/16, wired=10.20.0.0/16). Firewall rules on the router prevent all traffic arriving at the wifi interface, from passing to the LAN or to any of the router IP's themselves - so WiFi clients can reach the WAN and nothing else.



But the WiFi subnet also includes a single IP for the AP's management systems (webui, ssh). I want to totally segregate this from the less trusted WiFi side, by putting WiFi client traffic in say VLAN 6, and traffic to/from the management IP in VLAN7. And I want VLAN7 reachable from the LAN (ideally, reachable via a LAN IP that's similar to LAN switches and infrastructure services, as seen from the LAN), and not reachable from VLAN6.



I'm using either of pfsense or its close fork, opnsense, they have almost identical capabilities in these areas.



I can imagine I'd set up the VLANs, define a virtual IP on the LAN, and bridge the virtual IP to the WiFi management IP using 1:1 NAT on one or the other interfaces. And then I'd add filter rules on the VLAN interfaces, to ensure only packets from LAN to AP management IP is allowed into VLAN 7. (That last part I'm happy with, no help needed)



But I'm very unclear about the VLAN/NAT specifics at the router. How would I actually do it? (As in, the actual steps)










share|improve this question





























    1















    I'm not sure of the best way to solve this problem, although several solutions (including some really simple "don't worry about it" solutions) probably exist.



    My LAN has totally segregated WiFi and wired subnets, on different NICs. (Say, WiFi=10.10.0.0/16, wired=10.20.0.0/16). Firewall rules on the router prevent all traffic arriving at the wifi interface, from passing to the LAN or to any of the router IP's themselves - so WiFi clients can reach the WAN and nothing else.



    But the WiFi subnet also includes a single IP for the AP's management systems (webui, ssh). I want to totally segregate this from the less trusted WiFi side, by putting WiFi client traffic in say VLAN 6, and traffic to/from the management IP in VLAN7. And I want VLAN7 reachable from the LAN (ideally, reachable via a LAN IP that's similar to LAN switches and infrastructure services, as seen from the LAN), and not reachable from VLAN6.



    I'm using either of pfsense or its close fork, opnsense, they have almost identical capabilities in these areas.



    I can imagine I'd set up the VLANs, define a virtual IP on the LAN, and bridge the virtual IP to the WiFi management IP using 1:1 NAT on one or the other interfaces. And then I'd add filter rules on the VLAN interfaces, to ensure only packets from LAN to AP management IP is allowed into VLAN 7. (That last part I'm happy with, no help needed)



    But I'm very unclear about the VLAN/NAT specifics at the router. How would I actually do it? (As in, the actual steps)










    share|improve this question



























      1












      1








      1








      I'm not sure of the best way to solve this problem, although several solutions (including some really simple "don't worry about it" solutions) probably exist.



      My LAN has totally segregated WiFi and wired subnets, on different NICs. (Say, WiFi=10.10.0.0/16, wired=10.20.0.0/16). Firewall rules on the router prevent all traffic arriving at the wifi interface, from passing to the LAN or to any of the router IP's themselves - so WiFi clients can reach the WAN and nothing else.



      But the WiFi subnet also includes a single IP for the AP's management systems (webui, ssh). I want to totally segregate this from the less trusted WiFi side, by putting WiFi client traffic in say VLAN 6, and traffic to/from the management IP in VLAN7. And I want VLAN7 reachable from the LAN (ideally, reachable via a LAN IP that's similar to LAN switches and infrastructure services, as seen from the LAN), and not reachable from VLAN6.



      I'm using either of pfsense or its close fork, opnsense, they have almost identical capabilities in these areas.



      I can imagine I'd set up the VLANs, define a virtual IP on the LAN, and bridge the virtual IP to the WiFi management IP using 1:1 NAT on one or the other interfaces. And then I'd add filter rules on the VLAN interfaces, to ensure only packets from LAN to AP management IP is allowed into VLAN 7. (That last part I'm happy with, no help needed)



      But I'm very unclear about the VLAN/NAT specifics at the router. How would I actually do it? (As in, the actual steps)










      share|improve this question
















      I'm not sure of the best way to solve this problem, although several solutions (including some really simple "don't worry about it" solutions) probably exist.



      My LAN has totally segregated WiFi and wired subnets, on different NICs. (Say, WiFi=10.10.0.0/16, wired=10.20.0.0/16). Firewall rules on the router prevent all traffic arriving at the wifi interface, from passing to the LAN or to any of the router IP's themselves - so WiFi clients can reach the WAN and nothing else.



      But the WiFi subnet also includes a single IP for the AP's management systems (webui, ssh). I want to totally segregate this from the less trusted WiFi side, by putting WiFi client traffic in say VLAN 6, and traffic to/from the management IP in VLAN7. And I want VLAN7 reachable from the LAN (ideally, reachable via a LAN IP that's similar to LAN switches and infrastructure services, as seen from the LAN), and not reachable from VLAN6.



      I'm using either of pfsense or its close fork, opnsense, they have almost identical capabilities in these areas.



      I can imagine I'd set up the VLANs, define a virtual IP on the LAN, and bridge the virtual IP to the WiFi management IP using 1:1 NAT on one or the other interfaces. And then I'd add filter rules on the VLAN interfaces, to ensure only packets from LAN to AP management IP is allowed into VLAN 7. (That last part I'm happy with, no help needed)



      But I'm very unclear about the VLAN/NAT specifics at the router. How would I actually do it? (As in, the actual steps)







      routing nat vlan pfsense server-security






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Feb 2 at 8:09







      Stilez

















      asked Feb 2 at 8:02









      StilezStilez

      77211022




      77211022






















          0






          active

          oldest

          votes











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "3"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1401259%2fmap-an-aps-management-ip-to-appear-in-a-different-more-trusted-lan-subnet%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes
















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Super User!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1401259%2fmap-an-aps-management-ip-to-appear-in-a-different-more-trusted-lan-subnet%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Probability when a professor distributes a quiz and homework assignment to a class of n students.

          Aardman Animations

          Are they similar matrix