[Firehol-support] Firehol centralised on router with Wifi AP

Tsaousis, Costa costa at tsaousis.gr
Tue Sep 13 22:55:53 CEST 2016


Kjetil, quite a complex setup.
I don't know how to help you, but here are a few things that might help you
decide:

First, please update your firehol. It is way too old. Firehol and fireqos
are just bash scripts, so updating should be very easy.

MARKs do not leave the host. So, you cannot MARK on one host and examine
that MARK on another.

Most people that support different security policies on different SSIDs do
it with VLANs, so that each SSID uses a different VLAN. Of course your AP
has to support this.

On Linux VLANs are like separate virtual interfaces. You are going to have
vlan0, vlan1, vlan2, etc. If your AP can do it, this is the way to go. At
your firewall you will have SSID1 clients on vlan1 and SSID2 clients on
vlan2. Of course you will have to configure your DHCP server to respond on
both VLANs.

Costa
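As an added illustration of the VLAN approach described above (not code from the thread or from the FireHOL project): the AP tags each SSID with its own 802.1Q id, the firewall box terminates those tags as sub-interfaces on the trunk port, and FireHOL gives each sub-interface its own policy, with a router to the LAN only for the private VLAN. It assumes eth0 is the WAN, eth1 the LAN, eth2 the trunk to the AP, VLAN 10 for the private SSID and VLAN 20 for the open one, and FireHOL 3.x config syntax; all of these are constructed for the example.

```shell
#!/bin/sh
# Added example: per-SSID VLANs terminated on the FireHOL box.
# Assumed layout: eth0 = WAN, eth1 = LAN, eth2 = trunk to the AP,
# VLAN 10 = private SSID (may reach the LAN), VLAN 20 = open SSID (internet only).
TRUNK=eth2
PRIVATE_VID=10
GUEST_VID=20

# Linux name of the VLAN sub-interface for a trunk and an 802.1Q id.
vlan_ifname() { printf '%s.%s\n' "$1" "$2"; }

# Create both sub-interfaces on the trunk (needs root; safe to re-run).
create_vlans() {
    for vid in "$PRIVATE_VID" "$GUEST_VID"; do
        ifn=$(vlan_ifname "$TRUNK" "$vid")
        ip link show "$ifn" >/dev/null 2>&1 || \
            ip link add link "$TRUNK" name "$ifn" type vlan id "$vid"
        ip link set "$ifn" up
    done
}

# Write a FireHOL 3.x config to the path in $1. The VLAN id, not a MARK,
# carries the "known vs unknown" distinction from the AP to the firewall.
write_firehol_conf() {
    priv=$(vlan_ifname "$TRUNK" "$PRIVATE_VID")
    guest=$(vlan_ifname "$TRUNK" "$GUEST_VID")
    cat > "$1" <<EOF
version 6
interface eth0 internet
    protection strong
    client all accept
interface eth1 lan
    policy accept
interface $priv wifi_private
    policy reject
    server "dhcp dns ssh" accept
    client all accept
interface $guest wifi_guest
    policy reject
    server "dhcp dns" accept      # DHCP must answer on this VLAN too
router wifi_private2lan inface $priv outface eth1
    route all accept
router wifi2internet inface "$priv $guest" outface eth0
    masquerade
    route all accept
EOF
}

if [ "${1:-}" = apply ]; then
    create_vlans && write_firehol_conf /etc/firehol/firehol.conf
fi
```

Run with `apply` as root to create the sub-interfaces and write the config; without it the script only defines the functions. The dnsmasq side still needs an `interface=` and a `dhcp-range=` for each of the two sub-interfaces.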


On Mon, Sep 12, 2016 at 12:47 AM, Kjetil Kjernsmo <kjetil at kjernsmo.net>
wrote:

> Hi all!
>
> I've been using FireHOL on my router and firewall box for a while now for
> my home network, and it was great finding something making it that easy to
> set up. I'm still on 1.297 though, as it is a Debian Stable box.
>
> Now to my next problem: My router has 5 ethernet interfaces, where
> eth2 connects to a Wifi accesspoint, namely a Ubiquiti UniFi AP. However, I
> would like to have all firewall rules on the router box, and additionally,
> I'd like to divide the connecting devices into authorized and unauthorized
> classes, where the authorized devices have pretty much full access to
> the LAN, at eth1. Those two requirements create some problems, that I
> hope someone can help me resolve :-)
>
> My initial idea was just to keep the AP open for all, and just use OpenVPN
> for all devices. Enabling OpenVPN on my mobile phone required setting a
> PIN though. I did that, but the rest of the family most certainly can't be
> bothered. Also, my security requirements aren't high, there are no huge
> business secrets here, we live rurally (I don't expect Google to drive by
> any time soon :-) ) and the signal is barely detectable outside the walls.
> This calls for fewer hoops. :-)
>
> Now, I've configured the AP to have a public clear-text essid and an
> encrypted private one.
>
> Then, my next idea was to use Dnsmasq where I gave each known device an IP
> based on their MAC, and the idea was that unknown devices would be
> dynamically assigned outside of this range. Then, I could use those ranges
> in the firewall config. Apparently, Dnsmasq doesn't work that way; it cannot
> guarantee that dynamically assigned IPs are outside of the static range
> for a given interface.
>
> Now, rather than come up with more silly ideas, I suppose it is time to ask for
> help... :-) Is it possible to allow both unknown and known users at the AP
> without firewalling them there and at the firewall allow known users to
> access the LAN? Without making the known users jump through too many
> hoops?
>
> I just had another idea that I don't know whether it can work: Could I have
> the AP mark packages from the known devices and then use that mark in the
> firewall? That would certainly not be the perfect solution, but possibly
> good enough.
>
> Or something else entirely?
>
> Best,
>
> Kjetil
>
>
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
> http://lists.firehol.org/mailman/listinfo/firehol-support
