The BLUE interface is designed to separate the LAN from the Wireless LAN (or "WLAN").
By default, IPFire controls the access of all devices on blue using MAC Address filtering. This means that all DHCP leases must be manually approved in the IPFire Web User Interface before they can access the network (including access the WUI from blue network itself) and gain internet access. This filtering is separate to any wireless passphrase which you have applied in IPFire; or to any passphrase or MAC address filtering which may be set up on any external Wi-Fi access point.
Disable MAC Address filtering for one client
The client must be identified unique. This done best by specifying the MAC address. Alternatively you can choose the IP.
The WUI page is a bit misleading. Only one entry is mandatory (in case of dynamic DHCP leases only the MAC is really known).
Example (without DHCP on blue): 00:13:02:XX:XX:XX
is the WLAN-clients MAC address and the client should use the IP 192.168.49.1
.
Access this page via menu Firewall --> Blue Access
- Click Enabled
- Click Add and the client will be able to access the internet.
- Add Remark.
Disable MAC Address filtering for ALL clients
To disable MAC address filtering and allow all clients connected to blue internet access do the following on the Wireless Configuration page:
- Entering the blue subnet into the Source IP field and leave the Source MAC Address field blank
- Enter the network address and the subnet mask of the blue network interface in CIDR notation. For example
172.16.1.0/24
for a subnet with a range of addresses from 172.16.1.0 to 172.16.1.255
Note - Disabling MAC address filtering does not disable WLAN encryption
Deny blue clients access to the IPFire web interface
If no blue network clients should have access to the web interface, add the following lines to the file: /etc/sysconfig/firewall.local
.
## Start rule
iptables -A CUSTOMINPUT -s 192.168.49.0/24 -p tcp -d 192.168.49.254 --dport 444 -j DROP
## Stop rule
iptables -D CUSTOMINPUT -s 192.168.49.0/24 -p tcp -d 192.168.49.254 --dport 444 -j DROP
In alternative, a rule entered using the Web User Interface will also obtain the same effect. See below an example. Note that access to the WUI using other zones IP range is blocked by default.
If Squid is available for the Blue zone, writing an ACL rule becomes also necessary.
Allowing Clients on Blue Network to Connect to Green Network
By default, the firewall will not allow traffic from the Blue network to pass through to the Green network. If you wish to allow traffic to pass through from the Blue network to the Green network, you must create a firewall rule to allow that traffic. See Creating a Blue to Green Pinhole.
Using BLUE interface for separate wired network (secondary wired switch)
If after setting up dhcp, dns and mac filtering as for normal wireless network mentioned before, DHCP will not work, change zone configuration for blue interface from default to bridge(knowing only one physical interface is used).
Trouble?
Lots of Drop_Wirelessforward
messages in the firewall log? Then the BLUE network device does not have access to the needed network and you are missing an entry in the Wireless Configuration or need a pinhole from BLUE.