Wireless SSIDs tied to VLANs using a Cisco Aironet and pfSense

Background

This project came about while searching for a new housing arrangement, one involving housemates. You see, many housemates are not techies; most are open to you dropping in your hardware for the internet service and local network. They like it because their bills go down (they are no longer renting equipment from the ISP) and because they get on-site technical support. These types of arrangements are great for me because I like the control and my hardware performs better than the rented equipment. Also, in these non-techie situations there is typically no threat that your equipment is going to be pen-tested. It is sort of like sitting your grandmother at a terminal and saying ‘go crazy’; no matter what she does, if she’s like most grandmothers, she’ll never run metasploit against your devices, or port scan the network, or innocently explore all the directories in your network shared folders. However, if you do decide to live with people that self-identify as a ‘techie’, you do run the risk of one or all of those situations happening to some degree.

One possible solution to this is to disguise tentacle hentai as a document folder full of PDF diary entries on a password-less network share, to send a subtle message to that nosy/curious roommate. However, this method only works up to the point where curiosity turns to interest. Instead, I’ve decided to avoid the situation altogether and logically separate the networks with VLANs, including separate SSIDs.

This project, like many projects as of late, is something I find really cool. Cool because it’s over most people’s heads, including my own at first, so it was a fun challenge to set up. These articles further my own knowledge through the research required to fully understand it; they also document the process should I have a catastrophic failure of hardware (brain, storage, and backups); and last, I hope these articles provide instruction to at least one other person besides myself.

How does this VLAN stuff work?

VLANs allow isolation of physical hardware into logical groups. On a switch this isolation is port based; on a wireless access point, however, it can be based on the SSID. VLANs are most apparent from the perspective of a switch, and managed switches are the heart of VLAN operation. Let’s take a managed switch.

[Figure: Managed Switch]

When you buy a managed switch, you plug it in and connect your network printer, PC, and NAS, and everything just works; its features are being wasted, but it works out of the box.

[Figure: Your LAN]

Let’s say in this hypothetical situation you get a dorm-mate. He has a PC and a router he wants to use in conjunction with your switch. No big deal: you have extra ports, you know about VLANs, you don’t want the interwebs, and there doesn’t need to be connectivity between your ports and the dorm-mate’s.

[Figure: VLANed]

So you get on your managed switch and create two VLANs. VLAN33 is assigned to port 1 (network printer), port 2 (PC), and port 3 (NAS). On VLAN44 your dorm-mate’s PC is on port 4 and the router on port 5. The switch logically separates and groups ports 1, 2, 3 into one group and ports 4, 5 into another. Communication between the two VLANs is impossible for two reasons. One, the switch is no longer bridging those ports and sees them as completely separate groups. Two, best practice says to put each VLAN on its own subnet, and with multiple subnets a router or an L3 switch is needed to communicate between the VLANs. In this demonstration your VLAN has no internet access because the router is on the other VLAN. But wait, I just said you need an L3 device to communicate between VLANs; what’s different in this case? That will be answered next.

In the diagram above, none of the devices except the managed switch are even aware VLANs are in use. But let’s say your dorm-mate then wants to use your printer and you’d like to connect to the internet. This is possible with switchport trunking and VLAN tagging. Tagging was actually occurring in the previous arrangement too: when a frame enters a port it is tagged with whichever VLAN ID is assigned to that port, but when the frame left through the destination port the tag was removed. So why is tagging even used? Tagging is used to keep track of where a frame can and can’t go. The next question is: if the tag is stripped when the frame leaves the destination port (an access port, to be precise), how do tagged frames get to a router? The answer is to configure the switch port going to the router as a trunk port and to configure which VLAN IDs are allowed on that trunk port. The router’s interface is then configured with sub-interfaces for each VLAN it is going to handle. The sub-interfaces act as regular interfaces but share the same physical port.

Below is the new configuration in our hypothetical situation. The router is now acting as a ‘router-on-a-stick’: it handles communication between the VLANs, which I personally find amusing considering the VLANs are on the same switch, at least in this situation.

[Figure: VLANed - Trunked]

At this point you can access the internet and your dorm-mate’s PC, and your dorm-mate can access your devices, including your printer. A firewall rule on the router easily restricts traffic from your dorm-mate’s subnet to only your printer.

Another cool thing you can do with VLANs, tagging, and trunking is to carry VLAN traffic from one switch across a campus to another location. This effectively allows you to group individuals in an enterprise setting by department rather than geographical location. It can be especially useful for a company that has developers in a few buildings on its property who share network resources containing trade secrets but share their office space with other, ‘less secure’ employees such as interns. To further our example, let’s say you want to play a LAN-based multiplayer game such as CS1.6 with a friend in another dorm room. Setting up the routers and switches to pass VLAN-tagged frames throughout the network would allow you to do this. As you can see below, VLAN33 is in both your dorm room and your friend’s dorm room.

[Figure: Expansion]
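
Added example, not from the original post: a small Python model of the hypothetical switch above (ports 1-3 in VLAN33, ports 4-5 in VLAN44, plus an assumed trunk port 6 towards the router) that shows the 802.1Q tag being inserted on ingress, stripped when a frame leaves an access port, and kept when it leaves the trunk.

```python
import struct
from typing import Optional, Tuple

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Hypothetical switch from the text: ports 1-3 are access ports in VLAN33,
# ports 4-5 are access ports in VLAN44; port 6 is an assumed trunk to the router.
PORT_VLAN = {1: 33, 2: 33, 3: 33, 4: 44, 5: 44}
TRUNK_PORTS = {6: {33, 44}}  # trunk port -> VLAN ids allowed on it


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Ingress on an access port: insert the 4-byte tag after the two MAC addresses."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)  # PCP(3 bits) | DEI(1) | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame: bytes) -> Optional[Tuple[int, int]]:
    """Return (vid, pcp) if the frame carries an 802.1Q tag, else None."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0xFFF, tci >> 13


def untag_frame(frame: bytes) -> bytes:
    """Egress on an access port: strip the tag before the frame leaves."""
    return frame[:12] + frame[16:] if parse_tag(frame) else frame


def switch_forward(frame: bytes, in_port: int, out_port: int) -> Optional[bytes]:
    """Model the switch: tag on ingress, forward only within the same VLAN,
    untag on an access port, keep the tag on a trunk port that allows the VID.
    Returns the frame as it leaves out_port, or None if it may not go there."""
    tagged = tag_frame(frame, PORT_VLAN[in_port])
    vid, _ = parse_tag(tagged)
    if out_port in PORT_VLAN:
        return untag_frame(tagged) if PORT_VLAN[out_port] == vid else None
    if out_port in TRUNK_PORTS:
        return tagged if vid in TRUNK_PORTS[out_port] else None
    return None


# Constructed untagged frame: dst MAC, src MAC, EtherType IPv4, dummy payload
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"hello"
```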

Let’s now proceed to applying VLANs to wireless devices; instead of using ports as the VLAN boundary, we’ll use the wireless SSIDs.

Hardware and software used

The hardware and software used here: a Cisco Aironet 1040 Series wireless access point for the radios, and a pfSense 2.1 whitebox functioning as a router-on-a-stick for restricted access between the subnets/VLANs.

Network reference data

VLAN20 – Guest Network

  • VLAN20
  • 10.0.20.0/24
  • Default Gateway, DNS, and DHCP server – 10.0.20.1
  • SSIDs public and public-5G

VLAN30 – Your Network

  • VLAN30
  • 10.0.30.0/24
  • Default Gateway, DNS, and DHCP server – 10.0.30.1
  • SSIDs epijunkie and epijunkie-5G

VLAN40 – Roommate’s Network

  • VLAN40
  • 10.0.40.0/24
  • Default Gateway, DNS, and DHCP server – 10.0.40.1
  • SSIDs roommate and roommate-5G

The native VLAN is left with the default configuration of 1.

The WebGUI is located at 10.0.1.2, as configured on the BVI interface.

Configuring the Cisco Aironet

These are the bare minimum configurations needed to get both the 2.4 GHz and 5 GHz radios working with VLAN segmentation between the SSIDs. This guide assumes you are using the CLI to configure the AP and that you’ll be using WPA2-PSK for authentication.

This first block of configuration sets up each SSID, the VLAN associated with it, its password (encrypted upon entry into the configuration, but easily decrypted with this tool), and the key-management method.

dot11 ssid public
 vlan 20
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii guestpassword
 mbssid Guest-mode


dot11 ssid epijunkie
 vlan 30
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii temptemp
 mbssid Guest-mode


dot11 ssid roommate
 vlan 40
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii temptemp
 mbssid Guest-mode


dot11 ssid public-5G
 vlan 20
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii guestpassword
 mbssid Guest-mode


dot11 ssid epijunkie-5G
 vlan 30
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii temptemp
 mbssid Guest-mode


dot11 ssid roommate-5G
 vlan 40
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii temptemp
 mbssid Guest-mode

This block configures the base radio interfaces: it enables multiple BSSIDs, sets the encryption scheme and cipher for each VLAN, binds the SSID names to the radio interface, and then turns the radio on.

interface dot11Radio 0
 mbssid
 encryption vlan 20 mode ciphers aes-ccm
 encryption vlan 30 mode ciphers aes-ccm
 encryption vlan 40 mode ciphers aes-ccm
 ssid public
 ssid epijunkie
 ssid roommate
 no shutdown

interface dot11Radio 1
 mbssid
 encryption vlan 20 mode ciphers aes-ccm
 encryption vlan 30 mode ciphers aes-ccm
 encryption vlan 40 mode ciphers aes-ccm
 ssid public-5G
 ssid epijunkie-5G
 ssid roommate-5G
 no shutdown

This block sets up the subinterfaces for each VLAN, the bridge groups, and the DHCP server address that requests are relayed to.

interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20

interface Dot11Radio1.20
 encapsulation dot1Q 20
 bridge-group 20

interface GigabitEthernet0.20
 encapsulation dot1Q 20
 ip helper-address 10.0.20.1
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled

interface Dot11Radio0.30
 encapsulation dot1Q 30
 bridge-group 30

interface Dot11Radio1.30
 encapsulation dot1Q 30
 bridge-group 30

interface GigabitEthernet0.30
 encapsulation dot1Q 30
 ip helper-address 10.0.30.1
 bridge-group 30
 no bridge-group 30 source-learning
 bridge-group 30 spanning-disabled

interface Dot11Radio0.40
 encapsulation dot1Q 40
 bridge-group 40

interface Dot11Radio1.40
 encapsulation dot1Q 40
 bridge-group 40

interface GigabitEthernet0.40
 encapsulation dot1Q 40
 ip helper-address 10.0.40.1
 bridge-group 40
 no bridge-group 40 source-learning
 bridge-group 40 spanning-disabled

This configures the base Ethernet interface and the VLAN 1 (native VLAN) subinterface.

interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive

interface GigabitEthernet0.1
 bridge-group 1
 encapsulation dot1Q 1 native
exit

This configures the default Bridge Group Virtual Interface (BVI1). This is the interface on which you configure the IP address used to manage the AP.

bridge irb
bridge 1 route ip
interface BVI1
 ip address 10.0.1.2 255.255.255.0
exit

Not required, but helpful for not getting interrupted by log messages while typing in commands.

line con 0
 logging sync
exit


Configuring pfSense

This is a fairly straightforward configuration of pfSense. It just works and is pretty powerful. I highly recommend using pfSense as your router if you aren’t already. I actually spent most of the time wrestling the Cisco AP to communicate with pfSense, both of which use a standard called 802.1Q that covers VLAN tagging.

First you’ll need to create the VLANs under Interfaces > (assign) > VLANs > “+”.

[Screenshot: pfSense - Interfaces: VLAN]

Add each VLAN. In the case below we are configuring the guest VLAN.

[Screenshot: pfSense - Interfaces: VLAN: Edit]

It should look like this after you’ve created all the VLANs.

[Screenshot: pfSense - Interfaces: VLAN]

Next, create the sub-interfaces for each VLAN.

[Screenshot: pfSense - Interfaces: Assign network ports]

Afterwards:

[Screenshot: pfSense - Interfaces: Assign network ports]

Now enable each sub-interface and configure an IP address. I used the 10.0.X.1 scheme, where X is the VLAN ID. This is done under Interfaces > OPTx.

[Screenshot: pfSense - Interfaces: OPT1]

After each sub-interface is enabled and has an IP address configured, the DHCP service needs to be enabled on each of them: Services > DHCP Server > sub-interface name.

[Screenshot: pfSense - Services: DHCP server]

For simplicity’s sake I have basic (highly insecure) firewall rules set in this guide. I do, however, recommend you create rules that restrict traffic between interfaces, especially from your guest network. If you aren’t familiar with them: the rules are evaluated from top to bottom, and the first rule to match is the one used to handle the packet (drop, reject, pass). There is also an implicit deny-all (catch-all) at the end, which drops any packet that makes it that far without matching another rule.

[Screenshot: pfSense - Firewall: Rules]

An allow-any (bad practice) firewall rule.

[Screenshot: pfSense - Firewall: Rules: Edit]

Create rules as you see fit and keep your data safe from prying eyes.

[Screenshot: pfSense - Firewall: Rules]

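As an added example that is not part of the original post, the following Python models the first-match, implicit-deny evaluation described above for a constructed guest-VLAN rule set (the subnets are the ones from this guide; 203.0.113.7 is a documentation address standing in for an internet host) and contrasts it with the allow-any rule from the screenshots.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# A rule is (action, source network, destination network, destination port);
# port None means any port. Constructed to mirror the subnets used in this guide.
Rule = Tuple[str, str, str, Optional[int]]

# Hypothetical rule set for the guest interface (VLAN20): let guests reach the
# pfSense gateway for DNS, block everything else on 10.0.0.0/8 (your VLAN30,
# the roommate's VLAN40 and the AP management network), then allow the internet.
GUEST_RULES: List[Rule] = [
    ("pass",  "10.0.20.0/24", "10.0.20.1/32", 53),
    ("block", "10.0.20.0/24", "10.0.0.0/8",   None),
    ("pass",  "10.0.20.0/24", "0.0.0.0/0",    None),
]

# The allow-any rule from the screenshots, kept here to show what it permits.
ALLOW_ANY_RULES: List[Rule] = [("pass", "0.0.0.0/0", "0.0.0.0/0", None)]


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """Evaluate as the guide describes: top to bottom, the first matching rule
    decides, and a packet that matches nothing hits the implicit deny-all."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, port in rules:
        if (s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and (port is None or port == dport)):
            return action
    return "block"  # implicit deny-all at the end of the rule set


def audit(rules: List[Rule]) -> Dict[str, str]:
    """Run a few representative guest-VLAN flows through a rule set."""
    flows = {
        "guest_dns_to_gateway": ("10.0.20.50", "10.0.20.1", 53),
        "guest_to_your_nas":    ("10.0.20.50", "10.0.30.10", 445),
        "guest_to_ap_webgui":   ("10.0.20.50", "10.0.1.2", 80),
        "guest_to_internet":    ("10.0.20.50", "203.0.113.7", 443),
    }
    return {name: evaluate(rules, *flow) for name, flow in flows.items()}
```

Running `audit(ALLOW_ANY_RULES)` shows every flow passing, including guest traffic to the NAS and the AP's WebGUI, which is exactly what the "bad practice" rule gives up.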
Final Thoughts

While VLANs are not absolutely secure, they are a deterrent. As with all security matters there is a trade-off between convenience and true security. In my case they provide decent separation of the LAN traffic while still leaving the possibility of sharing resources.


One Response to Wireless SSIDs tied to VLANs using a Cisco Aironet and pfSense

  1. mveplus says:

    Thank you EpiJunkie!

    Your tutorial saved me a lot of time! Especially with AP setup!
    My setup is very similar – VM SuperHub 3.0 – running as a modem – pfSense running on Hyper-V ( on my Desktop PC W10 x64 pro with two Ethernet cards) + Netgear GS105Ev2 + Cisco AP3600 – autonomous firmware. I’ve merged 2.4G and 5G to use same name and used different VLANs ID to reflect my.
    I just wanted to run a few different VLANs for guests, home and kids, and have some visibility, add filtering, put YouTube in restricted mode for some and remove ads on the fly.
    Thank you, thank you!
