Secure Wireless Gateway Setup Guide

Disclaimer: This guide does not provide cut-and-paste terminal instructions. Its purpose is to explain the setup process step by step.

Overview

This guide outlines the creation of a secure wireless IoT or WPA3 enterprise gateway on a budget. By purchasing a compatible WPA3 Unifi AP and a PC capable of virtualization, you can establish a highly secure wireless gateway. This setup serves as a foundation for both WPA3 enterprise wireless gateways and public WiFi access points, with the added benefit of isolating the network appliance from your local network.

Technical Skills Required

• MongoDB setup for Unifi compatibility
• Manual NAT configuration
• Knowledge of pfSense firewall rules
• Firewall VPN clients
• Radius configuration
• Public Key Infrastructure (PKI)

WPA3 Enterprise Consideration: This setup has been tested with EAP-TLS. Implementing PKI is crucial to protect against evil twin attacks. An authentication back-end may be required if the internal pfSense user manager is insufficient. For more information on EAP-TLS, refer to this link.

Prerequisites

• pfSense CE
• Unifi Network Application
• Ubuntu LTS VM image capable of running MongoDB
• x86 hardware with at least 2 NICs
• Unifi AP (required for the Unifi VM)
• Hypervisor capable of running on Ubuntu LTS

Unifi Network Server: Download here

Step-by-Step Guide

1. Set Up Unifi Network Application:
   • Deploy a single VM or multiple VMs based on your requirements.
   • For high availability, create a deployment template or use a stable base image.
   • If you already have a Unifi network, this VM is not adopted but runs in an isolated environment.
   • Updating and Installing Self-Hosted UniFi Network Servers (Linux)
   • Additional Help: GitHub Gist
2. pfSense Setup:
   • Install pfSense in your preferred hypervisor.
   • Create 2 bridges to physical NICs (Bridge 1 and Bridge 2).
   • Allocate Bridge 1 and 2 for pfSense.
   • Set one bridge to LAN and the other to WAN.
   • WAN port for access to pfSense web GUI, Unifi controller, syslog data, VPN tunnels, accounting, etc.
   • Virtualizing pfSense Software with VMware vSphere / ESXi
   • Virtualizing pfSense Software with Hyper-V
3. VPN Providers:
   • Install a VPN client on pfSense to NAT IoT devices transparently through a tunnel.
   • pfSense as an OpenVPN client for specific devices
4. Networking Options:
   • Option 1 (IDS): Bridge the Unifi VM to the LAN adaptor connecting directly to the AP. This is faster but less secure. Isolate the Ubuntu VM within the client OS for security reasons.
   • Option 2 (IPS): Create an internal or virtual adaptor shared by pfSense and Unifi. Set up appropriate firewall rules for IPS capability using Snort or Suricata.
5. Port Forwarding:
   • Port forward from pfSense to the Unifi controller.
6. Security Considerations:
   • Set up firewall rules for your IP configuration.
   • Change usernames and passwords to strong ones.
   • Open a port on the WAN interface to the internal firewall GUI and block local access.
   • Block pfSense’s webGUI from within the isolated environment to enhance security.
7. WPA3 Enterprise EAP-TLS (Optional):
   • Set up Radius for those extending the platform to a WPA3 enterprise network.
   • pfSense has optional packages like FreeRADIUS, which is WPA3 enterprise-ready.
   • The Radius package with pfSense provides LDAP integration or local user accounts managed in pfSense.
   • Using EAP and PEAP with FreeRADIUS

Once set up, you can access the pfSense web GUI and Unifi controller from your local network. Any Unifi AP plugged into Bridge 2 can be adopted by the standalone controller.