Secure Wireless Gateway Setup Guide
Disclaimer: This guide does not provide cut-and-paste terminal instructions. Its purpose is to explain the setup process step by step.
This guide outlines the creation of a secure wireless IoT or WPA3 enterprise gateway on a budget. By purchasing a compatible WPA3 Unifi AP and a PC capable of virtualization, you can establish a highly secure wireless gateway. This setup serves as a foundation for both WPA3 enterprise wireless gateways and public WiFi access points, with the added benefit of isolating the network appliance from your local network.
Technical Skills Required
- MongoDB setup for Unifi compatibility
- Manual NAT configuration
- Knowledge of pfSense firewall rules
- Firewall VPN clients
- Radius configuration
- Public Key Infrastructure (PKI)
WPA3 Enterprise Consideration: This setup has been tested with EAP-TLS. Implementing PKI is crucial to protect against evil twin attacks. An authentication back-end may be required if the internal pfSense user manager is insufficient. For more information on EAP-TLS, refer to this link.
- pfSense CE
- Unifi Network Application
- Ubuntu LTS VM image capable of running MongoDB
- x86 hardware with at least 2 NICs
- Unifi AP (required for the Unifi VM)
- Hypervisor capable of running on Ubuntu LTS
Unifi Network Server: Download here
- Set Up Unifi Network Application:
- Deploy a single VM or multiple VMs based on your requirements.
- For high availability, create a deployment template or use a stable base image.
- If you already have a Unifi network, this VM is not adopted but runs in an isolated environment.
- Updating and Installing Self-Hosted UniFi Network Servers (Linux)
- Additional Help: GitHub Gist
- pfSense Setup:
- Install pfSense in your preferred hypervisor.
- Create 2 bridges to physical NICs (Bridge 1 and Bridge 2).
- Allocate Bridge 1 and 2 for pfSense.
- Set one bridge to LAN and the other to WAN.
- WAN port for access to pfSense web GUI, Unifi controller, syslog data, VPN tunnels, accounting, etc.
- Virtualizing pfSense Software with VMware vSphere / ESXi
- Virtualizing pfSense Software with Hyper-V
- VPN Providers:
- Install a VPN client on pfSense to NAT IoT devices transparently through a tunnel.
- pfSense as an OpenVPN client for specific devices
- Networking Options:
- Option 1 (IDS): Bridge the Unifi VM to the LAN adaptor connecting directly to the AP. This is faster but less secure. Isolate the Ubuntu VM within the client OS for security reasons.
- Option 2 (IPS): Create an internal or virtual adaptor shared by pfSense and Unifi. Set up appropriate firewall rules for IPS capability using Snort or Suricata.
- Port Forwarding:
- Port forward from pfSense to the Unifi controller.
- Security Considerations:
- Set up firewall rules for your IP configuration.
- Change usernames and passwords to strong ones.
- Open a port on the WAN interface to the internal firewall GUI and block local access.
- Block pfSense’s webGUI from within the isolated environment to enhance security.
- WPA3 Enterprise EAP-TLS (Optional):
- Set up Radius for those extending the platform to a WPA3 enterprise network.
- pfSense has optional packages like FreeRADIUS, which is WPA3 enterprise-ready.
- The Radius package with pfSense provides LDAP integration or local user accounts managed in pfSense.
- Using EAP and PEAP with FreeRADIUS
Once set up, you can access the pfSense web GUI and Unifi controller from your local network. Any Unifi AP plugged into Bridge 2 can be adopted by the standalone controller.