= Setting Up trusted & untrusted WiFi with TP-Link EAP610 & pfSense =

<span id="step-1-understanding-the-problem.-why-do-this"></span>
== Step 1: Understanding the problem. Why do this? ==

Let’s say there’s a device on your network you don’t trust. You want to use it, but you don’t trust it. Exhibit A, a Chinese security camera. Hikvision makes good, cheap cameras; but my government tells me I shouldn’t trust them, and I [https://www.fcc.gov/document/fcc-bans-authorizations-devices-pose-national-security-threat listen to & believe everything that my government tells me]. I will want to limit its access to the internet and to other machines.

Let’s say it connects via wifi. You can block it from connecting to the internet by its IP - but what if it tries to change its IP? You could create a static mapping in pfSense based on its MAC address, but what if it spoofs its MAC address? If this device were truly malicious, it could do the following:

* Spoof its MAC address to get around a static mapping
* Try to connect using every single IP address
* See if it eventually finds an IP address in that subnet that allows it to go online & connect to other networks/devices
* Upload audio recordings of you saying you had a celebrity crush on Sabrina Carpenter, or that you cry listening to Tori Amos’ Baker Baker. Where’d your reputation be then?

If you want to be more stringent with this - if you genuinely believe your refrigerator is out to get you by recording your intimate moments & blackmailing you with them (it’s probably not), we can make a separate network for them. We’ll create two separate networks:

* '''Main Network''': <code>192.168.5.0/24</code> for trusted devices ''(we’ve already created this)''
* '''Guest Network''': <code>192.168.7.0/24</code> for untrusted devices ''(needs to be created)''

<blockquote>'''Note''': This is not a normal wifi access point. It is an enterprise-level device that allows seamless switching between multiple access points, so that if you have a giant area you never lose your connection or connection strength. The downside is that this isn’t as simple as a standard wifi router; this isn’t your Linksys WRT54G from 2005 that you configure by typing <code>192.168.1.1</code> and entering <code>admin</code> for the user & password. You need to install controller software to use it, and it’s worth it. Access points like the EAP610 can be found used on eBay in liquidation sales for $45, which is cheaper than a lot of wifi routers.</blockquote>

Our LAN subnet, where our servers & computers connect, is <code>192.168.5.0/24</code>, meaning that clients connecting here can grab from <code>192.168.5.2</code> to <code>192.168.5.254</code> - <code>192.168.5.1</code> is taken by the router. Our OpenVPN subnet that we connect to when we use our VPN is <code>192.168.6.0/24</code>, meaning that clients that connect here can grab from <code>192.168.6.2</code> to <code>192.168.6.254</code> - <code>192.168.6.1</code> is taken by the VPN gateway. Here we’re going to create <code>192.168.8.0/24</code> as another subnet.

If you’re on the trusted wifi, you get to connect to the <code>192.168.5.0/24</code> network. If you are connecting to the untrusted wifi, you get to connect to the <code>192.168.7.0/24</code> untrusted network.

When we set up OpenVPN, pfSense created a firewall rule automatically that allowed the VPN subnet of <code>192.168.6.0/24</code> to connect to everything. We will do the opposite for this network. We can create a rule that blocks all traffic TO and FROM the <code>192.168.7.0/24</code> network. Then, we can create specific allow rules for the very specific devices we want it to connect to. If it’s a thermostat, we allow it a connection to & from <code>192.168.5.4</code>, our Home Assistant machine. If it is a camera, we allow it a connection to & from <code>192.168.5.2</code>, our Frigate machine.

It doesn’t matter if the device spoofs its MAC address to get around a static mapping at this point. It doesn’t matter if it tries to grab every single IP address on the subnet - because NOTHING on <code>192.168.7.0/24</code> is allowed to connect to anything anyway. So, it’s stuck. This is more “secure” if your threat model includes a thermostat with a hidden microphone in it connected to your wifi, that might want to get around being blocked from phoning home.

# Can’t access your main network
# Can’t see your devices
# Can still access the internet

This is what VLANs are for. We’ll create two completely separate networks:

* Main Network (192.168.5.0/24): For your trusted devices
* Guest Network (192.168.7.0/24): For everyone else

<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113190058398.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113190156285.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113190459933.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113190855998.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113190925796.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113190952807.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113191027630.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113191045988.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113191714961.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113192027212.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113191736911.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113191815241.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113192136101.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113192201701.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113192215825.png
</gallery></div>

<span id="step-2-pfsense-configuration-guide-for-trusted-untrusted-networks"></span>
== Step 2: pfSense Configuration Guide for Trusted & Untrusted Networks ==

We want to have two separate networks; but we are using one cable to connect the switch to our wifi access point. We do that with VLANs, which are “virtual” LANs. Each packet we send is going to have a tag on it that tells it which LAN it belongs to. The switch, & in this case the wifi access point, will use this tag to direct the traffic to the correct virtual LAN. Each of our wifi clients will be connecting to a LAN. The trusted wifi network will connect to the standard <code>192.168.5.0/24</code> LAN, and the untrusted to a 2nd network we create on <code>192.168.7.0/24</code>.

<span id="create-vlans"></span>
==== 2.1 Create VLANs ====

# Navigate to: '''Interfaces > Assignments > VLANs'''
# Click “Add” to create the first VLAN:
#* Parent Interface: Select your LAN interface (usually igb0 or em0)
#* VLAN Tag: 7
#* Priority: leave blank
#* Description: '''“maliciouswifi”'''
#* Click '''“Save”'''

<span id="create-network-interfaces"></span>
==== 2.2 Create Network Interfaces ====

# Go to: '''Interfaces > Assignments'''
# From the '''“Available network ports”''' dropdown:
#* Select the VLAN 7 interface and click “Add”
#* Note the names assigned (typically OPT1 and OPT2)
#* Name this '''maliciouswifi'''

<span id="set-ip-range-of-new-interface"></span>
==== 2.3 Set IP range of new interface ====

# Go to: '''Interfaces > MALICIOUSWIFI'''
# In '''“General Configuration”''' set the following options:
#* Set '''“Description”''' to maliciouswifi
#* Set '''“IPv4 Configuration Type”''' to Static IPv4
#* Set '''“IPv6 Configuration Type”''' to None.
#** If you have a reason to use IPv6, you are probably a network administrator for the world trade tower or a mall or something & aren’t reading this guide anyway.
# In '''“Static IPv4 Configuration”''' set the following options:
#* '''“IPv4 Address”''' to <code>192.168.7.1</code>
#** The slash thingie at the end to <code>/24</code> - this means we get the entire range from <code>192.168.7.2</code> to <code>192.168.7.254</code> for wifi clients connecting to this network when we set up the DHCP server.
#* Set '''“IPv4 Upstream Gateway”''' to None
# Hit '''“Save”'''

<span id="configure-dhcp-server"></span>
==== 2.4 Configure DHCP Server ====

DHCP is what allows you to connect to a wifi network and get online without having to specify the IP address, gateway, DNS server, etc. This is necessary so clients automatically get an IP address when they connect to the wifi network.

Malicious wifi Network DHCP:

# Navigate to: '''Services > DHCP Server > MALICIOUSWIFI'''
#* The interface maliciouswifi will be at the top after you click onto '''“DHCP Server”'''
# Configure:
#* Enable: ✓ Check '''“Enable DHCP server on MALICIOUSWIFI interface”'''
#* '''“Address Pool Range”''':
#** From: 192.168.7.2
#** To: 192.168.7.254
# Click Save

<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113192410257.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113192442850.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113192623441.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113192834456.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113193208715.png
</gallery></div>

<span id="step-3-configure-firewall-rules"></span>
== Step 3: Configure Firewall Rules ==

Now, we’re going to block this from connecting to anything.

<span id="block-maliciouswifi-to-everything"></span>
==== 3.1 Block maliciouswifi to everything ====

# Navigate to: '''Firewall > Rules > MALICIOUSWIFI'''
# Add this rule (Block Inter-VLAN Access):
#* Action: Block
#* Interface: '''“MALICIOUSWIFI”'''
#* Protocol: Any
#* Source: Any
#* Destination: Any
#* Description: '''“Block maliciouswifi access to everything”'''
#* Click Save

==== 3.2 Add allow rules for devices you wish to speak to one another ====

Right now devices connected to this wifi network can’t connect to anything. Even if it were a malicious device that were going to try every IP on this subnet after spoofing its MAC address and try to get access to the outside world, it’s stuck. We would want to add rules '''ABOVE''' the ''“Block maliciouswifi access to everything”'' rule for things we did want to talk. For instance, let’s say a wireless camera were attached here. We would want to add a rule to allow traffic from the camera, let’s say it’s at <code>192.168.7.15</code>, to the Frigate machine at <code>192.168.5.2</code>, and then another rule to allow traffic from the Frigate machine to the camera. This rule would be listened to ''before'' the rule to block everything. You can use this to make sure that the thermostat only communicates with Home Assistant, that the fish camera only communicates with your VPN, etc. It’s a great way to keep untrusted devices from having rampant access to everything.
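The rule ordering above is the whole point of Step 3, so here is a small model of it you can run before touching the real firewall. This is an added example, not code from the guide or from pfSense: it replays pfSense's top-to-bottom, first-match evaluation over the MALICIOUSWIFI rule list the guide describes, using the guide's addresses (camera <code>192.168.7.15</code>, Frigate <code>192.168.5.2</code>, Home Assistant <code>192.168.5.4</code>), and flags an allow rule that was accidentally placed below the block-all rule.

```python
# Added example (not from the guide): a model of pfSense first-match rule
# evaluation for the MALICIOUSWIFI interface. Addresses are the guide's;
# the rule order is the one Step 3 tells you to build.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: Optional[IPv4Network]  # None means "any"
    dst: Optional[IPv4Network]  # None means "any"
    description: str


def _matches(net: Optional[IPv4Network], addr: IPv4Address) -> bool:
    return net is None or addr in net


def evaluate(rules: List[Rule], src: str, dst: str) -> Tuple[str, str]:
    """Return (action, description) of the first rule matching src -> dst.

    pfSense walks an interface's rules top to bottom and stops at the first
    match, which is why the guide puts allow rules ABOVE the block-all rule.
    Traffic matching no rule at all is dropped by the implicit default deny.
    """
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if _matches(rule.src, s) and _matches(rule.dst, d):
            return rule.action, rule.description
    return "block", "implicit default deny"


def shadowed_allows(rules: List[Rule]) -> List[str]:
    """Descriptions of pass rules that sit BELOW an any/any block rule.

    Such rules can never match: the classic mistake when the block-all rule
    is created first and the allow rule is appended after it.
    """
    shadowed, blocked_all = [], False
    for rule in rules:
        if rule.action == "block" and rule.src is None and rule.dst is None:
            blocked_all = True
        elif rule.action == "pass" and blocked_all:
            shadowed.append(rule.description)
    return shadowed


CAMERA = ip_network("192.168.7.15/32")
FRIGATE = ip_network("192.168.5.2/32")

# The order the guide describes: the specific allow first, then block everything.
# pfSense is stateful, so replies to a connection the camera opens to Frigate
# are passed by the state table; the guide's separate rule for Frigate -> camera
# covers connections Frigate initiates and belongs on the LAN interface.
MALICIOUSWIFI_RULES = [
    Rule("pass", CAMERA, FRIGATE, "Allow camera to frigate"),
    Rule("block", None, None, "Block maliciouswifi access to everything"),
]

# The same two rules in the wrong order, for comparison.
WRONG_ORDER = list(reversed(MALICIOUSWIFI_RULES))


if __name__ == "__main__":
    checks = [
        ("192.168.7.15", "192.168.5.2"),  # camera -> Frigate: pass
        ("192.168.7.15", "192.168.5.4"),  # camera -> Home Assistant: block
        ("192.168.7.15", "1.1.1.1"),      # camera -> internet: block
        ("192.168.7.99", "192.168.5.2"),  # device that changed its IP: block
    ]
    for src, dst in checks:
        print(f"{src:>14} -> {dst:<14} {evaluate(MALICIOUSWIFI_RULES, src, dst)}")
    print("shadowed allow rules in wrong order:", shadowed_allows(WRONG_ORDER))
```

Because the block rule matches source Any, a device that grabs a different address on <code>192.168.7.0/24</code> is still caught, which is the property Step 1 relies on.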
<span id="step-4-tp-link-omada-controller-sdn-installation-guide"></span>
== Step 4: TP-Link Omada Controller SDN Installation Guide ==

<span id="optional-note-for-the-paranoidskip-ahead-if-not-paranoid"></span>
==== 4.0 Optional note for the paranoid (skip ahead if not paranoid) ====

'''To be clear, if you’re at this level of paranoia, just find a router that has meshing with OpenWrt and deal with the lower level of performance with switching you’ll get with it. I have yet to find an open source access point + open source firmware that is even close to closed source ones with regards to seamless roaming across multiple access points without dropoffs or slowdowns.'''

If you have a problem with running closed source software from a company headquartered in Shenzhen on your computer - I don’t blame you. Rather than install this onto your host system, you can install it onto a virtual machine you do not allow to access the internet, that runs nothing but this software. You would install the virtual machine for Omada the same way you would install the virtual machine for mailcow. We have done this many times - simply follow the instructions we’ve already followed, with the following changes:

* When installing Ubuntu Server, choose minimal install in the installer.
* Set the IP to 192.168.5.7 instead of the 192.168.5.3 we chose for mailcow.
* Set the hostname & name of the computer to '''wifitool'''
* Set the static mapping in pfSense with hostname '''wifitool'''
* Make a pfSense firewall rule blocking all traffic '''to''' and '''from''' <code>192.168.5.7</code> on the LAN interface for any protocol, so it looks like this:

<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241114175555928.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241114175638119.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241114175738722.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241114175818156.png
</gallery></div>

Lastly, if you want a level of paranoia that matches [https://www.reuters.com/world/us/us-lawmakers-urge-probe-wifi-router-maker-tp-link-over-fears-chinese-cyber-2024-08-15/ congress], you can set up temporary pfSense firewall rules that block the computer you use to access the TP-Link Omada controller in your web browser from connecting as well - and toggle them on each time you run the TP-Link Omada controller software in your browser, and make a rule blocking the IP address of each individual access point from going online as well.

<span id="prepare-the-system"></span>
==== 4.1 Prepare the System ====

Before installation, remove any conflicting packages like older MongoDB versions, Java, or remnants of previous Omada installations to avoid conflicts.

'''We never installed these packages onto our server, so they should not be there. This is just in case they are. To be clear, you should not have any use for these packages at this point if you’ve been following this guide.'''

<pre>sudo apt purge -y mongodb-org* openjdk-11-* openjdk-8-* jsvc
sudo apt autoremove -y
sudo apt clean</pre>

<span id="install-java-8-and-mongodb"></span>
==== 4.2 Install Java 8 and MongoDB ====

Install Java 8, as the Omada Controller requires it, and install MongoDB (v7.0 is recommended here). It wants old Java. Not version 11.

<pre>sudo apt update
# Some of this software you may already have. No big deal, it doesn't hurt to make sure.
sudo apt install -y openjdk-8-jre-headless jsvc curl gnupg lsb-release
curl -fsSL https://pgp.mongodb.com/server-7.0.asc | sudo gpg -o /usr/share/keyrings/mongodb-server-7.0.gpg --dearmor
echo "deb [arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg] https://repo.mongodb.org/apt/ubuntu $(lsb_release -sc)/mongodb-org/7.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list
sudo apt update
sudo apt install -y mongodb-org</pre>

<pre>sudo systemctl enable mongod --now
sudo systemctl status mongod</pre>

<blockquote>'''IMPORTANT NOTE:''' MongoDB is expecting you to be using an older version of Ubuntu Linux (22.04, codename “jammy”) for this to work. We are using Ubuntu Server (24.04, codename “noble”). There is nothing wrong with this ''(besides the fact that I subjected you to Ubuntu in the first place, but that’s a conversation for another time)''. 24.04 is the latest stable, long term release. However, MongoDB still thinks that jammy is the latest long term/stable release. If MongoDB does not have a repository for Ubuntu 24.04 by the time this guide is released, you will have to make the following edit for apt to let you install MongoDB from this repository:</blockquote>

<pre># Open source list file for mongodb for editing
sudo nano -w /etc/apt/sources.list.d/mongodb-org-7.0.list</pre>

<pre># Find the following line:
deb [arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg] https://repo.mongodb.org/apt/ubuntu noble/mongodb-org/7.0 multiverse</pre>

<pre># Replace the word `noble` with `jammy`
deb [arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0 multiverse</pre>

'''The steps in the three grey code boxes above are only necessary if you received an error while trying to install MongoDB.'''

<span id="find-omada-sdn-controller-software-on-tp-links-website-to-download"></span>
==== 4.3 Find Omada SDN Controller Software on TP-Link’s website to download ====

Download the latest .deb package from [https://www.tp-link.com/us/support/download/omada-software-controller/ TP-Link’s Download section]. Right click the download button, click '''copy link''' in your browser, and paste it into the command below:

<pre># Make subdirectory for storing programs if it isn't already there in our home directory
mkdir -p ~/Downloads/programs
cd ~/Downloads/programs
# Check TP-Link's website for the latest version of this software, it should be a .deb file with a filename that looks something like what you see below, just with a newer version
wget https://static.tp-link.com/upload/software/2024/202411/20241101/Omada_SDN_Controller_v5.14.32.3_linux_x64.deb</pre>

<span id="install-the-omada-controller"></span>
==== 4.4 Install the Omada Controller ====

Install the Omada Controller SDN package. If dependencies are flagged, ignore them to proceed with the installation.

<pre># Use the filename of the .deb you actually downloaded in the previous step
sudo dpkg --ignore-depends=jsvc -i Omada_SDN_Controller_v5.14.32.3_linux_x64.deb
# Just in case anything funny happened while installing an ancient version of java
sudo apt --fix-broken install</pre>

<span id="verify-it-installed-start-the-controller"></span>
==== 4.5 Verify it installed & Start the Controller ====

The Omada Controller should now be running. Access the Omada interface by navigating to <code>https://192.168.5.2:8043</code>.

<blockquote>'''NOTE:''' If it gets stuck on “Starting Omada Controller. Please wait….” and keeps outputting dots, and never starts, and it gives you a bs error about the Java virtual machine not being available, you followed TP-Link’s documentation instead of mine. Do not pass go, do not collect $200, go directly to jail. That is your punishment for expecting GNU/Linux documentation for a piece of software to work; and you deserve it.</blockquote>

-----

To enable it on boot, type <code>systemctl enable tpeap</code>, but it should already be starting on boot.

<span id="step-4.5-vlan-tags"></span>
== Step 4.5: VLAN tags ==

<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113114803712.png
</gallery></div>

This can be confusing. There are $250 wifi routers that, when put in wifi bridge mode to be used as a switch, will not pass VLAN tags properly. Then there are $20 [https://www.netgear.com/business/wired/switches/unmanaged/gs308/ Netgear GS308v3 switches] that support VLAN tags perfectly. You don’t have to spend a lot of money to get a switch that passes VLAN tags. How do you tell if yours supports VLAN tags? Good question. Netgear’s [https://www.downloads.netgear.com/files/GDC/Unmanaged_Switches/300-Series_Gigabit_DS.pdf datasheet for the GS308] and their [https://www.downloads.netgear.com/files/GDC/GS308v3/GS305v3_GS308v3_IG_EN.pdf instructional manual for the GS308] do not mention the word “VLAN” - not even once. It says it supports 802.1p QoS, but that is not 802.1Q VLAN tagging.

Most modern switches DO support this; but what if you have an old one? What if you are re-purposing an old wifi router as a switch for this setup? Many wifi routers, even older ones, have settings that allow them to be used as a wireless bridge. As I have said earlier on, when people tell you to ''“RTFM”'', what they are actually saying is ''“eat shit and die”'' - it’s their way of expressing that they hate you. Manuals are functionally useless for 99% of products sold, and rarely if ever answer actual questions. They answer questions that can be answered intuitively without a manual.

<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113115922968.png
</gallery></div>

My best answer is as follows: if you are going to have a very small home network, the Netgear GS308 is a great pick that works with VLAN tags. It’s dirt cheap and a workhorse. If you want something that is more upscale, I’d suggest looking at the [https://www.tp-link.com/us/business-networking/omada-switch-l3-l2-managed/sg3218xp-m2/v1/ TP-Link Omada SG3218XP-M2] & other switches in that series, for the following reasons:

'''2.5 GbE speeds'''

Most switches have gigabit ports. This means 1 gigabit - which translates to '''100-120 megabytes per second''' in the real world. Around 2009 when these started to become cheaper (sub-$200), this was more than enough, since hard drives of the time were in the 70-120 megabyte per second range. This meant that it made no sense to pay extra for a switch with more bandwidth, since your hardware was not capable of making use of the extra bandwidth. Whether using a $10,000 switch or the $50 1 gigabit switch, your transfer speed would be the same. As time has moved on, even cheap desktop hard drives do over 180-250 megabytes per second, and cheap solid state drives can achieve 200-400 megabytes per second read & write easily. 1 gigabit ports on switches mean you are losing out on transfer speed. 2.5 GbE switches are capable of approximately '''270-290''' megabytes per second in the real world. This is still under the capability of more expensive NVMe solid state drives, but it is over double what you get with the old gigabit switches.

'''Power over Ethernet (PoE)'''

If you do plan on setting up security cameras, PoE means that you can plug the ethernet cable into the camera without having to run a separate line for power. The power for the camera is provided by the switch through the ethernet cable.

'''Easy management using Omada controller software'''

If you want to have fun with some of this switch’s other features, you can use the same software we’ll be using for EAP610 wireless access points to control the switch.

<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113193732516.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113193805590.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113194116940.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113194135465.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113194243719.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113194341452.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113194419692.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113194432870.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113194509149.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113194551382.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113194714308.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241113194736836.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241114081503037.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241114081612226.png
</gallery></div>

<span id="step-5-configuring-tp-link-eap610-vlans-in-omada-controller"></span>
== Step 5: Configuring TP-Link EAP610 VLANs in Omada Controller ==

<span id="loading-controller-adopting-your-access-point"></span>
==== 5.1 Loading controller & adopting your access point ====

# Visit Omada Controller in your browser: <code>https://192.168.5.2:8043</code>
#* '''NOTE:''' Take a close look at the IP address & port in the terminal and visit the URL it tells you to upon finishing the installation of the TP-Link Omada controller software.
# Adopt the access point that matches the IP address you see in pfSense under '''Diagnostics –> ARP Table''' or under:
#* Go to Devices
#* Check that the EAP610 shows as '''“Connected”'''
#* If not adopted, use the “Adopt” button

<span id="navigate-to-where-we-create-a-new-network"></span>
==== 5.2 Navigate to where we create a new network ====

# Click on the zone you just created on the main homepage under '''Site List''' once you log in. In our case, that is '''home_demo'''.
# Click on '''“Settings”''' in the lower left corner.
#* Make sure you clicked on a zone first - if you click on ''“Settings”'' in the lower left corner without doing so, it will take you to the settings for the controller program rather than for the zone you’re setting up for wifi.
# Click '''“Wireless Networks”'''
# Click '''“Create New Wireless Network”'''

<span id="configure-the-easy-settings-for-the-network"></span>
==== 5.3 Configure the easy settings for the network ====

# Fill in all the usual settings for normal wifi setup you’ve done before on normal wifi routers:
#* '''SSID''': maliciouswifi
#** This is the name of the network that shows up when you search for wifi networks on your laptop or phone
#* '''Device type:''' EAP
#** Band: 2.4 GHz, 5 GHz
#* '''Security Key''': whatever password you want for connecting to it
#** This is the wifi password for the network

<span id="configure-vlan-settings-youre-likely-not-familiar-with-if-youre-reading-this"></span>
==== 5.4 Configure VLAN settings you’re likely not familiar with if you’re reading this ====

# Click '''“Advanced Settings”'''
# Set '''“VLAN”''' to '''“Custom”''' and '''“Add VLAN”''' should show up as a new menu item.
# Choose '''“By VLAN ID”''' when the '''“Add VLAN”''' part shows up after you click '''“Custom”'''
# Set the number to 7, which we chose when making the VLAN in pfSense.

<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241114111018846.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241114111105623.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241114111257746.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241114111344084.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241114111434791.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241114111555972.png
</gallery></div>
<div class="figure"><gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241114111626689.png
</gallery></div>

<span id="step-6-make-sure-blocking-rules-work"></span>
== Step 6: Make sure blocking rules work ==

# Connect your phone to this network. Don’t use a VPN. Turn VPN off.
# Try connecting to the web or to Home Assistant, or anything we set up. It shouldn’t work.
# Add a firewall rule to allow traffic to & from the IP address your phone has grabbed, to the Home Assistant VM which we set up at <code>192.168.5.4</code>
# Try to access the Home Assistant VM now on your phone.
# If it works now, but didn’t before, you did a good job.

You can now connect untrusted wifi IoT devices to this and be confident that there is a slightly lower chance that your refrigerator is going to report you fapping back to the manufacturer.