Bridging Firewall to Public Wifi

2

My building offers wifi to its residents. It is not managed by IT professionals. I would like to use this internet source some of the time, but would like to be protected from machines on that network as well as protected in general. Consider that I have a spare machine with a PCI wireless adapter, a switch and a few machines connected to the switch. Is it feasible to configure the spare machine such that it connects to the building wifi and serves the few machines connected to the switch? Does this cause a NAT issue? Is this something that could be configured with pfSense, pf in OpenBSD, or something similar? I am a novice-intermediate user. I have not configured or managed a firewall before, but I've been using Linux exclusively for a couple of years. So long as the above is possible, I could probably figure it out.

Sara Kline

Posted 2015-04-19T06:42:01.893

Reputation: 21

Thanks. I am not in a position to attempt this at the moment, but knowing you have done it is assuring. – Sara Kline – 2015-04-19T07:43:57.377

Answers

1

pfSense should absolutely work. My immediate response was going to be to get a cheap router capable of OpenWRT (Netgear WNDR3700) and connect to the WiFi through LuCI... but that was before I saw that you already have hardware. It is absolutely doable and I encourage you to try it.

As to whether it'll cause NAT related issues, that largely depends on how you configure it. When I did this same thing using OpenWRT, it would have put me behind a second NAT if configured the way you are looking to do it. This can be worked around (disabling NAT, accepting DHCP from the building server rather than your box, etc.). Basically, you are just trying to put iptables between you and the building WiFi.

I can fire up a virtual machine (or several) and help you pound through it if you hit any snags.

Nathanial Meek

Posted 2015-04-19T06:42:01.893

Reputation: 632

Thanks. I am not in a position to attempt this at the moment, but knowing you have done it is assuring. – Sara Kline – 2015-04-19T07:45:04.030

Sure thing. Let me know if you need additional help. I'm pretty into fringe networking configurations. – Nathanial Meek – 2015-04-19T07:55:38.583

0

There is one free Linux distribution that matches your requirements and that's ZeroShell.

It provides the main LAN services for small-to-medium-sized networks, similar to the commercial solution RouterOS. It's offered on a Linux LiveCD, so it doesn't have to be installed. It just needs a small drive to save the configuration.

ZeroShell can perform as a router, firewall, RADIUS server, wireless access point, VPN, and more. It includes QoS, hotspot, and Internet load-balancing and fail-over features. It also supports VLAN tagging, multiple SSIDs, and Windows Active Directory.

As it's free and runs from a LiveCD, you can try it without much effort. Here is a good starting tutorial provided by LinuxPlanet.

agtoever

Posted 2015-04-19T06:42:01.893

Reputation: 5,490

I didn't know pfSense, mentioned in the other answer. That looks like a good (and better maintained) solution compared to ZeroShell... – agtoever – 2015-04-19T07:09:16.283

ZeroShell looks pretty neat. I had never heard of it. Any interesting ways of going about this are most welcome. Any thoughts on adding a DMZ to the mix? I have reason to believe the building wifi is a hostile network. – Sara Kline – 2015-04-19T07:48:13.457

As long as you don't plan to present services like ssh, ftp, http, etc. from your network, it makes no sense to define a DMZ. And because you consider the network hostile, it's not smart (in your case, with your level of experience) to do so. – agtoever – 2015-04-19T07:56:26.553

I will definitely need ssh. – Sara Kline – 2015-04-19T08:08:09.687
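As an added example (not code from any of the answers above), here is what "putting iptables between you and the building WiFi" from the first answer looks like on the spare Linux box, with the ssh point from the comments under the second answer folded in: the LAN behind the switch is NATed out through the wireless adapter, nothing the building network initiates is accepted, and ssh/DHCP/DNS to the firewall box itself are only reachable from the switch side. The interface names (`wlan0`, `eth0`) and the LAN subnet (192.168.50.0/24) are constructed assumptions; change them to match your hardware. The script emits an iptables-restore ruleset so you can review it before applying it as root.

```shell
#!/bin/sh
# Assumed names (not from the original post): WAN_IF is the PCI wireless
# adapter joined to the building WiFi, LAN_IF faces the switch.
WAN_IF="${WAN_IF:-wlan0}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.50.0/24}"   # constructed private subnet for the switch side

# Emit a complete iptables-restore ruleset. Default policy on INPUT and
# FORWARD is DROP, so anything not listed below is silently refused.
gen_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide the LAN behind the address the building DHCP gave $WAN_IF
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections this box or the LAN started
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Management services only from the switch side, never from $WAN_IF
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -p icmp -j ACCEPT
# Log (rate limited) what the building network tries, then fall to DROP
-A INPUT -i $WAN_IF -m limit --limit 6/min -j LOG --log-prefix "bldg-wifi-drop: " --log-level 4
# LAN may go out through the WiFi; only replies may come back in
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Sanity check before applying: number of INPUT rules that would accept
# new traffic arriving from the building side. Expected to be 0.
wan_input_accepts() {
  gen_rules | grep -c -- "-A INPUT -i $WAN_IF .*-j ACCEPT" || true
}

# Load the ruleset and turn on forwarding between the two interfaces.
apply_rules() {
  [ "$(wan_input_accepts)" -eq 0 ] || { echo "refusing: WAN accept rule present" >&2; return 1; }
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  gen_rules | iptables-restore
}

# "show" prints the ruleset for review; "apply" loads it (root only).
case "${1:-}" in
  show)  gen_rules ;;
  apply) [ "$(id -u)" -eq 0 ] && apply_rules ;;
esac
```

Run `sh firewall.sh show` to read the generated rules, then `sudo sh firewall.sh apply` on the spare box. The box still needs a DHCP client on `wlan0` (to take an address from the building) and a DHCP/DNS server such as dnsmasq bound to `eth0` for the machines on the switch; those are not part of this script. Because the building router already NATs you, this puts the switch side behind a second NAT, which is the situation the first answer describes; for outbound-only use that is harmless, and it is exactly what keeps the building's machines from reaching yours.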