How to protect outside AP ethernet jack


how can I configure Pfsense to block access from an ethernet port I use for my outdoor unifi AP?
The AP sends 3 SSIDs for different VLANs and is part of my primary LAN.

Thanks Sebastian

There’s probably a way to setup an ACL on your switch using the MAC address of the AP.

or buy a “rj45 lock”.

FreeRadius might help, looks like there is an option to use a MAC address too.

Someone could still cut the cable, crimp the end and enter the network :smile:

There is a whitelist in the port config of my unifi switch. I wonder if this blocks the wifi traffic? testing now…

Well yes, it blocks wifi traffic

Seems like a poorly designed outdoor AP if it has exposed RJ45 jacks. How about installing the cable in conduit, the AP in a locked NEMA rated outdoor enclosure and install the antennas external to the enclosure?

MAC authentication in the switch is the best way, if that port sees a different MAC, then forward to a vlan that doesn’t connect to anything or turn the port off (depends on the features in the switch).

1 Like

I second Greg_E’s statement. Or, disable the port.

If I understand the question correctly (you’re trying to secure an internal switch port that has a cable running to an AP that is outside a physical wall) you could:

  1. set up another VLAN
  2. set the primary VLAN ID on the switch port to the new VLAN
  3. set up a DHCP reservation for the AP in the new VLAN space
  4. set up a firewall rule on that VLAN ruleset only allowing the AP’s IP to talk to the internal network

The switch port will still carry the other trunked VLANS to the AP, so the AP and things attached to the wi-fi will still have connectivity, but anything else that might get directly attached to that port will only receive DHCP from the new VLAN and access will be blocked by the firewall rule.

Thanks, that is the only way I thought of. The Otter suggestions block the wifi traffic.