We are still plugged into one of the LAN ports (Ethernet '1', '2', or '3') of the VisionNet M505N modem we are re-purposing for isolated "Internet of Things" connections and a "guest" wireless network for visitors who will not get access to our regular networks. The modem is happily purring away, having authenticated to the DMZ interface of the pfSense firewall as set up in the first section of this multi-part series. Now it is time to configure the wireless settings of the modem, which differ depending on whether it serves IoT isolation or a guest network.
Almost all of the time both types of networks will be designed as wireless-only connections with limited capability, but your "guest" network may also need a few wired ports. My initial descriptions will be for an isolated IoT connection, although I will provide the settings for a "guest" network alongside. Select the 'Wireless' menu item on the left.
Of course, we are going to 'Enable Wireless'. You may want to 'Hide Access Point' (stop broadcasting the "SSID", the name of the wireless network), but only after connecting your IoT device(s) to the wireless; a "guest" wireless network typically is not hidden at all. For both types of wireless networks, enable 'Client Isolation' for obvious reasons: devices on the same wireless network should not be able to talk to each other. Less obviously, check 'Disable WMM Advertise' on your IoT and "guest" networks (but leave WMM Advertise enabled on your main LANs; it stands for "Wi-Fi Multimedia" and can help improve streaming from the Internet). Provide only basic services to your visitors, and limit the bandwidth of those connections (which will be a later blog post).
Back to IoT isolation: give that (eventually hidden) wireless network a long name (with spaces) or a randomized one. The goal is for nothing except your IoT devices to connect to it. A guest network is, of course, different: name it for its function, something like "Guest Wireless". For an IoT network, I have set '3' as the 'Max Clients'; a guest wireless should be slightly more, but less than the default of "16". Click on 'Apply/Save'.
Now select the sub-item 'Security Settings'. In reality (and contrary to the notion that a password is all that is needed for security), we will only set a password for the isolated IoT scenario, unless you want a basic password for your guests that you change occasionally. "WPS", the push-button method on the modem for easily establishing a wireless link, should be 'Disabled' for IoT, but possibly enabled for your guest network. Use a WPA2 "Pre-Shared Key" for IoT, and likewise if you choose to have a password for your guest network. Click on 'Apply/Save' when finished.
Here is where we gain real security: click on the 'MAC Filtering' sub-item. I will show an easy way to determine the MAC address(es) connected to your VisionNet M505N modem in a moment, so you might need to return to this area later. If you set 'MAC Restrict Mode' to 'Allow' and have entries only for your IoT device(s), only those MAC address(es) are allowed to connect to the IoT wireless network. You would likely maintain your IoT Wireless Access Point only from one of the LAN ports later (even with a '/30' address space that has only one DHCP client IP address for that computer, and "reserved" IP address(es) for your IoT device(s)).
For a "guest" network it is the reverse: leave 'MAC Restrict Mode' set to 'Disabled' until a neighbor finds that open network, then set it to 'Deny' with their MAC address(es) listed to block them! Why give them free Internet (even if you are limiting bandwidth)? It is for your guests!
Click on the 'Global Settings' sub-item. The image below shows the unedited defaults, with some recommendations. The wireless channel (only the 2.4GHz bands on this device, but that is adequate for "guests" and IoT) is shown as 'Auto', but you might want to set it to a specific out-of-the-way channel that does not border your main wireless networks. Set the bandwidth to '20MHz in Both Bands' rather than '40MHz' to avoid a wider channel footprint. Counter-intuitively, you are trying to de-optimize both scenarios: an isolated IoT network with low bandwidth needs and your limited "guest" wireless.
Tune the 'Basic Rate' down. Again, 'Disable' the 'WMM (Wi-Fi Multimedia)' setting. Immediately above that is an interesting item, 'Transmit Power'. From full power ('100%') there are options to decrease the level in steps of 20% (the other selections being '80%', '60%', '40%' and '20%'). If the wireless signal reaches your IoT device(s) at 20% strength, why run it any higher? Put your "Guest WAP" in the location where your guest(s) will be, then cut the transmit power so the signal does not reach as far as your neighbor's house.
The final step for this section is to know how to determine the MAC address(es) of the device(s) connected to the VisionNet M505N modem. I prefer to select 'DHCP' (showing both wireless and wired LAN connections that are receiving a DHCP IP address from the modem) rather than 'Wireless Clients' under the 'Modem Statistics' menu item. A MAC address is a unique identifier for that interface of a device (the wireless and wired connections of a laptop each have a separate MAC address), and the first half identifies the manufacturing "vendor". At a later point I will have a more specific blog entry covering MAC address conventions, but for now you can use this information to create "reserved" IP addresses and to allow or block devices by their MAC address.
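As an added example (not code from this blog or from the VisionNet M505N firmware), the following Python models the 'MAC Restrict Mode' behavior described above (Disabled, Allow, Deny) over a constructed DHCP client table, normalizing the different ways a MAC address gets printed and pulling out the vendor half. The hostnames, MAC addresses and the 192.168.50.x range are made up.

```python
# Added example, not code from the VisionNet M505N or this blog: models the
# 'MAC Restrict Mode' logic (Disabled / Allow / Deny) over a DHCP client table.
import re

# Constructed sample of the modem's DHCP client list: (hostname, MAC, IP).
DHCP_CLIENTS = [
    ("thermostat", "A4:CF:12:3B:9E:01", "192.168.50.10"),
    ("smart-plug", "a4-cf-12-3b-9e-02", "192.168.50.11"),
    ("visitor-phone", "3C:28:6D:77:10:AA", "192.168.50.12"),
    ("admin-laptop", "001a.2b3c.4d5e", "192.168.50.13"),
]


def normalize_mac(mac: str) -> str:
    """Accept colon, hyphen or dotted notation; return AA:BB:CC:DD:EE:FF.
    Raises ValueError unless exactly 12 hex digits remain."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def oui(mac: str) -> str:
    """First three octets: the manufacturer (vendor) portion of the address."""
    return normalize_mac(mac)[:8]


def permitted(mode: str, filter_list, client_mac: str) -> bool:
    """Disabled: everyone; Allow: only listed MACs; Deny: all but listed."""
    listed = {normalize_mac(m) for m in filter_list}
    mac = normalize_mac(client_mac)
    if mode == "Disabled":
        return True
    if mode == "Allow":
        return mac in listed
    if mode == "Deny":
        return mac not in listed
    raise ValueError(f"unknown MAC Restrict Mode: {mode!r}")


def admitted_clients(mode: str, filter_list, clients=DHCP_CLIENTS):
    """Hostnames from the DHCP table that the wireless would accept."""
    return [name for name, mac, _ip in clients
            if permitted(mode, filter_list, mac)]


if __name__ == "__main__":
    # IoT wireless: Allow mode listing only the two IoT devices
    print(admitted_clients("Allow", ["a4:cf:12:3b:9e:01", "A4-CF-12-3B-9E-02"]))
    # Guest wireless: Deny mode blocking one uninvited device
    print(admitted_clients("Deny", ["3C:28:6D:77:10:AA"]))
```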
Please stay tuned for further entries in this multi-part series. We have completed the basic security and isolation techniques for these wireless scenarios, but there are even more security features to come!