Orbi Router in routing mode behind pfSense

genivos

Forgive me if there is a topic already about this issue. I have searched a lot but can't find a good answer.
The situation is as the following. I want to install my pfSense directly connected to my ISP. Tested and works.
Behind the pfSense I want to use an Orbi RBR50 in routing mode. I specifically want to stay in routing mode and not AP mode (Bridging) cause I have an Armor subscription what I would like to keep using for now. I know it will be double NAT but that doesn't matter in my case, I don't need UPNP and such on that network behind the Orbi. I'm not using UPNP for security reasons anyways.

Situation will be then: ISP - pfSense - Orbi - switched LAN
IP addressing will be: Internet IP ISP -> pfSense <- 10.10.1.x/24 -> Orbi <- 192.168.2.x/24 - switched LAN

In theory this should work. However, I never got it to work so far. I'm struggling with the limited configuration options in the Orbi mainly.
Anyone a clue or hint in which direction?

SteveITS

@genivos I have not used Orbi. That said, normally nested routers work like that out of the box. pfSense WAN gets DHCP from ISP router, Orbi WAN gets DHCP from pfSense LAN. All subnets must be unique.

If you traceroute out from a device behind the Orbi how far does it get?

genivos

@SteveITS I checkced once more and I found the culprit. I had VLAN tagging on my Orbi WAN port still on. That's not needed anymore since I have a dedicated port on the pfSense box for my Orbi LAN. So, once turning that off it started working as expected and out of the box as you said, of course.

Orbi works fine now and clients can connect to the Internet.

A new challenge now which I am investigating. I'm setting up a VPN on the pfSense. Of course and logically I cannot connect throught the LAN behind the Orbi at this moment. Not sure if that will even work with the Orbi. Thus, VPN - pfSense - Tunnel - Orbi WAN - Orbi LAN. My first guess is to let the tunnel network access the internal LAN but then the Orbi blocks it of course. Going to investigate that as well but perhaps I'm missing something.

greenlight

@genivos I haven't used Orbi before, but there is definitely a type of VPN it supports. With this you can connect pfsense and orbi together. If you use openvpn to access pfsense from outside, I don't think there will be a problem. You can do something like below

OpenVPN > pfsense < Ipsec > orbi

genivos

@greenlight thanks! I will try looking into something like this. Orbi has OpenVPN as well, I was using this before. No IPSEC as I recall.

genivos

@greenlight or pehaps someone else, trying to setup an OpenVPN to my Orbi. It's a bit difficult, I can't really configure much other then ports on the Orbi.
I have the certs imported in pfSense but to make a working VPN from pfSense to Orbi is until now impossible.

In my client settings file which I get from the orbi are these settings but I can't match them all to the pfSense OpenVPN client configuration.

client
dev tun
proto udp
remote 10.10.1.1 12973
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-128-CBC
comp-lzo
verb 5

SteveITS

@genivos If Orbi has a VPN server can you just NAT forward the port from pfSense to the Orbi?

greenlight

@genivos said in Orbi Router in routing mode behind pfSense:

remote 10.10.1.1 12973

the certificates ip addresses must be orbi router's public ip addresses, which one you import on pfsense.

genivos

@SteveITS said in Orbi Router in routing mode behind pfSense:

@genivos If Orbi has a VPN server can you just NAT forward the port from pfSense to the Orbi?

Good one indeed! That works flawlessly. Problem solved, thanks for the suggestion.

genivos

@greenlight said in Orbi Router in routing mode behind pfSense:

the certificates ip addresses must be orbi router's public ip addresses, which one you import on pfsense.

Orbi has no public address anymore, since it's behind the pfSens. But I used NAT, works.