Allow IPs on another subnet straight to the WAN gateway
-
@Jarhead
I will look into it but so far even trying to switch the Fritzbox with a proprietary router had the line malfunction and the ISP immediately notifying me of the apparatus "being tampered with". I guess that's how it goes with Italian ISPs.
-
@Troniclab said in Allow IPs on another subnet straight to the WAN gateway:
@Jarhead
I will look into it but so far even trying to switch the Fritzbox with a proprietary router had the line malfunction and the ISP immediately notifying me of the apparatus "being tampered with". I guess that's how it goes with Italian ISPs.
So, I checked the FritzBox.
The model is "5530 Fiber" but we're not using its own fiber input; the ISP gave us a standalone ONT which goes to the modem via the 2.5Gbit port, leaving 2 Gigabit ports available.
ISP excuse is "that model's onboard ONT tends to overheat over time so it's better to use an external one".
So the Fritz IS ACTUALLY ALREADY BRIDGED to the ONT, but the ISP will not give me the username/password of the IPoE connection, saying they provide the combo as one machine.
I'm left with no options but to consider it unexpendable and proceed with allowing machines through the firewall.
I need IPs from 192.168.0.2 to 192.168.0.80, which are connected to the LAN port, to reach the Fritz (192.168.0.1) connected to the WAN port, allowing them to be reached by the rest of the 0.1 subnet network (i.e. the office PC, where the webgui credentials of the IPCAMs and APs are stored).
Could you please guide me through? I tried the Alias path a couple of times but it's not working, so probably I messed up something each time I tried.
-
@Troniclab That's too bad, would be the better way to go but not the end of the world.
So then the options are use just pfSense behind the fritz and segregate as needed, or to use both (as in your proposed) and still segregate as needed.
Using pfSense only would be my choice.
To do this, you may need to add equipment to get exactly what you want but that's still not clear.
Assuming you have NO access to the Fritz and can't even change the subnet.
You'll do fritz to pfSense.
fritz - 192.168.0.1
pfSense WAN - 192.168.0.2. Disable "Block private networks and loopback addresses".
Then pfSense LAN - 192.168.1.1/24 or any subnet other than 192.168.0.0/24.
Here comes the added equipment, you'll either need multiple nic's in pfSense or a vlan capable switch to connect it to.
Multiple nic is the way to go.
Make the LAN connect to the bottom (in pic) switch and all devices downstream.
Make the second nic connect to the top switch and downstream.
Firewall rules to do what you want.
Using a vlan, you would trunk the LAN interface and add a vlan. In the switch (can be a 5 or 8 port cheap vlan capable) set a port to trunk and tag the same vlan ID that you used in pfSense. Another port is untagged with the LAN (can leave it at vlan 1 or change if desired) and another port untagged with the vlan id mentioned previously.
The "LAN vlan" will go to the bottom switch, the other vlan to the top switch. Firewall as needed.
The one thing I can't decipher is the Wifi emitters.... you show it coming off the pfSense but it shows an IP in the 0.0 range still. What's that about?
Are you saying you need that to be available on both subnets?
All the "how to" can be discussed after you decide which way you want to go.
-
@Jarhead thank you very much for your help, I'll try to explain better.
I DO have access to the Fritz, but I cannot separate it from the ONT because I wouldn't know how to set up the incoming connection in pfSense (ISP not telling me the password to the username); so I NEED to use the Fritz, but I surely can tweak its IP/Subnet/DHCP settings. But there comes another problem: the whole network downwards was built on the 192.168.0.1 IP class and some of the equipment is like 30+ feet up on poles: if I mess up ANYTHING it will require a basket crane to go reset it (emitters don't, being CP210 from TP-Link they have a reset button on the PoE, but cameras are all wireless because it's a park and apparently wiring power cables doesn't affect the environment but ethernet does).
This is why I would prefer to make all the necessary changes IN the pfSense machine so that in the event of any trouble all I have to do is bypass it to restore the original configuration.
This being said, the pfSense machine comes with a Realtek gigabit ethernet port and an additional PCIe card hosting TWO Gigabit Intel ports. Until today I was planning on using the two Intels as WAN and LAN and keeping the onboard as optional, but for the sake of elegance I think your port assignation better suits the Realtek as WAN and the two Intels as lan-for-office and lan-for-visitors. ;-)
Now let's talk emitters.
The switch downwards the Lan carries 3 ethernets with following chained configuration:
eth1: CP210 to which connect via wifi 5 IPCAMs
eth2: AP (TPLink) in a conference hall bridged to another CP210 to which connect via wifi 5 IPCAMs
eth3: unmanaged switch that hosts:
- CP210 to which connect via wifi 2 IPCAMs
- AP (D-Link) in an ancient chapel to which connects via wifi 1 IPCAM
...I can easily make you a complete, very detailed, topology of the whole network, if you need it.
The problem is that the 3 external CP210 APs emit THE SAME SSID (and the 2 internal APs have their own but same situation) to which both service machines AND visitors connect.
Up to now, they were mildly segregated by static IPs (service machines) and DHCP pool (visitors) but of course this allows malicious users to ping and reach those static IPs, which is my main concern, besides content filtering.
That's why I need all the APs (IPs going from 192.168.0.2 to 0.6) and all the IPCAMs (IPs going from 192.168.0.60 to 0.72) to possibly KEEP their subnet of belonging (0.1) but still be able to navigate the pfSense Lan (which will have a 1.1 based DHCP) out to the Wan
This way, as I wrote before, if a 0.1/24 IP knocks on the LAN switch, it has to be forwarded to the 0.1 subnet, mainly located on the other switch.
-
@Troniclab Adding this explanation of the intended setup: if a visitor connects to a 0.1/24 AP it will be "caught" in the 1.1/24 DHCP of the LAN, but the static 0.1/24 IPCAM connecting to the same 0.1/24 AP will be forwarded to the 0.1 subnet along with the AP address itself. That's what I'm fantasizing to do. This way I can access the WebGUIs of the APs and the IPCAMs from the office PC, but visitors can't because they cannot SEE 0.1/24 addresses that stealthily run on the same connection.
-
@Troniclab Still reading your post but thought I'd mention this now in case you see it and want to get started testing this or whatever.
Simple way, make the pfSense LAN 192.168.0.0/24.
Change the fritz LAN to a /30 other than the pfSense LAN.
Follow the rest from my previous post for pfSense WAN and you will now be running on pfSense with the existing topology.
You can then implement what you want from there.
That would be my "step 1".
Do the AP's do vlans? Would solve everything.
-
@Jarhead I will give it a try on Saturday and will let you know. CP210s probably support VLANs but I'm not sure about the other 2 APs. Will update you asap.
-
@Jarhead Here's what I did:
- turned the Fritz LAN to 10.0.0.x/24 and had pfS WAN static on 10.0.0.2 with Fritz as gateway on 10.0.0.1
- turned pfS LAN to 192.168.0.x/16 and set a DHCP pool from 192.168.1.1 to 254 (for now, as a test)
- made a firewall rule on pfS LAN to allow all/any (for now, as a test)
...and boom! I can see the static IPs on 192.168.0.x which come from the service machines, but if I connect to the LAN as a DHCP client I'm given a 192.168.1.x address.
So now I need to herd the clients inside the DHCP subnet so that they cannot even ping 192.168.0.x IPs.
I also need to make inaccessible all the 192.168.0.x IPs which aren't already assigned, so that (i.e.) I can't connect to the LAN with a static address in the 192.168.0.x subnet and escape the DHCP.
-
@Troniclab And how are you planning to do that??
They are all on the same subnet now. There's nothing to stop them from talking to each other. That traffic wouldn't even hit a router since it's all layer 2.
You need to use the other interface for either the 1.x or 0.x subnets.
Do the AP's support vlans?
-
@Jarhead All but one AP support VLANs. Unfortunately it's the one hosting 5 cameras plus one CP210 emitter
-
@Troniclab said in Allow IPs on another subnet straight to the WAN gateway:
@Jarhead All but one AP support VLANs. Unfortunately it's the one hosting 5 cameras plus one CP210 emitter
I can bind 4 of the cameras to the CP210 but unfortunately one of them is behind the emitter and too far to be caught in the backfiring wifi beam
-
@Troniclab said in Allow IPs on another subnet straight to the WAN gateway:
@Jarhead All but one AP support VLANs. Unfortunately it's the one hosting 5 cameras plus one CP210 emitter
Also they can only be ASSIGNED to a VLAN, they cannot manage one
-
@Troniclab said in Allow IPs on another subnet straight to the WAN gateway:
@Troniclab said in Allow IPs on another subnet straight to the WAN gateway:
@Jarhead All but one AP support VLANs. Unfortunately it's the one hosting 5 cameras plus one CP210 emitter
Also they can only be ASSIGNED to a VLAN, they cannot manage one
Ok, you're confusing the s**t out of me now.
Basically what you want is a "guest wifi" network, correct? They have Internet access but no access to anything else, ie cams.
You want the "admin network" (ie employees/workers) access to everything, correct?
If so, why would you change to a /16 subnet? That doesn't change anything you had except made it a bigger subnet.
What do you mean "manage" a vlan?
You need to be able to send 2 vlans throughout the whole network. So you're gonna need to replace those 2 switches and configure the AP's.
If you can't do that you'll need to separate the 2 networks with separate AP's. There's not a lot of options for separating layer 2 traffic.
-
@Jarhead I was afraid you'd say that. Unfortunately I came to the same conclusion myself. But, again, the cp210 only have the option to be assigned to a vlan (1,2,3...), but the vlan would be the SAME anyway for both visitors and ipcams. I honestly can't see a way out. If only there was the option of "guest wifi" to channel the dhcp clients into.
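The two points Jarhead makes above (hosts on one subnet talk at layer 2 and never touch the router, so a bigger /16 changes nothing; and the only fix is to carry a guest VLAN and an admin VLAN through every switch and AP, with the firewall deciding what crosses between them) can be modelled in a few lines. The following is an added example, not code from the thread or from pfSense: the hosts, VLAN ids and addresses are constructed to mirror the park network described here (cameras and APs static in 192.168.0.x, visitors in a DHCP pool), and the guest-only-Internet policy in `firewall_allows` is a hypothetical stand-in for the pfSense rules that would enforce it.

```python
"""Layer-2 vs routed reachability, and why VLAN separation is the only fix.

Added example modelled on the forum discussion; hosts and addresses are
constructed, not real devices.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


@dataclass(frozen=True)
class Host:
    name: str
    iface: IPv4Interface  # address plus prefix length, e.g. 192.168.0.60/24
    vlan: int             # 802.1Q VLAN id of the segment the host sits on


def on_link(a: Host, b: Host) -> bool:
    """True when a reaches b purely at layer 2: same VLAN (same broadcast
    domain) and b's address lies inside a's own subnet, so a ARPs for b
    directly and no router or firewall ever sees the packets."""
    return a.vlan == b.vlan and b.iface.ip in a.iface.network


# Private ranges (RFC 1918) that the guest policy must not be able to reach.
PRIVATE = (IPv4Network("10.0.0.0/8"),
           IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16"))


def firewall_allows(src: Host, dst_ip: IPv4Address, guest_vlan: int) -> bool:
    """Hypothetical inter-VLAN policy modelled on the thread's goal:
    the guest VLAN gets Internet only, every other VLAN is allowed anything."""
    if src.vlan != guest_vlan:
        return True
    return not any(dst_ip in net for net in PRIVATE)


def reachable(src: Host, dst: Host, guest_vlan: int) -> str:
    """Classify how src reaches dst:
    'layer2'  - same VLAN and subnet; the firewall is bypassed entirely
    'routed'  - crosses VLANs and the firewall policy permits it
    'blocked' - crosses VLANs and the policy denies it"""
    if on_link(src, dst):
        return "layer2"
    return "routed" if firewall_allows(src, dst.iface.ip, guest_vlan) else "blocked"


def scenarios() -> dict:
    """Constructed topologies; the address ranges mirror the thread's."""
    results = {}

    # 1. The /16 attempt from the thread: one VLAN, one big subnet.
    #    The visitor ARPs straight for the camera; no rule can intervene.
    cam = Host("ipcam", IPv4Interface("192.168.0.60/16"), vlan=1)
    guest = Host("visitor-dhcp", IPv4Interface("192.168.1.50/16"), vlan=1)
    results["flat_16_visitor_to_cam"] = reachable(guest, cam, guest_vlan=1)

    # 2. Two /24s but still one VLAN: a visitor who ignores DHCP and sets a
    #    static 192.168.0.x address is on-link with the camera again.
    cam24 = Host("ipcam", IPv4Interface("192.168.0.60/24"), vlan=1)
    squatter = Host("visitor-static", IPv4Interface("192.168.0.99/24"), vlan=1)
    results["two_24_one_vlan_static"] = reachable(squatter, cam24, guest_vlan=1)

    # 3. Admin VLAN 10 and guest VLAN 20 carried through switches and APs.
    #    Now even a static 192.168.0.x address on the guest SSID is not on-link,
    #    and the firewall sees (and drops) the cross-VLAN attempt.
    cam_v = Host("ipcam", IPv4Interface("192.168.0.60/24"), vlan=10)
    office = Host("office-pc", IPv4Interface("192.168.0.10/24"), vlan=10)
    guest_v = Host("visitor-dhcp", IPv4Interface("192.168.1.50/24"), vlan=20)
    squatter_v = Host("visitor-static", IPv4Interface("192.168.0.99/24"), vlan=20)
    internet = Host("wan-host", IPv4Interface("203.0.113.10/24"), vlan=0)  # TEST-NET-3
    results["vlan_guest_to_cam"] = reachable(guest_v, cam_v, guest_vlan=20)
    results["vlan_static_guest_to_cam"] = reachable(squatter_v, cam_v, guest_vlan=20)
    results["vlan_guest_to_internet"] = reachable(guest_v, internet, guest_vlan=20)
    results["vlan_office_to_cam"] = reachable(office, cam_v, guest_vlan=20)
    results["vlan_office_to_guest"] = reachable(office, guest_v, guest_vlan=20)
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:30s} {outcome}")
```

Scenarios 1 and 2 both come out `layer2`, which is the thread's point: subnet size and DHCP pools are conventions a client can ignore, and the firewall only gets a say once the two populations are in different VLANs (scenario 3), where the guest-to-camera attempts are `blocked` while the office PC keeps `layer2` access to the cameras and `routed` access to the guest range.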
-
@Troniclab What is the cp210? Do you have a link for the manual?
-
@Jarhead cpe210, sorry, misled you.
-
@Troniclab So then you should be good. But you'll need to replace the two switches so you can "trunk" the ports to the AP's.
You'll have to send 2 vlans throughout the network and you'll have two ssid's. One guest and one management.
Can you log in to one of the cpe210 and check the firmware?
Might have to update it but from a quick Google you should have a "layer 2" menu where you can config vlans.
-
@Jarhead firmware says as follows
2.2.3 Build 20201110 Rel. 60634 (4555)
At the moment all the 210s are in AP mode and enabling multi-ssid shows a table that has a "vlan" column so, I guess they can route different SSIDs to different vlans. I couldn't see the option because (obviously) I had only one ssid running, and the machine was like "dude, there's only one road, I can't route elsewhere" ;-)
So, getting rid of the 5 and 8 port unmanaged switches and getting a 16 ports managed one I can throw everything at the firewall and it will be able to select what is what, right?
Being the whole operation pro-bono/non-profit, I was thinking about a tplink easy smart switch like this one: TL-SG1016DE.
It has an integrated management console for vlans
Which should be just fine without costing much. I had a bunch of them installed in a multi-apartment condo having vlans for every apartment to avoid wannabe hackers nosing around. Could you take a look and see if it's what we need for this application? If so, I'll buy it immediately and start reconfiguring all the SSIDs of the park.
-
@Troniclab Yeah, that will work. Not the greatest but I've used them and it'll do.
-
@Jarhead switch arrived this morning, will install the configuration tool in the office pc and set its IP in the lan subnet.
Once all the machines are connected to the firewall through the switch, I should put the Fritz on DMZ and manage port forwarding from the firewall itself, right? There are some ports I need open for UPS, NAS, RDP, etc.