Solving Ranger Extender subnet with a Route in pfSense?

DaHai8

I have a wifi network called Bob that does not extend to the garage very well. So I installed a Wifi Range Extender, called Mary, on Bob and connected those devices (camera, light switches) to Mary.
Problem is, I can no longer access those Garage Camera and Light Switches (their admin web pages) from any of the other subnets on my pfSense router, whereas before when they were connected to Bob, I could.
From what little I understand of this discussion:
https://superuser.com/questions/586901/does-a-wi-fi-range-extender-create-a-separate-network
"These are fake repeaters. Real repeaters require WDS to be configured at the access point. They do a form of NAT that impersonates their clients to the access point. This means seamless roaming is not possible."
So, there is a NAT inside the Range Extender (Mary) that is preventing access to those connected devices from the other subnets on pfSense?

Bob Wifi is 172.28.1.x
Mary Ranger Extender is 172.28.1.4
Joe Wifi is 172.28.2.x

If I connect to Mary, I can access the Garage Camera and Light Switches
If I connect to Bob, I can also access the Garage Camera and Light Switches and all devices connected to Bob
If I connect to Joe, I cannot access the Garage Camera or Light Switches, but I can access any device connected to Bob
If I connect the Garage Camera and Light switches directly to Bob, I can access them from Bob and from Joe

I'm thinking I need a Route set up in pfSense.
But then again, I'm thinking I don't have a clue what going on.
Any advice?

P.S. I believe switching the Range Extender to a Wired Access Point would probably solve this problem, but running cable to the Garage is a PITA.

Thanks!

DaHai8

Here is some more information:

Ping rom the Raspberry Pi at 172.28.2.3 to the Range Extender at 172.28.1.4:

# ping 172.28.1.4
PING 172.28.1.4 (172.28.1.4) 56(84) bytes of data.
^C
--- 172.28.1.4 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 180ms

PIng from the Raspberry Pi at 172.28.2.3 to Home Assistant at 172.28.1.3:

# ping 172.28.1.3
PING 172.28.1.3 (172.28.1.3) 56(84) bytes of data.
64 bytes from 172.28.1.3: icmp_seq=1 ttl=63 time=0.453 ms
64 bytes from 172.28.1.3: icmp_seq=2 ttl=63 time=0.323 ms
64 bytes from 172.28.1.3: icmp_seq=3 ttl=63 time=0.281 ms
64 bytes from 172.28.1.3: icmp_seq=4 ttl=63 time=0.276 ms
^C
--- 172.28.1.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 142ms
rtt min/avg/max/mdev = 0.276/0.333/0.453/0.072 ms

Traceroute from the Raspberry Pi at 172.28.2.3 to the Ranger Extender at 172.28.1.4:

# traceroute 172.28.1.4
traceroute to 172.28.1.4 (172.28.1.4), 30 hops max, 60 byte packets
 1  172.28.2.1 (172.28.2.1)  0.242 ms  0.167 ms  0.138 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * *^C

Traceroute from the Raspberry Pi at 172.28.2.3 to Home Assistant at 172.28.1.3:

# traceroute 172.28.1.3
traceroute to 172.28.1.3 (172.28.1.3), 30 hops max, 60 byte packets
 1  172.28.2.1 (172.28.2.1)  0.239 ms  0.149 ms  0.141 ms
 2  HomeAssistant (172.28.1.3)  0.321 ms  0.240 ms  0.284 ms

Now when on the same subnet....

Ping from Home Assistant at 172.28.1.3 to the Range Extender at 172.28.1.4:

[core-ssh ~]$ ping 172.28.1.4
PING 172.28.1.4 (172.28.1.4): 56 data bytes
64 bytes from 172.28.1.4: seq=0 ttl=63 time=4.097 ms
64 bytes from 172.28.1.4: seq=1 ttl=63 time=4.993 ms
64 bytes from 172.28.1.4: seq=2 ttl=63 time=3.420 ms
64 bytes from 172.28.1.4: seq=3 ttl=63 time=2.823 ms
^C
--- 172.28.1.4 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 2.823/3.833/4.993 ms

And finally, Traceroute from Home Assistant at 172.28.1.3 to the Range Extender at 172.28.1.4:

[core-ssh ~]$ traceroute 172.28.1.4
traceroute to 172.28.1.4 (172.28.1.4), 30 hops max, 46 byte packets
 1  5c53de3b-esphome.local.hass.io (172.30.32.1)  0.008 ms  0.007 ms  0.006 ms
 2  mary (172.28.1.4)  5.548 ms  2.077 ms  2.009 ms

So it appears that pfSense doesn't know where to send the packets destined for 172.28.1.4 (mary Range Extender) when they originate from a different subnet (172.28.2.x). But it has no problem if the packets are going to 172.1.3 (home assisant) from a different subnet.
Only when on the same subnet as mary Range Extender (172.28.1.x) can that device (and those connected to mary) be pinged.

So, it seems like a static route is needed, but pfSense already routes to 172.28.1.3 automagically. So I don't have a clue what route to add.

Hope this helps explaingthis further.

SteveITS

@DaHai8 What is Joe?

In general a route would send the subnet behind Mary, to Mary.

DaHai8

@SteveITS said in Solving Ranger Extender subnet with a Route in pfSense?:

@DaHai8 What is Joe?

In general a route would send the subnet behind Mary, to Mary.

Joe is any device connected to subnet 172.28.2.x - in the above Pings and Traceroutes, that would be the Raspberry Pi.

But what is the subnet behind Mary (the Range Extender)?
All those connected devices have the same IP address as they did when connected directly to Bob.
Would that route be added to the Range Extender, mary?

So, you're saying the packets being sent to/through mary (Range Extender) are getting to their destinations, but don't know how to get back?

I'll work on drawing a diagram

DaHai8

Hope this helps

SteveITS

@DaHai8 If Mary is a router providing NAT there’s a subnet behind Mary. What IP does a device there have?

DaHai8

@SteveITS said in Solving Ranger Extender subnet with a Route in pfSense?:

@DaHai8 If Mary is a router providing NAT there’s a subnet behind Mary. What IP does a device there have?

Same IP addresses as w/o Mary. For instance the Camera is at 172.28.1.25 regardless of being connected to Mary Range Extender (172.28.1.4) or direct to the Wifi Bridge (172.28.1.2)

The really confusing part is that I cannot ping Mary (or any device connected to Mary) unless I do so from some device on that subnet (172.28.1.0/24)

DaHai8

Ok, just for Giggles, I changed the mode on Mary (the Wireless Range Extender) to Wired Access Point and connected an Ethernet cabled from the Wifi Bridge (172.28.1.2) to it:

And, as I suspected in my original post, this works...grrr
I can Ping and access Mary from any other subnet on pfSense (like the Raspberry Pi on 172.2.3) and any device connected to Mary.

None of the IP addresses on any of the devices (including Mary) changed. But everything works and my network on 172.28.1.0/24 is "extended".

However, this bites, because running Ethernet from the Wifi Bridge out to the Garage is near impossible.

Argh

DaHai8

I gonna give up and return the Range Extender. There does not appear to be a workaround or resolution to it isolating itself and devices connected to it when in Wifi Range Extender mode. Wired AP Mode is just not possible for me as running cable to the garage is not an option.

I'll look into converting my setup to a Mesh system as that appears to be the best solution.

Thank you, @SteveITS , for all your help and suggestions.

Cheers.