Routing Issue (moving from DD-WRT)
-
Your description is hard for me to follow. Can you post a network diagram?
-
Hope this is big enough, looks small on my screen but my res is out of control. Basically I'd want to replace the DD-WRT device so I could put in a PFSense one to do better QoS, VPNing, etc.
The CPE works a lot like cable modems do, where the device has an IP for maint and the customer sees a public IP on their side.
The LAN side of the DD-WRT box is bridged, so we can just assign the 10.x.x.1 to the bridge in the startup script.
It all works as it is, but I'd love to use PFSense instead for a lot of reasons. I think this problem probably has come up before, but I'm not sure the easy way out. If PFSense supported IP Aliases on the interface, that'd probably fix it, but there's 'gotta be a better way'.
Thanks for your help in advance.
-
Ok, this makes more sense now.
I think the easiest thing is to probably put three physical interfaces where the DD-WRT's LAN interface goes. Put one subnet on each interface, even though it's the same broadcast domain so it's pointless to do so, because that's by far the easiest way to do this, and possibly the only way without some serious hacking.
That'll cause some ARP spam in your logs, you can silence that on the Advanced page.
-
I wish I could do that. :) the machine I'm using is limited to the 2 interfaces I have unless I wanted to get a Quad NIC or something esoteric like that. I could just throw IP Aliases against the LAN NIC (basically how it's set up in DD-WRT), but I saw that IP Aliases are generally frowned upon here (to the point of being unsupported).
The public IP range is basically relayed through the 10 network too (a bridged type situation, not a routed one), so basically it ends up being.
PC LAN SIDE <–-> 10.1.3.1/24 <----> 10.1.3.29/24 (for instance) Modem <---> 65.x.x.159 (Customer PC)
I think 3 NICs would probably break this, since the 65.x.x.128/25 would be on its own interface instead of coming through with the 10.1.3.0/24 traffic?
Thanks for your help.
-
I wish I could do that. :) the machine I'm using is limited to the 2 interfaces I have unless I wanted to get a Quad NIC or something esoteric like that. I could just throw IP Aliases against the LAN NIC (basically how it's set up in DD-WRT), but I saw that IP Aliases are generally frowned upon here (to the point of being unsupported).
{…}Just an idea: how about configuring one of the ports as VLAN trunk and hook it up to managed 8 port switch? I've done it with m0n0wall when I needed more ports and I don't see why it would not work with pfsense.
-
I do have a Cisco C2924XL-EN that's going to be going in at that location.
I'd have to make the port attached to the LAN side of the PFSense machine be 3 VLANs (Multi-VLAN mode) and then the ports for my radio base stations (that need access to all 3 networks) as members of those 3 VLANs as well?
I haven't done much work with VLANs unfortunately, so I apologize in advance.
-
I do have a Cisco C2924XL-EN that's going to be going in at that location.
I'd have to make the port attached to the LAN side of the PFSense machine be 3 VLANs (Multi-VLAN mode) and then the ports for my radio base stations (that need access to all 3 networks) as members of those 3 VLANs as well?
I haven't done much work with VLANs unfortunately, so I apologize in advance.
Configure port 1 (for example) on Cisco switch as trunk, tagged VLAN1, VLAN2 and VLAN3. Plug in pfsense , configured for VLAN1, VLAN2 and VLAN3, to port 1. Assign port 2 to VLAN1 untagged, port 3 to VLAN2 untagged, port 4 to VLAN3 untagged. Connect your APs to ports 2-4. AP should not be configured for specific VLAN since ports are untagged.
-
Hm that's interesting. I think I'd have to change that a little because all of these networks have to be accessible to each other (for instance AP1 needs access to all 3 networks, as does AP2), but I think you've given me some food for thought and I think I can make it work.
I appreciate the help, thanks. :)
-
I think I'd have to change that a little because all of these networks have to be accessible to each other
That can be handled by the ruleset within pfSense then. But you can control every portion of it if you go the VLAN way.
On the other hand, quad NICs are quite cheap on eBay… (http://cgi.ebay.de/ws/eBayISAPI.dll?ViewItem&item=270122654207) -
Cool, I'll have to give it a go, thanks for both of your help. :)
-
I have used IP alias with no prob at all. I have a embedda device, with 6 nic (actualy a 1GHZ celeron machine with a 40G disk and 512 MB ram with no VGA or keyboard, just a com port) I try to use as less interfaces as possible.
I have 3 vlan in to the WAN port, and some IP's there. This is tagged trough a layer 2 connection to our MPOI.
I also use BGP at WAN (and have manualy installed quagga) (just started testing out the new BGP package. NICE! :PThe Lan port is connected to the same switch as the WAN port, and is vlaned out with 6 vlan's, Office, Customer1-4, and managment. The office segment is having an 192.168 range, the customer net a 10.30 range for DHCP and a offical X.X.X.X net, (blocking internet until ether
1: a VPN connection with a static username is established
2: The user login to the hotspot with Paypal, visa etc
3: A device with a static offical IP is connecting.and a 172 range for managment.
The managment vlan is to the backhoul wireless net, and is for managment. All devices between Pfsense and CPE is bridged in some way (but has some vlan to get rid of some broadcast)
the 3. nic in use is an internal vlan for managment stats (SNMP ->mrtg, openNMS etc)
There is no problems at all with this configuration.
Why use the cisco? cant u just put the Pf sense as the only device?
-
Why use the cisco? cant u just put the Pf sense as the only device?
It has my 2 T1 cards in it… I have no choice in that matter... :)