WiFi in front of pfSense
-
I am asking for some feedback/opinions on this setup;
Office LAN (10.0.1.0/24) <-> (LAN) pfSense (WAN) <-(10.0.2.0/24)-> ADSL WiFi and router box <-> ADSL Internet ISP
Site is remote with solar power and batteries, so I want to minimise the number of devices to be powered - avoid using another WiFi Access Point on Office LAN.
ADSL router has port forwards setup to the pfSense for any ports that need to be open from the internet (e.g. to OpenVPN servers).
OpenVPN site-to-site shared key links come in and out of the pfSense.
DHCP is disabled on ADSL WiFi box.
WAN has a rule allowing anything in with a source address in WAN subnet - lets the WiFi clients get to pfSense.
pfSense provides DHCP on LAN and WAN.
Wired clients are on LAN and work like a normal setup.
WiFi clients connect to the ADSL WiFi box, get DHCP from pfSense WAN. That gives them pfSense as the default route and DNS server.
pfSense DNS forwarder has host overrides for names of things in the Office LAN (this is a small Office LAN that does not have a server running DNS).
pfSense DNS forwarder has Domain Overrides to point to DNS servers that are across the OpenVPN links at other sites - this lets clients resolve names of things at other internal sites.
If the DNS request does not match the above, then DNS Forwarder sends it out to the ADSL router, which does a normal internet DNS query.
It all seems to work - the WiFi clients effectively first go "backwards" to the pfSense. pfSense decides if their packets need to go to Office LAN, across an OpenVPN link to the company intranet, or back across the WAN subnet to the ADSL router and internet.
Any opinions, thoughts or advice? Have I not thought about something here that is going to bite me?
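The forwarder decision order described in the post (host overrides first, then domain overrides, then the default forward to the ADSL router), modelled as an added example that is not part of the original post or of pfSense itself. The host names, domains and addresses in it are constructed for illustration (office hosts in 10.0.1.0/24, the ADSL router at 10.0.2.1, other-site DNS servers reached over the OpenVPN links); pfSense's forwarder (dnsmasq) does this matching itself, and the model goes one step beyond the post by making the most specific domain override win when overrides nest.

```python
"""Model of the pfSense DNS Forwarder decision order from the post.

Added example, not pfSense code. All names and addresses below are constructed
assumptions chosen to illustrate the three tiers the post describes.
"""

# Host overrides: exact name -> address, for things on the Office LAN (constructed).
HOST_OVERRIDES = {
    "fileserver.office.example": "10.0.1.10",
    "printer.office.example": "10.0.1.20",
}

# Domain overrides: domain -> DNS server reached across an OpenVPN link (constructed).
DOMAIN_OVERRIDES = {
    "site2.example": "10.0.3.5",
    "hq.example": "10.0.4.5",
    "lab.hq.example": "10.0.4.50",   # nested override: more specific domain wins
}

# Anything else is forwarded to the ADSL router, which asks the ISP (assumed address).
UPSTREAM = "10.0.2.1"


def normalise(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


def match_domain_override(name):
    """Return (domain, server) for the most specific overriding domain, or None."""
    labels = normalise(name).split(".")
    # Walk from the longest suffix to the shortest so lab.hq.example beats hq.example.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_OVERRIDES:
            return candidate, DOMAIN_OVERRIDES[candidate]
    return None


def resolve_decision(name):
    """Where the forwarder gets its answer from:
    ('override', ip)             answered locally from a host override
    ('forward', server, domain)  sent to the other site's DNS over the VPN
    ('upstream', UPSTREAM)       sent to the ADSL router / ISP resolver
    """
    name = normalise(name)
    if name in HOST_OVERRIDES:
        return ("override", HOST_OVERRIDES[name])
    hit = match_domain_override(name)
    if hit:
        domain, server = hit
        return ("forward", server, domain)
    return ("upstream", UPSTREAM)


def queries_leaving_to_isp(names):
    """Names that would be sent to the ISP resolver. Handy as a check that internal
    names (including mistyped ones) are not leaking to the internet."""
    return [n for n in names if resolve_decision(n)[0] == "upstream"]


if __name__ == "__main__":
    for q in ["fileserver.office.example", "www.lab.hq.example", "www.example.com"]:
        print(q, "->", resolve_decision(q))
```

The `queries_leaving_to_isp` check is the practical point: a host name that is neither a host override nor under a domain override falls through to the ISP, so a typo in an internal name becomes an external query.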
-
That is a very interesting setup. Why did you prefer not to have a wifi card in the pfsense machine (to act as an AP) and drop the ADSL router/wifi?
-
Interesting indeed. :)
I would be tempted to use the lowest power adsl modem I could find in bridge mode and a wifi card in the pfSense box. However I can see why you would want to keep your existing hardware.
What is the power consumption of your existing devices? How are they powered, DC, inverter?
What sort of dsl are you using? If you have adsl1 you can get some usb powered modems that are very low consumption (2.5W max from usb).
Steve
-
We are using Alix for pfSense. We don't have the WiFi hardware for that at the moment, and it would have to be brought to us from the USA. In any case, we have been using the same model TP-Link ADSL router in our offices and in various private homes. They are locally available, value for money (the whole box is cheaper than the WiFi components for the Alix), they work, and do all the port forwarding, DynDNS updating… that we have needed. Having the same model device everywhere is easy for support.
The ADSL is ADSL2.
Sites with solar have panels on the roof, battery/s, Alix running directly on DC. We are looking to use some little 5-port Cisco switches that take 12V DC. Fit-PC3 also takes 12V DC. We want to power as much as possible directly from 12V DC; no inefficient inverters. It looks like we will need a DC-to-DC converter to power the ADSL device - they seem to all require more than 12V DC. The network infrastructure (firewall/router, switch, WiFi and file server) is then totally off the mains, and can be left on 24/7.
I am installing a site tomorrow, so I will measure some AC watts and report (I don't have a device with me to measure the DC watts straight off the battery, which will be less).
-
Ah well you've clearly spent some time thinking about this. :)
You should be aware, if you're not already, that the voltage from your batteries will actually be between 10.5V (very flat) and 15V (equalising charge if your charger controller does that). The Alix has a very wide input voltage range, most devices are not as forgiving!
Anyway sounds interesting. What battery and panel size do you have to run that stuff 24/7?
Wild suggestion: The TP-Link router may have a mini-pci wifi card. You could just move it into the Alix.
Steve
-
All the devices we use on direct 12V DC have a wide input range - usually 10-16V (Alix, Fit-PC and the 5-port Cisco switches). Yes, we have to be careful with this, because when charging is happening the voltage will be up to 15V pushing into the batteries.
We use Exide Inva Tubular 150AH batteries. They now have a 5-year (and maybe now even 8-year) guarantee. They have been working well for the couple of years we have been using that brand.
We have various solar panel/charging systems of different generations at different places, depends on the history of the site!
-
Doing an install for real is always a good test :) With the "Office LAN" server and PCs sitting on the WAN side, there is an asymmetric routing situation. The PCs have pfSense as their default gateway (given by DHCP on pfSense WAN). They initiate sessions to places on the internet. Their packets are sent to pfSense, then back across WANnet to the ADSL router. But when the replies come back, the ADSL router delivers the packets directly to the PC concerned, since ADSL router and PC are on the same LAN. pfSense stateful firewall does not see the reverse flow of packets.
For small things, it works. But as soon as someone tries to send email with a decent-size attachment, the send hangs and times out.
I enabled NAT for the WAN subnet (10.49.120.0/24 in the screen shot). Now a PC on the WANnet sends a packet to the pfSense WAN IP (its default gateway). pfSense NATs it, changing the packet source address to WAN IP, and sends it to the ADSL router, which sends it to the internet. The reply comes back addressed to pfSense WAN IP, so the ADSL router delivers it there. pfSense "unNATs" it back to the original PC, which happens to be on the pfSense WANnet, and the packet is correctly delivered to the original PC.
This scheme makes all the traffic pass through the pfSense in both directions. Seems to work!
Edit: screenshot added
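The asymmetric-routing situation and the outbound-NAT fix described in the post above, modelled as an added example that is not part of the original post or of pfSense. The addresses are assumptions (WAN subnet 10.0.2.0/24 as in the first post, ADSL router at 10.0.2.1, pfSense WAN at 10.0.2.2, a WiFi PC at 10.0.2.50, an internet host at 203.0.113.10); the ADSL router's own NAT towards the ISP is left out because it does not change which on-link address the router delivers the reply to. The model shows why the stateful firewall only ever sees one direction without NAT, and why rewriting the source to the pfSense WAN address pulls the reply back through it.

```python
"""Model of the asymmetric routing problem and the NAT fix from the post.

Added example, not pfSense code. Addresses are constructed assumptions.
"""
import ipaddress

WAN_NET = ipaddress.ip_network("10.0.2.0/24")
ADSL_ROUTER = "10.0.2.1"      # the site's route towards the ISP
PFSENSE_WAN = "10.0.2.2"      # handed to WiFi clients as default gateway by DHCP
WIFI_PC = "10.0.2.50"         # a WiFi client sitting on the WAN subnet
INTERNET_HOST = "203.0.113.10"


def next_hop(dst, default_gw):
    """What a host on the WAN subnet hands a packet to: the destination itself when it
    is on-link, otherwise its default gateway."""
    return dst if ipaddress.ip_address(dst) in WAN_NET else default_gw


class PfSense:
    """Stateful firewall whose WAN interface shares a subnet with the clients."""

    def __init__(self, nat_wan_subnet):
        self.nat_wan_subnet = nat_wan_subnet   # the 'Outbound NAT for WAN subnet' rule
        self.state = {}       # (client, server) -> packets seen per direction
        self.nat_table = {}   # (PFSENSE_WAN, server) -> original client

    def forward_out(self, src, dst):
        """Client -> internet packet; returns the source address it leaves with."""
        entry = self.state.setdefault((src, dst), {"out": 0, "in": 0})
        entry["out"] += 1
        if self.nat_wan_subnet and ipaddress.ip_address(src) in WAN_NET:
            self.nat_table[(PFSENSE_WAN, dst)] = src
            return PFSENSE_WAN
        return src

    def forward_reply(self, src, dst):
        """Reply that reached the pfSense WAN address; un-NAT it and count it against the
        state. Returns the final destination, or None when no state matches (dropped)."""
        client = self.nat_table.get((dst, src), dst)
        entry = self.state.get((client, src))
        if entry is None:
            return None
        entry["in"] += 1
        return client

    def two_way_states(self):
        """States for which pfSense saw both directions, i.e. sessions it can track."""
        return sorted(k for k, v in self.state.items() if v["out"] and v["in"])


def run_session(pf):
    """One request and its reply between WIFI_PC and INTERNET_HOST. Returns the devices
    each packet passed through and whether pfSense saw the reply at all."""
    request_path = ["pc"]
    hop = next_hop(INTERNET_HOST, PFSENSE_WAN)           # PC's default gateway is pfSense
    request_path.append("pfsense" if hop == PFSENSE_WAN else "adsl_router")
    wire_src = pf.forward_out(WIFI_PC, INTERNET_HOST)    # address the request leaves with
    request_path += ["adsl_router", "internet"]

    reply_path = ["internet", "adsl_router"]
    hop = next_hop(wire_src, None)                       # router is on-link with both
    if hop == PFSENSE_WAN:
        reply_path.append("pfsense")
        final = pf.forward_reply(INTERNET_HOST, wire_src)
        reply_path.append("pc" if final == WIFI_PC else "dropped")
    else:
        reply_path.append("pc")                          # delivered directly, bypassing pfSense
    return {
        "request": request_path,
        "reply": reply_path,
        "pfsense_saw_reply": "pfsense" in reply_path,
    }


if __name__ == "__main__":
    for nat in (False, True):
        pf = PfSense(nat_wan_subnet=nat)
        print("NAT for WAN subnet:", nat, run_session(pf), pf.two_way_states())
```

Without the NAT rule the state table only ever holds the outbound half of each session, which is the condition the post describes; with it, every reply is addressed to the pfSense WAN address and the state becomes two-way.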
-
Hello,
I think sloppy states in firewall rules advanced option are used for that kind of setup.
I use sloppy states for redirecting web traffic to a transparent proxy on the same lan and it "works for me"
Have you tried that ?
Regards,
Stéphane
-
Here are some power consumption figures for anyone interested:
Alix 2D13 5.5W
TP-Link TD-W8901G ADSL WiFi+Router 5.9W
Fit-PC3 with AMD G-T56N CPU and 500GB disk:
Startup (5 seconds spinning up the disk): 20W
CPU running stuff (e.g. Windows Server Startup): 15.5W
Idling: 12.3W
Lenovo S10-3s Netbook:
On built-in display: 15.0W
On external display: 12.5W
(thus 10" built-in screen uses about 2.5W)
When I get the little Cisco 12V DC switches I will post power consumption for those also.
-
Real numbers are always interesting. :)
How are you measuring those power figures?
Steve
-
Those are measured with the devices on their AC power adapters. So it includes losses in the AC power adapter. I have a little German AC power measuring device which goes inline between the power outlet and the device:
Model KD-302 www.reichelt.de - http://www.reichelt.de/Energiemessgeraete/KD-302/3/index.html?;ACTION=3;LA=446;ARTICLE=88135;GROUPID=5664;artnr=KD+302;SID=10UI5Pr38AAAIAAB3sITw5cb7d0c9c3b801cc11b1a7b204477306 - the German/European plug is somewhat compatible with the Indian/South-Asian sockets we have.
When I can get some real DC measurements direct from battery, I will post those also.
-
I look forward to a comparison with the DC measurements. :)
Steve
-
Updated AC power consumption figures:
1. Cisco SF100D-05 5-port 100Mb mini ethernet switch:
   with 0 devices connected: 0.8W
   with 2 devices connected: 1.1W
2. Alix 2D13 5.5W
3. TP-Link TD-W8901G ADSL WiFi+Router 5.9W
4. Fit-PC3 with AMD G-T56N CPU and 500GB disk:
   Startup (5 seconds spinning up the disk): 20W
   CPU running stuff (e.g. Windows Server Startup): 15.5W
   Idling: 12.3W
5. Lenovo S10-3s Netbook:
   On built-in display: 15.0W
   On external display: 12.5W
   (thus 10" built-in screen uses about 2.5W)
Items 1, 2 and 4 take 12V DC direct, with a reasonable variation, so can be connected to a 12V solar/battery system.
I won't be at our test site to get real DC figures for a few weeks - will post again then.