Netgate Discussion Forum
    Hardware purchase advice please

      jimmybob

      Hi Steve,

      I'm used to DD-WRT. So I guess a lot of the settings are kept simple, since all ports on a 4-port router
      like the Asus N16 are done automatically.

      That is pretty much as simple as I wish to keep it.
      So I'd go..
      192.168.2.1
      192.168.3.1

      rather than
      192.168.1.2
      192.168.1.3
      ?

      Thing is… with any commercial router no matter which of the 4 ports I connect to.
      They are all given ips on the same like 192.168.1.*
      not 192.168.*.2

      So all my devices on my Asus with DD-WRT were like 192.168.1.101, 192.168.1.102 etc.

      @stephenw10:

      Hmm, a few problems there I think.  ;)

      @jimmybob:

      All I want to do is set up each LAN port like any other simple setup for a home network.

      Do you mean like a SOHO router with 4 LAN ports?

      @jimmybob:

      So… when I go to Opt1 ENABLE...then set to STATIC, leaving all else default then I come to Static IP address.
      Is this not the same as WAN which in my case is 192.168.1.2 ? for all LAN ports?
      Or do they have to be set like 192.168.1.2, 192.168.1.3 etc? which does not make sense.
      Actually subnet is showing as 192.168.1.0 so maybe that is right?

      The usual way this would be set up is that each interface is a separate subnet. So for example you could use:
      LAN is 192.168.1.1/24 (the default configuration)
      OPT1 is 192.168.2.1/24
      OPT2 is 192.168.3.1/24
      OPT3 is 192.168.4.1/24

      If your WAN interface is using a private IP, like 192.168.1.2 as you say above, then you would have to choose something else because the WAN interface must use a different subnet.

      @jimmybob:

      Then I go to Firewall.. set to..
      Pass.
      Opt2
      ANY
      Destination --> tick NOT then select "Any".
      Place a description and SAVE?

      If you want to allow traffic from devices connected to OPT2 out to the internet or to other interfaces you need a rule more like:
      Pass
      OPT2
      Protocol: any
      Source: any
      Destination: any

      This is a very permissive rule though.
      A rule that has destination 'NOT any' will never match traffic.  ;)

      @jimmybob:

      Then Services --> DHCP Server...
      Select Opt2.
      Port range same as LAN ? 192.168.1.10 - 192.168.1.245
      then SAVE?

      The IP range would be different because OPT2 is not the same subnet as LAN. So for the above example it could be 192.168.3.10 - 192.168.3.254
      That would leave 192.168.3.2 - 192.168.3.9 for any static IP assignments you wanted to use.

      Steve

        stephenw10 (Netgate Administrator)

        I thought you might say something like that.

        Most SOHO routers, such as the Asus N16, are in fact a two port router with a 4 port switch (5 if you count the internal one) on the same board.

        With your setup you have 5 completely independent interfaces which allows you much better control over different network segments. Each interface can have different firewall rules. This is a far more powerful configuration but is also more complex to set up.

        The problem is that if you are just substituting this for the N16 then you might have issues with devices not seeing each other.

        It is possible to set up the interfaces to behave exactly like they would on the N16 by bridging them together.
        http://doc.pfsense.org/index.php/Interface_Bridges
        Due to the fact that traffic still has to be moved between each interface in software this will not be as fast as a real switch. Probably not what you wanted to hear.  :-\

        Anyway I'm sure we can come to a configuration that meets your requirements. I think you said earlier that you wanted to remove as many devices as possible. What devices are you actually connecting?

        Steve

          jimmybob

          Hi Steve,

          Ok, so if I have different IPs hooked up to the LAN interfaces like.
          192.168.1.2
          192.168.2.2

          Etc (reason I'm using ..*.2 is because the dd wrt I would connect purely for wireless needs.
          And that uses 192.168.1.1. I probably should change this to 192.168.6.2

          So what you're saying is anything on 192.168.1.2 won't be able to communicate with anything on 192.168.2.2?
          And so on without bridging them?

          In the house the following is what is connected.

          2 full size pcs.
          Netgear NAS
          2 networked laser printers.
          The 3 below are networked via home plugs…
          1 plasma tv
          1 Mini ITX home theatre pc.
          Ps3

          Wifi.
          Nintendo 3ds
          2 laptops
          iPad

            jimmybob

            So what I think I'm going to do is…

            Set up pfsense so it reflects...

            192.168.2.1 wan (main)
            Then do the rest 192.168.3.1 etc

            Leave the dd wrt 192.168.1.1

            Sounds good thus far?

              stephenw10 (Netgate Administrator)

              @jimmybob:

              So what you're saying is anything on 192.168.1.2 won't be able to communicate with anything on 192.168.2.2?
              And so on without bridging them?

              In general they will be able to communicate, as long as you have allowed it with firewall rules. Just as your desktop PC can talk to a random web server in a completely different IP range, pfSense will route the traffic between its different interfaces.
              However some software will not work across subnets, specifically often media server/client programs. Things that use DLNA or equivalent protocols to automatically find servers often only look locally. Some clients do not even allow for manual entry of the server address (a massive oversight IMHO!). It is possible to extend the reach of some of these using the IGMP proxy between two interfaces but this is a bit hit-and-miss. If you're not using this feature you may not have any trouble.

              @jimmybob:

              192.168.2.1 wan (main)
              Then do the rest 192.168.3.1 etc

              Do you mean WAN here? What is your WAN connection? The fact that it's a private address implies you have some upstream router.

              Steve

                jimmybob

                @stephenw10:

                @jimmybob:

                So what you're saying is anything on 192.168.1.2 won't be able to communicate with anything on 192.168.2.2?
                And so on without bridging them?

                In general they will be able to communicate, as long as you have allowed it with firewall rules. Just as your desktop PC can talk to a random web server in a completely different IP range, pfSense will route the traffic between its different interfaces.
                However some software will not work across subnets, specifically often media server/client programs. Things that use DLNA or equivalent protocols to automatically find servers often only look locally. Some clients do not even allow for manual entry of the server address (a massive oversight IMHO!). It is possible to extend the reach of some of these using the IGMP proxy between two interfaces but this is a bit hit-and-miss. If you're not using this feature you may not have any trouble.

                @jimmybob:

                192.168.2.1 wan (main)
                Then do the rest 192.168.3.1 etc

                Do you mean WAN here? What is your WAN connection? The fact that it's a private address implies you have some upstream router.

                Steve

                At the moment I have WAN: 192.168.1.0 (from what I can see)
                LAN1: 192.168.1.1
                LAN2: 192.168.2.1
                LAN3: 192.168.3.1
                LAN4: 192.168.4.1

                I've added the same firewall rule that pfsense automatically added to LAN1 and copied to all other LANs after I enabled them.
                I've also in DHCP Server,
                LAN1: 192.168.1.10 - 192.168.1.245
                LAN2: 192.168.2.10 - 192.168.2.245
                LAN3: 192.168.3.10 - 192.168.3.245
                LAN4: 192.168.4.10 - 192.168.4.245

                And changed nothing else. Which is the same as what was already set for LAN1 from what I can see.

                I can access the internet from all 4 LAN ports now.

                But as you'd said… If I use a switch and hook everything up I'm having success with them all seeing each other at the moment.
                But when I connected the NAS drive to another LAN port, i.e. LAN2 on pfsense, the NAS drive was not accessible from Windows
                even after rebooting the NAS.

                So Windows was 192.168.1.1 range and NAS was 192.168.2.1 range.

                How is this fixable?

                  stephenw10 (Netgate Administrator)

                  If you have firewall rules on each interface that are the same as the default LAN rule then you should be able to access anything from any interface. From a client on LAN1 you could access the NAS box on LAN2 directly by entering its IP address. You can also access it by name if you have the right options selected in DNS Forwarder, depending on whether the NAS has a static lease.

                  When you say you are not 'seeing' the NAS drive what do you mean? It doesn't magically appear in Windows Explorer?

                  You can always bridge those two interfaces such that they will share a single subnet.

                  Steve

                    jimmybob

                    @stephenw10:

                    If you have firewall rules on each interface that are the same as the default LAN rule then you should be able to access anything from any interface. From a client on LAN1 you could access the NAS box on LAN2 directly by entering its IP address. You can also access it by name if you have the right options selected in DNS Forwarder, depending on whether the NAS has a static lease.

                    When you say you are not 'seeing' the NAS drive what do you mean? It doesn't magically appear in Windows Explorer?

                    You can always bridge those two interfaces such that they will share a single subnet.

                    Steve

                    Hi Steve,

                    thanks for your reply :)

                    Yes, before it was listed as a networked drive as nas-0A-70-F1: ReadyNAS Duo, and I was able to locate it under "network".
                    I'm liking the new way of doing things thus far. I actually think it's much better than the commercial routers.
                    I even got OpenVPN working with HideMyAss.. and the results were great with speeds.
                    I just now need to figure IPVanish's settings.

                    As for the nas-0A-70-F1: ReadyNAS Duo not showing.
                    It would be great to know how to bridge them so I can do that as that is probably the one thing I'd want to change at the moment.

                    thanks

                      stephenw10 (Netgate Administrator)

                      Ah that's good.

                      Ok, well you could just bridge two interfaces and that would solve the problem.
                      Alternatively there will be a way to make the NAS box show up in Windows. I have always been a little vague here, not my area of expertise, but you could just add it as a server in Windows. That would probably allow it to show every time. If you had a domain controller you could probably add it there also. There are probably a load of other ways of doing this I'm unaware of!  ::)

                      In my opinion you should try that first because just bridging the NICs restricts your ability to filter traffic to some extent. Of course you weren't filtering at all before so that may not be a concern.  ;)

                      The configuration you want to end up with would be something like:

                      WAN - em0
                      LAN1 - bridge0
                      LAN2 - em3
                      LAN3 - em4

                      In which bridge0 contains em1 and em2. Now before you try this I should point out that it can easily get confusing and it's easy to accidentally lock yourself out of the system. I did once write a guide to do this, here. Your case is easier because you are not adding all the interfaces to the bridge. Let me know if that's sufficient.

                      Steve

                        jimmybob

                        Brilliant I will give this a go :)

                        @stephenw10:

                        Ah that's good.

                        Ok, well you could just bridge two interfaces and that would solve the problem.
                        Alternatively there will be a way to make the NAS box show up in Windows. I have always been a little vague here, not my area of expertise, but you could just add it as a server in Windows. That would probably allow it to show every time. If you had a domain controller you could probably add it there also. There are probably a load of other ways of doing this I'm unaware of!  ::)

                        In my opinion you should try that first because just bridging the NICs restricts your ability to filter traffic to some extent. Of course you weren't filtering at all before so that may not be a concern.  ;)

                        The configuration you want to end up with would be something like:

                        WAN - em0
                        LAN1 - bridge0
                        LAN2 - em3
                        LAN3 - em4

                        In which bridge0 contains em1 and em2. Now before you try this I should point out that it can easily get confusing and it's easy to accidentally lock yourself out of the system. I did once write a guide to do this, here. Your case is easier because you are not adding all the interfaces to the bridge. Let me know if that's sufficient.

                        Steve

                          jimmybob

                          Steve are you able to help with this….

                          OK so usually I give all my devices a fixed network IP by binding the device mac to an IP on the range.

                          So I have one device hooked up to LAN3 which has IP 192.168.3.1

                          OK... so I go to DHCP Server then select LAN3 then I go to the bottom to DHCP Static Mappings for this interface.
                          I add the mac and give it an ip of 192.168.3.10
                          I have the pool set to 192.168.3.10  -  192.168.3.245

                          I've tried different IPs that I know are not in use within the above range also, but I get the following error:

                          The following input errors were detected:
                          The IP address must not be within the DHCP range for this interface.

                          It will, however, allow me to add IPs from 1-9, 192.168.1.2 etc.
                          But that's not within the pool

                          Is this some kind of bug?

                            tim.mcmanus

                            Not seeing the NAS may be due to a NetBIOS issue. More specifically, NetBIOS won't cross subnets unless there is a device on all four subnets to manage it across those subnets. This is similar to the situation you'd run into if you were also using mDNS.

                              stephenw10 (Netgate Administrator)

                              @jimmybob:

                              I've tried different IPs that I know are not in use within the above range also, but I get the following error:

                              The following input errors were detected:
                              The IP address must not be within the DHCP range for this interface.

                              I have fallen foul of this several times. Each time it was because I consistently misread the error message.
                              The static leases you assign must NOT be within the DHCP lease pool. No idea why but I seem to skip over the word 'not' every time.  ::)
                              So for your interface you have a lease pool of 192.168.3.10-245. When you try to assign a static mapping to 192.168.3.10 it won't allow it. You could use 192.168.3.9 for example, or anything in the ranges 192.168.3.2-9 or 192.168.3.246-254.

                              Steve

                                stephenw10 (Netgate Administrator)

                                This post describes a possible solution to this without bridging:
                                http://forum.pfsense.org/index.php/topic,60400.msg326309.html#msg326309

                                Steve

                                  jimmybob

                                  @stephenw10:

                                  @jimmybob:

                                  I've tried different IPs that I know are not in use within the above range also, but I get the following error:

                                  The following input errors were detected:
                                  The IP address must not be within the DHCP range for this interface.

                                  I have fallen foul of this several times. Each time it was because I consistently misread the error message.
                                  The static leases you assign must NOT be within the DHCP lease pool. No idea why but I seem to skip over the word 'not' every time.  ::)
                                  So for your interface you have a lease pool of 192.168.3.10-245. When you try to assign a static mapping to 192.168.3.10 it won't allow it. You could use 192.168.3.9 for example, or anything in the ranges 192.168.3.2-9 or 192.168.3.246-254.

                                  Steve

                                  Thanks steve,
                                  strange way of doing it.
                                  I guess I would not be able to use 192.168.1.1 since this is used by the router and surely would cause issues, right?

                                  Also, not sure if you can advise me with this.. was hoping so… I want to use OpenVPN but have it so it only works on specified LAN adapters rather than all.
                                  Is there a way I can do this?

                                    wallabybob

                                    @jimmybob:

                                    Is this some kind of bug?

                                    No. That is the intended behaviour. DHCP static address assignments must be outside the pool of "dynamic" address assignments.

                                    Consider this a measure to help reduce the likelihood of duplicate address assignments. If you add a new static assignment within the pool there is no easy way to tell if DHCP is about to assign the same address to a system requesting DHCP configuration.

                                      stephenw10 (Netgate Administrator)

                                      @jimmybob:

                                      I guess I would not be able to use 192.168.1.1 since this is used by the router and surely would cause issues, right?

                                      Right. You can't use the interface address.

                                      @jimmybob:

                                      Also, not sure if you can advise me with this.. was hoping so… I want to use OpenVPN but have it so it only works on specified LAN adapters rather than all.
                                      Is there a way I can do this?

                                      Yes. You can put in firewall rules to catch traffic from your selected clients and set the gateway they use as the OpenVPN gateway. You may want to set up a failover group such that they can still connect in the event the VPN goes down.

                                      Steve

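The address-plan rules the thread arrives at (each interface on its own subnet, a private WAN address included; a DHCP pool inside its interface's subnet; static mappings outside the pool and never the interface address, as wallabybob and Steve explain above) can be checked before touching the box. The following is an added example, not code from the thread or from pfSense; it uses only Python's standard `ipaddress` module, and every interface name, address and MAC in it is constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    """One pfSense interface: its address in CIDR form, an optional DHCP pool
    and any DHCP static mappings (MAC -> IP) configured on that interface."""
    name: str
    address: str                               # e.g. "192.168.3.1/24"
    pool: Optional[Tuple[str, str]] = None     # DHCP range as (first, last)
    static: Dict[str, str] = field(default_factory=dict)


def validate_plan(interfaces: List[Interface]) -> List[str]:
    """Return every problem found; an empty list means the plan is consistent."""
    problems: List[str] = []
    parsed = [(itf, ipaddress.ip_interface(itf.address)) for itf in interfaces]

    # 1. No two interfaces may share or overlap a subnet.  This is exactly what
    #    bites when WAN gets a private address such as 192.168.1.2 from an
    #    upstream router while LAN keeps the default 192.168.1.1/24.
    for i, (a, a_if) in enumerate(parsed):
        for b, b_if in parsed[i + 1:]:
            if a_if.network.overlaps(b_if.network):
                problems.append(f"{a.name} ({a_if.network}) overlaps {b.name} ({b_if.network})")

    for itf, iface in parsed:
        net = iface.network
        if itf.pool is None:
            continue
        lo, hi = (ipaddress.ip_address(x) for x in itf.pool)
        # 2. The pool must lie inside the interface subnet, low end first.
        if lo not in net or hi not in net or lo > hi:
            problems.append(f"{itf.name}: DHCP pool {lo}-{hi} is not inside {net}")
            continue
        if lo <= iface.ip <= hi:
            problems.append(f"{itf.name}: interface address {iface.ip} lies inside the pool")
        # 3. Static mappings: inside the subnet, not the interface address,
        #    outside the pool (the GUI rejects that one), and not duplicated.
        seen: Dict[str, str] = {}
        for mac, ip_str in itf.static.items():
            ip = ipaddress.ip_address(ip_str)
            if ip not in net:
                problems.append(f"{itf.name}: static mapping {mac} -> {ip} is outside {net}")
            elif ip == iface.ip:
                problems.append(f"{itf.name}: static mapping {mac} -> {ip} reuses the interface address")
            elif lo <= ip <= hi:
                problems.append(f"{itf.name}: static mapping {mac} -> {ip} is inside the DHCP pool {lo}-{hi}")
            if ip_str in seen:
                problems.append(f"{itf.name}: {ip} assigned to both {seen[ip_str]} and {mac}")
            seen[ip_str] = mac
    return problems


# Constructed sample: the layout the thread starts from.  WAN holds a private
# address on 192.168.1.0/24, LAN1 keeps the default 192.168.1.1/24, and the
# static mapping on LAN3 lands on the first address of its own pool.
BROKEN_PLAN = [
    Interface("WAN", "192.168.1.2/24"),
    Interface("LAN1", "192.168.1.1/24", ("192.168.1.10", "192.168.1.245")),
    Interface("LAN3", "192.168.3.1/24", ("192.168.3.10", "192.168.3.245"),
              {"00:11:22:33:44:55": "192.168.3.10"}),
]

# Constructed sample after applying the thread's advice: LAN1 moved off the
# WAN subnet and the static mapping moved just below the pool.
FIXED_PLAN = [
    Interface("WAN", "192.168.1.2/24"),
    Interface("LAN1", "192.168.2.1/24", ("192.168.2.10", "192.168.2.245")),
    Interface("LAN3", "192.168.3.1/24", ("192.168.3.10", "192.168.3.245"),
              {"00:11:22:33:44:55": "192.168.3.9"}),
]

if __name__ == "__main__":
    for label, plan in (("broken", BROKEN_PLAN), ("fixed", FIXED_PLAN)):
        print(f"{label}: {validate_plan(plan) or ['OK']}")
```

The overlap check is the one worth keeping around: a private WAN address is common behind an ISP router, and the GUI will happily accept a LAN subnet that collides with it, after which routing between WAN and LAN silently misbehaves.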
                                        jimmybob

                                        @stephenw10:

                                        @jimmybob:

                                        I guess I would not be able to use 192.168.1.1 since this is used by the router and surely would cause issues, right?

                                        Right. You can't use the interface address.

                                        @jimmybob:

                                        Also, not sure if you can advise me with this.. was hoping so… I want to use OpenVPN but have it so it only works on specified LAN adapters rather than all.
                                        Is there a way I can do this?

                                        Yes. You can put in firewall rules to catch traffic from your selected clients and set the gateway they use as the OpenVPN gateway. You may want to set up a failover group such that they can still connect in the event the VPN goes down.

                                        Steve

                                        Thanks.. I'm trying to get IPVanish working now…
                                        I'm reading this... http://swimminginthought.com/pfsense-routing-traffic-strongvpn-openvpn/
                                        The part that I find a little concerning is the part at #14 where it says...

                                        Now go to the WAN Tab and create the same rule. (Weird, while it doesn't make sense, if this rule is missing, it didn't work for me.)

                                        Does it mean, add a new rule and do..
                                        Action: pass
                                        Interface: WAN
                                        Protocol: any
                                        Then I need to set the gateway to the VPN Gateway.

                                        But adding such rule at the WAN is ok?

                                          stephenw10 (Netgate Administrator)

                                          Hmm, that guide seems too vague for my liking in some areas. You shouldn't have to add that rule to WAN, why is it there? Also the guide says to add an allow any to any from any to the VPN interface but here the VPN interface is acting as your WAN so you have allowed any traffic including any random incoming stuff.  :-
                                          I would look at some other guides if I was you. There are a few here on the forum.

                                          Steve

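Three points Steve makes in this thread are about how interface rules are matched: a rule with "Destination: NOT any" can never match anything, policy routing works by putting a gateway (or a failover gateway group) on the rule that catches the chosen clients, and a pass-any rule on an interface that faces the outside, as the guide above suggests for the VPN interface, also admits unsolicited inbound traffic. The following is an added example, not code from the thread or from pfSense/pf: a small first-match model of per-interface rules (top to bottom, first match wins, anything unmatched is dropped) that ignores NAT and state tracking. Interface names, gateway names and addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    """One rule on an interface tab.  `dst_not` is the GUI's 'NOT' tick box on
    Destination; `gateway` is the per-rule gateway used for policy routing
    (None means the default route)."""
    iface: str
    action: str = "pass"          # "pass" or "block"
    proto: str = "any"            # "any", "tcp", "udp", ...
    src: str = "any"
    dst: str = "any"
    dst_not: bool = False
    gateway: Optional[str] = None


def _net(spec: str):
    return ANY if spec == "any" else ipaddress.ip_network(spec, strict=False)


def _dst_matches(rule: Rule, dst: str) -> bool:
    hit = ipaddress.ip_address(dst) in _net(rule.dst)
    # 'NOT any' inverts a match that is always true, so it is always false.
    return (not hit) if rule.dst_not else hit


def evaluate(rules: List[Rule], iface: str, proto: str, src: str, dst: str) -> Tuple[str, Optional[str]]:
    """First-match verdict (action, gateway) for a packet entering `iface`;
    unmatched traffic falls through to the implicit default deny."""
    for r in rules:
        if r.iface != iface:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if ipaddress.ip_address(src) not in _net(r.src):
            continue
        if not _dst_matches(r, dst):
            continue
        return r.action, r.gateway
    return "block", None


# Constructed gateway group: prefer the VPN, fall back to WAN when it is down.
GATEWAY_GROUPS: Dict[str, List[str]] = {"VPN_FAILOVER": ["OVPN_GW", "WAN_GW"]}


def resolve_gateway(gateway: Optional[str], down: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Turn a rule's gateway field into the gateway actually used: the default
    route, a single gateway, or the first live member of a failover group."""
    if gateway is None:
        return "DEFAULT"
    for member in GATEWAY_GROUPS.get(gateway, [gateway]):
        if member not in down:
            return member
    return None   # every member is down: nothing left to route via


# Constructed rule sets mirroring the thread.
NOT_ANY_RULE = [Rule("OPT2", dst="any", dst_not=True)]   # "Destination: NOT any"
ALLOW_ANY_RULE = [Rule("OPT2")]                           # pass any/any/any on OPT2
POLICY_RULES = [
    Rule("LAN2", gateway="VPN_FAILOVER"),   # only LAN2 clients leave via the VPN
    Rule("LAN3"),                           # LAN3 keeps the default route
]
VPN_OPEN_RULE = [Rule("OVPN")]   # the guide's pass-any on the VPN interface

if __name__ == "__main__":
    print("NOT any  :", evaluate(NOT_ANY_RULE, "OPT2", "tcp", "192.168.3.20", "198.51.100.10"))
    print("pass any :", evaluate(ALLOW_ANY_RULE, "OPT2", "tcp", "192.168.3.20", "198.51.100.10"))
    verdict, gw = evaluate(POLICY_RULES, "LAN2", "udp", "192.168.2.20", "198.51.100.10")
    print("LAN2 via :", resolve_gateway(gw), "| VPN down ->", resolve_gateway(gw, frozenset({"OVPN_GW"})))
    print("inbound on OVPN with pass-any:", evaluate(VPN_OPEN_RULE, "OVPN", "tcp", "203.0.113.7", "192.168.2.20"))
    print("inbound on OVPN with no rule :", evaluate([], "OVPN", "tcp", "203.0.113.7", "192.168.2.20"))
```

The last two lines are the point of Steve's objection: with no rule on the VPN interface an unsolicited connection from the outside is dropped by the implicit deny, while the guide's pass-any rule lets it reach a LAN host. Selecting which clients use the VPN belongs on the LAN-side rule's gateway field, not on the VPN interface tab.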
                                            jimmybob

                                            @stephenw10:

                                            Hmm, that guide seems too vague for my liking in some areas. You shouldn't have to add that rule to WAN, why is it there? Also the guide says to add an allow any to any from any to the VPN interface but here the VPN interface is acting as your WAN so you have allowed any traffic including any random incoming stuff.  :-
                                            I would look at some other guides if I was you. There are a few here on the forum.

                                            Steve

                                            Thanks steve, that's what I was thinking too.
                                            It did not make much sense to me.
                                            I was able to get HideMyAss working without a WAN rule.
                                            But IPVanish is just having none of it :(

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.