Netgate Discussion Forum

    Network Layout & Routing Help… please :)

    Problems Installing or Upgrading pfSense Software
    16 Posts 3 Posters 4.4k Views
    Nucleus

      I understand what you're saying, but I don't have a box that I can keep on 24/7 without having to reboot every now and then. So until I do I'll just keep DDWRT running along, but the idea is to have only pfSense at some point which is why I want to start migrating over.

      Can you tell me how I should setup the link between pfSense and DDWRT - should I configure it as a WAN or basic VLAN?
      Thanks for the help, kejianshi!

    kejianshi

        Interesting - I've not had to use my WAN/LAN as a single port yet. I've always had a dedicated WAN and on the LAN configured multiple VLANs.
        Your managed switch will need some VLAN tagging done. You will need to tag the port coming from the DD-WRT to the switch to include a VLAN group. Let's arbitrarily call that 10, so that port will need a PVID 10 and include tagged VLAN 10. So 10 will go to "WAN". Now, you will need a LAN, so we can call that 20. All the ports connected to things other than pfSense and DD-WRT will need to include tagged VLAN 20 and get PVID 20. The port between pfSense and the switch, I'd call it a trunk and make it include tagged VLAN 10 and 20. I'd call all the other ports except the one connected to pfSense "access". Terminology varies from switch to switch.

        In pfsense you will need to add a VLAN 10 and make it your gateway and a VLAN 20 and make it your LAN.

        They will both use the same MAC/Interface.

        That should get you headed in the right direction.

        If you say what switch you are using, someone can probably tell you exactly what buttons to push.

        People do what you are trying to do all the time but instead of connecting to DD-WRT, they connect to modem directly, so treating the connection to DD-WRT as if it were a modem, like 10,000 people can tell you how this is done.

        Everything connected to pfsense and riding those vlans will be double NATed, so your system isn't ideal but will work.

          Nucleus
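The switch layout described in the post above, as an added example that is not part of the original thread and is not pfSense or DD-WRT code: a small 802.1Q port model in Python with the DD-WRT port on VLAN 10, the PC ports on VLAN 20, and the pfSense port as a trunk carrying both with tags. Port names, the choice of VLAN 1 as the trunk's PVID, and the membership rules (untagged ingress is classified to the PVID; tagged ingress is accepted only for VLANs the port is a tagged member of) are assumptions that match common managed-switch behaviour, not any particular vendor's. The DD-WRT and PC ports are modelled as untagged members of their PVID so that endpoints which are not VLAN-aware receive plain frames; on switches that separate "tagged" and "untagged" membership, that is the "access" setting the post refers to. The last case in the demo is the check a practitioner wants: a host on a VLAN 20 access port that sends a frame already tagged for VLAN 10 is dropped rather than forwarded to the WAN side.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

WAN_VLAN = 10   # VLAN between DD-WRT and pfSense ("WAN" side)
LAN_VLAN = 20   # VLAN for the hosts behind pfSense ("LAN" side)


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int                           # VLAN assigned to untagged ingress frames
    tagged: frozenset = frozenset()     # VLANs sent out of this port with an 802.1Q tag
    untagged: frozenset = frozenset()   # VLANs sent out of this port with the tag stripped


class Switch:
    """Minimal 802.1Q forwarding model (assumed behaviour, no vendor specifics)."""

    def __init__(self, ports: Iterable[Port]):
        self.ports: Dict[str, Port] = {p.name: p for p in ports}

    def classify(self, in_port: str, vid: Optional[int]) -> Optional[int]:
        """VLAN a frame belongs to after ingress, or None if the switch drops it."""
        p = self.ports[in_port]
        if vid is None:
            return p.pvid                     # untagged on the wire -> PVID
        # A tagged frame is only accepted for VLANs this port is a tagged member of.
        # This is what stops a host on an access port from injecting frames into
        # another VLAN by tagging them itself.
        return vid if vid in p.tagged else None

    def forward(self, in_port: str, vid: Optional[int]) -> Dict[str, Tuple[str, int]]:
        """Map of egress port -> ("tagged"|"untagged", vlan) for one ingress frame."""
        v = self.classify(in_port, vid)
        if v is None:
            return {}
        out: Dict[str, Tuple[str, int]] = {}
        for name, p in self.ports.items():
            if name == in_port:
                continue
            if v in p.tagged:
                out[name] = ("tagged", v)
            elif v in p.untagged:
                out[name] = ("untagged", v)
            # ports that are members of neither never see the frame
        return out


def build_switch() -> Switch:
    """The layout from the post: DD-WRT on VLAN 10, PCs on VLAN 20, pfSense trunk."""
    return Switch([
        Port("ddwrt", pvid=WAN_VLAN, untagged=frozenset({WAN_VLAN})),
        Port("pfsense", pvid=1, tagged=frozenset({WAN_VLAN, LAN_VLAN})),   # trunk
        Port("pc1", pvid=LAN_VLAN, untagged=frozenset({LAN_VLAN})),        # access
        Port("pc2", pvid=LAN_VLAN, untagged=frozenset({LAN_VLAN})),        # access
    ])


if __name__ == "__main__":
    sw = build_switch()
    cases = [("pc1", None), ("ddwrt", None), ("pfsense", WAN_VLAN),
             ("pfsense", LAN_VLAN), ("pc1", WAN_VLAN)]
    for src, vid in cases:
        label = "untagged" if vid is None else f"tagged {vid}"
        print(f"{src:8} {label:12} -> {sw.forward(src, vid)}")
```

Running it shows the two VLANs never meet inside the switch: an untagged frame from pc1 reaches pc2 untagged and pfSense tagged 20, the frame from the DD-WRT port reaches only pfSense tagged 10, and the forged tagged-10 frame from pc1 is dropped. Whether VLAN 10 and VLAN 20 can talk at all is then decided by the firewall rules on pfSense, which is the point of putting it on the trunk.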

          @kejianshi:

          Everything connected to pfsense and riding those vlans will be double NATed, so your system isn't ideal.

          That is what I wanted to avoid if I could, but wasn't sure if it was possible? What about turning NAT off in pfsense and setting up a static route in DD-WRT? Would that work to eliminate the double NAT issue?

            kejianshi

            In that case, what is the role of pfsense in your configuration?  Useless dongle/additional point of failure/latency increaser?
            What is it you want pfsense to accomplish for you?

              Nucleus

              At this point I wanted more granular control of VLANs via a GUI. Like I said though I will be migrating over to just pfSense over time.

                kejianshi

                If you just want granular control of VLANs via GUI, you can do that with just a VLAN switch. Most have GUIs and will allow VLAN segregation, VLAN tagging etc. You can even set up VLANs segregated out inside of DD-WRT.

                  Nucleus

                  The level of switch that I'm buying won't give me the ability to block/allow access to/from VLANs down to the node IP & port. I want to move my VLANs away from DD-WRT and phase it out.

                    kejianshi

                    Then you need to move directly to pfSense. What's the issue with your pfSense hardware again?

                      stephenw10 Netgate Administrator

                      Whilst I agree with kejianshi that moving to pfSense as your primary router would be a better solution, I can understand your reasons for keeping DD-WRT. Moving from one working setup to something different is always best accomplished one step at a time. There have been countless threads here where people have replaced a complex configuration on some other firewall with pfSense all in one go and then struggled for hours troubleshooting.

                      It's possible to use pfSense just to route/firewall between your VLANs without NAT. You'll need to add some static routes to dd-wrt so it knows where to send traffic. As I said above though, one step at a time! Set it up as double NAT to start off with and take it from there.

                      In pfSense there are really only two types of interface: those with a gateway defined and those without. Since pfSense needs at least one gateway, the first interface you assign will have one and is labelled 'WAN'. The second interface, by default, will be the internal interface and is labelled 'LAN'. Those are just labels though. Subsequent interfaces are defined as internal (LAN type) or external (WAN type) only by whether or not they have a gateway, and can be labelled anything you like. The only interface that has any special properties is the 'LAN', which has firewall rules allowing outbound traffic by default. All other interfaces must be given appropriate rules to allow traffic. I hope that didn't come across too confusing!  ;)

                      Steve

                      Edit: typo

                        Nucleus

                        @stephenw10:

                        It's possible to use pfSense just to route/firewall between your VLANs without NAT. You'll need to add some static routes to dd-wrt so it knows where to send traffic.

                        Thanks, Steve.
                        Would I need to setup a static route for each VLAN (subnet) routed by pfSense or just (1) for the VLAN between pfSense and the router?

                          stephenw10 Netgate Administrator

                          You would need one for each subnet behind pfSense.
                          Get it working with double NAT first then experiment.  ;)

                          Steve

                            Nucleus
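Why DD-WRT needs one static route per subnet behind pfSense once NAT is turned off there, and why a route for the transit VLAN alone does not help, as an added worked example (not from the thread, not pfSense or DD-WRT code): a longest-prefix-match routing table for DD-WRT in Python. Every address is an assumption for illustration: VLAN 10 is 192.168.10.0/24 with DD-WRT at .1 and pfSense at .2, DD-WRT's own LAN is 192.168.1.0/24, pfSense has 192.168.20.0/24 and 192.168.30.0/24 behind it (two subnets, to show the per-subnet point), and the ISP gateway is the documentation address 203.0.113.1. The `ip route add` lines it prints are standard iproute2 syntax, assumed to be what goes into DD-WRT's startup script or its static-routes page.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed addressing (assumptions, not from the thread).
TRANSIT_NET = "192.168.10.0/24"        # VLAN 10 between DD-WRT and pfSense
DDWRT_TRANSIT_IP = "192.168.10.1"
PFSENSE_TRANSIT_IP = "192.168.10.2"
DDWRT_LAN = "192.168.1.0/24"
ISP_GATEWAY = "203.0.113.1"
PFSENSE_SUBNETS = ["192.168.20.0/24", "192.168.30.0/24"]   # VLAN 20, VLAN 30 behind pfSense


class RoutingTable:
    """Longest-prefix-match table: (network, next hop or None if connected, interface)."""

    def __init__(self) -> None:
        self.routes: List[Tuple[ipaddress.IPv4Network, Optional[str], str]] = []

    def add(self, net: str, via: Optional[str], iface: str) -> None:
        self.routes.append((ipaddress.ip_network(net), via, iface))

    def lookup(self, dst: str) -> Tuple[str, Optional[str]]:
        """Return (interface, next_hop) for dst; the most specific prefix wins."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, via, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via, iface)
        if best is None:
            raise LookupError(f"no route to {dst}")
        return best[2], best[1]


def ddwrt_table(with_static_routes: bool) -> RoutingTable:
    """DD-WRT's table before/after adding one static route per pfSense subnet."""
    t = RoutingTable()
    t.add("0.0.0.0/0", ISP_GATEWAY, "wan")    # everything unknown goes to the ISP
    t.add(DDWRT_LAN, None, "br0")             # DD-WRT's own LAN, connected
    t.add(TRANSIT_NET, None, "vlan10")        # transit VLAN, connected (always present)
    if with_static_routes:
        for net in PFSENSE_SUBNETS:
            t.add(net, PFSENSE_TRANSIT_IP, "vlan10")
    return t


def source_seen_by_ddwrt(client_ip: str, pfsense_nat: bool) -> str:
    """With NAT on, pfSense rewrites the client's source to its own VLAN 10 address."""
    return PFSENSE_TRANSIT_IP if pfsense_nat else client_ip


def reply_exit(table: RoutingTable, src_seen: str) -> Tuple[str, Optional[str]]:
    """Where DD-WRT forwards the return traffic for a flow whose source it saw as src_seen."""
    return table.lookup(src_seen)


def ddwrt_route_commands() -> List[str]:
    """iproute2 lines for DD-WRT, one per subnet behind pfSense (assumed syntax)."""
    return [f"ip route add {net} via {PFSENSE_TRANSIT_IP}" for net in PFSENSE_SUBNETS]


if __name__ == "__main__":
    client = "192.168.20.5"
    print("double NAT, no routes   :", reply_exit(ddwrt_table(False), source_seen_by_ddwrt(client, True)))
    print("NAT off, no routes      :", reply_exit(ddwrt_table(False), source_seen_by_ddwrt(client, False)))
    print("NAT off, static routes  :", reply_exit(ddwrt_table(True), source_seen_by_ddwrt(client, False)))
    print("\n".join(ddwrt_route_commands()))
```

With double NAT the return packet is addressed to pfSense's VLAN 10 address, which is on a connected network, so DD-WRT needs nothing extra. With NAT off and no routes, the reply for 192.168.20.5 matches only the default route and leaves out the WAN interface, which is the "traffic goes nowhere" failure; adding a /24 for each subnet behind pfSense pointing at 192.168.10.2 fixes it, and the transit VLAN itself needs no route because it is already connected. A practical caveat: once pfSense stops NATing, its outbound NAT has to be set to disabled (or manual with no matching rule) for those subnets, and DD-WRT's firewall now sees the real inner addresses rather than a single pfSense address, so any rules there keyed on the source should be revisited.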

                            Thanks, Steve!

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.