Network Layout & Routing Help… please :)
-
Everything connected to pfsense and riding those vlans will be double NATed, so your system isn't ideal.
That is what I wanted to avoid if I could, but wasn't sure if it was possible? What about turning NAT off in pfsense and setting up a static route in DD-WRT? Would that work to eliminate the double NAT issue?
-
In that case, what is the role of pfsense in your configuration? Useless dongle/additional point of failure/latency increaser?
What is it you want pfsense to accomplish for you?
-
At this point I wanted more granular control of VLANs via a GUI. Like I said though I will be migrating over to just pfSense over time.
-
If you just want granular control via VLANs via GUI, you can do that with just a VLAN switch. Most have GUIs and will allow VLAN segregation, VLAN tagging etc. You can even set up VLANs segregated out inside of DD-WRT.
-
The level of switch that I'm buying won't give me the ability to block/allow access to/from VLANs down to the node IP & port. I want to move my VLANs away from DD-WRT and phase it out.
-
Then you need to move directly to pfsense. What's the issue with your pfsense hardware again?
-
Whilst I agree with Kejianshi that moving to pfSense as your primary router would be a better solution, I can understand your reasons for keeping DD-WRT. Moving from one working setup to something different is always best accomplished one step at a time. There have been countless threads here where people have replaced a complex configuration on some other firewall with pfSense all in one go and then struggled for hours troubleshooting.
It's possible to use pfSense just to route/firewall between your VLANs without NAT. You'll need to add some static routes to dd-wrt so it knows where to send traffic. As I said above though, one step at a time! Set it up as double NAT to start off with and take it from there.
In pfSense there are really only two types of interface: those with a gateway defined and those without. Since pfSense needs at least one gateway, the first interface you assign will have one and is labelled 'WAN'. The second interface, by default, will be the internal interface and is labelled 'LAN'. Those are just labels though. Subsequent interfaces are defined as internal (Lan type) or external (Wan type) only by whether or not they have a gateway, and can be labelled anything you like. The only interface that has any special properties is the 'LAN', which has firewall rules allowing outbound traffic by default. All other interfaces must be given appropriate rules to allow traffic. I hope that didn't come across too confusing! ;)
Steve
Edit: typo
-
It's possible to use pfSense just to route/firewall between your VLANs without NAT. You'll need to add some static routes to dd-wrt so it knows where to send traffic.
Thanks, Steve.
Would I need to setup a static route for each VLAN (subnet) routed by pfSense or just (1) for the VLAN between pfSense and the router?
-
You would need one for each subnet behind pfSense.
Get it working with double NAT first then experiment. ;)
Steve
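As an added illustration of Steve's answer (one DD-WRT static route per subnet behind pfSense, all pointing at pfSense's address on the VLAN between the two boxes), here is a small shell script that generates those routes and sanity-checks them first. It is not from the thread or from either project; the transit VLAN, the pfSense address and the three VLAN subnets are constructed values, and it assumes the iproute2 `ip` command is available on the DD-WRT image (the routes can equally be entered on the DD-WRT routing page). The two checks it performs cover the usual reasons a no-NAT setup "doesn't route": the pfSense gateway address not actually being on the transit VLAN, and a VLAN subnet overlapping the transit VLAN.

```shell
#!/bin/sh
# Example (not from the thread): build the DD-WRT static routes that send
# traffic for each VLAN subnet behind pfSense to pfSense's transit address.
#
# Constructed addressing:
#   transit VLAN DD-WRT <-> pfSense : 192.168.1.0/24  (DD-WRT .1, pfSense .2)
#   VLAN subnets routed by pfSense  : 10.10.10.0/24 10.10.20.0/24 10.10.30.0/24
PFSENSE_IP="192.168.1.2"
TRANSIT_NET="192.168.1.0/24"
VLAN_SUBNETS="10.10.10.0/24 10.10.20.0/24 10.10.30.0/24"

# ip2int A.B.C.D : dotted quad -> 32-bit integer (pure shell, no awk needed)
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR CIDR : succeed if ADDR lies inside the CIDR prefix
in_net() {
  ip=$(ip2int "$1")
  base=$(ip2int "${2%/*}")
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( base & mask )) ]
}

# overlaps CIDR1 CIDR2 : two prefixes overlap iff one contains the other's base
overlaps() {
  in_net "${1%/*}" "$2" || in_net "${2%/*}" "$1"
}

# route_cmds [CIDR ...] : print one "ip route add" line per subnet behind
# pfSense (defaults to VLAN_SUBNETS). Emits nothing and fails if the gateway is
# not on the transit VLAN or a subnet collides with it.
route_cmds() {
  subnets=${*:-$VLAN_SUBNETS}
  in_net "$PFSENSE_IP" "$TRANSIT_NET" || {
    echo "error: gateway $PFSENSE_IP is not on transit net $TRANSIT_NET" >&2
    return 1
  }
  for net in $subnets; do
    if overlaps "$net" "$TRANSIT_NET"; then
      echo "error: $net overlaps transit net $TRANSIT_NET" >&2
      return 1
    fi
  done
  for net in $subnets; do
    echo "ip route add $net via $PFSENSE_IP"
  done
}

# Default: print the commands for review. "apply" pipes them to sh (root on DD-WRT).
if [ "$1" = "apply" ]; then
  route_cmds | sh
else
  route_cmds
fi
```

Printed without `apply`, the output is the three route lines to paste into a DD-WRT startup script or mirror on its routing page; each one says "hosts in this VLAN subnet are reached through pfSense at 192.168.1.2". pfSense still needs its own firewall rules on each VLAN interface (as Steve notes, only the default 'LAN' gets permissive rules), and its outbound NAT must be disabled for this transit path or the double NAT simply comes back.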
-
Thanks, Steve!