Pfsense + wireless router (bridge mode)
-
Hi,
I apologize if the question is kinda basic, but unfortunately even after reading a lot of forum threads and tutorials I was not able to solve it.
My setup is the following:
pf sense router (pcengines apu2c4) pfSense 2.3.2-RELEASE-p1 (amd64 full-install)
TD-W8960N (wireless router with integrated adsl2 modem)
I want to set the Wireless router in bridge mode in order to disable NAT/routing and only use it for the wireless clients + modem.
I used the following guide: https://doc.pfsense.org/index.php/Use_an_existing_wireless_router_with_pfSense
*** Welcome to pfSense 2.3.2-RELEASE-p1 (amd64 full-install) on pfSense ***
WAN (wan) -> pppoe1 -> v4/PPPoE: 151.62.71.XXX/32
LAN (lan) -> igb1 -> v4: 192.168.1.1/24
The Wireless AP has the static IP 192.186.1.2 (dhcp server disabled, bridge mode enabled to act like a wireless ap/modem) and a cable from the lan (not wan) port to the pfsense igb0 lan port.
Everything works fine for the clients that are connected directly to the pfsense router, except the wireless clients don't receive an IP from the pfsense dhcp server, and they can't access the lan clients and have no internet access.
I used "Automatic outbound NAT rule generation. (IPsec passthrough included)" for the WAN interface.
My target is that the lan/wireless clients use the pfsense router for routing/NAT and can ping/reach each other and the wireless ap should just act as a bridge for the pfsense router. Probably I'm missing some firewall/NAT rule?
Thank you.
-
TL;DR
This won't work.
Your modem has to be in front of your pfSense whereas an AP has to be behind it. A single device cannot be on both sides obviously. Best bet is to get a decent separate AP.
-
I see… to buy a UniFi AP was anyway on my todo list.
Until I replace the router what would be the cleanest way to "integrate" the wireless router with pfsense? The wireless router does the pppoe dialing and routes the traffic from the wireless clients, pfsense uses the wireless router for wan (static ip or through the wireless router dhcp).
Should I disable the dhcp server on the wireless router or is it enough if the ip range is not the same as the pfsense dhcp range? If I want the wireless clients being able to access the lan clients (including the pfsense router) and vice versa do I need to set a static route on the wireless router?
Thank you very much.
-
If the modem/router is in bridge mode, then its DHCP server is not used. There's no point in having it configured as a router and followed by pfSense as a router/firewall. So, it's either the router/modem as a router & firewall or pfSense as a router & firewall, not both.
-
If the modem/router is in bridge mode, then its DHCP server is not used. There's no point in having it configured as a router and followed by pfSense as a router/firewall. So, it's either the router/modem as a router & firewall or pfSense as a router & firewall, not both.
I can't use the router in bridge mode because, as jahonix stated, I can't use the modem and the AP in a single device.
-
What does wifi have to do with bridge mode? If you enable bridge mode then wifi is no longer an option on that device.. Which isn't what you would want on anyway.. Unless your ISP is giving you more than 1 public IP.. Then sure you could have a wired device with public IP and then wifi or wired devices with your other public IPs from your ISP.
So to me here are the options..
Set that device to bridge mode, no wifi.. this way pfsense gets public IP on wan
Leave the device as nat pppoe or whatever you doing. Pfsense just gets rfc1918 address on its wan. No wifi on this isp device. Get an AP for your wifi connected "behind" pfsense.
-
What does wifi have to do with bridge mode? If you enable bridge mode then wifi is no longer an option on that device..
Probably the tplink has no real bridge mode or a "broken" one, but it allows me to set the modem on "bridge mode", thus pfsense runs pppoe and not the router, wifi however is still running and clients can connect.
Set that device to bridge mode, no wifi.. this way pfsense gets public IP on wan
Leave the device as nat pppoe or whatever you doing. Pfsense just gets rfc1918 address on its wan. No wifi on this isp device. Get an AP for your wifi connected "behind" pfsense.
I'm just a little bit confused. Let's say I'm buying an additional adsl2 modem which pfsense uses for wan (through pppoe) and I connect the wireless tplink router like this: https://doc.pfsense.org/index.php/Use_an_existing_wireless_router_with_pfSense wireless clients should obtain their IP from the pfsense router, right? If the wireless client can't reach the pfsense router/doesn't get an IP assigned from the pfsense dhcp server, what might be the problem? NAT rules?
-
…lets say I'm buying an additional adsl2 modem ...
Better get a good AP, I'd prefer Ruckus/Xclaim but if you go with Ubiquiti that's probably fine.
A modem is a modem and you already have one. APs differ way more.
-
The Ubiquiti should be cheaper? and I think the Ruckus needs a yearly license fee?
However I'm still curious why the wireless router with NAT and DHCP switched off (hence a normal AP) and plugged into one of the pfsense lan ports did not work? Something wrong with the cheap tplink router that even claiming it switched off NAT still does some routing thing? Or some wrong/missing firewall/NAT rules on my side? Setting a static route on the wireless router fixed reaching the pfsense box/clients but still dhcp/routing did not work.
-
only use it for the wireless clients + modem.
You cannot do that. You can't have the same device on the outside and the inside. At least not a dumb device like that one.
-
The Ubiquiti should be cheaper? and I think the Ruckus needs a yearly license fee?
You can compare a Ubiquiti to Xclaim wireless, which is Ruckus' "consumer brand".
Ruckus APs don't stop working when you have no support license. You just don't get firmware updates.
However I'm still curious why the wireless router with NAT and DHCP switched off (hence a normal AP) and plugged into one of the pfsense lan ports did not work?
Don't know. Which port of the TP-Link did you use - LAN1 to LAN3 or the LAN/WAN port?
Use LAN1..LAN3 and obviously, if you do that, you cannot use its modem anymore.
Don't expect too much of a $30 AIO device.
-
First of all,
If I am not wrong, you cannot use your internal device as a modem, because you already have the PFSense as your gateway to the internet.
This device can be used only as an AP to connect the user into PFSense, you can disable DHCP from the gateway to make it also your DHCP but that's the maximum.
Since your PFSense is doing all the gateway job, you do not need the modem feature.
As for the firewall rules, just make sure that your LAN has the Anti-lockout rule enabled and you are allowing the full IPv4 from LAN net into Any (or WAN specifically).
You can do some troubleshooting by pinging the LAN address (PFSense LAN IP) from any point in the LAN. In some cases it won't ping; just make sure you create a rule that allows LAN net to access LAN address and you should be fine.
One more important thing (supposing that your device can support it), try to plug the AP on a LAN port not WAN port, in order to make your device behave like an internal AP, otherwise you might be creating a new subnet inside your LAN subnet. So that the LAN side of the PFSense will be a WAN side for your AP, just be careful with that.
-
Looks like he needs a modem to bridge ADSL to ethernet. So either another ADSL modem without all the built-in crud like the wifi or the existing modem/router using only the modem feature.