Help configuring pfSense with Gargoyle AP
-
ALU: pfSense Main Router/Firewall
ALU Interfaces: LAN, WAN, WIFIAP, BRIDGE (LAN > WAN)Gargoyle 1.9.1: Access Point with Wireless Clients
The Gargoyle router is only there as Access Point with 3 different WLANs. 2.4GHz, 5GHz and Guest WLAN.I've been fiddling around for a while now but couldn't achieve my ideal configuration….hence a lack of network knowledge.
What I would like to have:
- Gargoyle router plugged into pfSense OPT1, subnet 192.168.3.0/24.
- pfSense makes DHCP for all LAN/wireless clients on the Gargoyle
- Gargoyle Guest WLAN clients should have no access to BRIDGE/LAN network devices. (All other allowed WLAN clients have static DHCP IPs)
I had most of that working but some access between the networks (LAN and WIFIAP) didn't work out and I couldn't figure out what it was.
Also the bandwidth monitoring on the Gargoyle doesn't work when not making use of its WAN port (before Gargoyle was connected from one of the internal switches LAN ports to WIFIAP (OPT1) on ALU).What I have now is, the Gargoyle WAN port is defined as static/wired IP (192.168.1.201), same subnet as pfSense's BRIDGE and is plugged into WIFIAP (OPT1).
The Gargoyle's network address is 192.168.3.1 and the wireless clients are ergo in the same subnet.Bandwith monitoring on the Gargoyle works now but now I can't use pfSense's DHCP (different subnet WIFIAP and Gargoyle's clients) and my firewall rule with ALIAS (IPs) is not working anymore because all traffic coming into the WIFIAP interface now are routed as IP 192.168.1.201 (Gargoyle's WAN IP).
I can live with the second DHCP server on the Gargoyle but no with all wireless clients accessing my BRIDGE clients - only a few selected. However I have a feeling that's not possible? I'm willing so sacrifice the Gargoyle Bandwidth monitoring if I need to...Could anyone maybe share their view/ideas/tips/insights what might be the best way for me to puersuit? (with the given hardware).
-
Hi,
Does your "Gargoyle" have a or some LAN ports ? Use them ! (never ever touche those "WAN ports again)
If you you have 2 (example) "Gargoyle" AP's, give them a static IP 192.168.3.2 and 192.168.3.4 - your DHCP server pool start at 192.168.3.5 (runnings on OPT1/pfSense).
Disable DHCP server on the "Gargoyle" AP's - assign a gateway 192.168.1.3 (pfSense OPT1).Up from this point you can manage your AP's from any device hooked up on your LAN (just use 192.168.3.2 or 192.168.3.3).
-
What Gertjan said is good - you want to avoid the NAT that happens if the WiFi traffic crosses from Gargoyle WiFi/LAN side to Gargoyle WAN, because that hides individual WiFi clients from pfSense. By keeping the traffic directly from Gargoyle WiFi into the pfSense interface you can control things from pfSense - DHCP static mappings and special rule for particular clients/client groups.
I'm willing so sacrifice the Gargoyle Bandwidth monitoring if I need to
I expect the Gargoyle does bandwidth monitoring and control only for traffic that crosses to/from its WiFi/LAN and WAN sides. So you lose that. You can do some of that stuff on pfSense with Traffic Shaping and/or Limiters.
-
Thanks guys, I will reconfigure the Gargoyle tonight and put it back on LAN…I might be back with more questions if I run into problems ;-)
-
I reconfigured again, Gargoyle is now connected via LAN1 port to OPT1 (WiFiAP) on pfSense.
I'm missing something, I remember my problem from before, DHCP doesn't work on the WiFiAP interface. Wireless clients on the Gargoyle won't get an IP address by DHCP from pfSense. If I manually assign IP and gateway the wireless client works fine (internet, pinging LAN addresses).
Am I missing a firewall rule or something else? On WiFiAP are only 2 rules:- Block bogon Networks (Reserved IPs, not assigned by IANA)
- Pass IP4+6, any protocol, any source, any port to any destination
ALU Interfaces
–-------------
WiFiAP, static IP 192.168.3.1/24
BRIDGE0, Members: LAN, 192.168.1.1/25
LAN
WANDHCP Server activated for WiFiAP, Range 192.168.3.30-192.168.3.50
Disabled on Gargoyle: DHCP, Firewall, Routing -
Those settings should work. I am not sure why you have a BRIDGE0 with LAN in it - LAN all by itself should be fine, but the BRIDGE0 thing should not mess up OPT1 WiFiAP.
First try plugging a client directly into OPT1 and make sure the DHCP is working on OPT1.
Then plug the Gargoyle LAN cable back in to OPT1, and if there are other LAN ports on the Gargoyle try the client in one of those… -
I can't remember why I created the Bridge anymore, I followed a tutorial a year ago.
I plugged in my Laptop into OPT1 directly, LAN got an IP via DHCP instantly.I now connected Gargoyle LAN4 to OPT1 but WiFi client doesn't get an IP. So something on the Gargoyle is blocking DHCP I assume?
EDIT:
I SSH into my Gargoyle Router (Archer C7), manually disabled and stopped the Firewall (/etc/init.d/firewall disable and /etc/init.d/firewall stop) and rebooted it and now the Wifi clients get IPs issued. Maybe the GUI didn't apply some firewall config properly.I'll do some more testing and firewall rules now…