Netgate Discussion Forum

    Possible for Other Router to be DHCP Server instead of pfSense?

DHCP and DNS
    38 Posts 9 Posters 7.6k Views
darkarn

      @johnpoz:

      If what you want is wifi bridge to provide wired connections??

      " I am concerned about is the lack of Ethernet ports on these APs though"

That is not really the job of an AP..  But you could check, I know the 2nd port on the pro is bridged to the other port and you can add a switch on the other port and more ports that way.  But not sure when using wireless uplink?  But it might be possible - check on the unifi forums.  I know if you put a managed switch there then you could have multiple vlans there as well.

      Why exactly can you not run a wire??  Normally you should run a wire!!!  Then if you need more ports there, use a switch - hang an AP off that switch if you also need wifi in that area, etc.

      I am trying to provide both wired and wireless connections, hence my comment about the APs.

      Actually, my very 1st idea to solve all these was to simply do Ethernet drops (i.e. running wires). I was stopped by my parents unfortunately, let's just say they don't want me to run wires around the house; engaging contractors for such stuff is disallowed in the same vein.

johnpoz LAYER 8 Global Moderator

Well do your parents want good wifi or not?  Hire someone if they will not let you run it.. Running some ethernet cable is not all that hard.. But this is the proper way to provide both wired and wifi connections in an area.  You need a wire to where you need wifi coverage so you can properly place the AP.. Any real AP will be PoE.  If you also need wired in that area - there you go, you killed 2 birds with 1 stone.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

Derelict LAYER 8 Netgate

If your house is wired for Cable TV you can also look at MoCA to get the AP/switch where it should be. I never have to think about mine and get 700Mbit/s.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

darkarn

@johnpoz:

Well do your parents want good wifi or not?

            Parents want good wifi… but their definition is a bit looser than ours. ;)

            Also, thing is, they don't even allow me to hire the people to do the Ethernet drops! The best they allowed so far is the Netgear Orbi (which I got last night), helps that my friend is willing to buy off my AC66U which will offset some of the costs.

darkarn

@Derelict:

If your house is wired for Cable TV you can also look at MoCA to get the AP/switch where it should be.

I can't find any MoCA equipment in the market so far. Also, I don't think it is allowed here…

johnpoz LAYER 8 Global Moderator

                allowed where?  Why would there be a restriction on moca.. Makes zero sense..


darkarn

                  @johnpoz:

                  allowed where?  Why would there be a restriction on moca.. Makes zero sense..

                  Sorry, I thought there's a ban on MoCA for Singapore. I must have mixed up with something else.

Anyway, I am unsure of the state of coaxial cabling in my house and hence whether MoCA is feasible or not. The import prices and lack of local support for this equipment are not helping.

johnpoz LAYER 8 Global Moderator

                    Well if you can not run a wire, or use existing wiring like moca, how about powerline adapters.. which would be 3rd choice.. wireless uplink would always be last.


darkarn

                      @johnpoz:

                      Well if you can not run a wire, or use existing wiring like moca, how about powerline adapters.. which would be 3rd choice.. wireless uplink would always be last.

Actually I was using these. Even though these introduced EMI/RFI noise that affected my audio equipment, I was willing to put up with it for the sake of my family (and invest in those power strips that supposedly reduce such noise). So how I set these up was to simply plug one in my room with my pfSense rig and another in the central part of my house with my Asus AC66U. This fixed almost all Wifi deadspots, but one day, these homeplugs went down all of a sudden for no good reason. Switching them off and on worked, but I decided that it's time for me to move on from homeplugs and try something else, seeing that a single router will not solve the issue. Then I saw the Orbi on sale with good reviews by many, and my friend needed to take over my AC66U, so I decided to give it a shot. So far, my family are extremely happy with the Orbi so I guess this part of the network puzzle is solved for now. If they want/need faster speeds, I will insist on proper Ethernet cabling then.

darkarn

And back to the topic at hand. After testing more and reading more, now I can see why you all sounded confused about my questions, really sorry about that!  :(

Firstly, I read up about bridging two or more NICs within pfSense, thinking that I may need it. Turns out that it can be done but is not recommended; the more recommended method is to simply connect a switch to it, which I failed to consider all this while! So, all I did was to connect to the switch first, and then to the Orbi and other devices. This meant no more funky port forwarding needed for HAProxy (yes, this works too but I am trying to avoid this) and yet all devices are able to connect to the Internet and be protected by pfSense.

                        Then, I thought through more carefully and noted how only my guests will need only wireless connection, which means I just need to make sure they can connect wirelessly to the Internet but not to my devices. This means I need a properly working "Guest Network" function, which can be accomplished if I keep the Orbi in Router Mode.

                        Then also, I realised that my laptop, which is connected to the switch, can also connect wirelessly to the Orbi. This means it can be on both subnets (and thus workaround issues such as not being able to print/scan from wireless printer and my mobile devices not being able to find it)

All this knowledge made it a lot easier to solve my issues. Now I can have pfSense packages working properly with my wired devices, a proper Guest Network and all personal (non-guest) devices able to talk to each other whenever necessary.

                        Here's my new (and final?) network diagram

                        Network Diagram

                        In short, yes, in a network, there can be more than one DHCP server and devices can have multiple IP addresses by having one per network interface

Now only one last thing left: If I were to run out of ports on the switch, should I daisy chain another switch (the cheaper option), or should I try to find a bigger managed switch and replace it (the much more expensive option)? Current switch is a TP-Link 8 port Smart Switch TL-SG2008

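The post above settles that a network can carry more than one DHCP server. The check a practitioner wants after putting a second router (the Orbi, in router mode) onto the same switch as pfSense is that only the intended server actually answers on the pfSense LAN. The script below is an added example, not code from this thread or from pfSense/Netgate: it broadcasts one DHCPDISCOVER laid out per RFC 2131 and lists every DHCPOFFER that comes back, so a second responder (for instance a consumer router's LAN-side port patched into the wrong switch) shows up immediately, along with the gateway and DNS it is trying to hand out. The test MAC, the transaction id and the sample OFFER from 192.168.1.1 are constructed for illustration; `survey()` needs root to bind UDP/68 and must run on the segment being checked, because broadcasts do not cross the pfSense box.

```python
"""Survey a segment for DHCP servers: send one DHCPDISCOVER, collect every
DHCPOFFER.  One responder is expected; two means a rogue or forgotten server
that can hand out its own gateway and DNS.  Layout per RFC 2131/2132.
Added example, not code from the forum thread or from pfSense."""
import os
import socket
import struct
import time

MAGIC = b'\x63\x82\x53\x63'                 # DHCP options magic cookie
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_REQ = 3, 6, 53, 54, 55
DISCOVER, OFFER = 1, 2
HDR = '!BBBBIHHIIII'   # op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr


def _ip(raw: bytes) -> str:
    return socket.inet_ntoa(raw)


def build_discover(mac: bytes, xid: int) -> bytes:
    """236-byte BOOTP header + magic + options; flags=0x8000 asks for a broadcast reply."""
    if len(mac) != 6:
        raise ValueError('MAC must be 6 bytes')
    hdr = struct.pack(HDR, 1, 1, 6, 0, xid, 0, 0x8000, 0, 0, 0, 0)
    hdr += mac.ljust(16, b'\0') + bytes(64) + bytes(128)      # chaddr, sname, file
    opts = (bytes([OPT_MSG_TYPE, 1, DISCOVER])
            + bytes([OPT_PARAM_REQ, 3, OPT_ROUTER, OPT_DNS, OPT_SERVER_ID])
            + b'\xff')
    return hdr + MAGIC + opts


def parse_options(blob: bytes) -> dict:
    """TLV walk: skips PAD (0), stops at END (255), tolerates a truncated tail."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 0:
            i += 1
            continue
        if code == 255 or i + 1 >= len(blob):
            break
        ln = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + ln]
        i += 2 + ln
    return opts


def parse_offer(pkt: bytes, xid: int):
    """Summarise a DHCPOFFER for our transaction id; anything else returns None."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        return None
    op, _, _, _, pkt_xid, _, _, _, yiaddr, _, _ = struct.unpack(HDR, pkt[:28])
    if op != 2 or pkt_xid != xid:
        return None
    opts = parse_options(pkt[240:])
    if opts.get(OPT_MSG_TYPE, b'')[:1] != bytes([OFFER]):
        return None
    dns = opts.get(OPT_DNS, b'')
    return {
        'server': _ip(opts[OPT_SERVER_ID]) if len(opts.get(OPT_SERVER_ID, b'')) == 4 else None,
        'offered': _ip(struct.pack('!I', yiaddr)),
        'router': _ip(opts[OPT_ROUTER][:4]) if len(opts.get(OPT_ROUTER, b'')) >= 4 else None,
        'dns': [_ip(dns[j:j + 4]) for j in range(0, len(dns) - len(dns) % 4, 4)],
    }


def survey(mac: bytes, timeout: float = 3.0) -> list:
    """Broadcast a DISCOVER and gather OFFERs from every server on this segment.
    Needs root (UDP/68); run it on each VLAN/segment separately."""
    xid = int.from_bytes(os.urandom(4), 'big')
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.bind(('', 68))
    s.settimeout(0.5)
    s.sendto(build_discover(mac, xid), ('255.255.255.255', 67))
    seen, deadline = {}, time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            pkt, (src, _) = s.recvfrom(2048)
        except socket.timeout:
            continue
        offer = parse_offer(pkt, xid)
        if offer:
            seen[offer['server'] or src] = offer      # one entry per distinct server
    s.close()
    return list(seen.values())


def sample_offer(xid: int) -> bytes:
    """Constructed DHCPOFFER (not a capture): server 192.168.1.1 offers 192.168.1.50."""
    yiaddr = struct.unpack('!I', socket.inet_aton('192.168.1.50'))[0]
    hdr = struct.pack(HDR, 2, 1, 6, 0, xid, 0, 0x8000, 0, yiaddr, 0, 0)
    hdr += bytes(16) + bytes(64) + bytes(128)
    gw = socket.inet_aton('192.168.1.1')
    opts = (bytes([OPT_MSG_TYPE, 1, OFFER]) + bytes([OPT_SERVER_ID, 4]) + gw
            + bytes([OPT_ROUTER, 4]) + gw + bytes([OPT_DNS, 4]) + gw + b'\xff')
    return hdr + MAGIC + opts


if __name__ == '__main__':
    offers = survey(b'\x02\x00\x00\x00\x00\x01')   # locally administered test MAC
    for o in offers:
        print(o)
    print('OK: one DHCP server' if len(offers) == 1 else f'WARNING: {len(offers)} DHCP servers answered')
```

Run it as root on a host plugged into the TL-SG2008; the expected result on the pfSense LAN is exactly one offer whose server id and router are the pfSense LAN address. Two offers, or an offer whose router is not pfSense, means another router's DHCP is reachable on that segment and clients may be handed a gateway that bypasses the pfSense rules.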
JKnott

                          and devices can have multiple IP addresses by having one per network interface

                          Actually, even an interface can have more than one address.  On IPv4, you can create an alias address and on IPv6, multiple addresses are to be expected.  For example, on this computer, I currently have 8 IPv6 addresses on the one NIC.  There is one link-local address, one SLAAC, based on the MAC address and 7 random number "privacy" based SLAAC addresses.  All of them are valid.  One thing about the random number addresses is I get a new one every day and the oldest then falls off the end of the list, so the list of addresses will change daily.

                          PfSense running on Qotom mini PC
                          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                          UniFi AC-Lite access point

                          I haven't lost my mind. It's around here...somewhere...

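To make the address count above something you can check on a host, here is an added example (not code from this thread or from pfSense) that parses Linux `ip -6 addr show` output and labels each address as link-local, stable EUI-64 SLAAC (derived from the MAC, so it stays put and identifies the hardware) or RFC 4941 temporary privacy address (the ones that rotate and fall off the list). The sample output, the interface name and the 2001:db8::/32 prefix are constructed for illustration; on FreeBSD the same fields come from `ifconfig` in a different layout, so the regex would need adjusting there. The practical point: only the stable global address belongs in a firewall rule or allow-list, because a temporary address pinned today is gone within days, while the EUI-64 address reveals the MAC to anyone who sees the packet.

```python
"""Classify the IPv6 addresses an interface carries: link-local, the stable
EUI-64 SLAAC address (derived from the MAC), and rotating RFC 4941 temporary
addresses.  Stable ones are what firewall rules and log correlation can rely
on; temporary ones change regularly and must not be pinned.
Added example, not code from the forum thread or from pfSense."""
import ipaddress
import re

# Constructed `ip -6 addr show dev eth0` output (not from a real host);
# 2001:db8::/32 is the documentation prefix.
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:7c4a:9137:5e1d:2a00/64 scope global temporary dynamic
       valid_lft 86123sec preferred_lft 13923sec
    inet6 2001:db8:1:2:b5c1:4e70:a2d4:d3f/64 scope global temporary dynamic
       valid_lft 172345sec preferred_lft 85921sec
    inet6 2001:db8:1:2:215:5dff:fe01:2c3d/64 scope global dynamic mngtmpaddr
       valid_lft 2591996sec preferred_lft 604796sec
    inet6 fe80::215:5dff:fe01:2c3d/64 scope link
       valid_lft forever preferred_lft forever
"""

LINE = re.compile(r'^\s*inet6\s+(\S+)/(\d+)\s+scope\s+(\w+)(.*)$')


def is_eui64(addr: ipaddress.IPv6Address) -> bool:
    """Modified EUI-64 IIDs (RFC 4291) carry 0xfffe at address bytes 11-12."""
    return addr.packed[11:13] == b'\xff\xfe'


def mac_from_eui64(addr: ipaddress.IPv6Address):
    """Recover the MAC: drop the 0xfffe filler and flip the U/L bit back."""
    if not is_eui64(addr):
        return None
    iid = bytearray(addr.packed[8:])
    iid[0] ^= 0x02
    mac = bytes(iid[0:3]) + bytes(iid[5:8])
    return ':'.join(f'{b:02x}' for b in mac)


def classify(ip_output: str) -> list:
    out = []
    for line in ip_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        addr = ipaddress.IPv6Address(m.group(1))
        flags = m.group(4).split()
        if addr.is_link_local:
            kind = 'link-local'
        elif 'temporary' in flags:
            kind = 'temporary'          # RFC 4941 privacy address, will rotate
        elif is_eui64(addr):
            kind = 'slaac-eui64'        # stable, and leaks the MAC
        else:
            kind = 'other'              # e.g. RFC 7217 stable-privacy or static
        out.append({'addr': str(addr), 'scope': m.group(3), 'kind': kind,
                    'mac': mac_from_eui64(addr)})
    return out


def pinnable(entries: list) -> list:
    """Global addresses that are safe to reference in a firewall rule or ACL."""
    return [e['addr'] for e in entries
            if e['scope'] == 'global' and e['kind'] != 'temporary']


if __name__ == '__main__':
    for e in classify(SAMPLE):
        print(f"{e['kind']:12} {e['addr']:40} mac={e['mac']}")
    print('pinnable:', pinnable(classify(SAMPLE)))
```

On a real host pipe `ip -6 addr show dev eth0` into `classify()` instead of `SAMPLE`; the `mngtmpaddr` flag marks the stable address from which the kernel derives its temporary ones.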
a_null

                            @darkarn:

                            @a_null:

                            My home network uses a separate DNS/DHCP server from my pfSense router. I have ISC DHCP server and unbound DNS running on a Raspberry PI 3, and it serves both the main LAN and the guest network.
                            I had to add multiple IP addresses to the RPI NIC (2 VLANs) so that it sees both networks, but it works well.
It gives out addresses from the proper pools, using its own address as DNS and the pfSense box as the gateway. Naturally, each network has its own settings. DNS forwards to OpenDNS.

                            The pfSense firewall has rules that keep the guest network off the LAN, except for a printer which I expose to the guest.

                            I was pretty much forced to set this up when I donated my pfSense box to a client as a spare when theirs failed, and I had to stuff a Cisco PIX into my home network. When I did that, I lost my pfSense DNS and DHCP, so I had to punt, and I cobbled together the RPI setup. I liked it so much that I added a LiFePo battery backup (http://lifepo4wered.com/lifepo4wered-pi.html) to it and have been running it nonstop for over a year. Even when I regained my pfSense appliance.

                            I see, thanks. So is your RPI NIC going straight to a wireless router just like in my situation?

                            Well… not exactly, I guess. But they are all on the same LAN switch.
Basically, there is a router between the internet and my network, just like everyone else's. On the local network, there's a DHCP/DNS server, and a wireless access point, just like most. The popular setup is to just have the pfSense firewall provide D&D services to the LAN, but I have them disabled there, and simply provide it on another box. My wireless units don't do anything but provide access points to the LAN, so there are no additional services running on the wireless APs.

My network is a tiny bit unique, in that I have a Cisco Catalyst switch, and a Cisco WLC wireless LAN controller with a few Aironet wireless devices controlled by the WLC, but it's still a network (actually two) behind a pfSense firewall behind a cable modem.

                            I can see where there could be a problem with a guest network, though. In my case, my pfSense box provides two LAN segments, my main LAN and my guest network. My access points provide two SSIDs, one for the LAN and one for the guest net. If you are trying to do this solely from the wifi router, obviously it could be difficult, since there's no common place for DHCP to exist on both networks.
I believe that dd-wrt can create multiple SSIDs, so conceptually, you can use a separate VLAN from the pfSense firewall as the guest network, and have dd-wrt provide a WiFi SSID for each VLAN. In that way, you can use all the pfSense services for each network as desired.


darkarn

@a_null:

I believe that dd-wrt can create multiple SSIDs, so conceptually, you can use a separate VLAN from the pfSense firewall as the guest network, and have dd-wrt provide a WiFi SSID for each VLAN. In that way, you can use all the pfSense services for each network as desired.

                              Hmm I see, looks like it will be a while before I can try all these since DD-WRT is not out for the Orbi just yet

a_null

@darkarn:

Hmm I see, looks like it will be a while before I can try all these since DD-WRT is not out for the Orbi just yet

Well, if you still have your ASUS unit (or really, any ol' wifi router that can be placed into AP-only mode), you could use both the Orbi and the ASUS, one for the LAN, and one for the guest network.


darkarn

@a_null:

Well, if you still have your ASUS unit (or really, any ol' wifi router that can be placed into AP-only mode), you could use both the Orbi and the ASUS, one for the LAN, and one for the guest network.

                                  The ASUS is now with my friend permanently though, and even then it won't be able to cover the entire house unlike the Orbi (and getting another Orbi for guest network only is too cost-inefficient)

GPz1100

Did you ever figure out how to do the guest isolation on the ASUS when it's in AP mode?

                                    Read a bunch of threads over on the snb forum, but none seem to work in my application.

Guest wifi is on a separate VLAN.  Ideally each wireless guest is completely isolated from each other and from any LAN hosts on the VLAN.  Since it's a wireless guest network, the chance of wired hosts being present is unlikely, so the latter is not as important.  At the minimum, getting each wireless host isolated is the goal.

                                    https://www.snbforums.com/threads/guest-network-in-access-point-mode.7021/#post-359045

Derelict LAYER 8 Netgate

I solved that problem on a large installation (650 access points) using uplink ports in Brocade switches for per-VLAN isolation among the different APs, and Ruckus' ability to set per-SSID isolation in the APs themselves. This achieved campus-wide isolation on certain VLANs between all wired and wireless clients.

You might get close using private VLAN edge on the Catalyst (protected ports) but that is not per-VLAN so it's all or nothing.


y2raza

@darkarn I hope this reply finds you well, did you ever implement this config to hand DHCP duties to the AC66U?

                                        I have it other way around and my AX11000 is in router mode, and working with no issues with PfSense handling the DHCP duties.

JonathanLee

I wonder if a Raspberry Pi Zero could do it?

                                          Make sure to upvote

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.