Netgate Discussion Forum

Opt1 interface setup

General pfSense Questions
15 Posts 4 Posters 6.6k Views
jahonix:

Sorry, the weehooey post is nonsense in regard to your requirement. He integrates (bridges) it into your LAN, which is the opposite of what you wanted. How he describes it is not how you do it properly (if at all). You would better connect it to a switch on LAN.

You want a separate subnet for your WLAN, like for guest access.
Assign the NIC to an interface at Interface (assign). Go to that newly created interface and enable it, plus give it an IP address with a netmask which does not overlap with your existing LAN network.
At Services > DHCP Server you might want to give it a DHCP range to hand addresses to your WiFi clients.
Now you need to create firewall rules to
1. block traffic to the LAN subnet, and
2. allow DNS and access to the internet (HTTP, HTTPS and probably other stuff like mail etc.).
Keep this order. It's easier to block a few networks, single hosts or what have you and allow the rest afterwards.
malcmail:

Thanks guys. Where I'm at so far. LAN on 192.168.1.x. Opt1 set up to run on 192.168.10.x. Firewall rules for Opt1 exactly mirror those for the LAN at the moment (until I get it going). And outbound is automatic. DHCP on the wireless router is off. No internet on Opt1 though - what am I missing? Thanks for the help.
malcmail:

I've checked that DHCP is running on Opt1 and limited the range, although all still within 192.168.10.x, but it doesn't appear to be handing out IP addresses. If I attach to the LAN interface I can ping through to the OPT interface - and the wireless AP attached to it. But nothing if I attach to the wifi AP itself.

UPDATE: now dishing out addresses but no ping to the internet.
weehooey:

malcmail - I owe you an apology. I read your post too quickly. jahonix is correct, my reply would not do what you wanted.

jahonix - Thank you for pointing out my mistake. One question, had he wanted to just add wireless, why is it better to use a switch than to use Opt1? I have seen that comment before but am unclear as to why. The only thing that comes to mind is to offload the switching of the LAN traffic to the switch (should be a cheaper device). Is there another reason?

malcmail - Regarding your follow-up questions. Are you pinging an IP address or hostname? If you are pinging a hostname, try an IP address (eg 8.8.8.8). You might not have DNS.
malcmail:

weehooey - no problem. We've all done it. I tried pinging Google by number rather than name to check if it was DNS but no joy sadly.

So checking again I can ping the wireless AP from the client device but not the opt1 interface at 192.168.10.1. But the device has an IP address in the right subnet - and that is only being handled by pfSense as there is no DHCP on the wireless AP. I thought I was confused before!!
Gertjan:

Just checking here …
Are you aware of the fact that the LAN interface is "delivered" with a default pass-all rule ?!
And that all other interfaces you activate afterwards (OPT1, OPT2, etc) have NO firewall rules, so NOTHING gets in - like DHCP requests ?!?

In other words: what are your firewall rules for OPT1 ?

No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ??
malcmail:

Yup. Spotted that one. So on Opt1 I have copied the LAN rules (changing the interface of course). Hopefully the attached shows enough of the rules to highlight any likely errors.

![OPT1 firewall rules.JPG](/public/imported_attachments/1/OPT1 firewall rules.JPG)
Gertjan:

@malcmail:

Yup. Spotted that one. So on Opt1 I have copied the LAN rules (changing the interface of course). Hopefully the attached shows enough of the rules to highlight any likely errors.

Your image shows the OPT1 firewall rules ?
"LAN Net" is NOT "OPT1 Net".
Can you show the OPT1 firewall rules ? (because we are talking OPT1 setup, not LAN setup).
malcmail:

And there we have it. The bonehead move that I inevitably made. Duh! Thanks very much for your help there.
jahonix:

@weehooey:

had he wanted to just add wireless, why is it better to use a switch than to use Opt1?

A router interface is in no way a substitute for a switch port.
With a software-based router each packet has to go all the way down to the kernel and back up to the interface again. Compare that to a switch where packet-pushing is handled in hardware within its chipset.
jahonix:

And for blocking WLAN to LAN create a rule to block From: Opt1 Net To: LAN Net above any allow rule.
malcmail:

Thanking you Sir. I presume that still allows the LAN clients to access anything on OPT1?

If I want to open one item (a printer) to OPT1 users I presume I can set up an allow rule before the deny rule to allow OPT1 net to access 192.168.1.{printer} (clearly with a number instead).

And then it is on to traffic shaping :) And maybe captive portal just for a laugh frankly ;)
jahonix:

@malcmail:

I presume that still allows the LAN clients to access anything on OPT1?

Sure, you always filter what is coming IN on a specific interface.
What's coming from your LAN is OUT on the Opt1 interface. If you wanted to filter that it would be on the LAN rules tab.

@malcmail:

If I want to open one item (a printer) to OPT1 users I presume I can set up an allow rule before the deny rule to allow OPT1 net to access 192.168.1.{printer} (clearly with a number instead).

Exactly.
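The thread settles on four points about pfSense interface rules: a newly assigned interface has no rules and therefore blocks everything (Gertjan), rules copied from the LAN tab with "LAN net" as source never match OPT1 traffic (Gertjan), the OPT1 tab should block OPT1 net to LAN net above the allow rules with any exception such as a printer placed above the block (jahonix), and filtering happens on the interface a packet enters, so LAN to OPT1 traffic is governed by the LAN tab (jahonix). The following first-match rule evaluator is an added illustration of those four points, not code from the thread or from pfSense. It uses the thread's subnets (192.168.1.0/24 and 192.168.10.0/24); the printer address 192.168.1.250 and its port 9100 are placeholders the thread does not give, and the model is deliberately simple (IPv4 only, one destination port per rule, no state tracking or outbound NAT).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Subnets as given in the thread.
LAN_NET = ip_network("192.168.1.0/24")
OPT1_NET = ip_network("192.168.10.0/24")
OPT1_ADDR = ip_address("192.168.10.1")   # pfSense's own OPT1 address, where its DNS listens
PRINTER = ip_address("192.168.1.250")    # placeholder: the thread never names the printer's address
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    iface: str              # interface the packet ARRIVES on ("LAN" or "OPT1")
    proto: str              # "tcp", "udp" or "icmp"
    src: IPv4Address
    dst: IPv4Address
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: Optional[str]         # None matches any protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port
    label: str = ""

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and p.src in self.src
                and p.dst in self.dst
                and (self.dport is None or self.dport == p.dport))


def host(addr: IPv4Address) -> IPv4Network:
    """Single-host destination, like choosing 'Single host' in the rule editor."""
    return ip_network(f"{addr}/32")


def pkt(iface: str, proto: str, src: str, dst: str, dport: Optional[int] = None) -> Packet:
    """Convenience constructor for sample packets given as strings."""
    return Packet(iface, proto, ip_address(src), ip_address(dst), dport)


def evaluate(rules: list, p: Packet) -> str:
    """Walk the tab top to bottom; the first matching rule decides.
    No match means block, which is also what a freshly assigned interface
    with an empty tab does (Gertjan's point about OPT1)."""
    for rule in rules:
        if rule.matches(p):
            return f"{rule.action}:{rule.label}"
    return "block:default-deny"


# OPT1 tab as the thread ends up with it: the printer exception first, the
# WLAN-to-LAN block next, then the allow rules for the rest (jahonix's order).
OPT1_RULES = [
    Rule("pass", "tcp", OPT1_NET, host(PRINTER), 9100, "printer"),  # port 9100 (raw print) is an assumption
    Rule("block", None, OPT1_NET, LAN_NET, None, "wlan-to-lan"),
    Rule("pass", "udp", OPT1_NET, host(OPT1_ADDR), 53, "dns"),
    Rule("pass", "tcp", OPT1_NET, ANY, 80, "http"),
    Rule("pass", "tcp", OPT1_NET, ANY, 443, "https"),
]

# malcmail's first attempt: the LAN rule copied onto the OPT1 tab with "LAN net" still as source.
COPIED_LAN_RULES = [Rule("pass", None, LAN_NET, ANY, None, "copied-lan-pass-all")]

# Stock LAN tab: pfSense delivers it with a pass-all rule.
LAN_RULES = [Rule("pass", None, LAN_NET, ANY, None, "default-lan-pass")]

TABS = {"OPT1": OPT1_RULES, "LAN": LAN_RULES}


def filter_packet(p: Packet, tabs=TABS) -> str:
    """Rules are applied on the interface a packet comes IN on, never on the one it leaves."""
    return evaluate(tabs[p.iface], p)


if __name__ == "__main__":
    wlan_client, lan_host, internet = "192.168.10.20", "192.168.1.10", "8.8.8.8"
    print("wlan -> lan smb  :", filter_packet(pkt("OPT1", "tcp", wlan_client, lan_host, 445)))
    print("wlan -> printer  :", filter_packet(pkt("OPT1", "tcp", wlan_client, str(PRINTER), 9100)))
    print("wlan -> dns      :", filter_packet(pkt("OPT1", "udp", wlan_client, str(OPT1_ADDR), 53)))
    print("wlan -> https    :", filter_packet(pkt("OPT1", "tcp", wlan_client, internet, 443)))
    print("wlan -> ping     :", filter_packet(pkt("OPT1", "icmp", wlan_client, internet)))
    print("lan  -> wlan     :", filter_packet(pkt("LAN", "tcp", lan_host, wlan_client, 22)))
    print("copied LAN rules :", evaluate(COPIED_LAN_RULES, pkt("OPT1", "tcp", wlan_client, internet, 443)))
```

Two things the run makes visible that the thread only implies: the copied LAN rule set returns `block:default-deny` for every OPT1 packet, which is exactly the "no internet, no DHCP" symptom malcmail saw, and an ICMP echo to 8.8.8.8 also falls through to the default deny under the final rule set because nothing in it passes ICMP, so testing the new interface with ping requires an explicit ICMP pass rule (or a temporary allow-all) rather than the DNS/HTTP/HTTPS rules alone.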
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.