Routing between PFSense and second router ???
-
Thank you to Johnpoz and Mikeisfly! :D
I may move the FIOS interface I created on the PFSense router to a LAN port on the FIOS G1100 as you suggested… Why the last port?
Can the FIOS G1100 be used as a MOCA bridge or do I simply buy a MOCA bridge in addition? Do I lose the WIFI and LAN as a G1100-MOCA bridge?
The ONLY setup for NAT that I see in the PFSense GUI is Outbound-Manual rules generation. I believe I had to set that up for use with OpenVPN???
To date I have absolutely no type of Port-Forwarding done on the PFSense router. However, Everything operates properly in terms of FIOS functionality.
The FIOS interface on the PFSense router is NOT routed over the VPN... I was worried FIOS would bitch about it! >:(
Since I clearly do not Know; You say I have Natted the FIOS G1100... Is that because I have OCD and manually assigned IP addresses and range? Or is it double-NAT I think because both sides of the FIOS G1100 are private network IPs? I believe I read that Port-Forwarding gets screwed up in a double-NAT setup, But since my IP ranges don't repeat/ overlap, maybe it will work?
The Paint diagram I created is missing quite a bit from what is actually configured in my home network...
The PFSense router has one 4-Port 1G NIC and one 2-Port 10G NIC (Both NICs are RJ45/ Ethernet, I may switch to SFP+ for the 10G side of things) There are four interfaces configured on the 1G nic (WAN, LAN, FIOS, and WIFI) Two of those interfaces go to individual 4-Port switches (LAN and WIFI have individual switches) The LAN switch of course has a few PCs on it and there are a few Unifi APs on the WIFI switch. The 10G NIC is a NAS interface for one NAS and my main PC on it (the main PC has both LAN and NAS connectivity).
My personal wireless devices use the PFSense WIFI interface, where as my Wife uses the WIFI from the FIOS G1100.
I would like to add two more interfaces with another NIC; Should I be doing this all through one large switch (with both 1G and 10G), instead of all the individual 4-Port switches??? Should I run all the different interfaces into one switch? Does that simplify or complicate things? Do I need VLANs at that point or just when I have no more physical interface ports remaining?
I am increasing the amount of devices the the 10G NAS interface... Have 10G RJ45 components come down in price now? Or should I change to SFP+ to save money?
So, I think I'm good with setting up a Port-Forward on the FIOS G1100.
All I think I need to know is which port you guys recommend? Do I simply use 443 for HTTPS?
I'm sure I should enter the PFSense router IP address in the rule that I will create on the FIOS G1100 Port-Forward configuration. I believe this is so the port I open, is only open to my PFSense router IP address and not simply everywhere.Thanks again guys!
-
My head hurts after trying to read that.. ;) When you mentioned OCD… did you mean ADHD? Look a Squirrel!!!
"You say I have Natted the FIOS G1100"
If you have it connected to your network via its WAN.. Then yeah your double natting.. That is what that hardware does out of the box.. Did you turn off natting on it? If you did then you would have to setup downstream routing on pfsense, etc.
"All I think I need to know is which port you guys recommend? Do I simply use 443 for HTTPS?"
That would all depend on what your trying to access exactly behind it.
-
HAHA! Thanks! ;)
OOO! a Bird!
As far as using port 443, I don't know. I just want to log into the FIOS router GUI from a PC on my PFSense LAN…
I was guessing port 443 because My PFSense web-configurator protocol is set to HTTPS and I think somewhere else I restricted all the HTTP traffic on my LAN to be pushed to HTTPS...
-
So there is a lot to unpack with your last post. First I will start with why you the last port? It doesn't really matter which port you use but when I am wiring a switch I start from port 1 when the port leads to something in that room or building and I start from the last port if the port goes to a router/firewall/access point/switch (anything that will have multiple MACs on that port) or another building or room where a switch will be depending on how large the project is. That way you don't have port one going to something local but port two goes to your firewall and port three goes to another local port somewhere …. The way I do it as you keep adding things you will eventually meet in the middle of the switch. Just makes it easier for me.
Secondly, your Fios wireless router is really a NAT router / Access point. So anytime you connect one of your PfSense lan ports to the wan of the Fios router and then have devices connected to the lan side of that router via wire or wireless then you are natting. Your PfSense box is natting too because you are giving a public ip on pfsense's WAN interface but then you have private IPs on the LAN side. So anything connected to that Fios router will be doubled natted. First by your PfSense box and then by your Fios router. By moving the wire from the wan port on your Fios router to a lan port there is no natting at that point. The packets will be switched. Remember before you do this you will have to make sure the Fios router is in the same IP range and the lan port it is connected to on the PfSense box. At that point you will not need to setup any port forwarding to access the Fios Gui and everyone will be able to surf. You can restrict traffic to the Fios router from PfSense at that point. By the way when you move the wire from the wan port to the lan port you are essentially not using the Fios router as a router you are making it a access point. The MocA bridge should still work and if you wanted to connect other devices to that MoCa bridge you will need to buy more Moca Bridge devices. Remember though MoCa bridges act like a hub. I prefer to just run a cat5e or cat6 cable you will get much faster speeds.
Thirdly you asked should you use a switch? I would because router/Firewall ports are expensive. Not in terms of cost but in the fact that you only get a few and you don't want to waste them like the way you are doing (I assuming you are using a PC that is why you have some many). Some will argue that when you add vlan tags to a interface it will lower the payload size of the packet which in turn will lower the your bandwidth but in real life you will not notice any speed differences. Also it's just good practice to come off your firewall with a switch and have everything connected to that switch imho.
Lastly, the reason I would use Https to access any gui is just because the traffic is encrypted. It can be a pain because the certificate is self signed so you will get a warning message every time you access your device but it help with anyone trying to intercept that traffic.
I hope this helps, if it is still a little unclear let me know and I can make a diagram. I may make a YouTube video because I think it is a good little topic that I think a lot of people may get something from. Good luck to you and let us know how you make out.
-
Did you enable remote admin on the g1100? Most routers be it soho or not are not going to enable remote admin out of the box on any port.. 443 or https yes is a typical default on the WAN or internet side of the router. If you want to use it in a double nat way. Which I would not recommend then you would need to enable remote admin on that device to hit its gui from its wan side.
You could then port forward to stuff you want to access behind it.
It much simpler to just use it as just an AP. This can be done with any soho wifi router/gateway. Just connect it to your network via one of its lan ports, turn off its dhcp server. And then for ease of management of your wifi. Give its lan an IP on your network your plugging it into. A problem with many soho wifi routers is they do not allow to set a gateway on the lan interface. So this makes management from a different network a problem.
This can be solved a couple different ways. You can source nat on pfsense so the AP thinks connections to its IP are on the same network its plugged into (pfsense IP on this network). Other option is to put 3rd party firmware on it that allow to set a gateway on the lan. This is normally not possible if the device is actually a gateway device (modem/router combo).
3rd option is to just plug it in as AP on your normal lan network… Problem is unless it supports vlans it now makes it not possible to easy firewall your wifi networks from your lan network.
All of this becomes moot if just buy a real AP that supports vlans.. Vs attempting to leverage some isp gateway device as your AP. Or use it as some downstream natting router.
-
Thank you MikeIsFly!!!
Thank you JohnPoz!!!
The two of you have been a great help! :D :D :D
Please look at the new Paint diagram I created, as it reflects what I will try to attempt. This diagram is also more complete compared to the original that I posted.
Most of all my 1G system is now shown; Just the 10G stuff is now missing for the NAS, ETC…I am going to configure the FIOS G1100 as an AP, just as both of you suggested.
I will remove the PFSense interface cable (FIOS 192.168.2.1) from the WAN port (192.168.2.100) on the FIOS G1100 and move it to the LAN port (192.168.2.100).
I will set the FIOS G1100 IP range to match my PFSense FIOS interface (192.168.2.2 - 192.168.2.254).
What IP address do I assign to access the FIOS GUI in this configuration.
When I used the WAN port on the FIOS G1100, I had a LAN IP of 192.168.20.1 for the GUI. This will no longer be the case with the new IP range!On another note; can you guys recommend a high port count switch that handles 10G as well as 1G. I do not want to buy two large switches.
With all the physical ports that I have on my hardware; is there any benefit to purchasing a switch that supports VLANs?
Is a simple managed switch enough to work for me?
Do you guys have a managed switch with a preferred GUI?Thanks again! ;D
-
The Way that you have your diagram the FiOS GUI IP will be 192.168.2.100. Just as Johnpoz said disable the DHCP on the FiOS router and let PfSense assign IPs on that LAN segment. As far as switches I use a brocade FastIron 648p which has 48 gigabit ports which are also PoE. The first four ports are dual personality which means they are either fiber or copper. There is a optional 10Gb module that you will have to buy in addition to the switch if you want to have a 10gb link. I interface the switch through the command line but it does have a GUI if that is what you prefer.
-
MikeIsFly! Okay! I believe I have got it! Thank you!
I forgot about the FIOS G1100 performing DHCP services… I will turn that off.
I will look into the network switch you mentioned. DAMN!!! That is a MF swith!!! OMG!
What can be viewed with a serial console on that switch? Just the CLI or GUI? Can one see their PFSense CLI or GUI from it too?What type of shell/ terminal does this switch use for a command line interface?
I have experience with BASH and with Windows CMD, but not much else... Even with PFSense/ FreeBSD there has been little to no use case for SH.
So I have never learned SH... I'm told BASH is similar enough and/ or a better substitution/ replacement.Hopefully I can get by, as I do not prefer a GUI. I am becoming accustomed to using a GUI thanks to PFSence...
Years ago I had to start learning to use a mouse... I use one all the time now, however it is not my preference.Excluding some Wireless APs, RASPBERRY-PIs, and a ROKU; I don't know what else I could power with POE... What are you powering with POE?
-
Your not going to buy such a switch new - not for home use.. That is going to be an ebay special..
If your looking for a smart switch to do vlans.. There are multiple options out there that support cli and or gui, etc. I have new sg300-28 and sg300-10 on my network. And a bunch of cheaper ones to play with netgear, tp-link, d-link.. these are cheap 8 port gig smart switches.. Very limited in feature set - but very affordable for the home budget in the less than $50 market.. More like $30, etc.. I would for sure stay away from the tp-link 105e or 108e models.. They leave vlan 1 on every port, no way to remove it..
POE for sure could be an option.. If your running 4 unifi AP, what model? Their different models support different modes of POE… like the lite and LR models use passive 24 volts.. So you have to be careful on what POE switch you get. Even some of their switches don't support it, etc.
As to POE, I only have 3 AP currently.. Just use the injectors - but somewhere down the road is camera's that will be most likely from unifi.. So I can see getting a smaller port density poe switch to handle those.
BTW where you running your controller for your AP? On that same 192.168.3 or you doing L3 adoption?
-
Yeah…...
A switch of that caliber is not in my budget, nor do I own anywhere near enough devices to require that level of switch.
It's DAMN NICE though!!!
I am using Unifi AC Pro APs... I used the Unifi mobile application from my cell phone (L3 adoption).
I don't remember exactly, however I believe I originally configured the APs via SSH (Putty) from a PC on my LAN interface.
I may have had the Unifi controller/ discovery software on that same PC also (Layer 2 while the APs were plugged into the 192.168.1.1 interface) ...As far as I know; PFSense does not have the resources to run a controller or other variant software for APs... Do you know if any new features came with FreeBSD 11 in this regard?
-
Your not going to buy such a switch new - not for home use.. That is going to be an ebay special..
True, Brocade sold off all their businesses in parts so you couldn't buy the switch new anyway unless there is still product in the channel. Still iyd a outstanding switch which I got for about $125 on ebay. From what I can see, it may be some what of overkill for your needs but if you can I would snatch one up on ebay before they are all gone just in case you wanted one in the future. I bought 6 of them so I would have back ups if mine died. I haven't had one go bad on me yet and I have had mine for 3-4 years now. Before that I was using HP procurves which are outstanding as well. Brocade just had better features. To Johnpoz's point some of the consumer switches would probably fit your needs better.
To answer your question about the CLI, brocade has their own OS which is very similar to Cisco IOS and they support CDP and FDP which makes VoIP fairly easy if you use cisco phones. If you wanted to, I guess you could telnet from the switch to PfSense but I don't really do that I would just open another telnet/ssh window. I mostly use the GUI interface of PfSense. Works very well. Could get your self in trouble messing with the CLI. I will wait for them to come out with a CLI abstraction layer to start playing with the command line. FreeBSD should really be hidden from the user for security reasons IMHO.
I have Ubiquity AP the AC-pro access point and love them. I run the controller software on a Windows 10 VM on Windows Server 2012 R2. I highly recommend them.
-
Yeah I run the controller on VM running on esxi, but I just use ubuntu vm.. Way less resource hungry and easier to manage, etc.
You could always get their little cloud key as they call it, or run it on a pi, etc. Running the controller is what makes the APs from unifi even better..
-
Thank you Guys! I do not think you could have made it easier!!
The FIOS G1100 is operating like a simple switch using the IP range that I set for the PFSense FIOS interface (with the addition of WIFI).
I finally have access to the FIOS GUI!!!
The last thing that I need to be able to do is SSH (Putty on Windows) from my main PC (192.168.1.101) into the FIOS G1100 (192.168.2.100).
So far I have had no LUCK! I have tried as follows:In the FIOS GUI; I have enabled SSH (on the normal port #22)
I have set the FIOS GUI fire-wall security to allow said traffic
I have set the FIOS GUI local administration to allow said traffic
I have set the FIOS GUI rules to allow port #22 to be forwarded from IP 192.168.2.100 (FIOS LAN port wired to PFSense FIOS interface port)I even temporarily tried setting the FIOS GUI remote administration to allow said traffic… I must be missing something in this crappy FeatureLESS FIOS GUI!
The attached photo is of my PFSense Networking-Server and my FreeNAS Storage-Server. I'm looking for a switch similar in size (a width of aprox. 17").
O! F%#@ ME! I forgot to mention... I need at least two ports of either SFP+ or RJ45 for 10G networking.Please get me to a command line via SSH! PLEASE!!!
-
I seriously doubt that Verizon will give you ssh access to the router. I have FiOS as well and I have the same model router you have. I tried to access it but it was a no go. Why do you need SSH access when you should be able to do everything from the GUI.
-
Okay, That makes sense… Verizon blocks SSH access.
I don't NEED to be able to SSH into the G1100. I just prefer to, over using the GUI.
Thank you for answering my question. :D
-
No problem. I work for a very large ISP not Verizon, and the only way to get SSH access is from our corporate network. If I find a way I will post back here but I doubt it. I know on our modems getting access to ssh opens a lot more options than is present in the GUI. In addition our password changes everyday to log into said modem so even if you could get access to the command-line, cracking the password would be really tough. Not sure if Verizon is doing the same thing.
No problem in answering your question, I like helping plus seeing how you did your setup, it gave me ideas on how I may reconfigure my setup in the future. I like to read through the forums to see others problems and solutions to add to my own knowledge. Good luck to you in the future.
-
Thank you! :D
Your help will always be appreciated here, at least by me anyway!
I'm happy to share anytime! I'm one of the odd-balls that is doing everything with actual hardware and NO Virtualization…
I hear ya; learning new information all the time! However this is all new to me and this community has been absolutely crucial!
I'm the type of person that simply loves to learn something new anytime or even all the time! :D
Good luck to you as well in your endeavors!
