Netgate Discussion Forum
    Just go live pfsense. A few hickups needed help

    General pfSense Questions | 39 Posts, 5 Posters, 4.3k Views
    JKnott @johnpoz

      @johnpoz said in Just go live pfsense. A few hickups needed help:

      You turn off its dhcp server

      Why do people always say turn off the DHCP server? Multiple servers are allowed. With duplicate address detection, there's little worry about 2 devices getting the same IP and if you are worried, just give each server its own address block. Things like DNS server and gateway should be the same though. The client will use the first server to respond to the discover.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

        johnpoz LAYER 8 Global Moderator

        Why? Because pretty much every dhcp server in these crap wifi routers does not allow you to change where the gateway is... So any client that gets an IP from it will point to your now AP to get off the network, which will not work very well..

        But sure, if you want to run 2 dhcp servers, as long as you change it to hand out the correct info - then yeah, have fun..

        The other reason is most of the people asking how to do this don't even know what a gateway is, etc. Anyone that understands this stuff wouldn't be here asking such questions in the first place.

        Also, while sure the dhcp server and even the client "should" be doing duplicate IP detection before offering or accepting a lease.. It's just going to be easier to just run one... Good luck to some of these users tracking down a dupe IP issue, especially if it happens to be, say, the pfSense IP :)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          bthoven

          Before disabling my wifi router's dhcp, it had IP 192.168.2.1. My new pfsense box IP is also 192.168.2.1 in order to maintain the IP addresses of all my devices.

          Is it possible this could cause the problem of not being able to see my wifi router online?

            johnpoz LAYER 8 Global Moderator

            Well you can not have duplicate IPs and expect anything to work for either of those machines sharing the IPs ;) Or any other device on the network that needs to talk to say pfsense on 2.1, since it prob ends up sending the traffic to your AP 2.1

            If your AP was 192.168.2.1, and pfsense is also 2.1, change one of them to 2.2

              Gertjan @JKnott

              @JKnott said in Just go live pfsense. A few hickups needed help:

              Why do people always say turn off the DHCP server? Multiple servers are allowed

              Sure.
              Instead of shutting one down, you should manage the two or more so they give the same (DNS, gateway, etc) info. Also, pool sizes should be identical. Or, wait, no : make a mix up and see what happens ....

              Btw : admins are lazy : admin one thing, or admin 2 things ? Who wins ?

              Also : it's easier to write "shut it off" than "set them all up correctly". The first contains fewer words.

              And : .... I have 5 AP's running with pretty identical settings for my captive portal. I have to run all over these devices to check if my pool is about to be depleted ?
              Just imagine : only one slot is left. Some DHCP server wins, but the IP he chooses is already used. He chooses another one ... used also. etc etc etc. The whole pool has to be actively analysed. I guess this will need some network traffic - or a single server just checks his list and knows that this is the last IP.

              Last but not least :
              Advertise : "run multiple DHCP servers on a LAN segment and the DHCP and DNS forum will get a whole boatload of "new issues" ^^

              Final : I 'trust' the DHCP server pfSense is using. Without any judgements coming from me, I do probably trust less the DHCP server on "some AP".

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

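A check for the setup JKnott and Gertjan argue about (several DHCP servers on one segment must hand out the same gateway and DNS and must not share a pool), as an added example rather than code from the thread or from pfSense; the server values are constructed and the AP's "as shipped" settings mirror what johnpoz describes, a consumer router advertising itself as gateway:

```python
# Added example (not from the thread or pfSense): check that DHCP servers
# sharing one LAN hand out the same options and use disjoint pools.
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass(frozen=True)
class DhcpServer:
    name: str
    pool_start: str
    pool_end: str
    gateway: str        # option 3 (router)
    dns: tuple          # option 6 (DNS servers)

def _pool(s):
    return int(IPv4Address(s.pool_start)), int(IPv4Address(s.pool_end))

def find_problems(servers):
    """Return (kind, detail) tuples; an empty list means the servers agree."""
    problems = []
    ref = servers[0]
    for s in servers:
        lo, hi = _pool(s)
        # The gateway address itself must never sit inside a lease pool.
        if lo <= int(IPv4Address(s.gateway)) <= hi:
            problems.append(("gateway-inside-pool", s.name))
        if s is ref:
            continue
        # Clients keep whichever OFFER arrives first, so differing options
        # make a client's gateway or DNS depend on a race.
        if s.gateway != ref.gateway:
            problems.append(("gateway-mismatch", f"{ref.name}={ref.gateway} {s.name}={s.gateway}"))
        if set(s.dns) != set(ref.dns):
            problems.append(("dns-mismatch", f"{ref.name}={ref.dns} {s.name}={s.dns}"))
    # Overlapping pools are the duplicate-address risk argued about above.
    for i, a in enumerate(servers):
        for b in servers[i + 1:]:
            a0, a1 = _pool(a)
            b0, b1 = _pool(b)
            if a0 <= b1 and b0 <= a1:
                shared = f"{IPv4Address(max(a0, b0))}-{IPv4Address(min(a1, b1))}"
                problems.append(("pool-overlap", f"{a.name}/{b.name} {shared}"))
    return problems

# Constructed scenario: pfSense next to a consumer router whose DHCP server
# still advertises itself as gateway and DNS and reuses the same pool.
PFSENSE = DhcpServer("pfsense", "192.168.2.100", "192.168.2.199", "192.168.2.1", ("192.168.2.1",))
AP_AS_SHIPPED = DhcpServer("ap", "192.168.2.100", "192.168.2.199", "192.168.2.254", ("192.168.2.254",))
AP_FIXED = DhcpServer("ap", "192.168.2.200", "192.168.2.249", "192.168.2.1", ("192.168.2.1",))

if __name__ == "__main__":
    for kind, detail in find_problems([PFSENSE, AP_AS_SHIPPED]):
        print(kind, detail)
    print("fixed:", find_problems([PFSENSE, AP_FIXED]))
```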
                Gertjan @johnpoz

                @johnpoz said in Just go live pfsense. A few hickups needed help:

                change one of them to 2.2

                Change the IP of the AP, and set the gateway and DNS on that AP to "192.168.2.1".
                You'll be fine.

                  johnpoz LAYER 8 Global Moderator

                  Why are you telling them to do that @Gertjan - they could change pfsense to 2.2 if they wanted to.. There is nothing saying that pfsense should be .1

                  Why would you tell them to do that ;) hehehehe

                    bthoven

                    Thanks again for all your replies. It seems the problem of accessing Archer C9 admin page after disabling dhcp is a common one as seen in this thread:
                    https://awesometoast.com/archer-c9/
                    Still not sure how to solve it; though both wired and wireless connections to Archer C9 work fine.

                      johnpoz LAYER 8 Global Moderator

                      Not sure where you got that from - it's one guy that said that... You know what happened, the client he connected with didn't get an IP address because he had NO dhcp server running ;)

                      I have been doing this since there were wifi routers, back in the B wifi days... Disabling the dhcp server is not going to stop you from talking to the IP address you set on the thing ;)

                      But yeah, you're going to have to have an IP on your client with the correct IP and mask to talk to the IP you set on the thing ;)

                        bthoven

                        Okay, thanks. I will have to detach it from pfsense box, reset it, assign fixed ip 192.168.2.2 (or .254), disable dhcp, change wifi ssid/password... and plug it back. May have to wait till my family are all sleeping to do that :)

                          johnpoz LAYER 8 Global Moderator

                          Only if you're having issues talking to it because of the dupe IP.. If you can log into it currently, no reason to disconnect it

                          Why do you think you need to change the ssid, and reset??

                            bthoven @johnpoz

                            @johnpoz said in Just go live pfsense. A few hickups needed help:

                            Only if you're having issues talking to it because of the dupe IP.. If you can log into it currently, no reason to disconnect it

                            Now I can't talk to it. It doesn't even show in the dhcp lease list.

                            Why do you think you need to change the ssid, and reset??

                            No, I don't want to change the ssid; as now I can't talk to the wifi router, I may have to reset it to factory default before doing the setup again with same ssid, but with different fixed LAN IP, and dhcp disabled.

                            Sorry for any confusion I may have made.

                              johnpoz LAYER 8 Global Moderator

                              Why would it show up in the dhcp leases? Ever? The LAN IP of all wifi routers is set as static.. kind of hard to run a dhcp server when you're also a dhcp client..

                              No, you wouldn't have to reset it.. You might need to disconnect it from your network and connect to its switch or wifi to see its mac.. Or you could always just manipulate your client's arp table - delete the mac of the pfsense for .1 currently and let it re-arp and see if you get the mac of the AP.. Or you could always set a temp static arp with the AP mac for whatever IP you wanted to use to get to it..

                              But sure, if temp removal from the network and resetting is what you want to do - then sure that will work as well :) just not really required any down time to change its IP.

                                stephenw10 Netgate Administrator

                                If it was using the same IP as pfSense I would expect to see that reported in the system logs when it responds to ARP requests at the same time pfSense does.

                                Steve

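The ARP conflict Steve expects to see in the system logs can be pulled out in bulk; this is an added example, not code from the thread or from pfSense, and it assumes the FreeBSD kernel's ARP message wording ("is using my IP address", "moved from ... to ...") with constructed sample lines and made-up MAC and interface values:

```python
# Added example (not from the thread or pfSense): flag duplicate-IP symptoms
# in pfSense system log lines. The FreeBSD kernel logs "is using my IP
# address" when another MAC answers ARP for an address the box owns, and
# "moved from ... to ..." when the MAC behind an IP changes. Sample lines
# below are constructed in that format; interface and MAC values are made up.
import re
from collections import defaultdict

USING_MY_IP = re.compile(
    r"arp: (?P<mac>[0-9a-f:]{17}) is using my IP address (?P<ip>[\d.]+) on (?P<ifn>\S+)!")
MOVED = re.compile(
    r"arp: (?P<ip>[\d.]+) moved from (?P<old>[0-9a-f:]{17}) to (?P<new>[0-9a-f:]{17}) on \S+")

def analyse(lines):
    """Return {'conflicts': {ip: [macs]}, 'flapping': {ip: move_count}}."""
    conflicts = defaultdict(set)   # our IP -> foreign MACs claiming it
    moves = defaultdict(int)       # IP -> how often its MAC changed
    for line in lines:
        m = USING_MY_IP.search(line)
        if m:
            conflicts[m["ip"]].add(m["mac"])
            continue
        m = MOVED.search(line)
        if m and m["old"] != m["new"]:
            moves[m["ip"]] += 1
    # One move can be a legitimate hardware swap; repeated moves point at
    # two hosts fighting over one address.
    return {
        "conflicts": {ip: sorted(macs) for ip, macs in conflicts.items()},
        "flapping": {ip: n for ip, n in moves.items() if n >= 2},
    }

# Constructed sample log: pfSense on igb1 sharing .1 with another box, one
# address flapping between two MACs, one ordinary move, one unrelated line.
SAMPLE_LOG = """\
Jan  5 20:14:02 pfSense kernel: arp: 50:c7:bf:aa:bb:cc is using my IP address 192.168.2.1 on igb1!
Jan  5 20:14:33 pfSense kernel: arp: 50:c7:bf:aa:bb:cc is using my IP address 192.168.2.1 on igb1!
Jan  5 20:15:10 pfSense kernel: arp: 192.168.2.50 moved from 3c:22:fb:11:22:33 to 3c:22:fb:44:55:66 on igb1
Jan  5 20:15:11 pfSense kernel: arp: 192.168.2.50 moved from 3c:22:fb:44:55:66 to 3c:22:fb:11:22:33 on igb1
Jan  5 20:15:40 pfSense kernel: arp: 192.168.2.77 moved from 3c:22:fb:00:00:01 to 3c:22:fb:00:00:02 on igb1
Jan  5 20:16:00 pfSense dhcpd: DHCPACK on 192.168.2.120 to 3c:22:fb:77:88:99 via igb1
""".splitlines()

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```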
                                  bthoven

                                  Thank you for all your support.
                                  I disconnected my wifi router and reset it. Disabled dhcp, then reconnected. Everything works fine. I set its LAN IP as 192.168.2.254, with DNS server 192.168.2.1, my pfSense router IP; also reserved the .254 IP in pfSense dhcp; and the status in the pfSense Status->DHCP leases page is online. What is strange is that when I connected my laptop at home, I could access my wifi access point web config; but it can't be accessed via OpenVPN on the public internet. On OpenVPN, I can access other local devices by local IPs without problem, except the access point (TP-Link Archer C9 wifi router with disabled dhcp).
                                  Any additional setting I need to make? Thanks

                                    johnpoz LAYER 8 Global Moderator

                                    Do you have a gateway (192.168.2.1 pfsense) set on the wifi router? If not, no, you wouldn't be able to access its gui remotely, i.e. from your vpn tunnel network.. You would have to create a port forward so you could source nat the traffic so the wifi router thinks you're coming from the pfsense 2.1 address.

                                      bthoven @johnpoz

                                      @johnpoz thanks. Yes, the gateway was set to the pfSense IP (192.168.2.1).
                                      Also set port forwarding on pfSense, still can't access from public internet (neither with/without openvpn connection).

                                        Gertjan @bthoven

                                        @bthoven said in Just go live pfsense. A few hickups needed help:

                                        Also set port forwarding on pfSense, ....

                                        No need to.
                                        I can access my AP's (192.168.2 - 192.168.2.3 - 192.168.2.4 ....... 192.168.2.7) just fine from a device (PC) on my LAN (192.168.1.17 - pfSense is 192.168.1.1/.24).
                                        Never tried to connect to them - their WebGUI - using OpenVPN, from the outside, but I guess it works just fine.

                                        What are your firewall rules on the OpenVPN interface ?
                                        Rules on the OPT1 interface ? (these shouldn't matter normally).

                                        edit :
                                        Connected my Phone using OpenVPN to pfSense (from the outside) and visited an AP 1292.168.2.2 : works just fine.

                                        (screenshot: IMG_4387.PNG)

                                          johnpoz LAYER 8 Global Moderator

                                          Let's see these settings on your AP for this gateway. You're running 3rd party firmware on it? I do not recall ever seeing native firmware that allows for setting a gateway on the lan interface.

                                          What port forwarding did you set? It is done differently for a source nat.. And would ONLY be required if your AP didn't support a gateway. And it's not really a port forward, it would be an outbound nat on your inside interface.

                                          Please post a screenshot of your AP lan interface settings. And delete any port forwarding you might have set up to access your AP..

                                          Also let's see your lan rules - you're not sending stuff out some gateway on the rules, are you? They are the default any any rule? You're not going to want to open up your AP gui from the public internet!!!

                                            stephenw10 Netgate Administrator

                                            No default route would be my guess too. Or maybe some local firewall restriction.

                                            You could probably workaround both with an outbound NAT rule on the pfSense LAN but it would be better to fix the AP.

                                            Steve

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.