Netgate Discussion Forum

    pfSense, dd-wrt AP, how to access iot subnet from main subnet?

    Category: Wireless. 16 Posts, 2 Posters, 2.2k Views
    stephenw10 (Netgate Administrator):

      So to be clear the DD-WRT device is running as a router at this point?

      It has a WAN IP in the pfSense LAN subnet and the 192.168.4.x and .5.x exist only behind it?

      Steve

    bthoven, replying to stephenw10:

        @stephenw10 said in pfSense, dd-wrt AP, how to access iot subnet from main subnet?:

        So to be clear the DD-WRT device is running as a router at this point? (Yes, for .4.x and .5.x only. The main LAN .2.x is still managed (DHCP, DNS...) by pfSense.)

        It has a WAN IP in the pfSense LAN subnet and the 192.168.4.x and .5.x exist only behind it? (Yes)

        Steve

        stephenw10 (Netgate Administrator):

          Ok, that's going to be ugly however you do it because of asymmetric routing.
          https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html#common-scenario

          Can you move the dd-wrt device onto a different subnet/interface?

          VLANs really would be waaaay better here.

          Steve

          bthoven, replying to stephenw10:

            @stephenw10 said in pfSense, dd-wrt AP, how to access iot subnet from main subnet?:

            Ok, that's going to be ugly however you do it because of asymmetric routing.
            https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html#common-scenario

            Can you move the dd-wrt device onto a different subnet/interface?

            VLANs really would be waaaay better here.

            Steve

            Hi Steve,
            Actually, that was what I originally intended to do, i.e. VLAN, DHCP, DNS all managed by pfSense; but I can't connect my end devices to the virtual access points that are associated with the VLANs. I did this exercise with two other smaller APs running dd-wrt and openwrt, and it worked fine; but not with my Archer C9v1 dd-wrt. That's why I resorted to this less ideal solution, which is fine for me, except for the ability to access them from my main LAN.

            stephenw10 (Netgate Administrator):

              Ok but can you move the dd-wrt device, with the two subnets behind it, onto a different pfSense interface?

              Doing that will eliminate asymmetric routing issues which will otherwise be a headache.

              Steve

              bthoven, replying to stephenw10:

                @stephenw10 Can I do that without VLAN setting on the dd-wrt side?

                stephenw10 (Netgate Administrator):

                  Yes, if you have a spare NIC in your pfSense box.

                  bthoven:

                    Thanks I have 2 spare NICs, but I tried to avoid having two APs, if possible. Thank you.

                    stephenw10 (Netgate Administrator):

                      Ok but if you have the dd-wrt device connected on a different NIC to the LAN, you will avoid asymmetric routing between LAN and either of the two subnets behind it. I suggest you do that and set up static routes in pfSense to point to dd-wrt in the new subnet.
                      If you can disable outbound NAT in dd-wrt and have pfSense do that instead it will give you better visibility on the traffic.

                      Steve

                      bthoven:
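The following is an added example, not code from the thread or from Netgate: a toy model of the two topologies discussed above (DD-WRT's WAN on the pfSense LAN versus DD-WRT on its own pfSense interface), showing why pfSense's stateful firewall drops the LAN host's ACK in the first case and passes the whole handshake in the second. The host names, addresses and the 192.168.3.0/24 transit subnet are assumptions for illustration; the model also assumes outbound NAT is disabled on DD-WRT and that pfSense carries a static route for 192.168.4.0/24 via DD-WRT, as Steve suggests.

```python
# Added example (not from the thread): why a stateful firewall breaks LAN -> IoT
# connections under asymmetric routing, and why a separate pfSense interface fixes it.
# Addresses, node names and the 192.168.3.0/24 transit subnet are assumptions.
import ipaddress
from dataclasses import dataclass

DROP = "DROP"  # sentinel returned by a stateful node that refuses a packet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "S" (SYN), "SA" (SYN-ACK) or "A" (ACK)


class Node:
    """A host or router with a tiny routing table and, optionally, a pf-style state table."""

    def __init__(self, name, routes, stateful=False):
        self.name = name
        self.routes = routes   # list of (network, next_hop_name); next hop None = directly attached
        self.stateful = stateful
        self.states = {}       # (src, dst) -> "SYN_SENT" | "SYN_RCVD" | "ESTABLISHED"
        self.log = []          # blocked packets, in the spirit of pfSense "TCP:A" log entries

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        for net, via in self.routes:  # first match wins; specific routes are listed before default
            if addr in ipaddress.ip_network(net):
                return via
        raise LookupError(f"{self.name}: no route to {dst}")

    def inspect(self, pkt):
        """Minimal TCP tracking: only a fresh SYN or a packet matching an existing state passes."""
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "S" and fwd not in self.states:
            self.states[fwd] = "SYN_SENT"
            return True
        if pkt.flags == "SA" and self.states.get(rev) == "SYN_SENT":
            self.states[rev] = "SYN_RCVD"
            return True
        if pkt.flags == "A" and self.states.get(fwd) == "SYN_RCVD":
            self.states[fwd] = "ESTABLISHED"
            return True
        if "ESTABLISHED" in (self.states.get(fwd), self.states.get(rev)):
            return True
        self.log.append(f"block TCP:{pkt.flags} {pkt.src} -> {pkt.dst} (no matching state)")
        return False

    def forward(self, pkt):
        if self.stateful and not self.inspect(pkt):
            return DROP
        return self.next_hop(pkt.dst)


def deliver(nodes, start, pkt):
    """Walk one packet hop by hop; return the node names it traversed, or None if dropped."""
    path, node = [start], nodes[start]
    while True:
        via = node.forward(pkt)
        if via == DROP:
            return None
        if via is None:  # destination network directly attached: delivered
            return path
        path.append(via)
        node = nodes[via]


def build(flat):
    """flat=True: DD-WRT WAN on the pfSense LAN (192.168.2.0/24).
    flat=False: DD-WRT WAN on its own pfSense interface (192.168.3.0/24, assumed)."""
    transit = "192.168.2.0/24" if flat else "192.168.3.0/24"
    pf_routes = [("192.168.2.0/24", None), ("192.168.4.0/24", "ddwrt")]  # static route to DD-WRT
    if not flat:
        pf_routes.insert(1, ("192.168.3.0/24", None))
    return {
        "lanhost": Node("lanhost", [("192.168.2.0/24", None), ("0.0.0.0/0", "pfsense")]),
        "iot": Node("iot", [("192.168.4.0/24", None), ("0.0.0.0/0", "ddwrt")]),
        "pfsense": Node("pfsense", pf_routes, stateful=True),
        # DD-WRT with NAT off: its WAN-side network is directly attached, so replies to
        # hosts on that network never pass back through pfSense.
        "ddwrt": Node("ddwrt", [("192.168.4.0/24", None), (transit, None), ("0.0.0.0/0", "pfsense")]),
    }


def handshake(flat, client="192.168.2.10", server="192.168.4.20"):
    """Run a LAN host -> IoT device three-way handshake; return each packet's path and the pfSense node."""
    nodes = build(flat)
    steps = [("S", "lanhost", client, server), ("SA", "iot", server, client), ("A", "lanhost", client, server)]
    paths = {flags: deliver(nodes, start, Packet(src, dst, flags)) for flags, start, src, dst in steps}
    return paths, nodes["pfsense"]


if __name__ == "__main__":
    for flat in (True, False):
        paths, pf = handshake(flat)
        print("DD-WRT on LAN:" if flat else "DD-WRT on own interface:", paths, pf.log)
```

In the flat topology the SYN-ACK goes straight from DD-WRT to the LAN host, so pfSense's state is stuck at SYN_SENT and the host's ACK (which does go through pfSense, its default gateway) is logged and dropped; with DD-WRT behind its own interface every packet crosses pfSense and the state reaches ESTABLISHED. Real pfSense additionally sends ICMP redirects in the flat case, which the toy leaves out.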

                        Steve...thanks a lot for all your suggestions.

                          bthoven:

                          Just to update that now my dd-wrt access point can have virtual AP, for iot devices, associated with VLAN and obtain dhcp/dns from pfSense. The main LAN network (wired and wireless) can access my iot devices; but not vice versa, as I required.

                          The solution is to run a patched wlconf and startup script on dd-wrt, as described in the dd-wrt forum:
                          https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=317181&postdays=0&postorder=asc&start=0

                            stephenw10 (Netgate Administrator):

                            Nice.
                            Worrying having to apply a patched command though. Might break if you ever update dd-wrt.
                            Have you tried OpenWRT on that hardware?

                            Steve

                              bthoven, replying to stephenw10:

                              @stephenw10 OpenWrt has inadequate support for the Broadcom chip: partial support for 2.4 GHz wifi and no support for the 5 GHz band at all, etc....

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.