adding link to my shop

netblues

What is the distannce between shop and house?

johnpoz

With the nano beams your talking KM range so not sure that would be an issue ;) Line of site could be a problem.

BTW - example setup

netblues

I completely missed the nanobeams part...
Yes, line of sight is the issue.
If you have fiber then it would be faster to access the internet over the nano and fiber connection
And then use the t1 as a backup...
So another pfsense at the shop, and gateway groups, for automatic failover.

It depends what you really want to do

johnpoz

You really don't need any sort of smart switch or router in your shop even - as long as you just want everything in the shop to be on a "shop" network..

You could prob just cancel the T1 - I mean really its kind of useless in this day an age from a speed point of view.

JKnott

@lovingHDTV said in adding link to my shop:

Currently I have a T1 line at the shop.

Ouch!!!

I remember when a T1 was considered fast, but those days are long gone. As mentioned by someone else, all you need ais a subnet and the means to connect it. I don't know how far your shop is or whether it's reachable over your own property, but there are a variety of ways. Fibre has been mentioned. If you have a couple of phone line pairs, you can use SHDSL to pass a few Mb and there's also point to point WiFi. There is some WiFi gear available that's designed just for that purpose.

lovingHDTV

The shop is about 1000 feet, and line of site is good enough. I went with the nano beams because they have great distance and are pretty cheap. There are some trees, but they are not dense enough to pose a problem.

The picture John posted is fairly accurate. For the interim I still want to have the T1 as a failover at the router in the shop. When everything is running nicely it will go away, saving me about $400 per month :)

Today at the shop my LAN and VLAN are the same setup as my house. That is what is confusing me, is there a way to setup this link to the shop and not have to redo everything in the shop?

For example. My house and shop are setup as LAN is 192.168.1.0, VLANs are 192.168.10.0 (IOT) and 192.168.20.0 (Guest). I'd like to not have to reconfigure my shop to something different, just provide a different internet feed.

Is this possible with the picture above?

thanks,
david

JKnott

@lovingHDTV said in adding link to my shop:

about $400 per month :)

For that kind of money, you can get fibre, running @ 1 GB and have lots of change left over. Where I live, 1 Gb over fibre is $114/month from my ISP.

lovingHDTV

OK I finally go the link between the two nano beams.

I run them through the ig2 interface on the router. I can ping the dishes from both sides, I can dhcp an IP from the router, from the router in the shop. so that part is working.

However I cannot ping anything outside the local network from the shop. I looked at my shop_link interface and the IPV4 gateway is set to none. I went to add a gateway, but my router gateway didn't show up.

It seems that I may need to add a gateway for the shop_link interface?

thanks,
david

kiokoman

no IPv4 Upstream gateway must be none
you have to check firewall rules for that interface
out of the box only LAN is open and can go everywhere if you have a new interface like OPT you need to set the firewall rules yourself first
you can ping your own vlan network because the traffic is not passing through pfsense yet

lovingHDTV

I can ping from my lan to the shop_link. I can ping all the nano beam dishes and the router in the shop, all 10.10.1.0/24 ip addresses.

In the shop I can ping the nano beam dishes, but I cannot ping anything else.

The only firewall rules for the shop_link are:

For my gateway interface I just see the port forwarding rules to get to my LAN services. There is nothing there for the shop_link.

Do I add rules to the shop_link interface or the gateway inteface?

thanks
david

johnpoz

Well your shop firewall rules block everything.. So why would you think you could ping anything?

Why would you be blocking bogon? And blocking rfc1918 is going to prevent you from going to any of your other networks for sure.

kiokoman

the last 2 rules are disabled from what i can see
maybe start with a rule that permit any to any and see if it work
you can adjust it later eventually

lovingHDTV

@johnpoz
These settings are just the defaults it gets created with. I didn't change any of them.

I don't understand what the RFC 1918 or bogon networks are so I didn't change them.

At my shop I don't need access to my LAN, just to get to the internet.

david

johnpoz

Pfsense sure and the hell does not create rfc1918 or bogon block on a new lan interface.. Only if you made pfsense think this was a wan interface would it do that.. Which this is not to be honest.. it would be just a transit network to your other router.. Which you don't have or even need..

I even gave a drawing of how you would set this up..

lovingHDTV

@johnpoz
Interesting. i just added the new interface, named it, put in the static IP (10.10.1.1), setup a dhcp server for it.

the block bogon and RFC1918 boxes come pre-checked, so I left them that way.

david

kiokoman

well anyway remove this from the interface

lovingHDTV

Yes, I did that. I can now ping 10.10.1.1

I'll move it over to a VLAN instead of a different subnet. I have VLANs working so maybe the routing is different.

I chose a new subnet because I wanted to use a different interface port. Maybe I can do that with a VLAN?

david

lovingHDTV

I did figure out how to add the dedicated interface to a VLAN, created the VLAN and I can now get to the internet when plugged into the router at the house. Not to get it working on the other end of the nano beams. Need to reconfigure their IP addresses to the VLAN address space.

Not sure why I can't get it working as a 10.10.1.1 subnet, but I do get something now.

thanks,
david

johnpoz

There is no difference to pfsense of vlan or native just naked on an interface, vs just tagging and not tagging the traffic leaving.. Or looking for that vlan tag on traffic entering the physical interface the vlan is on.

All routing would be the same.. Its just another interface, tagged or not tagged is the only thing that is different..

lovingHDTV

I'm trying to figure out why I can't get access to the shop_link VLAN from my LAN. I've setup the firewall rules just like my other VLANs. I see a couple differences. The other two VLANs share the same interface on the router, while my shop vlan has its own interface.

The shop interface is also called (wan) in pfsense. I think that is because it is the first interface and they seem to be hard coded (?) as wan lan opt1 opt2 opt3 seen here: <had to remove becauase the xml in a code block got flagged as spam>

Does this matter? I have a rule on my LAN interface that should allow me access, at least it works on the other VLANs.

I tried looking in the Firewall rules, filtering on the destination IP to see if I could find the rule blocking my ping tests, but when I ping 192.168.30.116 it never shows up in the firewall log. So it sounded to me like it never got out of the LAN interface. If I ping the router 192.168.1.1 it does show up in the firewall log, but no other destination IP shows in the firewall log.

EDIT: OK I figure out the logging issue, I didn't have the allow rule set to log. When I set to log I do see that the ICMP packet is passed, but I still get 100% packet loss, so it seems the return response isn't getting back.

I can access all the antennas from the shop just fine, but would also like to access them from the house.

Ideas on how to further debug my issue?

thanks,
david

PS. I'm getting a nice steady 27Mbps up and down speed at the shop. It is wonderful!!!