Intentional Asymmetric Routing to a VLAN.
-
DOH! You are right, it is set to TCP (copy error), but none of that solved it.
I mentioned earlier that I moved the default any-to-any rule to the top of LAN and re-enabled it, and copied it to the GUEST_VLAN_90 interface also, but no joy.
Those were IPv4*. The NetGear AP (I am using it in router mode attached to one of its switch ports) works fine for internet access for the WiFi-attached devices.
I suspect that internally the NetGear AP is rejecting anything that is not on its own subnet.
Sanity check - I just repeated the IPv4* any-to-any on both LAN and GUEST_VLAN_90 interfaces from their respective interfaces. Nothing. LAN shows data go out, but nothing comes back on the GUEST_VLAN_90 interface.
Phizix
P.S. Thanks for the help. Maybe some kind of inter LAN NAT.
-
@Phizix said in Intentional Asymmetric Routing to a VLAN.:
Maybe some kind of inter LAN NAT.
If your AP is blocking access from other networks, then sure you could always source nat the traffic so your AP thinks the traffic is coming from the pfsense IP in that vlan.. This is a simple outbound nat.. Here I do this to talk to one of my devices that doesn't have a gateway.
This allows me to talk to this device from my VPN.. Because that device doesn't have a gateway to know how to talk back.
If your device has some firewall that prevents access from other vlans - the "correct" way to fix that would be to allow that traffic on the device's firewall.. Only if there is no way to do that would I suggest you source NAT, to trick the device into allowing the traffic.
-
You really think a NetGear Wireless router is sophisticated enough to have those kinds of settings? Awww, hell no! LOL!! Unfortunately not. I will try the outbound NAT.
Any matching firewall rules that need to be in place? Same as you showed previously?
Phizix
-
No I don't think that - but just answering your question ;)
-
OK, over wireless I looked at the LAN setup on the AP and it has NO gateway. Only on its WAN interface can you set up a gateway, which I am not using.
I will have to pick it back up tomorrow. I added the outbound NAT with "IPv4* any to any" rules on both interfaces, but still no joy.
I will have to pick it back up tomorrow evening after work. I will do some investigating on my own to see why it will not connect to it. But many thanks for all the advice.
If I figure this out on my own, I will post back so others can benefit from the solution.
Phizix
THANKS AGAIN!
-
Yeah, if you're using an old wifi router as AP, most native firmware does not allow for setting a gateway on the lan side... You might be able to run some 3rd party firmware (openwrt, dd-wrt, etc.); they allow it.
If not, it's a simple source NAT to allow such a setup to work.. Or you just admin from that same network or via wifi.
Other option - some native firmware allows you to set a route - even if not a default gateway - where you could set a route to your lan network that it would use.
To be honest the correct solution - which costs money ;) - is to get a real AP when you're wanting to move into more complex setups than everything being just one flat network. Vs just leveraging some soho device not meant for such setups.
Get a real AP that can do vlans, and real switches that can do vlans, etc. It can be done on the cheap, when budgets are limited.
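The source NAT workaround and the "set a route on the AP" alternative from the two posts above, written out as an added example in pf syntax (not either poster's configuration and not pfSense's generated rules). Assumed addressing, constructed for the example: LAN is 192.168.1.0/24 on `igb1`, GUEST_VLAN_90 is 192.168.90.0/24 on `igb1.90` with pfSense at 192.168.90.1, and the AP's LAN address is 192.168.90.2.

```pf
# Constructed addressing (assumption, not taken from the thread)
lan_if    = "igb1"
guest_if  = "igb1.90"
lan_net   = "192.168.1.0/24"
guest_net = "192.168.90.0/24"
ap        = "192.168.90.2"

# The fix: outbound (source) NAT on the VLAN 90 interface, scoped only to
# LAN -> AP traffic. The AP then sees every request as coming from
# 192.168.90.1, which is on its own subnet, so it can answer without a
# gateway; pf reverses the translation on the reply. In a hand-written
# pf.conf, translation rules must precede filter rules, hence the order here.
nat on $guest_if inet from $lan_net to $ap -> ($guest_if)

# Filter rules. With ONLY these (no nat line above), pfSense forwards the
# request LAN -> AP fine, but the AP's reply to a 192.168.1.x address has no
# route on a device with no LAN-side gateway and is dropped on the AP itself.
# That is the symptom in the thread: traffic leaves LAN, nothing comes back
# on GUEST_VLAN_90.
pass in quick on $lan_if   inet from $lan_net   to $guest_net keep state
pass in quick on $guest_if inet from $guest_net to any        keep state

# Alternative without NAT (only if the AP firmware allows a static route):
# on the AP, add a route for 192.168.1.0/24 via 192.168.90.1 and the nat
# rule above becomes unnecessary.
```

In the pfSense GUI the nat line corresponds to Firewall > NAT > Outbound in Hybrid mode: interface GUEST_VLAN_90, source LAN net, destination the AP's address, translation Interface Address.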
-
I was mostly using this as a learning experience. I have only been "pfSense-ing" for a couple of weeks.
The funny thing is if I connect to one of my main switch ports on the same VLAN (90) that is upstream of the AP itself, I can connect to the interface by IP.
In any case thanks again!
Phizix
-
Well yeah sure - you're on its same network, no need for gateway or route ;)
See my edit - when you start to move away from toys, it's time to move into real equipment that supports more sophisticated setups.. But there is a cost to doing that ;)
While many users love to use pfsense in their home setups, it is more than capable of being used in an enterprise - and supports enterprise sorts of setups.. But to do that - you need equipment that also supports these more advanced features.
-
I plan after all this COVID-19 period to get a better AP for this, but for now the Guests get the older equipment - ;-)
Phizix
-
There are many reasonably priced APs that can do vlans, and more features.. Along with switches - a $40 smart switch can do vlans.. So you can move into a more robust and secure and feature-rich network without having to have enterprise budgets ;)
And for sure you can piecemeal it, start small, add this, and then that, and then upgrade.. Not like you have to spend $$$ to get the ball started ;) The big piece you have already done with moving to pfsense ;) And that is FREE ;) hehehe
When I first started upgrading my network not that long ago I was running pfsense as a VM on esxi, on an old N40L microserver - now it's running on a $750 sg4860 for my home ;) hehe.. So yeah you can spend money - but it can be done cheap if need be.
-
@johnpoz said in Intentional Asymmetric Routing to a VLAN.:
There are many reasonable priced AP that can do vlans, and more features.. Along with switches
Avoid TP-Link on both. Some models don't do VLANs properly.
-
I have a 12 port 10G (each port) switch as my backbone and a 10 port (8-1G : 2-10G) switch as a remote switch in the bedroom. Both are NetGear ProSafe - they work great and are MUCH better than their consumer line. The trunk between them is LAGG {2x10G}.
My machine has a 10G Intel card and I am getting a 10G Intel card for my wife's computer and a non-Intel 10G (probably Aquantia chipset) card for the kids' computer.
The SG-5100 has a LAGG from two of the 1G ports to the backbone.
The one WAN is 400Mb/s and the other is 45Mb/s and is set to balance at 5:1.
Works really well.
Phizix
-
Dude, then you're way ahead of me ;) You just need an AP to work with such speeds then.. And vlans!
Got you beat on wifi and wan speed at least ;) And I am doing 2.5 (802.3bz) between my pc and nas at least - hehehe
I have 500 down internet ;)
-
I have an Asus RT-AC88U as my non-Guest WiFi AP - 1G link to the backbone. Next year I am going to go to an AX router in AP mode for non-Guest.
My Synology NAS is on a 2x1G LAGG. And my two older NetGear NAS boxes (for backup) are on 1G links.
Cheers!
Phizix