Possible to put a wifi router behind pfSense? (Double NAT)



  • I am pretty new to networking and understand the basics - not a whole lot.
    Currently I have two Asus 68u (TMob Cell spot) routers in a cascading arrangement. One router connects to my ISP directly (no modem - FIOS via ethernet), and the other router is connected to AirVPN. Both routers are in DHCP mode (Router 1: 192.168.29.1 / Router 2: 192.168.30.1). Router 2 is behind Router 1 (LAN to WAN). All I want is to put a pfSense firewall in front and then have 2 networks (regular ISP and VPN). I spent a few frustrating hours trying to set up the pfSense box (has 4 NICs, no wifi) but didn't get anywhere.

    If I connect the computer directly to the pfSense LAN I am able to get the internet, but the routers are not able to do so. pfSense is configured with standard rules - can someone give me some advice?

    If possible I would like to try all further setup experiments behind Router 1 so as not to lose internet connectivity, until I have this figured out - that is, if this scenario is even possible...

    Thanks to anyone who can help.

    PS: I researched the topic of configuring OPT1 on pfSense for OpenVPN to AirVPN, but it appears to be much too complicated, so I would like to replicate my current setup behind pfSense if possible. Setting up the VPN router in AP mode is not an option because that turns off the router's VPN capability.



  • No one?  :(

    So it's not possible to put a DHCP wifi router behind a pfSense box without putting it in AP mode?


  • Rebel Alliance Global Moderator

    Huh?

    You can double nat all you want, triple nat, quadruple nat, etc.. BUT why??  What is the logic of not just using your wifi router as AP??

    Connect pfSense to your VPN service and then you can route whatever clients/protocols you want out the VPN, be it everyone or a portion, etc.



  • Starlights,

    It looks like you've got two internal networks - one for regular internet traffic (ISP) and one for VPN traffic (VPN).  Each has its own subnet.  I assume you use different SSIDs and have to manually change between these depending on what you want your LAN devices to use -- in other words you want the networks isolated from each other.

    So now you want to make pfsense be your first line of defense.

    Start by making sure that the dhcp server on the pfsense is using the same subnet as (ISP).  Then for the (ISP) wifi router, configure it to dumb AP mode.  That should mirror your current setup -- lan devices would get ip addresses in the subnet they're familiar with, and you only have one nat translation occurring -- except now it's happening at pfsense and not the (ISP) router.

    This just leaves the (VPN) router and that network.  Plugging the wan port of (VPN) into the lan side of pfsense should work the same as how you originally had things before pfsense was added.  Traffic coming into the LAN or wifi side of (VPN) would go through the VPN tunnel.  This tunnel is natted first from the (VPN) router to lan pfsense, and then natted again from lan pfsense to wan pfsense. pfsense shouldn't be causing any issues with this. As far as it knows, a single device on the lan network (VPN router) is trying to connect to something on the internet.

    As johnpoz mentioned however, this is making things more complex than it needs to be.

    Ideally what you'd want to do is configure openvpn to work with AirVPN in pfsense.  Then have all internal vpn traffic go through a second LAN port of pfsense out to the other (VPN) router -- now in AP mode.

    I did a quick search for AirVPN and it looks like there are all kinds of instructions for getting it working with various equipment, such as dd-wrt (another router similar to pfSense).  If you cannot translate these instructions for pfSense, I suggest looking to see if AirVPN has a forum where you can get the help you need, because this is definitely doable.

    You'll almost certainly get better performance this way due to the better hardware running pfsense vs that wifi router.



  • @Tantamount & @johnpoz: Thank you for responding!
    Tantamount, your response is very helpful. I have responded to your observation and advice below. Please tell me if I am on the right track:

    ------------
    It looks like you've got two internal networks -- one for regular internet traffic (ISP) and one for VPN traffic (VPN).  Each has its own subnet.  I assume you use different SSIDs and have to manually change between these depending on what you want your LAN devices to use -- in other words you want the networks isolated from each other.
    So now you want to make pfsense be your first line of defense.

    Absolutely correct - that is exactly how I want to set it up.


    Start by making sure that the dhcp server on the pfsense is using the same subnet as (ISP).  Then for the (ISP) wifi router, configure it to dumb AP mode.  That should mirror your current setup -- lan devices would get ip addresses in the subnet they're familiar with, and you only have one nat translation occurring -- except now it's happening at pfsense and not the (ISP) router.

    In my current setup (Fios via Ethernet), I do not have any ISP supplied equipment. I connect one of my Cellspot (Asus) routers directly to the Ethernet cable. Ethernet from Fios ONT comes in directly to the WAN port of Router 1.
    So as I understand:

    1. Connect the incoming Ethernet to the WAN port of the pfSense box. Then change Router 1 to AP mode.
    2. From the pfSense LAN port, connect the AP (LAN to WAN?)
    3. Change the pfSense LAN to 192.168.1.1 (Do I need to change the AP to 192.168.1.2 or let pfSense DHCP handle that?)

    This just leaves the (VPN) router and that network.  Plugging the wan port of (VPN) into the lan side of pfsense should work the same as how you originally had things before pfsense was added.  Traffic coming into the LAN or wifi side of (VPN) would go through the VPN tunnel.  This tunnel is natted first from the (VPN) router to lan pfsense, and then natted again from lan pfsense to wan pfsense. pfsense shouldn't be causing any issues with this. As far as it knows, a single device on the lan network (VPN router) is trying to connect to something on the internet.

    I tried this past weekend however I think I could not get the OPT1 (2nd LAN port in pfSense box) configured correctly so I was getting no packets.

    1. Do I need to configure any rules? I copied the IPv4 connectivity rule from LAN to OPT1 but still couldn't get a connection.
    2. I created a second subnet: 192.168.2.1 on OPT1 - Do I let pfSense DHCP handle the VPN router? Or should I configure it to 192.168.2.2?

    Did I get the above correct? If not, please correct me. (Thanks!) If I missed stuff, please feel free to add it in.

    As johnpoz mentioned however, this is making things more complex than it needs to be.
    Ideally what you'd want to do is configure openvpn to work with AirVPN in pfsense.  Then have all internal vpn traffic go through a second LAN port of pfsense out to the other (VPN) router -- now in AP mode.

    This is what I ideally wanted, and perhaps once I am more confident of my abilities, I will attempt it.


    I did a quick search for AirVPN and it looks like there are all kinds of instructions for getting it working with various equipment, such as dd-wrt (another router similar to pfSense).  If you cannot translate these instructions for pfSense, I suggest looking to see if AirVPN has a forum where you can get the help you need, because this is definitely doable.
    You'll almost certainly get better performance this way due to the better hardware running pfsense vs that wifi router.

    Here is a link to a very comprehensive guide that I found on the AirVPN forum for pfSense 2.3 (https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/ ), however I think, at this time, it's a bigger bite than I can chew. Unfortunately I cannot have my network down for over an hour, and this isn't something that I am confident of being able to achieve within that time...
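The "no packets on OPT1" symptom above usually comes down to two things Tantamount's reply implies: the interface needs a DHCP scope (or a static address on the router's WAN) and at least one pass rule bound to that interface. The following audit script is an added example, not code from this thread or from the pfSense project; it reads a pfSense-style config.xml (the element layout is my understanding of that file, and the sample config is constructed) and reports, per internal interface, whether DHCP is enabled and whether any pass rule exists.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a pfSense config.xml: LAN has a DHCP
# scope and the default pass rule, OPT1 has an address but neither.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>em0</if><enable/><ipaddr>dhcp</ipaddr></wan>
    <lan><if>em1</if><enable/><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>em2</if><descr>OPT1</descr><enable/><ipaddr>192.168.2.1</ipaddr><subnet>24</subnet></opt1>
  </interfaces>
  <dhcpd>
    <lan><enable/><range><from>192.168.1.100</from><to>192.168.1.199</to></range></lan>
  </dhcpd>
  <filter>
    <rule><type>pass</type><ipprotocol>inet</ipprotocol><interface>lan</interface>
      <source><network>lan</network></source><destination><any/></destination>
      <descr>Default allow LAN to any rule</descr></rule>
  </filter>
</pfsense>"""


def audit_internal_interfaces(config_xml):
    """Return {interface: [problems]} for every enabled non-WAN interface.

    A router plugged into an interface with no DHCP scope gets no lease, and
    one with no pass rule gets dropped by pf's default deny, so both are
    reported; an empty list means the interface looks usable."""
    root = ET.fromstring(config_xml)
    rules = root.findall("./filter/rule")
    dhcpd = root.find("dhcpd")
    findings = {}
    for iface in root.find("interfaces"):
        name = iface.tag
        if name == "wan" or iface.find("enable") is None:
            continue
        problems = []
        ipaddr = iface.findtext("ipaddr", "")
        if not ipaddr or ipaddr in ("dhcp", "none"):
            problems.append("no static address")
        scope = dhcpd.find(name) if dhcpd is not None else None
        if scope is None or scope.find("enable") is None:
            problems.append("DHCP server disabled")
        # Rules are bound by interface name; only pass rules let hosts out.
        if not any(r.findtext("interface") == name and r.findtext("type") == "pass"
                   for r in rules):
            problems.append("no pass rule")
        findings[name] = problems
    return findings
```

Run it against a backup of the real config (Diagnostics > Backup & Restore) rather than the constructed sample to see which interface is missing what.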