Possible for Other Router to be DHCP Server instead of pfSense?



  • Hi, I am thinking of letting my wireless router become a DHCP server instead of my pfSense machine. This is because currently my wireless router, an Asus AC66U (and eventually a Netgear Orbi), is in AP mode, but it cannot do its Guest Network feature unless I set it back to router mode. Switching off its DHCP server once it is back in router mode means none of my wireless devices can connect to the Internet.

    Will this break any pfSense capabilities like pfBlocker and HAProxy?

    Thanks!



  • All a DHCP server does is hand out addresses.  So, any DHCP server can be used and you can even have more than one, provided there is some means to prevent duplicate addresses being handed out.


  • Netgate

    It can also insert hostnames into local DNS. If you are not using that (or the other DHCP server duplicates such behavior and you use it for DNS instead, too) you should be OK.



  • I was doing a little research and it seems that changing the firmware was the solution for one person.
    https://www.snbforums.com/threads/guest-network-in-access-point-mode.7021/

    Actually you can make it work with Asuswrt-Merlin (I tested this on a RT-AC68U and RT-AC56U). As the guest access separation is handled by ebtables, you need to put the following ebtables config into your secondary AP -

    ebtables -I FORWARD 1 -d Broadcast -j ACCEPT
    ebtables -I FORWARD 1 -s xx:xx:xx:xx:xx:xx -j ACCEPT
    ebtables -I FORWARD 1 -d xx:xx:xx:xx:xx:xx -j ACCEPT

    Where xx:xx:xx:xx:xx:xx is the MAC address of the primary router's LAN interface (br0).

    In short, this will allow the secondary AP guest networks to send broadcast traffic to your LAN for ARP and DHCP, and it will allow your router's LAN interface to communicate with guest users on your AP. By inserting the rules at the front of the FORWARD chain, the traffic will be allowed before it hits the DROP rules that do the guest separation -

    -i wl0.1 -j DROP
    -o wl0.1 -j DROP
    -i wl1.1 -j DROP
    -o wl1.1 -j DROP

    I hope this does not lead you in the wrong direction. I know that I used iptables with dd-wrt on a router one time to create a guest network.



  • @JKnott:

    All a DHCP server does is hand out addresses.  So, any DHCP server can be used and you can even have more than one, provided there is some means to prevent duplicate addresses being handed out.

    Thanks! I tried using two DHCP servers (one in pfSense, another on the wireless router. See: https://www.snbforums.com/threads/orbi-as-dhcp-server-for-wireless-devices-pfsense-as-dhcp-server-for-wired-devices.37429/) but I stopped as I thought that this may cause issues with pfSense's packages.

    On the other hand, having a DHCP server only on the wireless router didn't work out as my wired devices are unable to connect to the Internet, but this could also be due to my setup.

    @Derelict:

    It can also insert hostnames into local DNS. If you are not using that (or the other DHCP server duplicates such behavior and you use it for DNS instead, too) you should be OK.

    Thanks, are you referring to the part where I can name my devices in the DHCP server (i.e. "Static DHCP Mapping on LAN")?

    @mich04:

    I was doing a little research and it seems that changing the firmware was the solution for one person.
    https://www.snbforums.com/threads/guest-network-in-access-point-mode.7021/

    Actually you can make it work with Asuswrt-Merlin (I tested this on a RT-AC68U and RT-AC56U). As the guest access separation is handled by ebtables, you need to put the following ebtables config into your secondary AP -

    ebtables -I FORWARD 1 -d Broadcast -j ACCEPT
    ebtables -I FORWARD 1 -s xx:xx:xx:xx:xx:xx -j ACCEPT
    ebtables -I FORWARD 1 -d xx:xx:xx:xx:xx:xx -j ACCEPT

    Where xx:xx:xx:xx:xx:xx is the MAC address of the primary router's LAN interface (br0).

    In short, this will allow the secondary AP guest networks to send broadcast traffic to your LAN for ARP and DHCP, and it will allow your router's LAN interface to communicate with guest users on your AP. By inserting the rules at the front of the FORWARD chain, the traffic will be allowed before it hits the DROP rules that do the guest separation -

    -i wl0.1 -j DROP
    -o wl0.1 -j DROP
    -i wl1.1 -j DROP
    -o wl1.1 -j DROP

    I hope this does not lead you in the wrong direction. I know that I used iptables with dd-wrt on a router one time to create a guest network.

    Thanks, but I did try this method. It worked for two weeks, then no one on the guest network could connect to the Internet at all. Besides, this works only for Asus routers on Merlin; I prefer a solution that can be used on other routers.



  • Also, I forgot to mention why I needed to do this and what my setup is:

    As mentioned in another thread, I would like to upgrade from an Asus AC66U to a Netgear Orbi to fully resolve Wifi deadspots. Almost everything is ready (e.g. possible locations for the satellite and the router, site survey to ensure feasibility) but there is one last challenge: Guest Network with pfSense.

    Before I got my pfSense machine, my setup was like this:

    Fiber + Cable Internet Modems (i.e. dual WAN) => Asus AC66U in router mode (wireless devices connect to this) => Managed Switch => other wired devices (e.g. computers, NAS)

    Guest network on the AC66U can work as intended; users on the guest SSID cannot connect to other devices but of course can still connect to the Internet.

    But, I am currently using pfSense as my router as I need some of the packages like HAProxy for work purposes. Right now it is also aggregating a fiber WAN and a cable WAN from the same ISP (i.e. dual WAN). So my setup is like this:

    Fiber + Cable Internet Modems => pfSense => Managed Switch => Asus AC66U in AP mode (wireless devices connect to this) + other wired devices (e.g. computers, NAS)

    I got the needed pfSense capabilities, but guest network on the AC66U is now broken as users on the guest SSID can connect to other devices on the network regardless of their SSIDs.

    I have consulted many pages such as this: https://www.snbforums.com/threads/guest-network-not-restricting-local-network-access.22659/ but this is still unresolved (e.g. guest network having no Internet). Furthermore, seeing how I need the Orbi to solve Wifi deadspots, most solutions will not work as they are not for the Orbi.

    At the same time, I noticed that while I need pfSense's pfBlockerNG and general firewall capabilities for the entire network, I will need the other capabilities like HAProxy just for wired devices. Furthermore, all guest devices are wireless so far, and for wireless devices, as long as they can connect to the Internet in their respective SSIDs, I am ok.

    So, I am thinking of doing this setup:

    Fiber + Cable Internet Modems => pfSense => Managed Switch => Asus AC66U/Netgear Orbi in router mode (wireless devices connect to this) + other wired devices (e.g. computers, NAS)

    Then set it such that both pfSense (192.168.1.x) and the Orbi (192.168.0.x) will be DHCP servers.

    I have briefly tested this. At least I can connect to the Internet on my wired and wireless devices, and when on the guest network, I will not be able to connect to other devices. This is what I wanted, but I am unsure what other side effects there will be as my other wired devices are not online yet (still upgrading them as we speak) and I needed to revert to the previous setup as right now my family is using the Internet and I need to rush back to my work.

    Addendum: I realised that I am running out of ports on my managed switch, hence this may be my final setup instead:

    Fiber + Cable Internet Modems => pfSense => Asus AC66U/Netgear Orbi in router mode (wireless devices and some wired devices connect to this) => Managed Switch => other wired devices (e.g. computers, NAS)



  • I tested more and got some good news and bad news.

    Good news is that it can work… if you just want a simple network. Most devices, wired and wireless, can connect to the Internet and have their IP addresses. Guest network will play nicely and yet all personal devices can still talk to each other. Hence you can get some benefits of pfSense and also a guest network with almost any other consumer-grade router on the market paired with a pfSense machine.

    If you need any port forwarding, this will be tricky though. You first need to forward the required port to the wireless router in the NAT section, and then get the wireless router to forward that to the device. I managed to get Teamviewer's WOL working for one of my machines this way.

    Bad news is that this did not work out in my use case. Some of the crucial devices like some of the VMs and the managed switch I am using simply do not want to acknowledge the DHCP packets from the AC66U (which I find strange since before pfSense there was no such issue) and thus have no IP addresses and therefore cannot connect to the Internet.

    Worse still, HAProxy will not work as the pfSense router (192.168.1.1) and my VMs (192.168.0.x) are in separate subnets. Port forwarding won't help either.

    This boils down to a few ways I can go on from here:

    1. Install another NIC on pfSense, set up DHCP for only that LAN and connect it to the switch: May be able to solve the issue of not getting IP addresses for all devices and the HAProxy issues, but with the need to use the wireless printer too, which will be on another subnet, this will create new issues too. Highly unlikely.

    2. Reconsider the wireless router and use Ubiquiti APs instead (which have VLAN tagging that can resolve this): Can solve the issue of not having a proper guest network in pfSense via VLANs. But these need Ethernet backhaul, which the house is not equipped with. Highly unlikely.

    3. Don't use guest network: Considering that guests come to my house at most weekly vs. the much more pressing issue of solving Wifi deadspots that is affecting us daily, I would rather just get the Orbi, set it to AP mode (which has a non-functional guest network feature for now) and solve the deadspots first. Then I will look into locking down the network in other ways (e.g. read up on how to block certain internal IPs from communicating with certain devices?). Highly likely.

    Let me think these through a bit, but in the meantime, am I making sense here?



  • My home network uses a separate DNS/DHCP server from my pfSense router. I have ISC DHCP server and unbound DNS running on a Raspberry PI 3, and it serves both the main LAN and the guest network.
    I had to add multiple IP addresses to the RPI NIC (2 VLANs) so that it sees both networks, but it works well.
    It gives out addresses from the proper pools, using its own address as DNS and the pfSense box as the gateway. Naturally, each network has its own settings. DNS forwards to OpenDNS.

    The pfSense firewall has rules that keep the guest network off the LAN, except for a printer which I expose to the guest.

    I was pretty much forced to set this up when I donated my pfSense box to a client as a spare when theirs failed, and I had to stuff a Cisco PIX into my home network. When I did that, I lost my pfSense DNS and DHCP, so I had to punt, and I cobbled together the RPI setup. I liked it so much that I added a LiFePo battery backup (http://lifepo4wered.com/lifepo4wered-pi.html) to it and have been running it nonstop for over a year. Even when I regained my pfSense appliance.



  • @a_null:

    My home network uses a separate DNS/DHCP server from my pfSense router. I have ISC DHCP server and unbound DNS running on a Raspberry PI 3, and it serves both the main LAN and the guest network.
    I had to add multiple IP addresses to the RPI NIC (2 VLANs) so that it sees both networks, but it works well.
    It gives out addresses from the proper pools, using its own address as DNS and the pfSense box as the gateway. Naturally, each network has its own settings. DNS forwards to OpenDNS.

    The pfSense firewall has rules that keep the guest network off the LAN, except for a printer which I expose to the guest.

    I was pretty much forced to set this up when I donated my pfSense box to a client as a spare when theirs failed, and I had to stuff a Cisco PIX into my home network. When I did that, I lost my pfSense DNS and DHCP, so I had to punt, and I cobbled together the RPI setup. I liked it so much that I added a LiFePo battery backup (http://lifepo4wered.com/lifepo4wered-pi.html) to it and have been running it nonstop for over a year. Even when I regained my pfSense appliance.

    I see, thanks. So is your RPI NIC going straight to a wireless router just like in my situation?


  • Rebel Alliance Global Moderator

    I think you're confused about what a dhcp actually does.. As stated by JKnott it hands out IPs and info for the client on the network, ie what gateway to use, ntp server, info about wpad, etc. etc..

    Any device on your network can be dhcp.  Now the ones that come with some soho router more likely than not going to be very limited in nature.  Many can not even hand out a gateway address other than themselves.  Or do other scopes at all.

    Pfsense has a limit that it can not be a dhcp server for a network it does not have an interface in.  But that is not a limitation of any real dhcp server..  Do you not have any boxes on your network running linux, bsd, windows even?  Any of these could run dhcpd..

    What I don't get is why you think pfsense can not just be your dhcp server???  Do you have any downstream networks you need dhcp for so this is why you need a different dhcp server?  You can run multiple dhcpd on different layer 2 networks.  Or you can run 1 with multiple layer 2 networks and relay of the dhcp info.  Pfsense can be a dhcp relay, etc.

    Just at a loss to why you want some soho router to be dhcp??  Unless you were running 3rd party the feature set of their dhcp servers is very limited.
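An added example, not code from anyone in this thread: a small Python audit that checks observed DHCP offers against a scope table shaped like the two-segment design a_null described (one dhcpd host answering for a LAN VLAN and a guest VLAN, pfSense as the gateway on each, the dhcpd host as resolver) and reports the failure modes JKnott and johnpoz mention, namely an unexpected host answering DHCP and the same address being offered to two clients. The subnets, the scope table and the offer log are constructed sample data and are assumptions, not anyone's captured traffic or configuration.

```python
"""Audit DHCP offers against the scopes a network is supposed to have.

Constructed example: the scope table and the offer log below are made up to
mirror a LAN + guest VLAN design; they are not real configuration or traffic.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

IP = ipaddress.ip_address  # short alias for readability


@dataclass(frozen=True)
class Scope:
    """One DHCP scope: the subnet, its dynamic pool and the options clients must get."""
    network: ipaddress.IPv4Network
    pool_start: ipaddress.IPv4Address
    pool_end: ipaddress.IPv4Address
    router: ipaddress.IPv4Address
    dns: ipaddress.IPv4Address
    servers: frozenset  # DHCP server identifiers allowed to answer for this scope

    def in_pool(self, addr):
        return self.pool_start <= addr <= self.pool_end


# Hypothetical scope table (an assumption): one dhcpd host holds an address in
# each VLAN (192.168.1.2 and 192.168.50.2), hands out pfSense's VLAN address as
# the gateway and itself as the resolver.
SCOPES = [
    Scope(ipaddress.ip_network("192.168.1.0/24"), IP("192.168.1.100"), IP("192.168.1.199"),
          IP("192.168.1.1"), IP("192.168.1.2"), frozenset({IP("192.168.1.2")})),
    Scope(ipaddress.ip_network("192.168.50.0/24"), IP("192.168.50.100"), IP("192.168.50.199"),
          IP("192.168.50.1"), IP("192.168.50.2"), frozenset({IP("192.168.50.2")})),
]

# Constructed observation log (not captured traffic). One DHCPOFFER per line:
# server_identifier client_mac offered_ip router_option dns_option
SAMPLE_OFFERS = """\
192.168.1.2  aa:bb:cc:00:00:01 192.168.1.120  192.168.1.1  192.168.1.2
192.168.50.2 aa:bb:cc:00:00:02 192.168.50.130 192.168.50.1 192.168.50.2
192.168.1.2  aa:bb:cc:00:00:03 192.168.1.121  192.168.1.1  192.168.1.2
192.168.0.1  aa:bb:cc:00:00:04 192.168.0.50   192.168.0.1  192.168.0.1
192.168.1.2  aa:bb:cc:00:00:05 192.168.1.120  192.168.1.1  192.168.1.2
192.168.1.7  aa:bb:cc:00:00:06 192.168.1.121  192.168.1.7  192.168.1.7
"""


def scope_for(addr, scopes=SCOPES):
    """Return the scope whose subnet contains addr, or None if no scope defines it."""
    return next((s for s in scopes if addr in s.network), None)


def audit_offers(text, scopes=SCOPES):
    """Check every offer in the log against the scope table.

    Returns a sorted list of (finding, line_number, detail) tuples. Findings:
      UNKNOWN_SCOPE      offered address belongs to no defined subnet
      ROGUE_SERVER       server identifier is not allowed to answer for that subnet
      OUTSIDE_POOL       address is in the subnet but not in its dynamic pool
      WRONG_ROUTER       gateway option differs from the scope's router
      WRONG_DNS          resolver option differs from the scope's resolver
      DUPLICATE_ADDRESS  one address offered to more than one client MAC (line 0)
    """
    findings = []
    clients_per_addr = defaultdict(set)
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        server, client_mac, offered, router, dns = line.split()
        server, offered, router, dns = IP(server), IP(offered), IP(router), IP(dns)
        clients_per_addr[offered].add(client_mac)
        scope = scope_for(offered, scopes)
        if scope is None:
            findings.append(("UNKNOWN_SCOPE", lineno, f"{offered} from {server}"))
            continue
        if server not in scope.servers:
            findings.append(("ROGUE_SERVER", lineno, f"{server} answered for {scope.network}"))
        if not scope.in_pool(offered):
            findings.append(("OUTSIDE_POOL", lineno, str(offered)))
        if router != scope.router:
            findings.append(("WRONG_ROUTER", lineno, f"{router} != {scope.router}"))
        if dns != scope.dns:
            findings.append(("WRONG_DNS", lineno, f"{dns} != {scope.dns}"))
    # Two servers handing out overlapping pools show up here as one address
    # offered to two different clients.
    for addr, macs in clients_per_addr.items():
        if len(macs) > 1:
            findings.append(("DUPLICATE_ADDRESS", 0, f"{addr} offered to {sorted(macs)}"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, lineno, detail in audit_offers(SAMPLE_OFFERS):
        print(f"{kind:18} line {lineno:>2}  {detail}")
```

On the sample log the audit flags the consumer router at 192.168.0.1 answering for a subnet the table does not define, an unlisted host at 192.168.1.7 answering for the LAN and handing itself out as gateway and resolver, and two addresses offered to more than one client.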



  • @johnpoz:

    I think you're confused about what a dhcp actually does.. As stated by JKnott it hands out IPs and info for the client on the network, ie what gateway to use, ntp server, info about wpad, etc. etc..

    Any device on your network can be dhcp.  Now the ones that come with some soho router more likely than not going to be very limited in nature.  Many can not even hand out a gateway address other than themselves.  Or do other scopes at all.

    Pfsense has a limit that it can not be a dhcp server for a network it does not have an interface in.  But that is not a limitation of any real dhcp server..  Do you not have any boxes on your network running linux, bsd, windows even?  Any of these could run dhcpd..

    What I don't get is why you think pfsense can not just be your dhcp server???  Do you have any downstream networks you need dhcp for so this is why you need a different dhcp server?  You can run multiple dhcpd on different layer 2 networks.  Or you can run 1 with multiple layer 2 networks and relay of the dhcp info.  Pfsense can be a dhcp relay, etc.

    Just at a loss to why you want some soho router to be dhcp??  Unless you were running 3rd party the feature set of their dhcp servers is very limited.

    Thanks!

    1. I am aware that not just routers or pfsense machines can be DHCP servers too. Just that I am unsure how (or even, why) to let other machines be DHCP servers instead of these two devices.

    2. I have tried letting pfSense become my DHCP server and then let my wireless router become a wireless AP. Sure, devices can get IP addresses and then connect to the Internet, but then I am unable to set up guest networks, which is why I needed to start this thread in the first place.

    3. I was letting a SOHO/wireless router become my DHCP server as I am trying to keep my network as simple as possible (i.e. the "just buy a new router and that's it" approach). The idea is to just get all devices to connect to that, separated between personal network and guest network, and then go through pfSense for its capabilities (e.g. dual WAN, HAProxy, multiple DDNSes). This worked until I realised that some of my devices are not getting IPs from the router.

    Sure, "dedicated" APs like Ubiquiti's APs would have solved my guest network issue with VLAN tagging, but they cannot cover my entire house which means I won't solve my Wifi deadspots.

    In short: I am replacing my AC66U with a Netgear Orbi to solve Wifi deadspots, but would like to retain guest network and pfSense functionality with the least amount of additional equipment whenever possible.

    And no, currently AP mode on the Orbi does not have a functional guest network yet.




  • Rebel Alliance Global Moderator

    "Sure, "dedicated" APs like Ubiquiti's APs would have solved my guest network issue with VLAN tagging, but they cannot cover my entire house which means I won't solve my Wifi deadspots."

    Huh?  So you place them where you need them just like your plan for orbi - cheaper to boot!!  And allow for better placement as well since they are POE..  If you really want to use wifi uplinks vs a wire.  Wire is always best to connect your AP, they do sell mesh model now.

    I currently see just 2 orbi at $380.. You know how many unifi AP you could buy for that?  Even if you went with the PRO model at 130 you could get 3..  If you went with the lite model you could do 4 of them.  And if your plan is to use pfsense - why would you want to or need to pay for the orbi router?  If you want to move away from your typical flat 1 network home setup then you're going to want smart switch(es) and AP that do vlans.  Doesn't have to be unifi - but you're going to want AP that can do vlans if you're looking to segment your network.

    That such a device would not allow for vlan tagging of SSIDs just blows my mind..

    As to why you would run your dhcp server on something other than a router or "pfsense" because you want to have features.. Or for example you run AD, where you would want DHCP to be integrated with your AD as MS intends it to be, etc.  You want to run dhcp for your whole network with multiple vlans and want a central dhcp server that can handle all of the scopes in one place, etc. etc..  You could prob write a whole book on dhcp design ;)

    Is that a downstream router (L3 switch in router mode?) you show in your drawing..  Or is that supposed to be pfsense?  Where is pfsense in that drawing?



  • @johnpoz:

    "Sure, "dedicated" APs like Ubiquiti's APs would have solved my guest network issue with VLAN tagging, but they cannot cover my entire house which means I won't solve my Wifi deadspots."

    Huh?  So you place them where you need them just like your plan for orbi - cheaper to boot!!  And allow for better placement as well since they are POE..  If you really want to use wifi uplinks vs a wire.  Wire is always best to connect your AP, they do sell mesh model now.

    I currently see just 2 orbi at $380.. You know how many unifi AP you could buy for that?  Even if you went with the PRO model at 130 you could get 3..  If you went with the lite model you could do 4 of them.  And if your plan is to use pfsense - why would you want to or need to pay for the orbi router?  If you want to move away from your typical flat 1 network home setup then you're going to want smart switch(es) and AP that do vlans.  Doesn't have to be unifi - but you're going to want AP that can do vlans if you're looking to segment your network.

    That such a device would not allow for vlan tagging of SSIDs just blows my mind..

    As to why you would run your dhcp server on something other than a router or "pfsense" because you want to have features.. Or for example you run AD, where you would want DHCP to be integrated with your AD as MS intends it to be, etc.  You want to run dhcp for your whole network with multiple vlans and want a central dhcp server that can handle all of the scopes in one place, etc. etc..  You could prob write a whole book on dhcp design ;)

    Is that a downstream router (L3 switch in router mode?) you show in your drawing..  Or is that supposed to be pfsense?  Where is pfsense in that drawing?

    Thanks!

    1. Yeah, I wish my house were fully wired with Ethernet ports in all rooms! That would have already solved my Internet issues… 3 years ago at least!

    Anyway, yes, I need to use Wifi backhaul for this (i.e. "mesh" solutions). Unfortunately Ubiquiti's mesh solutions are not in Singapore (and even in Asia?) and it is unknown when this will change. Also, I would like to resolve this soon.

    And yeah, it's not just you or me who are confused about the Orbi's features; from what I can see in NetGear's forums, VLAN tagging is one of the highly requested features of the Orbi.

    2. Ah, thanks for telling me more about DHCP, I didn't know that there are more complex designs of such servers! Just that for the context of this issue, I am unsure if I will ever need these.

    3. Sorry, let me label the rest of the icons properly!




  • Rebel Alliance Global Moderator

    You do understand the normal unifi AC AP can do wireless uplink..  If you're having a problem with wiring.  They are not just "mesh"



  • @johnpoz:

    You do understand the normal unifi AC AP can do wireless uplink..  If you're having a problem with wiring.  They are not just "mesh"

    Hmm wait, can the APs connect to each other wirelessly? I am asking as the AC66U will be replaced either by these APs or the Orbi. And I don't think I have seen anything like this mentioned in the manuals before…

    Another thing that I am concerned about is the lack of Ethernet ports on these APs though, but I guess I will just go get a managed switch with more ports (but I am hoping it won't have to come to this since I just want to replace only the AC66U and be done with this problem lol)



  • I checked around a bit more, turns out Ubiquiti has such features; I wasn't searching with the right terms: https://help.ubnt.com/hc/en-us/articles/115002262328-UniFi-Feature-Guide-Wireless-Uplink

    Now just to see if the prices are better and the trade-offs are ok.

    Also, I realised that in my earlier tests, I have forgotten to use the DHCP Relay feature in pfSense once I switched off its DHCP server! :-[

    Let me test if this will make a difference or not


  • Rebel Alliance Global Moderator

    If what you want is wifi bridge to provide wired connections??

    " I am concerned about is the lack of Ethernet ports on these APs though"

    That is not really the job of an AP..  But you could check, I know the 2nd port on the pro is bridged to the other port and you can add a switch on the other port and more ports that way.  But not sure when using wireless uplink?  But it might be possible - check on the unifi forums.  I know if you put a managed switch there then you could have multiple vlans there as well.

    Why exactly can you not run a wire??  Normally you should run a wire!!!  Then if you need more ports there, use a switch - hang an AP off that switch if you also need wifi in that area, etc.



  • @johnpoz:

    If what you want is wifi bridge to provide wired connections??

    " I am concerned about is the lack of Ethernet ports on these APs though"

    That is not really the job of an AP..  But you could check, I know the 2nd port on the pro is bridged to the other port and you can add a switch on the other port and more ports that way.  But not sure when using wireless uplink?  But it might be possible - check on the unifi forums.  I know if you put a managed switch there then you could have multiple vlans there as well.

    Why exactly can you not run a wire??  Normally you should run a wire!!!  Then if you need more ports there, use a switch - hang an AP off that switch if you also need wifi in that area, etc.

    I am trying to provide both wired and wireless connections, hence my comment about the APs.

    Actually, my very 1st idea to solve all these was to simply do Ethernet drops (i.e. running wires). I was stopped by my parents unfortunately, let's just say they don't want me to run wires around the house; engaging contractors for such stuff is disallowed in the same vein.


  • Rebel Alliance Global Moderator

    Well do your parents want good wifi or not?  Hire someone if they will not let you run it.. Running some ethernet cable is not all that hard.. But this is the proper way to provide both wired and wifi connections in an area.  You need a wire to where you need wifi coverage so you can properly place the AP.. Any real AP will be POE.  If you also need wired in that area - there you go, you killed 2 birds with 1 stone.


  • Netgate

    If your house is wired for Cable TV you can also look at MoCA to get the AP/switch where it should be. I never have to think about mine and get 700Mbit/s.



  • @johnpoz:

    Well do your parents want good wifi or not?  Hire someone if they will not let you run it.. Running some ethernet cable is not all that hard.. But this is the proper way to provide both wired and wifi connections in an area.  You need a wire to where you need wifi coverage so you can properly place the AP.. Any real AP will be POE.  If you also need wired in that area - there you go, you killed 2 birds with 1 stone.

    Parents want good wifi… but their definition is a bit looser than ours. ;)

    Also, thing is, they don't even allow me to hire the people to do the Ethernet drops! The best they allowed so far is the Netgear Orbi (which I got last night), helps that my friend is willing to buy off my AC66U which will offset some of the costs.



  • @Derelict:

    If your house is wired for Cable TV you can also look at MoCA to get the AP/switch where it should be. I never have to think about mine and get 700Mbit/s.

    I can't find any MoCA equipment in the market so far. Also, I don't think it is allowed here…


  • Rebel Alliance Global Moderator

    allowed where?  Why would there be a restriction on moca.. Makes zero sense..



  • @johnpoz:

    allowed where?  Why would there be a restriction on moca.. Makes zero sense..

    Sorry, I thought there's a ban on MoCA for Singapore. I must have mixed up with something else.

    Anyway, I am unsure of the state of coaxial cabling in my house and hence whether MoCA is feasible or not. The import prices and lack of local support for this equipment are not helping.


  • Rebel Alliance Global Moderator

    Well if you can not run a wire, or use existing wiring like moca, how about powerline adapters.. which would be 3rd choice.. wireless uplink would always be last.



  • @johnpoz:

    Well if you can not run a wire, or use existing wiring like moca, how about powerline adapters.. which would be 3rd choice.. wireless uplink would always be last.

    Actually I was using these. Even though these introduced EMI/RFI noise that affected my audio equipment, I was willing to put up with it for the sake of my family (and invest in those power strips that supposedly reduce such noise). So how I set these up was to simply plug one in my room with my pfSense rig and another in the central part of my house with my Asus AC66U. This fixed almost all Wifi deadspots, but one day, these homeplugs went down all of a sudden for no good reason. Switching them off and on worked, but I decided that it's time for me to move on from homeplugs and try something else, seeing that a single router will not solve the issue. Then I saw the Orbi on sale with good reviews by many, and my friend needing to take over my AC66U, so I decided to give it a shot. So far, my family is extremely happy with the Orbi so I guess this part of the network puzzle is solved for now. If they want/need faster speeds, I will insist on proper Ethernet cabling then.



  • And back to the topic at hand. After testing more and reading more, now I can see why you all sounded confused about my questions, really sorry about that!  :(

    Firstly, I read up about bridging two or more NICs within pfSense, thinking that I may need it. Turns out that it can be done but is not recommended; the more recommended method is to simply connect a switch to it, which I failed to consider all this while! So, all I did was to connect to the switch first, and then to the Orbi and other devices. This meant no more funky port forwarding needed for HAProxy (yes, this works too but I am trying to avoid this) and yet all devices are able to connect to the Internet and be protected by pfSense.

    Then, I thought through more carefully and noted how only my guests will need only wireless connection, which means I just need to make sure they can connect wirelessly to the Internet but not to my devices. This means I need a properly working "Guest Network" function, which can be accomplished if I keep the Orbi in Router Mode.

    Then also, I realised that my laptop, which is connected to the switch, can also connect wirelessly to the Orbi. This means it can be on both subnets (and thus workaround issues such as not being able to print/scan from wireless printer and my mobile devices not being able to find it)

    All this knowledge made it a lot easier to solve my issues. Now I can have pfSense packages working properly with my wired devices, a proper Guest Network and all personal (non-guest) devices able to talk to each other whenever necessary.

    Here's my new (and final?) network diagram:

    Network Diagram

    In short, yes, in a network there can be more than one DHCP server, and devices can have multiple IP addresses by having one per network interface.

    Now only one last thing left: If I were to run out of ports on the switch, should I daisy chain another switch (the cheaper option), or should I try to find a bigger managed switch and replace it (the much more expensive option)? Current switch is a TP-Link 8 port Smart Switch TL-SG2008.



  • and devices can have multiple IP addresses by having one per network interface

    Actually, even an interface can have more than one address.  On IPv4, you can create an alias address and on IPv6, multiple addresses are to be expected.  For example, on this computer, I currently have 8 IPv6 addresses on the one NIC.  There is one link-local address, one SLAAC, based on the MAC address and 7 random number "privacy" based SLAAC addresses.  All of them are valid.  One thing about the random number addresses is I get a new one every day and the oldest then falls off the end of the list, so the list of addresses will change daily.



  • @darkarn:

    @a_null:

    My home network uses a separate DNS/DHCP server from my pfSense router. I have ISC DHCP server and unbound DNS running on a Raspberry PI 3, and it serves both the main LAN and the guest network.
    I had to add multiple IP addresses to the RPI NIC (2 VLANs) so that it sees both networks, but it works well.
    It gives out addresses from the proper pools, using its own address as DNS and the pfSense box as the gateway. Naturally, each network has its own settings. DNS forwards to OpenDNS.

    The pfSense firewall has rules that keep the guest network off the LAN, except for a printer which I expose to the guest.

    I was pretty much forced to set this up when I donated my pfSense box to a client as a spare when theirs failed, and I had to stuff a Cisco PIX into my home network. When I did that, I lost my pfSense DNS and DHCP, so I had to punt, and I cobbled together the RPI setup. I liked it so much that I added a LiFePo battery backup (http://lifepo4wered.com/lifepo4wered-pi.html) to it and have been running it nonstop for over a year. Even when I regained my pfSense appliance.

    I see, thanks. So is your RPI NIC going straight to a wireless router just like in my situation?

    Well… not exactly, I guess. But they are all on the same LAN switch.
    Basically, there is a router between the internet and my network, just like everyone else's. On the local network, there's a DHCP/DNS server, and a wireless access point, just like most. The popular setup is to just have the pfSense firewall provide D&D services to the LAN, but I have them disabled there, and simply provide it on another box. My wireless units don't do anything but provide access points to the LAN, so there is no additional services running on the wireless APs.

    My network is a tiny bit unique, in that I have a Cisco Catalyst switch, and a Cisco WLC wireless LAN controller with a few Aironet wireless devices controlled by the WLC, but it's still a network (actually two) behind a pfSense firewall behind a cable modem.

    I can see where there could be a problem with a guest network, though. In my case, my pfSense box provides two LAN segments, my main LAN and my guest network. My access points provide two SSIDs, one for the LAN and one for the guest net. If you are trying to do this solely from the wifi router, obviously it could be difficult, since there's no common place for DHCP to exist on both networks.
    I believe that dd-wrt can create multiple SSIDs, so conceptually, you can use a separate VLAN from the pfSense firewall as the guest network, and have a dd-wrt provide a WiFi SSID for each VLAN. In that way, you can use all the pfSense services for each network as desired.
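An added example, not a_null's actual files, of what the Raspberry Pi side of the setup described above looks like in configuration: ISC dhcpd with one pool per VLAN that names pfSense as the gateway and the Pi's own address on that VLAN as the DNS server, unbound listening only on the two VLAN addresses and forwarding to OpenDNS, and the tagged sub-interfaces that put the Pi in both networks. All addressing is assumed: VLAN 10 is the LAN (192.168.10.0/24), VLAN 20 is the guest network (192.168.20.0/24), pfSense is .1 and the Pi is .2 in each, and the Pi's wired interface is eth0. The OpenDNS resolver addresses are the published ones.

```shell
#!/bin/sh
# Generate and install dhcpd/unbound configuration for a dual-VLAN Pi.

PI_IF=eth0
LAN_VLAN=10;   LAN_NET=192.168.10      # assumed LAN addressing
GUEST_VLAN=20; GUEST_NET=192.168.20    # assumed guest addressing

# subnet_block <net-prefix> <range-lo> <range-hi> <domain>: one dhcpd subnet
subnet_block() {
    cat <<EOF
subnet $1.0 netmask 255.255.255.0 {
    range $1.$2 $1.$3;
    option routers $1.1;                 # pfSense is the gateway on this VLAN
    option domain-name-servers $1.2;     # the Pi answers DNS on this VLAN
    option domain-name "$4";
}
EOF
}

gen_dhcpd_conf() {
    cat <<'EOF'
# /etc/dhcp/dhcpd.conf
authoritative;            # we own these subnets: NAK requests for addresses outside our pools
default-lease-time 3600;
max-lease-time 86400;
EOF
    subnet_block "$LAN_NET"   100 199 lan.home.arpa
    subnet_block "$GUEST_NET" 100 199 guest.home.arpa
}

gen_unbound_conf() {
    cat <<EOF
# /etc/unbound/unbound.conf.d/vlans.conf
server:
    interface: $LAN_NET.2
    interface: $GUEST_NET.2
    # Only the two VLANs may query. Everything else is refused, so a stray
    # NAT or port-forward rule cannot turn this into an open resolver.
    access-control: 0.0.0.0/0 refuse
    access-control: $LAN_NET.0/24 allow
    access-control: $GUEST_NET.0/24 allow
    hide-identity: yes
    hide-version: yes
    # Note: unlike pfSense's built-in services, ISC dhcpd does not register
    # lease hostnames in unbound; add local-data entries here if you need them.
forward-zone:
    name: "."
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220
EOF
}

# Tagged sub-interfaces, one per VLAN (one-off; persist them in your
# interfaces/netplan configuration).
add_vlan_ifaces() {
    for pair in "$LAN_VLAN:$LAN_NET" "$GUEST_VLAN:$GUEST_NET"; do
        vid=${pair%%:*}; net=${pair#*:}
        ip link add link "$PI_IF" name "$PI_IF.$vid" type vlan id "$vid"
        ip addr add "$net.2/24" dev "$PI_IF.$vid"
        ip link set "$PI_IF.$vid" up
    done
}

# Write both files and syntax-check them (run as root on the Pi).
install_configs() {
    gen_dhcpd_conf > /etc/dhcp/dhcpd.conf
    dhcpd -t -cf /etc/dhcp/dhcpd.conf
    gen_unbound_conf > /etc/unbound/unbound.conf.d/vlans.conf
    unbound-checkconf
    # Debian-based Raspbian: restrict dhcpd to the two VLAN interfaces.
    printf 'INTERFACESv4="%s.%s %s.%s"\n' \
        "$PI_IF" "$LAN_VLAN" "$PI_IF" "$GUEST_VLAN" > /etc/default/isc-dhcp-server
}

# Show what would be installed.
gen_dhcpd_conf
echo
gen_unbound_conf
```

One thing to check on a box like this: the Pi is dual-homed, so keep `net.ipv4.ip_forward` at 0 on it. If forwarding is ever switched on, the Pi becomes a router between the two VLANs that bypasses every rule on pfSense.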


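An added example, not the poster's rule set, of the pfSense side of the same post: the guest policy "keep the guest network off the LAN, except for a printer", written as the pf rules pfSense generates from three GUI rules on the guest interface. Interface names and addresses are assumed: guest VLAN on igb1.20, LAN 192.168.10.0/24, guest 192.168.20.0/24, printer at 192.168.10.50 on IPP (631) and raw JetDirect (9100).

```shell
#!/bin/sh
# Emit pf rules for a guest VLAN that may print, may not reach anything else
# private, and may go to the Internet; then sanity-check their order.

gen_guest_rules() {
    cat <<'EOF'
guest_if      = "igb1.20"
guest_net     = "192.168.20.0/24"
printer       = "192.168.10.50"
printer_ports = "{ 631, 9100 }"
# All private space, not just the LAN subnet: that also blocks the firewall's
# own guest-side address (no admin GUI from guest Wi-Fi) and any VLAN added
# later, without touching this rule.
rfc1918       = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# pfSense evaluates rules first-match (it adds "quick"), so most specific first.
pass  in quick on $guest_if proto tcp from $guest_net to $printer port $printer_ports
block in log quick on $guest_if from $guest_net to $rfc1918
pass  in quick on $guest_if from $guest_net to any
EOF
}

# The block must precede the catch-all pass; otherwise "pass ... to any"
# matches first and guests reach the LAN. Exit 0 when the order is right.
check_order() {
    gen_guest_rules | awk '
        /^block/ && !b        { b = NR }
        /^pass .* to any/ && !p { p = NR }
        END { exit !(b && p && b < p) }'
}

gen_guest_rules
check_order && echo "rule order OK"
```

In the GUI this is Firewall > Rules > the guest interface tab, top to bottom: pass TCP to a printer alias on ports 631,9100; block (with logging) to an alias holding the three RFC 1918 ranges; pass any. The Pi's guest-side address is inside the guest subnet, so DHCP and DNS never cross pfSense and need no rule here; the block rule still stops guests from talking to the Pi's LAN-side address.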

  • @a_null:

    @darkarn:

    @a_null:

    My home network uses a separate DNS/DHCP server from my pfSense router. I have ISC DHCP server and unbound DNS running on a Raspberry PI 3, and it serves both the main LAN and the guest network.
    I had to add multiple IP addresses to the RPI NIC (2 VLANs) so that it sees both networks, but it works well.
    It gives out addresses from the proper pools, using its own address as DNS and the pfSense box as the gateway. Naturally, each network has its own settings. DNS forwards to OpenDNS.

    The pfSense firewall has rules that keep the guest network off the LAN, except for a printer which I expose to the guest.

    I was pretty much forced to set this up when I donated my pfSense box to a client as a spare when theirs failed, and I had to stuff a Cisco PIX into my home network. When I did that, I lost my pfSense DNS and DHCP, so I had to punt, and I cobbled together the RPI setup. I liked it so much that I added a LiFePo battery backup (http://lifepo4wered.com/lifepo4wered-pi.html) to it and have been running it nonstop for over a year. Even when I regained my pfSense appliance.

    I see, thanks. So is your RPI NIC going straight to a wireless router just like in my situation?

    Well… not exactly, I guess. But they are all on the same LAN switch.
    Basically, there is a router between the internet and my network, just like everyone else's. On the local network, there's a DHCP/DNS server, and a wireless access point, just like most. The popular setup is to just have the pfSense firewall provide D&D services to the LAN, but I have them disabled there, and simply provide it on another box. My wireless units don't do anything but provide access points to the LAN, so there are no additional services running on the wireless APs.

    My network is a tiny bit unique, in that I have a Cisco Catalyst switch, and a Cisco WLC wireless LAN controller with a few Aironet wireless devices controlled by the WLC, but it's still a network (actually two) behind a pfSense firewall behind a cable modem.

    I can see where there could be a problem with a guest network, though. In my case, my pfSense box provides two LAN segments, my main LAN and my guest network. My access points provide two SSIDs, one for the LAN and one for the guest net. If you are trying to do this solely from the wifi router, obviously it could be difficult, since there's no common place for DHCP to exist on both networks.
    I believe that dd-wrt can create multiple SSIDs, so conceptually, you can use a separate VLAN from the pfSense firewall as the guest network, and have a dd-wrt provide a WiFi SSID for each VLAN. In that way, you can use all the pfSense services for each network as desired.

    Hmm I see, looks like it will be a while before I can try all these since DD-WRT is not out for the Orbi just yet



  • @darkarn:

    @a_null:

    Well… not exactly, I guess. But they are all on the same LAN switch.
    Basically, there is a router between the internet and my network, just like everyone else's. On the local network, there's a DHCP/DNS server, and a wireless access point, just like most. The popular setup is to just have the pfSense firewall provide D&D services to the LAN, but I have them disabled there, and simply provide it on another box. My wireless units don't do anything but provide access points to the LAN, so there are no additional services running on the wireless APs.

    My network is a tiny bit unique, in that I have a Cisco Catalyst switch, and a Cisco WLC wireless LAN controller with a few Aironet wireless devices controlled by the WLC, but it's still a network (actually two) behind a pfSense firewall behind a cable modem.

    I can see where there could be a problem with a guest network, though. In my case, my pfSense box provides two LAN segments, my main LAN and my guest network. My access points provide two SSIDs, one for the LAN and one for the guest net. If you are trying to do this solely from the wifi router, obviously it could be difficult, since there's no common place for DHCP to exist on both networks.
    I believe that dd-wrt can create multiple SSIDs, so conceptually, you can use a separate VLAN from the pfSense firewall as the guest network, and have a dd-wrt provide a WiFi SSID for each VLAN. In that way, you can use all the pfSense services for each network as desired.

    Hmm I see, looks like it will be a while before I can try all these since DD-WRT is not out for the Orbi just yet

    Well, if you still have your ASUS unit (or really, any ol' WiFi router that can be placed into AP-only mode), you could use both the Orbi and the ASUS, one for the LAN, and one for the guest network.



  • @a_null:

    @darkarn:

    @a_null:

    Well… not exactly, I guess. But they are all on the same LAN switch.
    Basically, there is a router between the internet and my network, just like everyone else's. On the local network, there's a DHCP/DNS server, and a wireless access point, just like most. The popular setup is to just have the pfSense firewall provide D&D services to the LAN, but I have them disabled there, and simply provide it on another box. My wireless units don't do anything but provide access points to the LAN, so there are no additional services running on the wireless APs.

    My network is a tiny bit unique, in that I have a Cisco Catalyst switch, and a Cisco WLC wireless LAN controller with a few Aironet wireless devices controlled by the WLC, but it's still a network (actually two) behind a pfSense firewall behind a cable modem.

    I can see where there could be a problem with a guest network, though. In my case, my pfSense box provides two LAN segments, my main LAN and my guest network. My access points provide two SSIDs, one for the LAN and one for the guest net. If you are trying to do this solely from the wifi router, obviously it could be difficult, since there's no common place for DHCP to exist on both networks.
    I believe that dd-wrt can create multiple SSIDs, so conceptually, you can use a separate VLAN from the pfSense firewall as the guest network, and have a dd-wrt provide a WiFi SSID for each VLAN. In that way, you can use all the pfSense services for each network as desired.

    Hmm I see, looks like it will be a while before I can try all these since DD-WRT is not out for the Orbi just yet

    Well, if you still have your ASUS unit (or really, any ol' WiFi router that can be placed into AP-only mode), you could use both the Orbi and the ASUS, one for the LAN, and one for the guest network.

    The ASUS is now with my friend permanently though, and even then it won't be able to cover the entire house unlike the Orbi (and getting another Orbi for guest network only is too cost-inefficient)



  • Did you ever figure out how to do the guest isolation on the ASUS when it's in AP mode?

    Read a bunch of threads over on the snb forum, but none seem to work in my application.

    Guest WiFi is on a separate VLAN.  Ideally each wireless guest is completely isolated from each other and any LAN hosts on the VLAN.  Since it's a wireless guest network, the chance of wired hosts being present is unlikely, so the latter is not as important.  At the minimum, getting each wireless host isolated is the goal.

    https://www.snbforums.com/threads/guest-network-in-access-point-mode.7021/#post-359045


  • Netgate

    I solved that problem on a large installation (650 access points) using uplink ports in brocade switches for per-vlan isolation among the different APs, and Ruckus' ability to set per-SSID isolation in the APs themselves. This achieved campus-wide isolation on certain VLANs between all wired and wireless clients.

    You might get close using private vlan edge on the catalyst (protected ports) but that is not per-vlan so it's all or nothing.


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy