Google WiFi and pfSense



  • Hey all! Been a pfSense user for about a year now. Just invested in a new Google WiFi mesh network system which works great! I move every 2 or 3 years for the military so it's pretty difficult to run wired backbones for basic repeaters. Anyway, I am super happy with Google WiFi! The only thing so far is I can't access my host overrides for my local ESXi machine and FreeNAS box that hosts 10 or so web apps. I would assume it has to do with Google WiFi using NAT. Unfortunately it looks like in a mesh network it needs to run in NAT. Is there anything I can do?



  • It shouldn't make any difference whether a mesh is using NAT or not.  While I haven't worked with Google WiFi, in general mesh networks move some of the "smarts" from the access point to a central controller.  So, instead of logging into the AP, you log into the controller, with the AP acting as just a bridge to it.



  • @JKnott:

    It shouldn't make any difference whether a mesh is using NAT or not.  While I haven't worked with Google WiFi, in general mesh networks move some of the "smarts" from the access point to a central controller.  So, instead of logging into the AP, you log into the controller, with the AP acting as just a bridge to it.

    I hear what you're saying. There is no "controller" per se; with Ubiquiti, I know, there is a separate controller. What I think the problem is, is that it runs on its own subnet and has its own DHCP server. There is no way to turn it off. It's completely controlled via the phone app you install. The only thing I can really set is the DNS servers.



  • That's dumb.  What about people with IPv6, where you don't need NAT?  If it can handle IPv6 without NAT, it should be able to handle IPv4 without it too.



  • @JKnott:

    That's dumb.  What about people with IPv6, where you don't need NAT?  If it can handle IPv6 without NAT, it should be able to handle IPv4 without it too.

    It is a bit silly. The way they explain it, they need it for the features it provides. I did test it, and auto-switching clients to the closest station works fantastically. There are also priorities, limiting, and a bunch of other useful stuff. It's beside the point though.


  • Rebel Alliance Global Moderator

    From my very limited research, Google WiFi is really designed to be the home router at the edge that supplies your WiFi as well.  If you bridge it I do believe you lose many of the "mesh" features.

    If you ask me it's designed for the typical user that just wants a black box and be done with it.  If you like to tinker/power user you would be better off getting a real AP that supports wireless uplink if you have issues with running wires.  This allows you to have a "mesh", but not multi-hop wireless uplinks?

    I do not believe the Google WiFi devices actually do multiple-hop uplink? Can someone confirm or deny? I cannot seem to find a definitive answer.  You can do it with UniFi but you need their "mesh" devices, the UAP-AC-M or UAP-AC-PRO-M.  But their other AC line, Pro, LR and Lite, all support wireless uplink.  Which allows you to place APs around your home without a wire and not run into the typical /2 bandwidth that your typical SOHO repeater/extender does.  But it does need a connection to an AP that is wired.

    With wireless uplink you use one of the bands as your uplink and the other band is used for clients in the area of that AP.

    So depending on your requirements for WiFi, this is where you need true mesh or just wireless uplink.

    network --wire-- AP --wireless-- AP --client
    network --wire-- AP --wireless-- AP --wireless-- AP --client

    i.e. can you daisy-chain the APs wirelessly, or multihop wirelessly.

    I do not believe Google allows for multiple VLANs either; I think you can do a guest network, but I am not clear that you can do multiple different SSIDs and then tie them to different wired networks like you can with a normal AP that has VLAN support.



  • @johnpoz:

    From my very limited research, Google WiFi is really designed to be the home router at the edge that supplies your WiFi as well.  If you bridge it I do believe you lose many of the "mesh" features.

    If you ask me it's designed for the typical user that just wants a black box and be done with it.  If you like to tinker/power user you would be better off getting a real AP that supports wireless uplink if you have issues with running wires.  This allows you to have a "mesh", but not multi-hop wireless uplinks?

    I do not believe the Google WiFi devices actually do multiple-hop uplink? Can someone confirm or deny? I cannot seem to find a definitive answer.  You can do it with UniFi but you need their "mesh" devices, the UAP-AC-M or UAP-AC-PRO-M.  But their other AC line, Pro, LR and Lite, all support wireless uplink.  Which allows you to place APs around your home without a wire and not run into the typical /2 bandwidth that your typical SOHO repeater/extender does.  But it does need a connection to an AP that is wired.

    With wireless uplink you use one of the bands as your uplink and the other band is used for clients in the area of that AP.

    So depending on your requirements for WiFi, this is where you need true mesh or just wireless uplink.

    network --wire-- AP --wireless-- AP --client
    network --wire-- AP --wireless-- AP --wireless-- AP --client

    i.e. can you daisy-chain the APs wirelessly, or multihop wirelessly.

    I do not believe Google allows for multiple VLANs either; I think you can do a guest network, but I am not clear that you can do multiple different SSIDs and then tie them to different wired networks like you can with a normal AP that has VLAN support.

    It is multi-uplink in the sense that it's redundant. Unless you mean something else. Currently I have my primary Google WiFi AP connected via Ethernet from a switch, then the other two link to whichever AP is closest in distance.


  • Rebel Alliance Global Moderator

    What I mean by multihop is the 2nd ASCII diagram:

    network --wire-- AP --wireless-- AP --wireless-- AP --client

    So you're saying it is multihop, i.e. your 3rd AP can connect to the AP that is also wireless to your base AP that has a wired connection to it.



  • It is a bit silly. The way they explain it, they need it for the features it provides. I did test it, and auto-switching clients to the closest station works fantastically

    Providing a mesh does not require NAT.  Cisco mesh WiFi does fine without NAT.  What "features" can they provide that require NAT?

    With Cisco access points, they come out of the box ready to be used in a mesh, with controller software installed on a switch.  In order to use them as stand-alone APs, different firmware has to be loaded.



  • @johnpoz:

    What I mean by multihop is the 2nd ASCII diagram:

    network --wire-- AP --wireless-- AP --wireless-- AP --client

    So you're saying it is multihop, i.e. your 3rd AP can connect to the AP that is also wireless to your base AP that has a wired connection to it.

    I'll run a few tests. It gives readouts for strength of the AP to client and AP to AP. From what I'm reading, yes, it does hop. But I'll try staging them far enough away so they have no choice but to not have enough strength to reach the base AP, so it has to use the wireless AP.

    As for Cisco, I have never personally used their mesh APs. But I have used their switches, which are great. I really want to give these Google WiFi APs a chance because I get my 350 Mbps line speed through them anywhere in the house lol.



  • So I did verify that "daisy chaining" is supported. I both tested it and spoke to a rep. When placing a WiFi AP in between the base wired AP and a wireless one, it not only increased my speed on one, but on the further one as well. I put in a feature request to have all mesh features in bridge mode only. The representative said it's been a requested feature numerous times and they will try and work on it.

    As for my initial issue: has no one ever run a double NAT and had this problem? Or different subnets?
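The double-NAT question above is easiest to answer from the client's own view of the network. The following is an added example, not code from the thread: it parses the output of `ip route` and the contents of `/etc/resolv.conf` on a client, decides whether the client sits behind a second router (the mesh base) rather than directly on the pfSense LAN, and whether its DNS queries can ever reach the pfSense DNS Resolver where the host overrides live. The sample inputs are constructed; the pfSense LAN `192.168.1.0/24` with pfSense at `192.168.1.1`, and the mesh router's `192.168.86.0/24` subnet, are assumptions for the example and not taken from the thread.

```python
import ipaddress
import re

# Constructed sample input: what `ip route` and /etc/resolv.conf look like on a
# laptop that joined the mesh SSID. 192.168.86.0/24 is assumed here as the mesh
# router's own subnet; 192.168.1.0/24 and 192.168.1.1 are assumed for pfSense.
IP_ROUTE_BEHIND_MESH = """\
default via 192.168.86.1 dev wlan0 proto dhcp metric 600
192.168.86.0/24 dev wlan0 proto kernel scope link src 192.168.86.42 metric 600
"""
RESOLV_CONF_BEHIND_MESH = """\
# Generated by NetworkManager
nameserver 192.168.86.1
"""

# Constructed sample input for a wired client plugged straight into the pfSense LAN.
IP_ROUTE_ON_PFSENSE_LAN = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
"""
RESOLV_CONF_ON_PFSENSE_LAN = "nameserver 192.168.1.1\n"


def parse_default_gateway(ip_route_output):
    """Return the IPv4 default gateway from `ip route` output, or None."""
    for line in ip_route_output.splitlines():
        m = re.match(r"default via (\d+\.\d+\.\d+\.\d+)", line.strip())
        if m:
            return ipaddress.ip_address(m.group(1))
    return None


def parse_nameservers(resolv_conf):
    """Return the nameserver addresses listed in a resolv.conf, in order, ignoring comments."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(ipaddress.ip_address(parts[1]))
    return servers


def diagnose(ip_route_output, resolv_conf, pfsense_lan, pfsense_ip):
    """Classify where the client sits relative to pfSense and where its DNS goes.

    pfsense_lan: the pfSense LAN network (e.g. 192.168.1.0/24)
    pfsense_ip:  the pfSense LAN address running the DNS Resolver (Unbound)
    """
    lan = ipaddress.ip_network(pfsense_lan)
    pf = ipaddress.ip_address(pfsense_ip)
    gw = parse_default_gateway(ip_route_output)
    ns = parse_nameservers(resolv_conf)

    result = {"gateway": str(gw) if gw else None,
              "double_nat": gw is not None and gw not in lan,
              "dns_reaches_pfsense": pf in ns,
              "notes": []}

    if result["double_nat"]:
        result["notes"].append(
            "Client's gateway is not on the pfSense LAN: it sits behind a second "
            "router. pfSense sees all of these clients as that router's WAN address, "
            "so per-client firewall rules, static DHCP mappings and DHCP-registered "
            "hostnames on pfSense cannot apply to them.")
    if result["dns_reaches_pfsense"]:
        result["notes"].append("Queries go to pfSense directly; host overrides resolve.")
    elif gw is not None and ns == [gw]:
        result["notes"].append(
            "Queries go to the second router's DNS forwarder. Host overrides only "
            "resolve if its upstream DNS (the one setting the app exposes) is the "
            "pfSense address; a public resolver will not know them.")
    else:
        result["notes"].append(
            "Queries bypass pfSense entirely; host overrides will not resolve.")
    return result


if __name__ == "__main__":
    for label, route, resolv in (("behind mesh", IP_ROUTE_BEHIND_MESH, RESOLV_CONF_BEHIND_MESH),
                                 ("on pfSense LAN", IP_ROUTE_ON_PFSENSE_LAN, RESOLV_CONF_ON_PFSENSE_LAN)):
        print(label, diagnose(route, resolv, "192.168.1.0/24", "192.168.1.1"))
```

The useful output is the third case: a client whose only nameserver is the mesh router's address is not talking to pfSense at all, and the only lever left is the upstream DNS setting in the app, which is exactly the one setting the original poster reports being able to change.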


  • Rebel Alliance Global Moderator

    What about VLAN support?  So how many different wireless SSIDs can you have, and how do you tie those to wired networks?  The system sounds good if you didn't have to use them as an actual router, and how do you put wired devices on the same layer 2 as a specific wireless device?



  • @johnpoz:

    What about VLAN support?  So how many different wireless SSIDs can you have, and how do you tie those to wired networks?  The system sounds good if you didn't have to use them as an actual router, and how do you put wired devices on the same layer 2 as a specific wireless device?

    Unfortunately at this time it seems multiple SSIDs are not supported. There is a guest WiFi that can be set up though. 5 and 2.4 GHz clients are forced to use whichever is fastest, as they are not different names like on traditional routers. I do believe the controller handles forcing clients to use the faster of the two.

    No VLAN support either. These seem to be an extremely easy option for the common user. I literally pointed my phone at it after plugging it in, and it expanded my network with every AP I added.

    Adding wired devices on the same layer 2... I'm not sure if you mean having both wired and wireless backhauls for the APs, but this is supported. It will use the faster of the two (obviously wired). Also, this is all automated: you hook it up wirelessly, and once setup completes, you plug in a wired backhaul. Or, you can connect a wired client when it's in wireless bridge mode. I believe you can use both ports for clients, or just run to a dumb switch.

    Hope that answers your questions.


  • Rebel Alliance Global Moderator

    "Adding wired devices on the same layer 2..."

    If they do not support VLAN tagging, then no, they don't support putting wired and wireless devices on the same VLAN, other than their 1 SSID.

    So for example I have an SSID that is VLAN 500. This has both WiFi devices and wired devices all on the same layer 2 network. Some are wireless and some are wired through the switching network. This is VLAN ID 500 in both my switching and WiFi network.  So I have a device, say in the guest room on WiFi on one side of the house, and then I have a device in my AV cab in the living room that is also on this same network, 192.168.5.0/24.

    So you create this guest SSID: how do you have a wired device on only the guest network, and not on your normal SSID?  Can you put the wired interface on them in either the LAN or the guest network?

    As to moving a client to either 5 or 2.4, yes, that would be band steering. Nothing really fancy there. If they had VLAN support and you didn't have to use their base as your router doing NAT, etc., it would probably be a very nice choice. Without the ability to create different networks via WiFi, how do you isolate your IoT devices from your normal network? Just put all of that on guest?  I guess it's better than nothing.

    Do they support enterprise auth vs. just PSK? Seems only PSK:

    Security
    WPA2-PSK
    Automatic security updates
    Infineon SLB 9615 trusted platform module

    It seems like a nice product for your typical home user - point and click. My WiFi stuff works, oh wow what a pretty interface ;)  Now if they just gave it the ability to do real networking you might have something...  Doesn't seem to support DFS channels? So no 160 MHz, which is kind of one of the big things with Wave 2, the increased bandwidth, and the MU-MIMO is limited because it's only 2x2.  Most of the Wave 2 APs are supposed to be 4x4 for streams, are they not?  So can you LAG the 2 ports on them?  If not you're limited to 1 gig shared between all your clients to the real network. So you cannot get the full bandwidth that is supposed to be possible with Wave 2's higher PHY rates. If you could LAGG the interfaces then at least you could use the 1 and 1 gig interfaces for multiple clients and actually max out.

    Glad you are happy with it, and thanks for sharing some info on it. But it seems more a high-priced shiny home user device. Turn it on and all your devices get on the internet ;)  What is happening in the background, actual performance for lots of devices, multiple networks with a firewall between your segments, etc. etc.?  Not so much ;)



  • Yeah, you nailed it. No, it doesn't support any sort of LAGG. It will probably be something I return, to be honest. I love Google products, and I'm hesitant to return it, but what is the point of having it if I can't even utilize the pfSense features I use most, right? I might try an Orbi, which has its own 5 GHz back-end channel for communication between APs. I haven't figured out if the Orbi supports LAGG or not. Any last-minute questions before I go back to the store?



  • as they are not different names like on traditional routers. I do believe the controller handles forcing clients to use the faster of the two.

    Actually, having the same name on both channels has been common for a long time.  Also, I don't believe there is any mechanism where the controller can force a client to use a different band.  That's generally a client function, where it looks for a new connection, when the current one is getting weak.


  • Rebel Alliance Global Moderator

    "I don't believe there is any mechanism where the controller can force a client to use a different band"

    Let's not call it "force", but it can be steered to the 5 GHz. This is called band steering, and to be honest pretty much any actual AP will support this.  And pretty much every SOHO router should as well with any sort of decent firmware.  Sure, you can set your client to only use specific bands, and you can tell your client to prefer one band over the other.

    But with band steering the controller can prevent the client from even connecting to 2.4: if it knows the client supports 5 GHz via a probe request seen on the 5 GHz band, it can prevent that client from connecting on the 2.4 band, etc.



  • Hmmm…  I hadn't heard of band steering, so I checked.  Here's what Cisco has to say:

    "Wireless devices use two kinds of scanning techniques: passive and active. In a passive scan the wireless client quickly sweeps each channel listening for beacon frames sent by APs advertising their wireless networks. In an active scan the wireless client sends probe requests on each channel to solicit a probe response from APs advertising their wireless network. The end user then sees the list of available wireless network connections. "

    So, hidden SSIDs.

    "Note: Some wireless devices use passive scanning instead of active scanning because it consumes less power. A single band 2.4GHz wireless client that employs passive scanning may not be able to detect the wireless network with Band Steering enabled because the beacon frames do not advertise the wireless network.

    If certain wireless clients are unable to detect the wireless network they may be using passive scanning. In these cases configure the network to use Dual band operation, not Dual band operation with Band Steering."

    Looks like it brings some problems.  At least, the users will have to know the SSID somehow.  Also, some devices are battery limited.  Active probes mean shorter battery life.


  • Rebel Alliance Global Moderator

    That is 1 way to do it... You can also prevent the device from connecting to 2.4. It's not really a "standard" and there are many different ways to skin the cat.

    Have you been in a cave under a rock?  How have you not heard of band steering? ;)

    http://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Content/ArubaFrameStyles/ARM/Band_Steering.htm

    https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-the-band-steering-feature-and-how-does-it-help-us/ta-p/172154

    How Band Steering Works
    • Controller maintains a list of 5 GHz-capable devices, which is shared with APs.
    • If a client connects to the 5 GHz band, it is added to the list of 5 GHz-capable devices.
    • If a known 5 GHz-capable device transmits probe or auth request on the 2.4 GHz band, the device is dropped initially.

    https://www.draytek.com/en/faq/faq-wlan/wlan.wireless-lan/what-is-band-steering/

    I use band steering on my UniFi; I do not have any issues with my 2.4-only devices connecting or seeing the SSID.  But devices that are 2.4 and 5 are almost always on the 5, unless they do not meet the min RSSI I have set, etc.
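The "list of 5 GHz-capable devices" approach quoted from the Aruba documentation above, plus the two caveats raised in the thread (a 2.4-only client must never be locked out, and a dual-band client whose 5 GHz signal is below the minimum RSSI should be left on 2.4), as an added example rather than code from any vendor. The controller here is a toy model: the `MAX_DROPS` limit on how many 2.4 GHz attempts are ignored before the controller gives up, the `-70` dBm minimum RSSI, and the client names and signal levels in the scenario are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

MAX_DROPS = 3  # assumed: 2.4 GHz attempts ignored before the controller stops steering a client


@dataclass
class BandSteeringController:
    """Toy controller: remember who has been seen on 5 GHz and initially drop their 2.4 GHz attempts."""
    min_rssi_5g: int = -70                                # assumed threshold, like an AP "min RSSI" setting
    capable_5g: set = field(default_factory=set)          # MACs known to support 5 GHz
    last_rssi_5g: dict = field(default_factory=dict)      # MAC -> last 5 GHz RSSI heard (dBm)
    drops: dict = field(default_factory=dict)             # MAC -> 2.4 GHz attempts ignored so far
    associated: dict = field(default_factory=dict)        # MAC -> band the client ended up on

    def _seen_on_5g(self, mac, rssi):
        self.capable_5g.add(mac)
        self.last_rssi_5g[mac] = rssi

    def _allow_on_2g(self, mac):
        # Unknown or 2.4-only clients are never steered: dropping them would lock them out.
        if mac not in self.capable_5g:
            return True
        # Known 5 GHz-capable, but its 5 GHz signal is below the minimum: let it use 2.4.
        if self.last_rssi_5g.get(mac, -100) < self.min_rssi_5g:
            return True
        # Drop "initially"; after MAX_DROPS attempts stop fighting the client.
        n = self.drops.get(mac, 0)
        if n < MAX_DROPS:
            self.drops[mac] = n + 1
            return False
        return True

    def on_probe(self, mac, band, rssi):
        """Probe request heard on `band`; returns 'respond' or 'drop'."""
        if band == "5g":
            self._seen_on_5g(mac, rssi)
            return "respond"
        return "respond" if self._allow_on_2g(mac) else "drop"

    def on_auth(self, mac, band, rssi):
        """Authentication request on `band`; returns 'accept' or 'drop' and records the association."""
        if band == "5g":
            self._seen_on_5g(mac, rssi)
        elif not self._allow_on_2g(mac):
            return "drop"
        self.associated[mac] = band
        self.drops.pop(mac, None)
        return "accept"


def run_scenario():
    """Constructed sequence of four clients; returns what each ended up doing."""
    c = BandSteeringController()
    out = {}
    # Dual-band phone, strong on 5 GHz, tries 2.4 first: steered away, then joins 5 GHz.
    out["phone"] = [c.on_probe("phone", "5g", -55), c.on_probe("phone", "2g", -50),
                    c.on_auth("phone", "2g", -50), c.on_auth("phone", "5g", -55)]
    # Dual-band laptop at the far end of the house: 5 GHz heard but too weak, allowed on 2.4.
    out["laptop"] = [c.on_probe("laptop", "5g", -80), c.on_auth("laptop", "2g", -60)]
    # 2.4 GHz-only IoT device: never seen on 5 GHz, so never dropped.
    out["iot"] = [c.on_probe("iot", "2g", -65), c.on_auth("iot", "2g", -65)]
    # Dual-band client that keeps insisting on 2.4: dropped MAX_DROPS times, then accepted.
    out["stubborn"] = [c.on_probe("stubborn", "5g", -50)] + \
                      [c.on_auth("stubborn", "2g", -45) for _ in range(MAX_DROPS + 1)]
    out["associated"] = dict(c.associated)
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

The IoT and laptop cases are the ones worth checking in any real deployment: a steering policy that drops based only on "seen a probe on 5 GHz" and has no give-up counter will strand a client whose 5 GHz radio can hear the AP's beacon but cannot hold an association.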