Static ARP Entries for Another Subnet



  • I have a router running tomato which I use only for WiFi; it is connected to the same switch as my pfSense VM.

    I have two subnets configured on this router:

    • 192.168.1.0 with DHCP disabled on the router and enabled on pfSense
    • 192.168.70.0 virtual wireless interface (for guests really) with DHCP enabled on the router

    So:

    pfSense VM (192.168.1.1):

    • VM with two NICs (WAN/LAN)
    • LAN has active DHCP server (192.168.1.0)
    • I have configured a static route (192.168.70.0/24 Router - 192.168.1.2)

    wireless router (192.168.1.2):

    • has inactive DHCP server on (192.168.1.0)
    • but active DHCP server on (192.168.70.0)

    I added an extra route for the guest wifi 192.168.70.0 subnet so routing all works. Guests have internet access.

    My question is: if I enable "Enable Static ARP entries" in pfSense DHCP Server, guests on the 195.168.70.0 subnet no longer have internet access. I obviously can't put a static mapping for the 192.168.70.0 subnet as it differs from the DHCP configured subnet of 192.168.1.0 and the GUI won't let me.

    Thoughts here?



  • I guess my question is how to add a static arp entry for another subnet.

    I tried via the command line with arp -s and I get:

    cannot intuit interface index and type for 192.168.70.3

    Or a way to do this with a rule?



  • So any thoughts on this?


  • LAYER 8 Global Moderator

    Doesn't work that way dude.. MAC is for the L2 you're on.. having a mac for a network address that is not on your layer 2 is pointless.

    Not sure how you have your guest network setup.. Seems like a downstream network.. You should just tag guest network as a vlan.  And add that vlan to pfsense.  So now all your networks are connected to pfsense.  So pfsense will see these networks at L2 and you can add any static arp you want for any device on any network/vlan directly attached to pfsense.



  • @johnpoz:

    Doesn't work that way dude.. MAC is for the L2 you're on.. having a mac for a network address that is not on your layer 2 is pointless.

    Not sure how you have your guest network setup.. Seems like a downstream network.. You should just tag guest network as a vlan.  And add that vlan to pfsense.  So now all your networks are connected to pfsense.  So pfsense will see these networks at L2 and you can add any static arp you want for any device on any network/vlan directly attached to pfsense.

    Thanks dude for the clarification, I've never wrapped the concept of VLANs around my mind. I'm not exactly sure how to implement what you suggest.

    I found this link on how to create vlans:  https://forum.pfsense.org/index.php?topic=126440.0

    I'm guessing I can tag the guest network (which is bridged to lan1 in my case) as a VLAN with tomato to a specific port of the router…but would I be able to tag two VLANs on the same port? Actually I think it can be done with tomato (as I only have one wire back to my main switch from the wifi router for both wifi (lan + guest) networks).

    I've attached the way I have it configured right now with my tomato (.2) router and pfsense (.1). On the router, wl0.1 is the virtual wifi interface (.50) bridged to LAN1. On the pfsense side of things, I added a new gateway (the wifi router) and added a static route / rule. Please see attachment.




  • I tried this by tagging the correct port on my router with vlan id 6. Then on pfsense I created an interface with the same id and enabled dhcp. I can't seem to acquire an ip on my wireless devices when I connect to the appropriate virtual wireless interface. Oh, I'm running pfsense on ESXi if that matters.

    I guess one thing I don't quite get: does the tagged port from the router have to go directly into a separate nic on the pfsense box? As this is not the case now, it simply goes into my switch (TRENDnet TEG-S80G) as I only have two nics on my pfsense box (wan and lan). The vlan's parent interface is my LAN nic.

    I'm now trying a vlan capable switch netgear gs105e…still having problems.

    EDIT: Ok had to change the VLAN ID to 4095 in esxi on my port group for the LAN interface.



  • LAYER 8 Global Moderator

    "EDIT: Ok had to change the VLAN ID to 4095 in esxi on my port group for the LAN interface."

    Yup.. If you do not set a specific vlan ID or allow all with the 4095 then the switch/port group on esxi switch will strip tags.
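
    The port-group behaviour described above, as an added example that is not from the thread or from pfSense/ESXi code: it builds a constructed 802.1Q frame tagged VID 6 (the guest VLAN), runs it through a simplified model of an ESXi port group set to 0, a specific VID, or 4095, and checks whether pfSense's vmx0 VLAN 6 child interface would ever see the tag. The MAC addresses and the three-way port-group model are assumptions for illustration.

```python
import struct

TPID_8021Q = 0x8100       # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
VGT_ALL_VLANS = 4095      # ESXi port-group VLAN ID meaning "pass tags through to the VM"

# Constructed sample addresses (not from the thread): AP bridge MAC and pfSense vmx0 MAC.
AP_MAC = bytes.fromhex("020000000002")
PFSENSE_MAC = bytes.fromhex("020000000001")


def build_frame(dst, src, payload, vid=None):
    """Ethernet II frame; with vid set, insert an 802.1Q header (PCP 0, DEI 0)."""
    if vid is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    return dst + src + struct.pack("!HHH", TPID_8021Q, vid & 0x0FFF, ETHERTYPE_IPV4) + payload


def parse_vid(frame):
    """Return (vid, frame_without_tag); vid is None for an untagged frame."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


def portgroup_deliver(frame, portgroup_vlan):
    """Simplified model (assumption) of what a vSwitch port group hands to the vNIC:
    4095   -> frame delivered with its tag intact (guest tagging)
    1-4094 -> only frames on that VID, delivered with the tag stripped
    0      -> frame delivered untagged (tag stripped), which is why the VLAN 6
              interface saw nothing until the port group was set to 4095."""
    vid, untagged = parse_vid(frame)
    if portgroup_vlan == VGT_ALL_VLANS:
        return frame
    if portgroup_vlan == 0:
        return untagged
    return untagged if vid == portgroup_vlan else None


def reaches_vlan_interface(delivered, vid):
    """True if pfSense's vmx0.<vid> child interface would see the delivered frame."""
    return delivered is not None and parse_vid(delivered)[0] == vid


# Constructed traffic: a guest-wifi frame tagged VID 6 and a native-LAN frame.
GUEST_FRAME = build_frame(PFSENSE_MAC, AP_MAC, b"guest-dhcp-discover", vid=6)
LAN_FRAME = build_frame(PFSENSE_MAC, AP_MAC, b"lan-packet")

if __name__ == "__main__":
    for pg in (0, 6, VGT_ALL_VLANS):
        seen = reaches_vlan_interface(portgroup_deliver(GUEST_FRAME, pg), 6)
        print(f"port group VLAN {pg:4}: guest frame reaches vlan6 interface? {seen}")
```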



  • @johnpoz:

    "EDIT: Ok had to change the VLAN ID to 4095 in esxi on my port group for the LAN interface."

    Yup.. If you do not set a specific vlan ID or allow all with the 4095 then the switch/port group on esxi switch will strip tags.

    Thanks for the help. Both my regular wlan and guest vlan6 are now working and pfsense sees them and handles dhcp for both networks.

    On the router, I've configured two bridges, br0 (192.168.3.2) and br1 (192.168.6.2); dhcp is disabled on both of course and the guest wifi (.6 subnet) is bridged with br1. Also the router's default gateway is 192.168.3.1. But another minor thing I'm struggling with…

    Like I said the pfsense box has two nics, wan and lan (192.168.3.1). LAN is on interface vmx0 and the VLAN6's parent interface is also vmx0.

    Physically, the lan port of pfsense is now connected to my router's second port where I'm tagging the guest vlan for vlan6 (see photo). And the first port of the router is connected to another switch for other devices for my regular lan subnet (.3 subnet). I'm assuming that all untagged traffic makes its way fine out of port 2 or else I'd notice.

    All works as it should except I cannot ping the router (192.168.3.2) from pfsense (192.168.3.1) or vice versa, they just don't see each other yet traffic makes its way out fine. Not sure I understand why, perhaps I'm doing something wrong or there's a misconfigured rule or something? Probably better using a managed switch here right? I'm just not sure what the best approach to physically connecting all this up. Perhaps something comes to mind here?

    I also don't see the router's 192.168.3.2 entry in pfsense's arp cache, so it doesn't see it for some reason.

    ![Screen Shot 2017-10-27 at 4.23.28 PM.png](/public/imported_attachments/1/Screen Shot 2017-10-27 at 4.23.28 PM.png)



  • Any thoughts on this ^. Perhaps a better way to physically hook this all up? I've got a 5-port vlan capable switch that I can use for this purpose just unclear as to the best way to hook it up with the router.


  • LAYER 8 Global Moderator

    Not sure why you're creating multiple bridges, and you're running it through a switch that doesn't do vlans?

    I would leave the native lan untagged, and then create your virtual wireless networks with vlan tags.. So on your tomato box you would have your lan (192.168.3.2) as untagged and wireless could either be on this same untagged network or could be created with tags.

    if you're running tagged networks through a switch that does not do vlans then you're doing it wrong - no matter what jknott mention about dumb switches passing vlan tags ;)



  • @johnpoz:

    Not sure why you're creating multiple bridges, and you're running it through a switch that doesn't do vlans?

    I would leave the native lan untagged, and then create your virtual wireless networks with vlan tags.. So on your tomato box you would have your lan (192.168.3.2) as untagged and wireless could either be on this same untagged network or could be created with tags.

    if you're running tagged networks through a switch that does not do vlans then you're doing it wrong - no matter what jknott mention about dumb switches passing vlan tags ;)

    Perhaps I'm not being clear on describing my setup, and I apologize for this.

    All the guides and docs I found all create another bridge for the guest wifi, and it would appear that it's the only way to assign a VID to a bridge using the GUI.

    I'm not technically running the router through a switch that doesn't do vlans, I'm connecting the router (from port 2) to the LAN port of pfsense. The router's port 2 is tagged with vlan 6 and also allows untagged data to pass, given the image I posted above.. The switch that doesn't do vlans is actually connected to port 1 of the router for untagged data, and port 1 allows untagged data to pass. So I'm not running tagged networks through a switch that does not do vlans.

    Besides not being able to ping the router (192.168.3.2 br0) from pfsense, I also have a wifi camera on my regular wifi (.3) which I'm now noticing dropped frames - I'm not sure it's related to this somehow or due to the fact i switched over to aes from tkip. But it's troubling, I should be able to ping the router from pfsense, right?

    At this point, I'm slightly confused about the above. Like I said, I do have a 5 port vlan capable switch, would you be able to describe an alternate way to connect this with my given hardware and the vlan capable switch or should I keep it as is?


  • LAYER 8 Global Moderator

    I do not have anything running tomato… to be able to show you screen shots.  But I think all the guides talk about creating another bridge because they are using the tomato as their router and not just some gateway.

    If you're connecting a port from the tomato to your pfsense box then no you don't need a smart switch between..

    You have a bridge between your wireless and your wired switch on tomato.  Have to look if I have old hardware laying around that could run tomato on.  What hardware are you running it on?  I have wdr3600 maybe it would run on.



  • @johnpoz:

    I do not have anything running tomato… to be able to show you screen shots.  But I think all the guides talk about creating another bridge because they are using the tomato as their router and not just some gateway.

    If you're connecting a port from the tomato to your pfsense box then no you don't need a smart switch between..

    You have a bridge between your wireless and your wired switch on tomato.  Have to look if I have old hardware laying around that could run tomato on.  What hardware are you running it on?  I have wdr3600 maybe it would run on.

    I have tomato running on an asus rt-n66u router. Someone on another forum suggested that I'd need to tag the other vlan as well to get this working…


  • LAYER 8 Global Moderator

    You can not run more than 1 network untagged.. On the same wire.. But if you're going to create other bridges you need to connect them to your wire and this wire has to be the same wire that is connected to pfsense, etc.  But there is no reason to create another bridge because you're not wanting the tomato device to keep this isolated..

    The bridge is just between the tomato wifi and the wire…  You only need 1..

    Your network that tomato is managed via, ie its lan IP on the wire side of the bridge.. Does not need a vlan, it can be native.  The wifi networks you create are what you want a vlan tag on, and these networks will be handled by pfsense.  With its vlan interfaces.  There is no need for an IP on the tomato device in these networks.  Zero since it's not routing, it's not dns - you're not going to manage the wifi from it, etc.

    Keep in mind the vast majority of guides you find on the internet are for when the tomato is being the edge router to the internet and routing between all networks.. And wanting to isolate the wifi (guest) from other wired clients, etc. etc.

    This is not the case when using as AP... You just want it to tag the wifi traffic for specific ssids and send it on to pfsense so pfsense can route it and firewall it.  Either to the internet or other vlans.



  • @johnpoz:

    You can not run more than 1 network untagged.. On the same wire.. But if you're going to create other bridges you need to connect them to your wire and this wire has to be the same wire that is connected to pfsense, etc.  But there is no reason to create another bridge because you're not wanting the tomato device to keep this isolated..

    The bridge is just between the tomato wifi and the wire…  You only need 1..

    Your network that tomato is managed via, ie its lan IP on the wire side of the bridge.. Does not need a vlan, it can be native.  The wifi networks you create are what you want a vlan tag on, and these networks will be handled by pfsense.  With its vlan interfaces.  There is no need for an IP on the tomato device in these networks.  Zero since it's not routing, it's not dns - you're not going to manage the wifi from it, etc.

    Keep in mind the vast majority of guides you find on the internet are for when the tomato is being the edge router to the internet and routing between all networks.. And wanting to isolate the wifi (guest) from other wired clients, etc. etc.

    This is not the case when using as AP... You just want it to tag the wifi traffic for specific ssids and send it on to pfsense so pfsense can route it and firewall it.  Either to the internet or other vlans.

    Thanks for the explanation. I thought that I needed two bridges because I have two wifi subnets on the tomato router, one for my normal lan (.3) and one for the guest wifi (.6).

    So would you recommend that I remove the br1 (192.168.6.2) bridge then? And have the guest wifi (which is a virtual wifi interface in tomato) bridged to br0? Then simply tag the port with vlan6?

    In any case, I think there's a bigger problem: tomato doesn't allow me (at least via the gui) to tag more than one VID per bridge. See photo.

    ![Screen Shot 2017-10-30 at 9.15.21 AM.png](/public/imported_attachments/1/Screen Shot 2017-10-30 at 9.15.21 AM.png)


  • LAYER 8 Global Moderator

    This is why these devices blow..  They are designed to be the edge router, and not just an AP..  Not really designed to send the traffic vlans out the lan ports.  Can you put it in AP and tie the wan into the br0 and then just add your wifi ssid vlans to br0?

    Can you not just add your wifi with the vlan on it to br0?  And then have that vlan tagged on the port connected to pfsense?  Be it port 1, 2,3 or 4?

    If they have limits on br0, then ok create another bridge.. But what you need to happen.. Is you need these vlans on the port that is connected to a port that is connected to pfsense.  If you're going to then use this br to admin the device, then that is the IP you would use..

