Netgate Discussion Forum

    WAN, LAN + OPT1 - CORRECT WAY OF SETUP

    Routing and Multi WAN
    12 Posts 3 Posters 9.0k Views
    tchadrack

      I installed pfSense on a PC with 3 network interfaces, in the following scenario:

      LAN is the private network, and its users may access the WAN using squid. (This is already working.)
      (WAN is the interface connected to the internet.)

      Finally:

      The OPT1 interface is connected to a wireless router, which I am using as an access point.

      I want the clients of this access point to be able to connect to the internet through a captive portal, but be restricted from the LAN network.

      LAN and WAN are working well, but I tried to set up OPT1 and was not able to make it work properly.

      Please, does somebody know the correct way of doing this?

      hbauer

        Is DHCP running on OPT1, and is your access point getting an IP address?

        tchadrack

          @hbauer:

          Is DHCP running on OPT1, and is your access point getting an IP address?

          The DHCP server is enabled on the OPT1 interface, but is disabled in the access point.

          The OPT1 interface has the IP 192.168.27.254/24 with DHCP enabled.

          The access point is at 192.168.27.1/24, static (DHCP disabled). Gateway 192.168.27.254.

          This access point is a TP-Link router with OpenWrt with this configuration:
          Uptime: 4h 44m 44s
          MAC-Address: F4:EC:38:xx:xx:xx
          IPv4: 192.168.27.1/24
          IPv6: fdd7:a463:e48a::1/60

          The network cable is connected to the OPT1 interface and to one of the LAN ports (of the access point).

          The wifi clients are getting IPs from the OPT1 DHCP server.

          johnpoz (LAYER 8 Global Moderator)

            "The wifi clients are getting IPs from the OPT1 DHCP server."

            So it's working. So what firewall rules did you put on the OPT1 network? When you create a new interface there are no default rules like the ones LAN gets when you set up pfSense. You have to create the rules to allow the traffic you want to allow.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            tchadrack

              @johnpoz:

              "The wifi clients are getting IPs from the OPT1 DHCP server."

              So it's working. So what firewall rules did you put on the OPT1 network? When you create a new interface there are no default rules like the ones LAN gets when you set up pfSense. You have to create the rules to allow the traffic you want to allow.

              This is a copy-paste from Firewall / Rules / OPT1:

              States  Protocol  Source    Port  Destination  Port  Gateway  Queue  Schedule  Description  Actions
                      IPv4 *    OPT1 net  *     WAN net      *     *        none
                      IPv4 *    *         *     WAN net      *     *        none

              But it's not working. Do you know if this is correct?

              hbauer

                I can't test it at this moment, but I believe your OPT1 devices are not allowed to access the OPT1 gateway in the first place.

                Maybe add a

                IPv4 *  OPT1 net  *  OPT1 address  *  *  none

                first.

                Just a guess, without any experience.

                tchadrack

                  @hbauer:

                  I can't test it at this moment, but I believe your OPT1 devices are not allowed to access the OPT1 gateway in the first place.

                  Maybe add a

                  IPv4 *  OPT1 net  *  OPT1 address  *  *  none

                  first.

                  Just a guess, without any experience.

                  I did add this rule, but it is still not working.

                  I am testing from my iPhone; the address is correct:

                  192.168.27.108/24,
                  router: 192.168.27.254 (pfSense - OPT1)
                  DNS: 192.168.27.254

                  I can access 192.168.27.1 (OpenWrt - access point) from my PC on LAN, and from my iPhone.
                  I can access 192.168.27.254 (pfSense) from the iPhone.
                  But there is no way to access the WAN from OPT1 (iPhone).

                  Edit: maybe it's some misconfiguration on the OpenWrt?

                  tchadrack

                    I've made some progress:

                    First, I created a static route in OpenWrt, disabled the firewall, and pointed the DNS to Google.

                    Second, I activated the Captive Portal on pfSense on OPT1.

                    Now when I type www.google.com on the iPhone (OPT1) I see the captive portal login.

                    But when I enter the credentials, I am still unable to access the WAN.

                    www.google.com doesn't show up, with the error:

                    server stopped responding

                    I am able to contact the internet gateway that is connected to the WAN interface of pfSense. This was not possible before creating that static route.

                    Edit - After this, I added squid to the OPT1 interface and defined 192.168.27.0/24 in allowed networks.
                    Then the Google page showed up.

                    But I still have a doubt:

                    Shouldn't internet work without squid on the OPT1 interface?

                    johnpoz (LAYER 8 Global Moderator)

                      "Shouldn't internet work without squid on the OPT1 interface?"

                      You do not need squid for internet to work. I have multiple interfaces and do not have squid even installed.

                      "First, I created a static route in OpenWrt,"

                      What??

                      "IPv4 *  OPT1 net  *  WAN net  *  *  none"

                      No, that is NOT correct. WAN net is just that! The WAN net. That would explain why it works via proxy. WAN net is not the internet, it's just the network your WAN is on. Create an ANY ANY rule on OPT1, just like your LAN, but use OPT1 net as the source network.

                        tchadrack

                        @johnpoz:

                        "Shouldn't internet work without squid on the OPT1 interface?"

                        You do not need squid for internet to work. I have multiple interfaces and do not have squid even installed.

                        "First, I created a static route in OpenWrt,"

                        What??

                        "IPv4 *  OPT1 net  *  WAN net  *  *  none"

                        No, that is NOT correct. WAN net is just that! The WAN net. That would explain why it works via proxy. WAN net is not the internet, it's just the network your WAN is on. Create an ANY ANY rule on OPT1, just like your LAN, but use OPT1 net as the source network.

                        I know that WAN (Wide Area Network) net in pfSense is not the internet itself, but just a reference to the network interface card that should be connected to the internet or another wide area network.

                        When I said I created a static route I was not talking about pfSense, but about the OpenWrt device that I am using as an access point.

                        I looked at the route table of that device and saw that the gateway 192.168.1.254 was not being referenced in that table, even though I had configured it as the gateway in the LAN configuration (of the OpenWrt device).

                        That was the reason I manually created a new route in the route table to that gateway.

                        After that I created that rule, saved, and tested: internet was not working, but it was already possible to 'see' the hosts on the WAN side. (I use another router on the WAN side.)

                        After that I enabled squid on OPT1 and it worked.

                        I already know that squid is not necessary for the internet to work, and that makes no sense to me either, but it is what happened.

                        Furthermore, I do not want the wifi clients in the OPT1 net to be able to see the hosts inside the "LAN" network, but this was happening.

                        So to prevent it I created a new firewall rule in pfSense blocking all IPv4 and IPv6 from OPT1 to LAN, tested it, and it was working as I want.

                        I still need to do more tests, but it seems to be working the way I want.

                        My only concern now is: how secure is pfSense?

                          tchadrack

                          New problem detected. As I said, internet on the OPT1 interface works only when squid (proxy) is enabled.

                          If I disable the proxy on OPT1, internet is disabled completely on OPT1.

                          My pfSense rules on OPT1:

                          Protocol  Source    Port  Destination   Port  Gateway  Queue  Schedule  Description  Actions
                          IPv6 *    OPT1 net  *     LAN net       *     *        none
                          IPv4 *    OPT1 net  *     LAN net       *     *        none
                          IPv4 *    OPT1 net  *     OPT1 address  *     *        none
                          IPv4 *    OPT1 net  *     WAN net       *     *        none
                          IPv4 *    *         *     WAN net       *     *        none

                          Because of this, (I think) some applications such as WhatsApp are not working on OPT1.

                          What should I do in pfSense so that internet (WAN) works on OPT1 without needing to enable squid?

                            johnpoz (LAYER 8 Global Moderator)

                            So let's repeat, since clearly you're not grasping this:

                            "IPv4 *  OPT1 net  *  WAN net  *  *  none"

                            No, that is NOT correct. WAN net is just that! The WAN net. That would explain why it works via proxy. WAN net is not the internet, it's just the network your WAN is on. Create an ANY ANY rule on OPT1, just like your LAN, but use OPT1 net as the source network.

                            Let's say your WAN is 1.2.3.4/24. WAN net means you could only talk to devices with IP 1.2.3.1-254. That is the WAN net; this is NOT the internet. The internet is ANY!!! Since pretty much the internet could be ANY public IP address.

                            You have no rule listed that would allow you to reach, say, Google DNS 8.8.8.8 or, say, forums.pfsense.org [208.123.73.18].

                            Your internet is only working via proxy because pfSense itself can get to the internet, and with the proxy you're just asking pfSense "hey, go to this place for me". If you want to get there directly, then you have to allow that on the firewall.

                            How hard is it to put up a screenshot? From those I cannot tell if those rules are block or allow.

                            You can see here I allow ping to the wlan guest address, IPv4 and IPv6.
                            I allow access to my NTP servers that are on different VLANs, IPv4 and IPv6.
                            I allow the guests to go to public DNS; I hand out Google in the DHCP server for this guest wifi network. This is via a rule that allows anything NOT RFC1918 (see the alias created).
                            I then block (reject actually, with logging) any other access to any other firewall IP, be it LAN, WAN, or any other VLAN IP.
                            I then allow guests to go anywhere else as long as it is not RFC1918 or my local IPv6 networks.

                            Where in your rules (top down, first rule to trigger wins, no other rules allowed) would your clients be able to go to any IP on the internet? This is why the rules out of the box on pfSense are ANY ANY on the LAN.

                            (attachment: examplerules.png)

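The two points the moderator makes in this post and in the earlier reply (an "OPT1 net -> WAN net" pass rule never matches a public address, and rules are evaluated top down with first match winning and an implicit default deny) can be checked offline with a small first-match evaluator. This is an added example and not pfSense code or anything posted in the thread; it models only the Source/Destination columns of the rules listed above. The LAN prefix 192.168.1.0/24 and the WAN prefix 1.2.3.0/24 are assumptions (the thread only mentions a 192.168.1.254 gateway and the moderator's illustrative 1.2.3.4/24), and the actions on the OP's rules are assumed from the OP's description since the paste does not show them.

```python
"""Constructed example (not pfSense code): a first-match rule evaluator that
models the per-interface rule logic discussed in the thread, so the effect of
"WAN net" versus "any" and of rule order can be checked without a firewall."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Networks from the thread. LAN_NET and WAN_NET are assumptions: the OP only
# mentions a 192.168.1.254 gateway, and 1.2.3.x/24 is johnpoz's illustration.
OPT1_NET = ip_network("192.168.27.0/24")
OPT1_ADDR = ip_network("192.168.27.254/32")
LAN_NET = ip_network("192.168.1.0/24")      # assumed
WAN_NET = ip_network("1.2.3.0/24")          # assumed
ANY = ip_network("0.0.0.0/0")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str          # "pass", "block" or "reject"
    src: list            # list of IPv4Network
    dst: list            # list of IPv4Network (an alias in pfSense terms)
    desc: str = ""
    dst_invert: bool = False   # models the "not" checkbox on Destination


def _hit(nets, ip, invert=False):
    inside = any(ip in n for n in nets)
    return not inside if invert else inside


def evaluate(rules, src, dst):
    """Return (action, description) of the first rule that matches, or the
    implicit default deny. Same order semantics as pfSense: top down, first
    match wins, nothing matched means blocked."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if _hit(r.src, s) and _hit(r.dst, d, r.dst_invert):
            return r.action, r.desc
    return "block", "default deny (no rule matched)"


# The OP's OPT1 IPv4 rules as listed. Actions are not visible in the paste; the
# OP says the OPT1 -> LAN rule is a block, the others are assumed to be pass.
OP_RULES = [
    Rule("block", [OPT1_NET], [LAN_NET], "OPT1 net -> LAN net"),
    Rule("pass", [OPT1_NET], [OPT1_ADDR], "OPT1 net -> OPT1 address"),
    Rule("pass", [OPT1_NET], [WAN_NET], "OPT1 net -> WAN net"),
    Rule("pass", [ANY], [WAN_NET], "any -> WAN net"),
]

# A guest ruleset in the shape johnpoz describes: allow the gateway itself
# (DNS/DHCP live there), reject everything else private, then allow the rest.
GUEST_RULES = [
    Rule("pass", [OPT1_NET], [OPT1_ADDR], "guest -> OPT1 address (gw/DNS)"),
    Rule("reject", [OPT1_NET], RFC1918, "guest -> any RFC1918"),
    Rule("pass", [OPT1_NET], RFC1918, "guest -> internet (not RFC1918)", dst_invert=True),
]

# The same rules with a plain "allow any" placed above the reject: the reject
# can never fire, so the LAN is reachable again despite the block rule existing.
MISORDERED_RULES = [
    GUEST_RULES[0],
    Rule("pass", [OPT1_NET], [ANY], "guest -> any (placed too high)"),
    GUEST_RULES[1],
]

if __name__ == "__main__":
    client = "192.168.27.108"   # the OP's iPhone
    for name, rules in (("OP", OP_RULES), ("guest", GUEST_RULES), ("misordered", MISORDERED_RULES)):
        for dst in ("8.8.8.8", "1.2.3.1", "192.168.1.10", "192.168.27.254"):
            print(f"{name:10s} {client} -> {dst:15s} {evaluate(rules, client, dst)}")
```

Run it and the OP ruleset shows exactly what the moderator says: a packet to 8.8.8.8 falls through every rule and is dropped by the default deny, while 1.2.3.1 (a host on the WAN segment) passes, which is why the OP could "see" the router on the WAN side but nothing beyond it. The misordered set shows why the OPT1-to-LAN block has to sit above the allow-any rule.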
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.