[Solved] pfSense + OpenWRT - Not getting IP and other questions
-
Hi,
I seem to have the same issue than in this post from several years ago : https://forum.netgate.com/topic/74324/vlan-dhcp-openwrt
Basically a normal VLAN and a guest VLAN, two Wifis on OpenWRT, one for each VLANUnfortunately OP didn't post his solution.
So I'd like to make sure my pfSense setup is correct.
Here is my desired setup :
I don't want to change anything in the ISP router (like putting it in bridge mode) since I don't trust the ISP (automatic updates of the box are more likely to fail in bridge mode).
Here is a screenshot of my interfaces.
I also have another question.
I'd like pfSense to connect to NordVPN; that currently works.
Both VLANs should go through NordVPN (ovpnc1 isn't offered as a choice for the parent interface). How should I do that ?Any help would be appreciated.
Edit : post restructured
-
Why have 2 routers? You're just adding problems.
-
The ISP Router is very limited in functionality and as mentioned before, I don't trust my ISP who has remote access to it.
OpenWRT will just handle Wifi and an ethernet switch (running on a TP-Link WDR4300) -
Not sure what any of that has to do with your vlan question... What happens on pfsense wan, or where pfsense might route traffic has zero to do with "not getting ip"??
Your vpn interface would not be a parent for the vlan.. Your physical interface that is connected to your switch that you have marked as trunked would be the vlan parent interface.
-
@jtommi said in pfSense + OpenWRT - Not getting IP and other questions:
The ISP Router is very limited in functionality and as mentioned before, I don't trust my ISP who has remote access to it.
I was referring to psSense and openWRT. Why do you need both? Either is a decent firewall. Does openWRT support VLANs on the WAN side?
-
@johnpoz Than I misunderstood the "parent interface" concept.
The VLAN through VPN thing was unrelated to the IP issue. I realise indeed that my question not very well structured.@JKnott I tried OpenWRT only, but the hardware of the router can't handle the VPN traffic, so my internet speed went down from about 80Mbit/s to 10. pfSense does handle the VPN and I get my normal internet speed, but the PC has no built-in wifi.
-
You should be able to use the dd-wrt box like a AP that adds the vlan tags.. Then again vlan support while is in dd-wrt it depends on the hardware its running on as well.
If your natting/routing on dd-wrt then pfsense would have nothing to do with the vlans and the connection between ddwrt and pfsense would become just a transit network. if your natting nothing else to be done - if your routing only at ddwrt then the downstream networks would have to be configured in pfsense but they would not be vlan tagged.
-
@jtommi said in pfSense + OpenWRT - Not getting IP and other questions:
@JKnott I tried OpenWRT only, but the hardware of the router can't handle the VPN traffic, so my internet speed went down from about 80Mbit/s to 10. pfSense does handle the VPN and I get my normal internet speed, but the PC has no built-in wifi.
Then why not just use pfSense? Passing through 2 routers can only hurt performance. If you need WiFi, you can configure openWRT to be used as just an access point, or just get a proper access point.
-
@jknott That's what it's supposed to be, but for 2 different VLANs
-
pfSense is tagging Internal_VLAN with VLAN ID 10 on re0
pfSense is tagging Guest_VLAN with VLAN ID 20 on re0
pfSense is sending LAN traffic out re0 untagged.
Received traffic with the same tagged/untagged status will be placed on the proper interface.
You need to make OpenWRT do the right/desired thing with that traffic. This is not the correct forum to seek assistance with that.
In general you would probably want to tell it to expect management traffic untagged, and tag the two SSIDs with 10 and 20.
-
@jtommi said in pfSense + OpenWRT - Not getting IP and other questions:
@jknott That's what it's supposed to be, but for 2 different VLANs
The proper way to do that is use an access point that supports VLANs and multiple SSIDs. Then you create a trunk port from pfSense to carry the VLANs to wherever you want them. You can also use managed switches to do this. Another advantage with APs is they'll often work with PoE, so you can put them where they provide best signal, rather than placing them where AC power is convenient.
However, if you insist on using openWRT as an access point, then buy a cheap managed switch (avoid TP-Link) and split the VLANs into individual access ports to connect the "access point".
Does that TP-link support VLANs? Perhaps you should be asking some questions an openWRT forum, as pfSense has no problem supporting VLANs.
-
If he tried to setup a guest vlan and not the actual vlans - that is where he could have a problem. He could be using openwrt as just normal router with guest vlan setup, etc.. vs as AP with tagged ssid, etc.
As stated you need help with vlans you should be on the wrt boards.. Again just because the software supports vlans does not mean the hardware your running it on.. I do recall that from when I played with dd-wrt..
-
I have progressed.
In OpenWRT everything seems to work fine.
I receive the correct IPs on the correct interfaces, I can ping pfSense.
The last issue is that I have no internet.
If I connect my PC directly to pfSense, it works and goes over the VPN client.
So I took the rule from LAN and copied it over to both VLANs, but that didn't help.
-
Your outbound NAT rules are messed up, you need to include all the source networks not only 192.168.0.0/24. Why did you even switch it into manual mode if you don't know how it works.
-
Thanks a lot.
I followed the NordVPN tutorial.
Adding my two VLAN networks worked.
