• Re: Pfsense and ddwrt guest network guidance

    Referencing the above older topic, it includes a guide to openwrt AP, the replier said its apparently the same process on ddwrt, however ddwrt has some key differences to openwrt in its configuration and when I try to do the closest possible I lose access to the pfsense box.

    So basically

    ddwrt AP, this AP also is a lan switch and I will want untagged (no vlan) and tagged vlan traffic going down the same cable to pfsense.

    I have already configured the vlan on pfsense, so the issue is getting the ddwrt side to work.

    I would love to use openwrt which I think is better for this but its an asus ac68 which has no wifi drivers on openwrt.

  • Banned

    @chrcoluk said in ddwrt AP guest wifi with pfsense:

    I have already configured the vlan on pfsense, so the issue is getting the ddwrt side to work.

    Well then ask on the DD-WRT forum: https://forum.dd-wrt.com/phpBB2/

  • Netgate Administrator

    What is arriving on pfSense, if anything? Run a pcap on the interface to check.

    Hard to say what ddwrt may or may not be doing without more details of what you did and how you were testing. Even then it might be some hardware specific issue you're hitting.

    Steve


  • @stephenw10

    Ok so the situation is now this, I felt ddwrt wasnt suitable so this is the update and the question is now centered on pfsense.

    The AP is now openwrt and the trunk cable following instructions openwrt side will tag packets either as vlan 1 or vlan 9.

    vlan 1 will be internal lan with access to management functions so basically like existing lan.

    vlan 9 will be guest access, isolated subnet with no access to private lan and management functions.

    The openwrt side I believe is now configured as it should be, but this made me realised the pfsense side is probably configured wrong.

    On pfsense what I have done is added 2 vlans 1 and 9, vlan 1 is not assigned to any interface so is currently dorment, I understand vlan 0 is effectively the defacto default vlan for a non vlan specific setup.

    Openwrt has a trunk port which is basically the ethernet port which will be used to send traffic to pfsense, it will be carrying both guest and internal private lan traffic including traffic to access the management interface..

    Both vlan 1 and 9 are tagged on that port, so if I understand correctly traffic coming from my PC to pfsense to try and access its interface will be tagged as vlan 1 based on the openwrt setup but because vlan 1 isnt assigned to any interface it would fail.

    The logical solution is to change my network port assigned to LAN in pfsense to vlan 1, but this would if I am right immediately lock me out of pfsense until I swap out the cable to use the trunk port and cross my fingers the configuration is correct and works properly, if it doesnt work I am locked out of pfsense other than the console.

    But thats my config openwrt side now on the AP.

    So to recap

    openwrt as managed switch and AP.
    4 ethernet ports as untagged vlan 1, so any ethernet traffic into that switch from pc, game consoles etc. is put on vlan 1.
    Wireless network is bridged to vlan 9.
    Then 5th ethernet port is trunk port to pfsense is tagged vlan 1 and 9.

    pfsense as firewall/router
    Vlan 9 on pfsense is assigned to LAN2, which has its own subnet, and blocks traffic to LAN as well as management ports on pfsense.
    Vlan 1 is currently not assigned to anything but I believe should be assigned to LAN.


  • I ran a test.

    Set a port on openwrt switch to vlan 9 untagged.
    Connected desktop pc via ethernet to that port, and had ethernet between openwrt and pfsense on trunk port.

    I correctly got a guest lan ip from the dhcp server on pfsense thats listening on LAN2 (vlan 9).

    However there was no internet routing, the gateway ip was correctly set to the static ip configured on pfsense LAN2 interface and I could also ping the ip. But it seems vlan tagging is at least working on a basic level.

    Ok I am getting closer. I have also now enabled management access on vlan9 for now so I dont lock myself out.

    After setting unbound to listen on the LAN2 interface internet connectivity works.

    Switching back to a ethernet port that is vlan 1 untagged, kills all routing as expected, so I assigned vlan 1 to LAN, and when connecting to the vlan 1 port, I get my original ip back fo rthe private lan, but there is no other access working, no dns, no dhcp etc. Original LAN firewall rules intact so not sure whats going on now, I am hoping I dont need to keep the igb interface assigned to LAN and not needing to make a 3rd LAN interface for the private vlan.


  • since I cannot edit my above post (flagged as spam when I try)

    I meant I get no dns and no dhcp6, dhcp v4 is obviously working as I get the ipv4 via dhcp.

    Ok simply trying it again, it is almost working perfectly, all I did was reswap the cable.

    The only issue left is dhcpv6 is broken. Everything else seems to now be functioning as intended.

  • Netgate Administrator

    You don't want to use VLAN1, ever if you can avoid it:
    https://docs.netgate.com/pfsense/en/latest/book/vlan/vlans-and-security.html#using-the-default-vlan1

    Are you using two SSIDs/VAPs? One for each subnet? Or you just want the switch ports to be on the 'LAN'?

    Really you want to do that at the switch level but it you have to use separate ports in pfSense you can bridge the interfaces.

    Steve


  • It is now working 100% :)

    I will change vlan 1, to another during the weekend thanks for the heads up. I am using vlan 1 as a sort of "best permissions" vlan tho so its not as bad as if I chose it to be be my restricted vlan at least.

    So the final issues I had left which were resolved.

    1 - wireless was failing dhcp requests, this was an openwrt issue where had to switch the bridging from software switch to normal switch in its settings.
    2 - The above mentioned dhcpv6 issue was actually because I had to reinitialise my WAN to get a ipv6 on the pfsense lan bridge interface (after I changed igb1 to vlan1), once that was in place dhcpv6 woke up again.

    My setup is currently like this for the wifi.

    One VAP on 2.4ghz which is on guest VLAN.
    Two VAP's on 5ghz, one of which is on guest VLAN and the other a hidden SSID is on my private VLAN.

    The traffic is categorised at the switch level on openwrt (as you suggested).

    Currently all wired devices are on the private VLAN. One port on the switch is assigned to the guest VLAN but was left like that from testing, its not in use right now.

  • Netgate Administrator

    Nice. 👍


  • I have now discovered a problem related to ALTQ, seems to only be affecting ssh traffic so far.

    So the queue is set to qACK for acks on WAN and qOthersHigh for LAN

    As far as I can see for all other types of traffic http, ftp etc. including encrypted ftps and https, this still works properly.

    But for some reason on ssh traffic since the vlan config was implemented ack's go to the wrong queue.

    On ipv6 all ack's go to the WAN queue that matches the lan queue so e.g. qOthersHigh on both queues.

    On ipv4, the ack's goto two queues on WAN and seem duplicated, they goto the qACK queue and also the queue that matches the LAN queue so e.g. qOthersHigh.

    It is bizarre. This is the only issue noticed since I last posted tho. Still seems to be fine otherwise.

  • Netgate Administrator

    Hmm, but only for SSH? SSHing to where? Seems very odd as you say.


  • to any server, it is odd yes. Even if classified in the same rule as http traffic, the http traffic is queued properly on it's ack's whilst ssh is not.

    I will do more experiments on it later in the week.