OPT1 connect WAP



  • Hello,
    I'm not very good at this and request assistance.
    I have pc with pfsense with 3 network cards.
    1 connects to ISP router is 192.168.0.x
    2 connects to switch to local network is 10.0.0.x
    3 I put Wireless access point for phone go through ISP router is attached to 172.16.1.x
    I try various things in rules so phone can access internet through WAP but block access to local network.
    I can ping 172.16.1.x from 10.0.0.x
    phone connects to WAP OK but gets no further.

    does anyone have example of rules so it works ?
    zemlik



  • @zemlik said in OPT1 connect WAP:

    I can ping 172.16.1.x from 10.0.0.x

    Why hide these IPs? They are all local - we all use the same IPs.
    If your OPT1 LAN is 172.16.1.1 mask 24 then :
    Your WAP has IP 172.16.1.2 mask 2 - take a static IP.
    Your WAP gateway should be 172.16.1.1
    Your WAP DNS should be 172.16.1.1

    Disable all routing activities in your WAP.
    Disable DHCP server in your WAP.

    Your Phone, once connected, should obtain an IP using DHCP from pfSense. Did you check that ?
    Check on your Phone - check on pfSense (DHCP leases - DHCP logs)

    If you set up the right rules on the interface OPT1, your Phone will have access to the Internet.



  • @Gertjan
    "If you set up the right rules on the interface OPT1, your Phone will have access to the Internet."
    I would be needing rules on both 172.16.1.x and 192.168.0.x to let through, maybe that is it ?
    ( I put "x" because didn't look )
    I understand about DHCP on pfsense not WAP.
    I used to use ipfire but my pc broke and new version doesn't seem to like my new hardware and my ISP but pfsense is OK with that.
    I am optimistic it will work OK.
    cheers
    zemlik



  • @zemlik said in OPT1 connect WAP:

    I would be needing rules on both 172.16.1.x

    You would be needing this :

    f62cdfd4-77ed-4c97-b66d-bac2d24bdc7f-image.png

    My "PORTAL" is my renamed OPT1 interface.

    Afterwards, you can add other rules to be more specific.



  • hi,
    I thought I understood the DHCP server but I am not seeing the option to configure DHCP server on OPT1 interface only WAN and LAN.
    OPT1 has static ipaddress but how to enable DHCP server on OPT1 ?



  • First : there is no such thing as a DHCP server on a WAN interface.
    A DHCP client might be attached to WAN, ok, but that's something different.

    My OPT1 is called "LANNIC".
    Here it is :

    38c807db-da33-4b66-8648-ada8fb8d06b9-image.png

    Not really difficult to find, right ^^



  • @Gertjan pfsense_dhcp.jpg

    I have WAN LAN but no OPT1



  • Your WAN has a static setup - in that case "WAN" shows up. But you won't be running a DHCP server on that interface.

    How did you "Assign" the OPT1 interface ?
    Interfaces > Interface Assignments



  • @Gertjan
    I have 2 network cards and one "built in" the PC.
    The built in one is OPT1 I gave 172.16.1.50.
    I can ping it when it is plugged in and not when it isn't so it is that one.
    I plugin WAP 172.16.1.100 there so phone can access internet.
    I give phone 172.16.1.1 but cannot get to internet.
    that then is all static but I would like to use DHCP.
    what other step should I do ?
    pfsense-opt1.jpg



  • @zemlik said in OPT1 connect WAP:

    172.16.1.50.

    Where is the / part ?

    Please show the /24 - if it is /32, thus one IP => no need to propose a DHCP server because no more other IP's left => no pool ...

    edit : and why x.x.x.50 on a router port ?
    x.x.x.11, ok, x.x.x.254, ok but an IP in the middle of the range .... never understood that.

    edit2 : and your WAP x.x.x.2 etc DHCP server running a pool from x.x.x.3 -> x.x.x.254 and you'll be good for decades. (One, actually, IPv4 will be ancient over 10 years from now).



  • pfsense-opt-there.jpg

    Ah ha there it is.
    what should I do then now that is sorted to have 172.16.1.x go through WAN to get to internet ?



  • @zemlik said in OPT1 connect WAP:

    what should I do then now that is sorted to have 172.16.1.x go through WAN to get to internet ?

    As I said in point "edit2" in my post above.
    Bring your OPT1 static IP from x.x.x.50 to x.x.x.1
    Activate a DHCP server on the OPT1 : pool from (example) x.x.x.5 to x.x.x.254
    ... and check that a device on port OPT1 really obtains an IP from that DHCP server instance - see Logs and Lease page.
    Put your WAP on x.x.x.2 - gateway x.x.x.1 DNS x.x.x.1 - stop its DHCP server and you'll be good.



  • @Gertjan
    OK the phone gets an Ipaddress from pfsense but isn't getting through to internet.
    Does DNS want to be 172.16.1.1 or should it be something else ?
    Otherwise is it only the rules that I should change to let OPT1 through WAN but block on LAN ?
    and it should work without any other configuration ?



  • @zemlik said in OPT1 connect WAP:

    Does DNS want to be 172.16.1.1 or should it be something else ?

    Dono.
    Above, you said :

    @zemlik said in OPT1 connect WAP:

    I give phone 172.16.1.1 but cannot get to internet.

    So, what is OPT1 now ?
    What IP/DNS/Gateway does your Phone get ?

    Can't see from here what you have now.

    Blocking LAN from OPT1 is a one ruler - as soon as everything works first.
    Like
    f48f6e58-458a-4fec-aae5-adc39774c7d1-image.png

    as one of the first OPT1 firewall rules.



  • @Gertjan
    I changed the WAP to 172.16.1.2 and pfsense 172.16.1.1
    DHCP on pfsense start at 172.16.1.5 as you say.
    Phone gets ipaddress 172.16.1.5 router 172.16.1.1 DNS 172.16.1.1
    so that seems to be working but cannot connect internet.
    (update) well now it has decided to work.
    perhaps it was Snort I just turned off.
    The WAP is elderly Linksys WAP200. It thinks it is 2015 which is latest can manually select.
    perhaps it was blocked by Snort because the time was mismatch.
    It has worked before to get time from ipfire.
    I have NTP on pfsense and ask WAP to sync with it but doesn't seem to be doing it.
    thanks for your help tho' as we have success I can fiddle and see what stops it working.



  • @Gertjan
    OK problem resolved. Seems I didn't have enough protocols allowed on OPT1
    working now and also NTP on WAP
    thanks ever so much for assist.
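
Added example (not posted by anyone in this thread): a small first-match rule evaluator, modelling how rules on an interface tab are checked top-down with an implicit default deny, showing why a pass rule limited to TCP leaves DNS and NTP to 172.16.1.1 blocked, and why the "block to LAN" rule has to sit above the pass rule. The rule screenshots did not survive, so both rule sets, the /24 masks, the flows and the 203.0.113.10 internet host are constructed assumptions; ports are left out for brevity.

```python
import ipaddress
from dataclasses import dataclass

OPT1_NET = ipaddress.ip_network("172.16.1.0/24")  # assumed /24, as advised in the thread
LAN_NET = ipaddress.ip_network("10.0.0.0/24")     # assumed /24 for the 10.0.0.x LAN
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def evaluate(rules, proto, src, dst):
    """First matching rule wins; no match falls through to default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto in ("any", proto) and s in r.src and d in r.dst:
            return r.action
    return "block"

# Constructed rule sets for the OPT1 tab (hypothetical, not from the screenshots).
TCP_ONLY = [Rule("pass", "tcp", OPT1_NET, ANY)]
ISOLATED = [
    Rule("block", "any", OPT1_NET, LAN_NET),  # must come first
    Rule("pass", "any", OPT1_NET, ANY),
]

# Constructed traffic: phone at 172.16.1.5, WAP at 172.16.1.2.
FLOWS = {
    "dns_to_pfsense": ("udp", "172.16.1.5", "172.16.1.1"),
    "ntp_from_wap": ("udp", "172.16.1.2", "172.16.1.1"),
    "https_internet": ("tcp", "172.16.1.5", "203.0.113.10"),
    "ping_internet": ("icmp", "172.16.1.5", "203.0.113.10"),
    "tcp_to_lan": ("tcp", "172.16.1.5", "10.0.0.20"),
}

def verdicts(rules):
    """Return the pass/block decision for every constructed flow."""
    return {name: evaluate(rules, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for label, rules in (("TCP only", TCP_ONLY), ("block LAN, pass any", ISOLATED)):
        print(label, verdicts(rules))
```

With the TCP-only rule the phone gets a lease but cannot resolve names, and it can still open TCP connections into 10.0.0.x; the two-rule set fixes both.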

