Simple question, need help with config.
I am trying to set up a public access point.
Right now I am running pfSense 2.0 alpha (latest)
I have two NICs (one WAN, one LAN)
The WAN connects to my ADSL modem via DHCP (PPPoE is on the modem due to pfSense and AT&T PPPoE compatibility).
Anyway, what I need to do is have the network of the AP separate from my local network.
What I am doing is:
Two VLANs on the LAN NIC
--> VLAN1 (ip: 10.0.0.1) to be used for my LAN gateway
--> VLAN2 (ip: 10.0.2.1) to be used for the AP gateway
The AP router is set up as:
WAN Connection (Static):
--> IP: 10.0.2.2
--> GW: 10.0.2.1
and on pfSense I am trying to add a route from the 10.0.2.0 network to the 10.0.0.1 gateway (WAN), with a rule to drop any packets from 10.0.2.0/24 to ! 10.0.0.1.
Would this work? It does not seem to... If anyone could give a pretty good explanation of how they would go about doing this, it would be much appreciated.
Also, what I would ultimately like to do is reroute the traffic from the 10.0.2.0/24 network through a transparent proxy.
I am iffy about setting up VLAN gateways, etc. correctly.
First, never use VLAN ID 1; it's often reserved for management, and many switches won't accept traffic tagged with that VLAN ID. It's not clear whether you're doing that or not.
Secondly, I have no idea about using AT&T DSL or PPPoE (it doesn't exist in any real way here) with pfSense, but is there any way you can do away with the dual NAT? That's a messy configuration and often causes issues, but if you can't get around it, well…
I would set it up like this:
VLAN10 (10.0.0.0/24) - LAN:
o pfSense interface on a tagged port (10.0.0.1)
o default VLAN for all other (untagged) switch ports
VLAN20 (10.0.5.0/24) - WLAN:
o pfSense interface on a tagged port (10.0.5.1)
o AP LAN on an untagged port (10.0.5.2)
Change subnets as you want, but from your original post it looked like you were using 10.0.2.0/24 on both the WAN and the WLAN, which obviously wouldn't work. I picked 10.0.5.0 for the WLAN side and assume you're using 10.0.2.0 for the modem/pfSense interface. Though really, I'd try hard to avoid this extra NAT and get a proper WAN IP for pfSense.
If your 'AP' is actually a wireless router, connect pfSense to one of the LAN-side ports and disable DHCP. Don't use the WAN side for anything.
You will then need to create rules on both interfaces to allow or drop traffic; I think you're on the right track there. Remember that traffic is checked as it arrives at pfSense, and the default is to drop all traffic that's not destined for an Internet host.
Thank you so much for the quick reply!
I am having issues selecting a gateway for my VLAN10…
"Select a existing Gateway from the list or add a new one. "
There are no gateways listed, however I have my default "WAN" gateway.
maybe this is an issue with pfSense 2.0 ALPHA?
I am also not able to add a new gateway.
Why not simply put the wifi on a separate subnet? Then you can use a firewall blocking rule to block the wifi subnet from the LAN.
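Pulling the VLAN layout from the longer reply above and this last suggestion (separate wifi subnet, one blocking rule towards the LAN) together, here is an added example: a pf rule set in pf.conf syntax that I wrote for this thread, not something any poster provided and not rules generated by pfSense. Interface names, the parent NIC, the 10.0.2.0/24 modem link and squid on 127.0.0.1:3128 for the transparent proxy are all assumptions; the subnets are the ones the reply proposed.

```pf
# pf.conf fragment written as an illustration for this thread (not posted by
# anyone above, not produced by pfSense). Assumed names: parent NIC em1 carries
# VLAN 10 (LAN, 10.0.0.1/24) and VLAN 20 (WLAN, 10.0.5.1/24), which pfSense 2.x
# exposes as em1_vlan10 / em1_vlan20; em0 is the WAN towards the modem on
# 10.0.2.0/24; squid listens on 127.0.0.1:3128. Change them to match your box.
wan  = "em0"
lan  = "em1_vlan10"
wlan = "em1_vlan20"
lan_net  = "10.0.0.0/24"
wlan_net = "10.0.5.0/24"
wan_net  = "10.0.2.0/24"

# A table, not a { list }: negating a list expands into several rules that
# together match everything; negating a table behaves as intended.
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
scrub in all

# Translation rules must come before filter rules.
# Hide both internal subnets behind the WAN address.
nat on $wan from { $lan_net, $wlan_net } to any -> ($wan)
# Transparent proxy: only HTTP bound for non-private addresses is redirected,
# otherwise squid would fetch from LAN hosts on behalf of WLAN clients.
rdr on $wlan proto tcp from $wlan_net to !<private> port 80 -> 127.0.0.1 port 3128

# Default deny. Rules are evaluated on the interface where the packet arrives,
# and "quick" stops at the first match.
block log all

# WLAN: DHCP, DNS and the proxy on the firewall itself, then the Internet only.
pass in quick on $wlan proto udp from any port 68 to any port 67
pass in quick on $wlan proto { tcp, udp } from $wlan_net to ($wlan) port 53
pass in quick on $wlan proto tcp from $wlan_net to 127.0.0.1 port 3128
block in log quick on $wlan from $wlan_net to { $lan_net, $wan_net }
pass in quick on $wlan from $wlan_net to !<private>

# LAN is the trusted side: anywhere, including the WLAN subnet.
pass in quick on $lan from $lan_net to any

# Replies and the firewall's own traffic (squid's upstream connections).
pass out quick all
```

pfSense regenerates its own ruleset from the web GUI, so this is not pasted into /etc/pf.conf; it shows the rules you would enter, in the same order, under Firewall > Rules on the WLAN and LAN tabs, with the redirect under Firewall > NAT. The VLAN child interfaces are created under Interfaces > (assign) > VLANs (on plain FreeBSD that is `ifconfig vlan20 create vlan 20 vlandev em1`), and the AP's LAN port sits on an untagged VLAN 20 switch port as the reply describes. The order of the WLAN rules matters: the block towards the LAN and modem subnets comes before the catch-all pass, and the pass to the Internet is restricted to non-private destinations so that a later typo cannot reopen 10.0.0.0/24.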