Pfsense with no WAN and a gateway on the LAN. Traffic issues from WIFI subnet.
-
Hi guys, we have just moved from having a dedicated firewall handling our internet connection to instead having this hosted via our internet/WAN supplier.
I still need to use pfSense to give our IP addresses to our LAN via DHCP, which works fine. The LAN IP for pfSense is 192.168.0.5, and our supplier router, which is the gateway to get to the internet and our WAN subnet, is 192.168.0.1. I have added this as a gateway to the LAN interface in pfSense, and if I set my PC to use pfSense as a gateway I can still get to the internet OK, so it seems to work well.
The problem, though, is our WIFI network, which is connected to an optional interface in pfSense, has a subnet of 192.168.15.0/24 and pfSense has a static IP on this interface of 192.168.15.5. DHCP is enabled on this interface and I can connect to our WIFI APs and get an IP in the correct range such as 192.168.15.158, however no traffic is getting from the WIFI network out to the internet. When I do a tracert the traffic all times out from 192.168.15.5?
I have disabled the firewall so it is just used for routing; I also even tried bridging the networks, but nothing seems to work.
Our LAN traffic is actually not going through pfSense by default, as the clients are given 192.168.0.1 as their gateway, and I am using option 121 to specify some specific routes to go via pfSense or others, and this is working fine. Our LAN must stay with the 192.168.0.0/24 subnet as we have other hosted services on the LAN which we need to access directly, such as VM hosted RD servers, and when this traffic goes through pfSense I get constant disconnects due to the extra hops or something like that.
All is working great EXCEPT the WIFI traffic at the moment. Any ideas on what I can do?
Thanks in advance.
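The post above hands LAN clients their routes with DHCP option 121 (RFC 3442 classless static routes). The following is an added example, not code from the thread or from pfSense, that encodes and decodes that option so you can check exactly what bytes the DHCP server is sending. The addresses are the ones from the thread (WiFi subnet 192.168.15.0/24 reached via pfSense at 192.168.0.5, default route via the ISP router at 192.168.0.1); the route list itself is constructed for the example. It also enforces the RFC 3442 rule that a client which receives option 121 ignores option 3 (Router), so the default route has to be carried inside option 121 or the client ends up with no default gateway.

```python
"""Encode and decode DHCP option 121 (RFC 3442 classless static routes).

Assumed layout (from the thread): 192.168.15.0/24 via pfSense at 192.168.0.5,
default route via the ISP router at 192.168.0.1. The route list is constructed
for this example.
"""
import ipaddress

OPTION_CODE = 121  # RFC 3442 "Classless Static Route" option


def encode_option121(routes, require_default=True):
    """Build the full option TLV (code, length, payload) from (destination, gateway) pairs.

    Each route is encoded as: prefix length (1 byte), the significant octets of the
    destination (ceil(prefix/8) bytes), then the 4-byte gateway. RFC 3442 makes a
    client ignore option 3 (Router) when option 121 is present, so a 0.0.0.0/0
    route must be included; require_default enforces that.
    """
    payload = bytearray()
    saw_default = False
    for dest, gw in routes:
        net = ipaddress.IPv4Network(dest, strict=True)  # rejects host bits set in dest
        bits = net.prefixlen
        saw_default |= bits == 0
        significant = (bits + 7) // 8
        payload.append(bits)
        payload += net.network_address.packed[:significant]
        payload += ipaddress.IPv4Address(gw).packed
    if require_default and not saw_default:
        raise ValueError("option 121 replaces option 3: include a 0.0.0.0/0 route")
    if len(payload) > 255:
        raise ValueError("payload exceeds 255 bytes; split across several option instances")
    return bytes([OPTION_CODE, len(payload)]) + bytes(payload)


def decode_option121(option):
    """Parse an option 121 TLV back into [(destination_cidr, gateway), ...].

    Malformed input (wrong code, wrong length, prefix > 32, truncated descriptor)
    raises instead of silently yielding a partial route list.
    """
    if len(option) < 2 or option[0] != OPTION_CODE or option[1] != len(option) - 2:
        raise ValueError("not a well-formed option 121 TLV")
    data = option[2:]
    routes = []
    i = 0
    while i < len(data):
        bits = data[i]
        i += 1
        if bits > 32:
            raise ValueError("prefix length %d > 32" % bits)
        significant = (bits + 7) // 8
        if len(data) - i < significant + 4:
            raise ValueError("truncated route descriptor")
        # Pad the omitted trailing octets with zeros to rebuild the 4-byte destination.
        dest = bytes(data[i:i + significant]) + b"\x00" * (4 - significant)
        i += significant
        gw = bytes(data[i:i + 4])
        i += 4
        # strict=False masks off any host bits a sloppy encoder left in the last octet.
        net = ipaddress.IPv4Network((dest, bits), strict=False)
        routes.append((str(net), str(ipaddress.IPv4Address(gw))))
    return routes


# Constructed example matching the thread's layout.
EXAMPLE_ROUTES = [
    ("192.168.15.0/24", "192.168.0.5"),  # WiFi subnet via pfSense
    ("0.0.0.0/0", "192.168.0.1"),        # default via the ISP router
]

if __name__ == "__main__":
    tlv = encode_option121(EXAMPLE_ROUTES)
    print(tlv.hex())
    print(decode_option121(tlv))
```

The hex printed for the two-route list is what you should see in a packet capture of the DHCP OFFER/ACK: `79 0d` (code 121, 13 bytes) followed by `18 c0 a8 0f c0 a8 00 05` for the /24 and `00 c0 a8 00 01` for the default route.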
-
The ISP router probably has no route to 192.168.15.0/24 via 192.168.0.5, so it cannot reply. It also may not NAT traffic from the wifi subnet as it leaves.
The correct way to handle that is to add that route to the ISP router. However, if you cannot do that you may need to add an outbound NAT rule to the pfSense LAN interface so it NATs wifi traffic to 192.168.0.5.
Steve
-
Thanks, that makes sense I guess.
I deleted the bridge and enabled the option below, and I seem to be getting traffic through and can browse OK now. I will do some more testing.
'Hybrid Outbound NAT rule generation. (Automatic Outbound NAT + rules below)'
Thanks very much for the fast reply. Much appreciated!
Scott.
-
Yes, bridging the interfaces would allow the ISP router to 'see' the wifi subnet directly, but it would still need an IP in that subnet to respond from, which it does not have.
With the outbound NAT rule as you have it, you are passing all the wifi traffic across the LAN subnet, which means, unless you have blocked it in pfSense, wifi clients will be able to access any LAN client, which you might not want.
Steve
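Two points in Steve's replies are easy to verify with a small model: why the ISP router cannot answer a WiFi client unless it either has a route for 192.168.15.0/24 via 192.168.0.5 or sees the traffic source-NATed to 192.168.0.5, and why the NAT fix leaves WiFi clients able to reach LAN hosts until a rule on the WIFI interface blocks it. The block below is an added example, not code from the thread or from pfSense. The addresses (ISP router 192.168.0.1, pfSense LAN 192.168.0.5, LAN 192.168.0.0/24, WIFI 192.168.15.0/24, pfSense WIFI 192.168.15.5, client 192.168.15.158) are from the thread; the "upstream" next hop, the routing table and the ruleset are assumptions constructed for the example. The ruleset mirrors how pfSense evaluates rules (first match on the interface the traffic enters, default deny), but the rule names and shape are the example's, not a pfSense export.

```python
"""Model of the reply path and a WIFI-interface ruleset for the thread's layout.

Addresses are the thread's; the ISP router's routing table, the "upstream" next
hop and the ruleset are constructed assumptions for this example.
"""
from ipaddress import ip_address, ip_network

PFSENSE_LAN = ip_address("192.168.0.5")
PFSENSE_WIFI = ip_address("192.168.15.5")
LAN = ip_network("192.168.0.0/24")
WIFI = ip_network("192.168.15.0/24")
CONNECTED = "connected"  # on-link: the router ARPs for the destination itself
UPSTREAM = "upstream"    # placeholder for the ISP router's default next hop


def lookup(table, dst):
    """Longest-prefix match over [(network, next_hop)]; None if nothing matches."""
    best = None
    for net, next_hop in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def isp_router_table(static_route_to_wifi):
    """ISP router: its own LAN plus a default; optionally the WIFI subnet via pfSense."""
    table = [(LAN, CONNECTED), (ip_network("0.0.0.0/0"), UPSTREAM)]
    if static_route_to_wifi:
        table.append((WIFI, str(PFSENSE_LAN)))
    return table


def reply_next_hop(client, static_route_to_wifi=False, nat_on_lan=False):
    """Where the ISP router sends the reply to a packet the client sent to the internet.

    With outbound NAT on the pfSense LAN interface the packet leaves with source
    192.168.0.5, so the reply is addressed to pfSense and delivered on-link.
    Without NAT and without a static route, a reply to 192.168.15.x matches only
    the default route and is sent upstream, where RFC 1918 space goes nowhere.
    """
    client = ip_address(client)
    egress_src = PFSENSE_LAN if (nat_on_lan and client in WIFI) else client
    return lookup(isp_router_table(static_route_to_wifi), egress_src)


# First-match ruleset on the WIFI interface, evaluated on traffic entering it,
# default deny. Order matters: the pass to pfSense's own WIFI address sits before
# the block, and the block on the LAN sits before the catch-all pass.
WIFI_RULES = [
    ("pass", WIFI, ip_network(str(PFSENSE_WIFI) + "/32")),  # DNS/DHCP to pfSense itself
    ("block", WIFI, LAN),                                   # no WiFi-to-LAN access
    ("pass", WIFI, ip_network("0.0.0.0/0")),                # everything else (internet)
]


def wifi_verdict(src, dst, rules=WIFI_RULES):
    """First matching rule wins; anything unmatched is blocked."""
    src, dst = ip_address(src), ip_address(dst)
    for action, s, d in rules:
        if src in s and dst in d:
            return action
    return "block"


if __name__ == "__main__":
    client = "192.168.15.158"
    print("no route, no NAT :", reply_next_hop(client))
    print("static route     :", reply_next_hop(client, static_route_to_wifi=True))
    print("outbound NAT     :", reply_next_hop(client, nat_on_lan=True))
    for dst in ("8.8.8.8", "192.168.0.20", "192.168.15.5"):
        print(client, "->", dst, ":", wifi_verdict(client, dst))
```

The "block" on 192.168.0.0/24 does not break internet access, because the destination of that traffic is a public address; 192.168.0.1 is only the next hop pfSense forwards to, never the destination the rule is matched against. It does stop WiFi clients from reaching the ISP router's own address, so add a narrower pass above it if that is wanted.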