pfSense, dd-wrt AP, how to access iot subnet from main subnet?
-
I have pfSense and a TPLink Archer C9v1 as access point. The main private network is 192.168.2.x. The AP runs dd-wrt.
I want to create two new Virtual Access Points (VAPs), one for guests with subnet 192.168.4.x, and another one for my iot devices with subnet 192.168.5.x. The original intention was to use VLAN4 for guest and VLAN5 for iot, with dhcp, dns, and firewall rules on my pfSense. However, dd-wrt on my AP does not seem to work well with VLANs. So eventually, the guest and iot subnets are defined in dd-wrt, with dhcp on dd-wrt, by following the guide here:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1047143#1047143
What I have working now is:
192.168.2.x - main private network (with main 2.4 and 5ghz wifi), dhcp and dns on pfSense
192.168.4.x - guest network (with VAP, wl0.1 on 2.4ghz), dhcp on dd-wrt
192.168.5.x - iot network (with VAP, wl0.2, on 2.4ghz), dhcp on dd-wrt
Each subnet is fully isolated, and all subnets can access the internet. Devices inside the guest and iot subnets cannot access each other. But I need to access devices/hosts in the iot subnet (192.168.5.x) from my main network (192.168.2.x), and now I can't.
Any recommendation as to how I can accomplish my last need (for now)?
Thank you.
-
So you ended up without VLANs connecting those subnets to pfSense?
Are you routing that traffic or NATing it in dd-wrt?
If you add a static route to 192.168.5.0/24 via the dd-wrt WAN interface and have firewall rules to allow that traffic in dd-wrt and on the pfSense LAN you should be able to access it directly.
Or by setting up port forwards in dd-wrt but that would get ugly quickly.
Disabling outbound NAT in dd-wrt and doing that from all 3 subnets in pfSense would be preferable if you really can't use vlans.
Steve
-
Thanks, I inserted my replies in your original questions below.
@stephenw10 said in pfSense, dd-wrt AP, how to access iot subnet from main subnet?: So you ended up without VLANs connecting those subnets to pfSense? (Yes)
Are you routing that traffic or NATing it in dd-wrt? (yes, only for 192.168.4.x and .5.x)
If you add a static route to 192.168.5.0/24 via the dd-wrt WAN interface and have firewall rules to allow that traffic in dd-wrt and on the pfSense LAN you should be able to access it directly. (Could you give more details how to do it?)
Or by setting up port forwards in dd-wrt but that would get ugly quickly.
Disabling outbound NAT in dd-wrt and doing that from all 3 subnets in pfSense would be preferable if you really can't use vlans. (I'm not quite sure how to do this)
Steve
-
So to be clear the DD-WRT device is running as a router at this point?
It has a WAN IP in the pfSense LAN subnet and the 192.168.4.x and .5.x exist only behind it?
Steve
-
@stephenw10 said in pfSense, dd-wrt AP, how to access iot subnet from main subnet?:
So to be clear the DD-WRT device is running as a router at this point? (Yes, for .4.x and .5.x only. The main lan .2.x is still managed (dhcp, dns...) by pfSense)
It has a WAN IP in the pfSense LAN subnet and the 192.168.4.x and .5.x exist only behind it? (Yes)
Steve
-
Ok, that's going to be ugly however you do it because of asymmetric routing.
https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html#common-scenario
Can you move the dd-wrt device onto a different subnet/interface?
VLANs really would be waaaay better here.
Steve
-
@stephenw10 said in pfSense, dd-wrt AP, how to access iot subnet from main subnet?:
Ok, that's going to be ugly however you do it because of asymmetric routing.
https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html#common-scenario
Can you move the dd-wrt device onto a different subnet/interface?
VLANs really would be waaaay better here.
Steve
Hi Steve,
Actually, that was what I originally intended to do, i.e. vlan, dhcp, dns, all managed by pfSense; but I can't connect my end-devices to the virtual access points that are associated with the VLANs. I did this exercise with two other smaller APs running dd-wrt and openwrt, and it worked fine; but not with my Archer C9v1 dd-wrt. That's why I resorted to this less ideal solution, which is fine for me, except for the ability to access them from my main LAN.
-
Ok but can you move the dd-wrt device, with the two subnets behind it, onto a different pfSense interface?
Doing that will eliminate asymmetric routing issues which will otherwise be a headache.
Steve
-
@stephenw10 Can I do that without VLAN setting on the dd-wrt side?
-
Yes, if you have a spare NIC in your pfSense box.
-
Thanks, I have 2 spare NICs, but I tried to avoid having two APs, if possible. Thank you.
-
Ok but if you have the dd-wrt device connected on a different NIC to the LAN, you will avoid asymmetric routing between the LAN and either of the two subnets behind it. I suggest you do that and set up static routes in pfSense to point to dd-wrt in the new subnet.
If you can disable outbound NAT in dd-wrt and have pfSense do that instead it will give you better visibility on the traffic.
Steve
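As an added example (not code from this thread, from Netgate, or from dd-wrt), the following Python model shows why Steve's two warnings go together: with dd-wrt's WAN sitting inside the pfSense LAN subnet, the SYN from a LAN client passes through pfSense but the SYN/ACK from the IoT host comes back via dd-wrt directly, so pf never completes the state and blocks the client's ACK with a TCP:A log entry, exactly the symptom the linked Netgate page describes; moving dd-wrt to its own pfSense interface puts both directions through pfSense and the static route plus a LAN pass rule is enough. The addresses 192.168.2.50 (dd-wrt WAN), 192.168.3.0/24 (the extra pfSense interface), 192.168.2.20 (client) and 192.168.5.10 (IoT host) are assumptions, as is the simplified pf state machine (state created on SYN, completed by SYN/ACK, bare ACK blocked otherwise) and the assumption that the client ignores the ICMP redirect pfSense would send.

```python
"""Model of asymmetric routing with a one-armed router behind pfSense LAN.
Added example; the pf state tracking is a simplified stand-in for pf."""
from ipaddress import ip_address, ip_interface, ip_network


class Node:
    """A host or router: connected interfaces, static routes, default gateway."""

    def __init__(self, name, interfaces, routes=(), default=None):
        self.name = name
        self.ifaces = {n: ip_interface(a) for n, a in interfaces.items()}
        self.routes = [(ip_network(n), ip_address(g)) for n, g in routes]
        self.default = ip_address(default) if default else None

    def addrs(self):
        return {i.ip for i in self.ifaces.values()}

    def iface_for(self, ip):
        """Name of the interface whose connected network contains ip, else None."""
        for name, i in self.ifaces.items():
            if ip in i.network:
                return name
        return None

    def next_hop(self, dst):
        """IP to hand the packet to: dst itself if on-link, else a gateway."""
        if self.iface_for(dst):
            return dst
        for net, gw in sorted(self.routes, key=lambda r: -r[0].prefixlen):
            if dst in net:
                return gw
        return self.default


class PfFirewall:
    """Simplified stateful filter: SYN creates state, SYN/ACK completes it,
    anything else must match a completed state or is blocked and logged."""

    def __init__(self):
        self.states = {}   # key -> "SYN" | "ESTABLISHED"
        self.log = []

    def inspect(self, pkt, in_if, out_if):
        src, dst, sport, dport, flags = pkt
        key = frozenset({(src, sport), (dst, dport)})   # direction-agnostic
        state = self.states.get(key)
        if flags == "S" and state is None:
            self.states[key] = "SYN"        # assumed rule: LAN net -> any, pass
            return True
        if flags == "SA" and state == "SYN":
            self.states[key] = "ESTABLISHED"
            return True
        if state == "ESTABLISHED":
            return True
        self.log.append(f"block in on {in_if}: {src}:{sport} > {dst}:{dport} TCP:{flags}")
        return False


class Network:
    def __init__(self, nodes, firewall_node, fw):
        self.by_ip = {ip: n for n in nodes for ip in n.addrs()}
        self.fw_node, self.fw = firewall_node, fw

    def send(self, pkt):
        """Forward pkt hop by hop; return (delivered, [hop names])."""
        src, dst = ip_address(pkt[0]), ip_address(pkt[1])
        node, hops, came_from = self.by_ip[src], [], None
        while dst not in node.addrs():
            gw = node.next_hop(dst)
            if gw is None:
                return False, hops
            if node is self.fw_node:                  # pf inspects forwarded traffic
                in_if = node.iface_for(came_from) if came_from else "self"
                if not self.fw.inspect(pkt, in_if, node.iface_for(gw)):
                    return False, hops + [f"{node.name}:blocked"]
            hops.append(node.name)
            came_from = next(i.ip for i in node.ifaces.values() if gw in i.network)
            node = self.by_ip[gw]
        hops.append(node.name)
        return True, hops


def tcp_handshake(net, client, server, dport=80, sport=40000):
    """Run SYN, SYN/ACK, ACK; return [(flags, delivered, hops), ...]."""
    results = []
    for src, dst, sp, dp, flags in ((client, server, sport, dport, "S"),
                                     (server, client, dport, sport, "SA"),
                                     (client, server, sport, dport, "A")):
        ok, hops = net.send((src, dst, sp, dp, flags))
        results.append((flags, ok, hops))
    return results


def one_armed():
    """Thread's current layout: dd-wrt WAN (assumed .2.50) inside the pfSense LAN."""
    fw = PfFirewall()
    pfs = Node("pfSense", {"lan": "192.168.2.1/24"}, routes=[("192.168.5.0/24", "192.168.2.50")])
    ddwrt = Node("dd-wrt", {"wan": "192.168.2.50/24", "iot": "192.168.5.1/24"}, default="192.168.2.1")
    client = Node("client", {"eth0": "192.168.2.20/24"}, default="192.168.2.1")
    iot = Node("iot-host", {"wl0.2": "192.168.5.10/24"}, default="192.168.5.1")
    return Network([pfs, ddwrt, client, iot], pfs, fw), fw


def separate_nic():
    """Steve's suggestion: dd-wrt on its own pfSense interface (assumed 192.168.3.0/24)."""
    fw = PfFirewall()
    pfs = Node("pfSense", {"lan": "192.168.2.1/24", "opt1": "192.168.3.1/24"},
               routes=[("192.168.5.0/24", "192.168.3.2")])
    ddwrt = Node("dd-wrt", {"wan": "192.168.3.2/24", "iot": "192.168.5.1/24"}, default="192.168.3.1")
    client = Node("client", {"eth0": "192.168.2.20/24"}, default="192.168.2.1")
    iot = Node("iot-host", {"wl0.2": "192.168.5.10/24"}, default="192.168.5.1")
    return Network([pfs, ddwrt, client, iot], pfs, fw), fw


if __name__ == "__main__":
    for label, build in (("one-armed", one_armed), ("separate NIC", separate_nic)):
        net, fw = build()
        for flags, ok, hops in tcp_handshake(net, "192.168.2.20", "192.168.5.10"):
            print(f"{label:13} {flags:2} {'pass' if ok else 'FAIL':4} {' -> '.join(hops)}")
        for line in fw.log:
            print(f"{label:13} log: {line}")
```

In the one-armed layout the only hop the SYN/ACK never touches is pfSense, and the model then emits `block in on lan: 192.168.2.20:40000 > 192.168.5.10:80 TCP:A`, the same flag pattern the Netgate page lists as the signature of asymmetric routing. On the separate-interface layout every packet of the handshake crosses pfSense, so no workaround such as pfSense's "Bypass firewall rules for traffic on the same interface" option (System > Advanced > Firewall & NAT, the knob that page suggests for the single-interface case) is needed.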
-
Steve...thanks a lot for all your suggestions.
-
Just to update that now my dd-wrt access point can have a virtual AP, for iot devices, associated with a VLAN and obtain dhcp/dns from pfSense. The main LAN network (wired and wireless) can access my iot devices, but not vice versa, as I required.
The solution is to run a patched wlconf and startup script on dd-wrt, as described in the dd-wrt forum:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=317181&postdays=0&postorder=asc&start=0
-
Nice.
Worrying having to apply a patched command though. Might break if you ever update dd-wrt.
Have you tried OpenWRT on that hardware?
Steve
-
@stephenw10 Openwrt has inadequate support for the Broadcom chip. It partly supports 2.4GHz wifi and does not support the 5GHz band at all, etc....