Connect two subnets across pfSense



  • I am using pfSense 2.4.5 as a firewall and router on a computer with two NICs: LAN (192.168.2.1) and WAN (192.168.10.151). The WAN side gets its IP address from my ISP's on-site Ubiquiti LiteBeam radio (192.168.10.1). I cannot change anything on the LiteBeam. The LiteBeam is connected to pfSense via about one hundred feet of buried Ethernet cable. Everything works fine with this setup.

    Recently I added a Ubiquiti outdoor mesh AP to begin extending WiFi across the farm. I inserted an unmanaged outdoor switch (Ubiquiti Nanoswitch) between pfSense and the LiteBeam so I could connect the mesh AP to pfSense. This means the mesh AP is part of the WAN-side subnet (192.168.10.0/24) and gets an IP address via DHCP from the LiteBeam. However, I manually change its gateway and DNS IP to 192.168.10.151 so its traffic goes through pfSense and it can be managed with UniFi.

    This works but is not ideal because each device connected to the mesh AP must be given new port forwarding and firewall rules to access the computers on LAN side. Is there a way to reconfigure this network so that the clients of the mesh AP are part of the LAN?

    -I don't think bridging via a transparent firewall is an option because I don't have extra network interfaces.
    -I don't want to bury a new Ethernet cable from the mesh AP to my LAN switch.
    -I don't think a point-to-site VPN is an option because eventually there will be clients of the mesh AP that can't run a VPN client such as Arduino microcontrollers. Maybe there's a way to set up a site-to-site VPN? I really don't know much about L2TP.

    The only other option I can think of is to add a second mesh AP at the house that is wired to the LAN switch and connects to the original outdoor mesh AP via WiFi. I'm not worried about reduced network bandwidth for the mesh AP clients so maybe this is the best option even though I'd rather not buy more hardware.

    Happy 4th of July and thanks for any ideas.



  • @pyrocumulus said in Connect two subnets across pfSense:

    . I inserted an unmanaged outdoor switch (Ubiquiti Nanoswitch) between pfSense and the LiteBeam so I could connect the mesh AP to pfSense. This means the mesh AP is part of the WAN-side subnet (192.168.10.0/24) and gets an IP address via DHCP from the LiteBeam. However, I manually change its gateway and DNS IP to 192.168.10.151 so its traffic goes through pfSense and it can be managed with UniFi.
    This works but is not ideal

    hi,

    it definitely does not work(!), and you are right in saying that this is not ideal

    in this "lineup", the upstream of both pfSense and the AP is the LiteBeam, so the AP is not protected by pfSense

    the AP must be placed after pfSense, on either a separate interface (which is not present now) or a VLAN, which can be part of the LAN's physical interface

    if you buy a cheap Intel multi-port NIC and can expand your pfSense box, the solution is easier

    if you do not have the option to lay more cables, your options are limited,
    like:
    https://www.ui.com/airmax/nanostationm/
    https://www.tp-link.com/us/home-networking/powerline/
    (I do not recommend this one so much)

    @pyrocumulus "I manually change its gateway and DNS IP to 192.168.10.151 so its traffic goes through pfSense "
    (the pfSense WAN and the AP are on the same subnet)

    this is confusing, why do you need to specify the GW and DNS IP for / to the dual-NATed pfSense WAN IP?



  • @DaddyGo Thanks for the reply. I agree, my current setup is definitely not ideal and I'd like to get the mesh AP behind pfSense. It does work, however, as long as the firewall has the correct rules to allow each client to access the LAN.

    I could move pfSense to an appliance which could be located outside but that's more money than I want to spend and it probably shouldn't be sitting outside anyway. I'm sure a NanoStation would work as well but it would be nice to take advantage of the wired Ethernet connection if I can.

    What if I swap the unmanaged NanoSwitch for a managed EdgeRouter? Could I then use VLANs to connect the two subnets?

    As for specifying the GW and DNS IP for the mesh AP: I need to do this in order for the mesh AP to show up in UniFi which is hosted from within the LAN. Otherwise it is stuck using the LiteBeam as its gateway because the LiteBeam is running a DHCP server. I suppose changing the DNS server doesn't matter.



  • @pyrocumulus said in Connect two subnets across pfSense:

    What if I swap the unmanaged NanoSwitch for a managed EdgeRouter? Could I then use VLANs to connect the two subnets?

    of course ☺
    routing between VLANs may work:
    -inter-VLAN routing
    -static route
    -etc.
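To make the difference between the two layouts concrete, here is a small Python model of the topology discussed in this thread. It is an added example, not code from the thread, from Netgate or from Ubiquiti. It encodes the addresses the original poster gave (pfSense LAN 192.168.2.1, WAN 192.168.10.151, LiteBeam 192.168.10.1) and adds constructed placeholders for everything else: the AP's DHCP lease 192.168.10.20, a LAN PC at 192.168.2.50, and VLAN 20 with subnet 192.168.20.0/24 for the proposed VLAN layout. The "needs port forward" result assumes pfSense's default behaviour of blocking and NATing traffic that arrives on its WAN interface. The model shows why setting the AP's default gateway to the pfSense WAN address only changes where the AP sends its own traffic, not whether anything on the ISP-side segment can reach the AP without crossing the firewall.

```python
"""Model of the two layouts from the thread (added example, constructed data).

A segment is one L2 broadcast domain (the NanoSwitch/LiteBeam side, the LAN
switch, or a VLAN). Hosts attach to segments by interface; a router attaches
to several segments and forwards between them.
"""
from collections import deque
from ipaddress import ip_address, ip_interface


def build_topology(ap_placement):
    """Return (hosts, gateways, routers) for 'wan_side' or 'vlan' placement."""
    hosts = {
        # name: {segment: interface address}
        "litebeam": {"isp": ip_interface("192.168.10.1/24")},
        "pfsense": {
            "isp": ip_interface("192.168.10.151/24"),   # pfSense WAN
            "lan": ip_interface("192.168.2.1/24"),      # pfSense LAN
        },
        "lan_pc": {"lan": ip_interface("192.168.2.50/24")},  # constructed
    }
    gateways = {
        "litebeam": None,
        "pfsense": ip_address("192.168.10.1"),
        "lan_pc": ip_address("192.168.2.1"),
    }
    routers = {"pfsense"}
    if ap_placement == "wan_side":
        # Current layout: AP hangs off the NanoSwitch on the ISP-side segment
        # (constructed lease) with its gateway manually set to pfSense WAN.
        hosts["mesh_ap"] = {"isp": ip_interface("192.168.10.20/24")}
        gateways["mesh_ap"] = ip_address("192.168.10.151")
    elif ap_placement == "vlan":
        # Proposed layout: AP on a VLAN (placeholder id 20) behind pfSense.
        hosts["pfsense"]["vlan20"] = ip_interface("192.168.20.1/24")
        hosts["mesh_ap"] = {"vlan20": ip_interface("192.168.20.2/24")}
        gateways["mesh_ap"] = ip_address("192.168.20.1")
    else:
        raise ValueError(f"unknown placement: {ap_placement}")
    return hosts, gateways, routers


def path_hops(hosts, routers, src_segment, dst_host):
    """BFS from a segment to a host. Routers are the only links between
    segments. Returns the list of (router, ingress_segment) hops, [] if the
    host is on the source segment itself, or None if unreachable."""
    seen = {src_segment}
    queue = deque([(src_segment, ())])
    while queue:
        seg, via = queue.popleft()
        if seg in hosts[dst_host]:
            return list(via)
        for router in sorted(routers):
            if seg not in hosts[router]:
                continue
            for nxt in hosts[router]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, via + ((router, seg),)))
    return None


def is_protected_by(hosts, routers, dst_host, firewall, src_segment="isp"):
    """True only if every packet from src_segment must pass through firewall.
    A host sharing the source segment is reached directly, so it is not protected."""
    hops = path_hops(hosts, routers, src_segment, dst_host)
    return hops is not None and any(r == firewall for r, _ in hops)


def outbound_next_hop(hosts, gateways, host, dst):
    """Where host sends a packet for dst: 'on-link' if dst is in a connected
    subnet, otherwise its default gateway (None if it has none)."""
    dst = ip_address(dst)
    for iface in hosts[host].values():
        if dst in iface.network:
            return "on-link"
    gw = gateways[host]
    return str(gw) if gw is not None else None


def summarize(ap_placement):
    hosts, gateways, routers = build_topology(ap_placement)
    ap_segment = next(iter(hosts["mesh_ap"]))  # mesh clients are bridged here
    client_to_lan = path_hops(hosts, routers, ap_segment, "lan_pc")
    return {
        # Can the ISP-side segment reach the AP without crossing pfSense?
        "ap_protected_by_pfsense": is_protected_by(hosts, routers, "mesh_ap", "pfsense"),
        # The gateway change only affects the AP's own outbound forwarding.
        "ap_next_hop_to_lan": outbound_next_hop(hosts, gateways, "mesh_ap", "192.168.2.50"),
        # Assumption: traffic entering pfSense on its WAN ('isp') segment is
        # blocked/NATed by default, so each client needs a port forward there.
        "mesh_client_to_lan_needs_port_forward": any(
            r == "pfsense" and ingress == "isp" for r, ingress in client_to_lan
        ),
    }


if __name__ == "__main__":
    for layout in ("wan_side", "vlan"):
        print(layout, summarize(layout))
```

Running it prints, for the current layout, that the AP is not protected by pfSense and that every mesh client reaching the LAN needs a port forward, even though the AP itself forwards to 192.168.10.151; for the VLAN layout both problems disappear and only an ordinary inter-interface firewall rule on pfSense is involved.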
