pfSense Accessing my Access point Router
-
My pfSense is running version 22.01. My LAN IP is "192.168.3.1", connected to an access point router in bridge mode, thus pfSense is handling the DHCP. However, the management page of the access point is on a different subnet, "192.168.5.1", which I cannot ping. On the other hand, pfSense has assigned an IP address to the router, 192.168.3.10, and I still cannot ping it from my pfSense. My ultimate goal is to access the access point management page via OpenVPN.
-
When you use a router that way, pfsense would not be providing an address as normally that router would be manually configured with an IP address. You should be able to go into the settings of the router to change the IP address. It might be easier if you disconnect it from the network and connect a computer to it.
-
@jknott said in pfSense Accessing my Access point Router:
s of the router to change the IP address.
Yes, you are totally right. Actually, if I am connected to the router's Wi-Fi I can access it, but my idea is to get to the router's page via OpenVPN, and to accomplish this pfSense must be able to access/ping the router's IP address.
Below is the router's IP from the pfSense DHCP server. Please note it says status offline. However, it is online and accessible.
-
As I said, you have to change the address of that router so that it's within the pfsense subnet.
So, connect to it and make the necessary change.
-
@jknott Thank you for your reply. The access point I am using is AX3 from HUAWEI. And the bribe mode will not allow me to have the Lan ip on the same subnet of the wan which is in my case the pfSense.
-
You can try adding a VIP in pfSense in the same subnet as the AP mgmt IP.
You might need an outbound NAT rule to access it from any other subnet on pfSense. The AP probably only allows connections from that subnet.
Steve
-
@raadms said in pfSense Accessing my Access point Router:
And the bribe mode will not allow me to have the Lan ip on the same subnet of the wan
Maybe you have to offer a bigger bribe.
Actually, I'm wondering how you have things set up. If you're using it as an AP, with the LAN side disconnected, then you shouldn't have any conflict. Are you running something through the WAN port? Perhaps you should fully describe how you have it set up.
BTW, I'm not familiar with that device.
-
@stephenw10 said in pfSense Accessing my Access point Router:
n outbound NAT rule to access it from any other subnet on pfSense. The AP probably only allows connections from that subnet.
Thank you Steve,
I have tried this with no luck. If I create a VIP, then the VIP directs me to the pfSense main page. I think the only way to reach the AP management page is via the AP's WAN IP address, which was assigned by the pfSense DHCP server and is on the same subnet as my pfSense. However, if you look at my previous reply, pfSense shows a status of offline, thus pfSense cannot ping it. Only if I am connected over the Wi-Fi am I able to reach the AP management page, via both subnets (192.168.5.1 or 192.168.3.10). Again, my goal is to reach this page via OpenVPN. Thank you, much appreciated.
-
@jknott said in pfSense Accessing my Access point Router:
@raadms said in pfSense Accessing my Access point Router:
And the bribe mode will not allow me to have the Lan ip on the same subnet of the wan
Maybe you have to offer a bigger bribe.
Actually, I'm wondering how you have things set up. If you're using it as an AP, with the LAN side disconnected, then you shouldn't have any conflict. Are you running something through the WAN port? Perhaps you should fully describe how you have it set up.
BTW, I'm not familiar with that device.
Hahahaha, good one, that was Apple's autocorrect. :)
So here is an explanation of my setup.
I have a Netgate SG-1100, version 22.01-RELEASE (arm64).
1. WAN: connected to my ISP modem, which has my public IP address.
2. LAN: connected to my AP router.
a. LAN IP: 192.168.3.0/24
b. DHCP server enabled and works fine, where I can see all devices connected to my network via the AP device.
AP setup:
- WAN port connected to my pfSense, and it has an IP address (192.168.3.10)
- AP management page has an IP address of (192.168.5.1)
Note: the AP management page can be accessed from both IPs (192.168.3.10 or 192.168.5.1) with one condition: being connected to the AP's Wi-Fi.
Please see the pic below from my AP page.
Thank you,
-
So, you have the WAN port connected to your LAN. This means its LAN side cannot have the same address range as the pfSense LAN. Just disconnect the WAN port and connect the LAN side to your network. You might have to configure a static address on the WAN side, but that can be anything in an RFC1918 range, other than what you use on your LAN.
-
Yeah, it sounds like the AP is just blocking connections to its management page from the WAN side. It may be bridged but it's not AP mode.
So, I agree, just connect pfSense directly to its LAN side as you would with any other wifi router:
https://docs.netgate.com/pfsense/en/latest/recipes/external-wireless-router.html#turning-a-wireless-router-into-an-access-point
Steve
-
All routers should normally block access to the management page from the WAN side. You don't want to make that available to the world without using a VPN.
-
Indeed. Bridge mode is not Access Point mode, which would be better here if it had one.
-
Thank You so much @stephenw10 @JKnott ,
Perfect, now I have connected my pfSense LAN to the AP LAN port and given it a static IP (192.168.3.2). Now I can ping the AP device from the pfSense LAN, as in the pic below.
However, I still cannot ping that IP from OpenVPN, as below, although I have created a firewall rule on both LAN and VPN from any to any (open firewall), and still no luck.
And again, I really appreciate your efforts, gents. I hope I am not asking too much :).
-
The router/AP needs a route back to the OpenVPN subnet in order to reply and it probably doesn't have one. If you can't add a static route to it or set its default route to pfSense on the LAN you can always set an outbound NAT rule in pfSense to catch that specific traffic. That way the AP sees the traffic as coming from the pfSense LAN IP and can reply.
Steve
-
Thank you @stephenw10. Actually, when it comes to NATing I get lost. If it is not too much, could you explain to me how to apply it? Really appreciate it.
Thanks again,
-
In Firewall > NAT > Outbound first set the mode to Hybrid.
Then add a rule on the LAN. Make it as specific as possible to avoid catching other traffic. So I would do at least:
Source: OpenVPN subnet
Destination: Access Point/Router IP address.
Steve
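
The return-path problem and the narrow outbound NAT rule discussed above, modelled in Python as an added example (not written by the thread's participants and not pfSense code). The OpenVPN tunnel subnet 10.0.8.0/24, the host 192.168.3.50 and all function names are assumptions made for illustration; the LAN addresses are the ones given in the thread.

```python
import ipaddress as ip

# Addresses from the thread, except OPENVPN_NET, which is a constructed value.
OPENVPN_NET = ip.ip_network("10.0.8.0/24")     # assumed tunnel network
LAN_NET = ip.ip_network("192.168.3.0/24")      # pfSense LAN
PFSENSE_LAN = ip.ip_address("192.168.3.1")     # pfSense LAN IP
AP_ADDR = ip.ip_address("192.168.3.2")         # AP static IP on its LAN side

# The rule from the last post: source = OpenVPN subnet, destination = AP only.
NARROW_RULE = [(OPENVPN_NET, ip.ip_network(f"{AP_ADDR}/32"), PFSENSE_LAN)]

def outbound_nat(src, dst, rules):
    """Source address a packet carries when it leaves the pfSense LAN interface."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for rule_src, rule_dst, translate_to in rules:
        if src in rule_src and dst in rule_dst:
            return translate_to
    return src  # no rule matched: source is left untouched

def ap_can_reply(seen_src, ap_routes, ap_gateway=None):
    """The AP answers only if it has a route or a default gateway for the source."""
    return any(seen_src in net for net in ap_routes) or ap_gateway is not None

def reachable(client, dst, nat_rules, ap_gateway=None):
    """Return (reply_possible, source_address_seen_by_the_AP)."""
    seen = outbound_nat(client, dst, nat_rules)
    return ap_can_reply(seen, [LAN_NET], ap_gateway), seen

if __name__ == "__main__":
    vpn_client = "10.0.8.2"  # constructed OpenVPN client address
    print("no NAT, AP has no gateway:", reachable(vpn_client, AP_ADDR, []))
    print("narrow outbound NAT rule: ", reachable(vpn_client, AP_ADDR, NARROW_RULE))
    print("AP default route to pfSense:",
          reachable(vpn_client, AP_ADDR, [], ap_gateway=PFSENSE_LAN))
    # The rule is specific: traffic to other LAN hosts keeps its real source.
    print("other LAN host sees:", outbound_nat(vpn_client, "192.168.3.50", NARROW_RULE))
```

With the NAT rule in place the AP records every VPN management session as coming from 192.168.3.1, so per-client attribution has to come from the pfSense and OpenVPN logs rather than from the AP.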