Configure pfSense with a router connected to the LAN interface
-
Hello,
I have a Netgate SG1100 and I am trying to configure it to route traffic to my WiFi network. The WiFi is on a different subnet connected by a LinkSys WiFi router. Previously I had the WiFi router doing NAT so all traffic going through the firewall came from the router's IP. I want to monitor traffic from specific devices on my WiFi, so I turned off NAT on the WiFi router. Now traffic is coming from IPs on the WiFi subnet which is not the same subnet as the firewall's LAN interface.
Here's what I did:
- added the WiFi router as a gateway
- created a static route to forward traffic bound for the WiFi subnet to the wireless router
At this point I can see that the WiFi subnet has been added to the automatic NAT rules (that seems good). I did a packet capture on the WAN interface and I can see traffic from the WiFi subnet being forwarded out the WAN interface and responses coming back, but the inbound traffic is not forwarded out of the LAN interface.
Is there something else I need to do to allow the WiFi subnet traffic through the firewall? I'm running pfBlocker, but I don't see how that could be causing the problem. Any help is appreciated. Thanks.
rc
-
@recoveringchemist said in Configure pfSense with a router connected to the LAN interface:
Is there something else I need to do to allow the WiFi subnet traffic through the firewall?
Did you adjust the rules on the lan to allow this downstream network? By default it would just be "lan net"
Keep in mind you're going to run into asymmetrical routing problems if anything on your downstream network will be talking to or from the lan network..
Since your pfsense lan net has now become a transit network.. No hosts should be on a transit network.
You would be much better off prob just using your wifi router as an AP; now you can see all your wifi clients' IPs. Or if you really want it on another segment, then create a new segment on pfsense and use that as your transit, or just connect your wifi router as an AP to this other segment.
With another segment and just as AP being prob the best solution.
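To make the asymmetric-routing point concrete, here is an added example (not from the thread or from pfSense) that models the poster's topology with constructed addresses and traces a LAN host to WiFi host flow in both directions; the routed LinkSys case puts pfSense on only one side of the flow, while the AP case keeps both hosts on one segment.

```python
import ipaddress

# Constructed topology mirroring the thread (all addresses are assumptions):
# pfSense LAN 192.168.1.1/24, LinkSys 192.168.1.2 (LAN side) / 192.168.2.1
# (WiFi side), a wired LAN host, and the WiFi host before and after the AP change.
NETS = {
    "pfsense":     {"192.168.1.1": "192.168.1.0/24"},
    "linksys":     {"192.168.1.2": "192.168.1.0/24", "192.168.2.1": "192.168.2.0/24"},
    "lanhost":     {"192.168.1.50": "192.168.1.0/24"},
    "wifihost":    {"192.168.2.10": "192.168.2.0/24"},
    "wifihost_ap": {"192.168.1.60": "192.168.1.0/24"},
}
ROUTES = {  # destination -> next hop; 0.0.0.0/0 is the default gateway
    "pfsense":     {"192.168.2.0/24": "192.168.1.2"},   # the poster's static route
    "linksys":     {"0.0.0.0/0": "192.168.1.1"},
    "lanhost":     {"0.0.0.0/0": "192.168.1.1"},
    "wifihost":    {"0.0.0.0/0": "192.168.2.1"},
    "wifihost_ap": {"0.0.0.0/0": "192.168.1.1"},
}
ADDR_TO_NODE = {addr: node for node, ifs in NETS.items() for addr in ifs}

def next_hop(node, dst):
    """Directly connected networks deliver to dst; otherwise longest-prefix match."""
    d = ipaddress.ip_address(dst)
    if any(d in ipaddress.ip_network(n) for n in NETS[node].values()):
        return dst
    best = None
    for net, gw in ROUTES[node].items():
        n = ipaddress.ip_network(net)
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw)
    return best[1] if best else None

def trace(src, dst):
    """Return the list of nodes a packet from src to dst passes through."""
    node = ADDR_TO_NODE[src]
    path = [node]
    while True:
        nh = next_hop(node, dst)
        if nh is None:
            raise RuntimeError(f"{node}: no route to {dst}")
        node = ADDR_TO_NODE[nh]
        path.append(node)
        if nh == dst:
            return path

def is_asymmetric(a, b):
    """pf tracks state per flow, so seeing only one direction breaks the flow."""
    fwd, rev = trace(a, b), trace(b, a)
    return ("pfsense" in fwd) != ("pfsense" in rev)
```

In the routed case the reply from the WiFi host goes LinkSys to LAN host directly, so pfSense never sees the return half of a connection it created state for.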
-
@johnpoz I was on the fence about configuring the WiFi router as an AP, because I thought changing DHCP servers would be disruptive. But I bit the bullet and did it. The transition was surprisingly smooth and things seem to be working. Thanks for the tip!
-
@recoveringchemist said in Configure pfSense with a router connected to the LAN interface:
The transition was surprisingly smooth
Things don't care where they get an IP from via dhcp.. They will ask for a renewal; when they don't get it and the lease runs out, they will do a discover and get an IP from the new dhcp server. Or the new dhcp server will see their renewal request and, if it's not in use and you're using the same IP range as the other dhcp, give them what they ask for if it's available..
dhcp is not some required thing that needs to be on every second or minute.. You can turn it off normally for hours or even days.. As long as something new isn't asking for an IP you can run for whatever length your leases were set for. I hand out like 4 day leases ;) so worst case even if my dhcp server was off for 2 days (50% of the lease time) I would be ok, etc. Clients normally start asking for renewal when their lease reaches 50%.
Worst case when you even change IP ranges - just reboot the device and it will get an IP from the new dhcpd.
Changing dhcp server or even whole IP ranges should really never be a problem when you use dhcp.
Biggest issue is when you use static IPs on the devices and you want to change IP ranges ;) then you have to touch every device - this is why dhcp is the preferred setup, you can change anything you want - gateway, dns, etc.. and clients will just get this info when they renew, or they ask for an inform, etc... If you want a device to always have the same IP - set it via a reservation on the dhcpd, etc.
-
@johnpoz In my case, switching my WiFi router to an AP forced all of my WiFi devices to change subnet at the same time. I was concerned that some might not make the transition smoothly. I had to reboot a couple of my IoT devices to get them to request a new IP, but the impact was minimal. I was concerned that behavior might be more widespread.