pfSense with OpenWRT Guest logon with VLAN

johnpoz

@ramosel said in pfSense with OpenWRT Guest logon with VLAN:

I do not have any rules blocking 8080.

But do you have rules limiting to only specific things? Simple thing to do would be to sniff the traffic and then fire up the speedtest web or app, and see where it tries to go..

If it works with specific servers - some of their servers don't use 8080, etc..

Are you routing traffic on these vlans out a specific gateway, like a vpn or something?

Ramosel

So, I just let this stew and used the Speed Test available with the Starlink console... which worked fine. Quite a few people came up with the same issue and a few posted information to show that some (not all) ISPs and hosts were definitely blocking direct Starlink traffic via the Ookla website or app. You could use a VPN and get around the blocks too. Anyway, it all seems to be working without a VPN now. So, yep, it was just a coincidence this happened as I turned up some VLANs. I thought I'd done wrong... but with all you guys helping... how could I??

stephenw10

The more I learn the more I discover I don't know.

johnpoz

@stephenw10 said in pfSense with OpenWRT Guest logon with VLAN:

The more I learn the more I discover I don't know.

So freaking true!

Ramosel

@stephenw10 said in pfSense with OpenWRT Guest logon with VLAN:

The more I learn the more I discover I don't know.

You have learned that valuable lesson early.

As a retired development engineer, I look back and can honestly say my best take on your statement and of modern technology is that the more I know about something, the worse the product was from the beginning.

stephenw10

@ramosel said in pfSense with OpenWRT Guest logon with VLAN:

the more I know about something, the worse the product was from the beginning.

ikonomn

@stephenw10
Is there any chance to make step by step guide about connecting openwrt dump access points to pfSense using vlans to isolate insecure devices such as phones cameras guests...
Thanks/
Nikos

stephenw10

Right now is a terrible time to write such a guide because depending on which architecture the openwrt device is it may or may not have been converted to DSA. And that changes the way ports and interfaces are handled significantly!

In pfSense you just create a VLAN interface on the parent NIC the AP(s) is connected to and assign that as a new interface with the appropriate firewall rules.

You would have to add that VLAN to any switches in between pfSense and the AP(s).

In OpenWRT you would:
Create a VLAN device on the appropriate eth device.
Create a bridge that includes that new VLAN device.
Assign that bridge as a new interface.
Create a new SSID and set that as attached to the new interface.

Doing that replicates the pre-configured br-lan interface but for the new VLAN.

That assumes an OpenWRT device that doesn't have a switch or at least isn't connected via the switch.

Steve

ikonomn

Thanks a lot.

Nikos

stephenw10

No worries. I'm sure we could help you get that working if you have an problems.

Ramosel

@ikonomn said in pfSense with OpenWRT Guest logon with VLAN:

@stephenw10
Is there any chance to make step by step guide about connecting openwrt dump access points to pfSense using vlans to isolate insecure devices such as phones cameras guests...
Thanks/
Nikos

I'm playing with this again on some Linksys e8450s (and it's fight back) so I've hesitated to respond to your request as I know it can be done... just not sure if wifi clients stay isolated as they pass through the VLANs into pfSense and out on the WAN.

If you use OpenWRT, there is a setting within the Wireless setup of each SSID to "isolate clients". I know the isolation works on the connected WAP as well as on multiple WAPs. But there is no setting to isolate any ethernet connections if you use the VLAN to hardwired devices... that I've found. Fortunately all those devices that need isolation are indeed, wireless.

stephenw10

Yes wireless clients will be isolated from each other is that is set on the access point. They would not be isolated from wired devices on the VLAN that AP is bridged to.

What exactly are you wanting to isolate?

Linksys e8450 looks like nice device.

Ramosel

@stephenw10 said in pfSense with OpenWRT Guest logon with VLAN:

Yes wireless clients will be isolated from each other is that is set on the access point. They would not be isolated from wired devices on the VLAN that AP is bridged to.

What exactly are you wanting to isolate?

I was just finally responding to Nikos... but I do Client Isolation on my WAP clients on my IOT VLAN... and all my wired IP Cameras are on that VLAN as well. I just have rules to to isolate the wired stuff in pfSense itself.

Linksys e8450 looks like nice device.

Yeah, I got some back channel info that one of the OpenWRT Devs is now coding for MediaTek and that some of the Linksys/Belkin stuff was going to get "extra" attention. They do seem have potential but there is a UBI memory hack from DangoWRT that works... but is suddenly causing devices to die.... almost like they've had a Covid shot too many.

Anyway... long story short, I'm having an issue getting the DSA build you and I worked on configured under Openwrt 23.05.3. Either I forgot the process, or it isn't going to work... I've even tried editing in the info in the tar backup Network file. I'll figure it out or I'll send you an e8450/rt3200

JP... yes, I'm hearing you in my head... unify, unify, unify. But I really need 4 ethernet ports on two of my remote WAPs with backhaul.