Pfsense and Router

viragomann

@antibiotic
As @chpalmer already suspected, your secondary router seems not to be configured as a router for the devices connected to it.
Obviously all connected ports of it are member of the LAN bridge (br-lan). Otherwise pfSense would could only hand out DHCP leases for the devices behind it if you have enabled to DHCP relay on the OpenWRT.

If you want to run it as router, connect its WAN to pfSense, let the home router do the DHCP server for the devices connected to it (wifi or other) or enable the DHCP relay and disable the outbound NAT.
Then you have to configure the outbound NAT for the network behind the router on pfSense manually, cause pfSense doesn't know this network and add a static route on pfSense for the network and point it to the home routers WAN IP.
Then you will also see the IPs behind the home router on pfSense and can filter them.

But if you whole intention is to use it for wifi and to connect other devices to its switch, you don't need to switch it in the router mode can and leave the connection as it is.

Antibiotic

@viragomann said in Pfsense and Router:

Otherwise pfSense would could only hand out DHCP leases for the devices behind it if you have enabled to DHCP relay on the OpenWRT.

I think DHCP relay working , beacuse can see DHCP leases for the devices behind WiFi router. But Firewall - NAT Rules are completely empty on this router. Is it normal? If my whole intention is to use it for wifi and to connect other devices to its switch.

viragomann

@antibiotic
We tried hard to find out if your OpenWrt is configured as a router or as a switch. But we cannot tell you. You should know this, since you had set it up .

But simple to determine:
router: wifi devices are in a different subnet than the LAN interface.
switch: they are within the same subnet (L2)

PatRyan

For the home router it sounds like you are using it to be your WiFi access to the network. If that is the case then set it as an Access Point in OpenWRT. That should disable DHCP on the router and still offer WiFi. Keep your connection to the pfSense box as a LAN to LAN connection. Set your router (which is now an Access Point) to get its IP from DHCP or set a static IP.

Your Access Point should now serve up WiFi and pass through requests for IP addresses to the pfSense box DHCP. This arrangement will collect the WiFi connections and pass them on to the pfSense firewall.

So for what is connected to what:

1. Connect pfSense box to ISP on it’s WAN port
2. Connect the WiFi Access Point (no longer a router) to pfSense via LAN port
3. WiFi clients will connect to Access Point

stephenw10

It sounds like you're using the OpenWRT device just as a switch as access point. And in that case what you're seeing is expected and I would change nothing.

Steve

Dobby_

@antibiotic

With OpenWRT you will be able also to create a so called WiFi extender or WiFi repeater, if you have done so, you
may be running now into the so called hidden station problem to point it to the not able to see the OpenWRT device from your pfSense.

So in normal it would be the best thing to set up pfSense
at the WAN (behind ISP Modem) and setup the OpenWRT
as a WiFi AP in my eyes. So the AP gets also a IP address
and this will be normally static. All the routing is done by the pfSense alone.

Antibiotic

Big thanks' to all for useful tips!