VLAN & access router
-
Hi
Can you please help me with my home network ?
I created 3 VLANs from the main network and I can't access the router GUI. My network:
Modem => pfSense => router
On pfSense and router I have created 3 VLANs:
- 192.168.500.1 => main network (for trusted devices) (has access to guest & IoT network)
- 192.168.600.1 => for guests (can't access the main one nor the IoT network)
- 192.168.700.1 => IoT (can't access the main one nor the guests network)
my pfSense address is: 192.168.100.1
my router address is: 192.168.100.2
When I am connected to the main network (192.168.500.1) I can access pfSense but I can't access the router.
Can you please advise, what should I do to access the router GUI from my main VLAN? To be specific, what should I do to access my router with address 192.168.100.2 from the 192.168.500.1 network?
Thanks in advance.
-
@wool3095 said in VLAN & access router:
on pfSense and router I have created 3 VLANs:
Why would you create them on both? If your downstream router is routing these networks, then the only network to pfsense between your pfsense and your downstream router would be a transit network, i.e. this 192.168.100 network it seems.
Pfsense would have no use for vlans on it for these other networks. The only thing it needs is routes to them, and you need to create rules on the transit that allow the downstream.
Happy to help but you're going to need to provide some more details: what is this downstream router from pfsense? How do you have everything connected? Do they all run through some layer 2 switch? Is this downstream router an L3 switch doing routing?
Edit: here is a good drawing for doing a downstream router on pfsense.
-
Hi Johnpoz
I tried to make a drawing (do not know how to post it correctly as you did, but I managed :) )
Link to drawing
Hope it explains.
PS. My home setup is not very complicated.
-
@wool3095 ah if you're just using some old wifi router as an AP then I wouldn't really call it a router.
Does that router actually support vlan tags for your different ssids? And I wouldn't run vlans over a dumb switch.. You can sometimes get away with it, but it's not best practice, that is for sure. Are you plugging anything else into that switch? While the dumb switch might not strip tags, it doesn't understand them, so any multicast or broadcast is going to go out all its ports, so you don't really have actual isolation.
Do your clients get the IPs on your different networks from pfsense dhcp.. When you connect to the different ssids?
If the router you're using for your AP doesn't allow for a gateway, then you wouldn't be able to connect to it from another network.. Or if it is some netgear - just sort of ran into that same issue here for someone else.
You can get around that with outbound nat - I go over that in the above thread linked to.
-
Hi
Yes, the router works well with VLANs so all my 3 networks work well. I have different devices right now connected to each network and all works like a charm. So yes, all of my clients on 3 different networks get IP addresses and are connected to the internet.
The switch is right now optional. As info, that is a small 5-port switch; basically the router is plugged in and a Raspberry Pi (currently not used, so I do not know if it got an IP address).
I can take away the switch, that is not a problem (it was used more in the past, now it is optional).
I will need to check if that router allows a gateway. I will investigate and revert back.
-
@wool3095 You can prob use the dumb switch - just pointing out it's not good practice to run vlans over a dumb switch because it does not understand them and any multicast or broadcast will just go out every port.
If you were going to just use it as an extension it wouldn't be a big deal if only pfsense and your AP were plugged into it. Not a major concern in a home setup - but for example, since the switch doesn't really understand tags.. I could plug a device into any of those ports and be on whatever vlan I want by just using a tag.. Again not prob a big concern in a home setup. Just something to be aware of is all, and if you are going to start playing with vlans I would suggest you get an actual vlan capable switch to use.. They can be had for like $40 for a cheap 8 port gig, etc.
If your clients on your AP's different wifi are getting put on the correct networks that is good and your tagging is working from your AP.. As to why you cannot access the gui of this now AP on 192.168.100.2 from say 192.168.500.x -- this screams the device doesn't have a gateway and doesn't know how to get back to 192.168.500.x
Or like the guy in the other thread, something to do with his router's AP "mode" even though the device had a gateway, etc. You could prob work around the problem with the outbound nat setting gone over in that thread.
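The reasoning in the two replies above (an AP on the transit network with no gateway cannot answer a client on another VLAN, and outbound NAT on the pfSense transit interface works around that) as a small routing-decision model. This is example code added here, not pfSense code or anything the posters wrote; the transit network 192.168.100.0/24 and the addresses .1 and .2 come from the thread, while 192.168.5.0/24 is a constructed stand-in for the obfuscated "192.168.500.x" main VLAN.

```python
import ipaddress

# Transit network and the two hosts on it come from the thread.
TRANSIT = ipaddress.ip_network("192.168.100.0/24")
PFSENSE_TRANSIT_IP = ipaddress.ip_address("192.168.100.1")
AP_IP = ipaddress.ip_address("192.168.100.2")
# Constructed stand-in for the obfuscated "192.168.500.x" main VLAN.
MAIN_VLAN = ipaddress.ip_network("192.168.5.0/24")


def host_can_reply(reply_dst, connected_net, default_gw=None):
    """Routing decision of a simple host such as the AP: it can deliver
    directly to anything on its connected subnet; anything else needs a
    default gateway, and that gateway must itself be on the subnet."""
    reply_dst = ipaddress.ip_address(reply_dst)
    if reply_dst in connected_net:
        return True
    if default_gw is None:
        return False
    return ipaddress.ip_address(default_gw) in connected_net


def source_seen_by_ap(client_ip, outbound_nat):
    """Source address the AP sees in the request. With an outbound NAT rule
    on the pfSense transit interface, an off-subnet client is rewritten to
    pfSense's own transit address, so the AP's reply is always on-link."""
    client_ip = ipaddress.ip_address(client_ip)
    if outbound_nat and client_ip not in TRANSIT:
        return PFSENSE_TRANSIT_IP
    return client_ip


def gui_reachable(client_ip, ap_gateway=None, outbound_nat=False):
    """True if a connection from client_ip to the AP GUI can complete: pfSense
    forwards the request, and the AP can route its reply back to whatever
    source address it saw. This models the thread's three cases: no gateway
    on the AP, a gateway pointing at pfSense, and outbound NAT on the transit."""
    seen = source_seen_by_ap(client_ip, outbound_nat)
    return host_can_reply(seen, TRANSIT, ap_gateway)


if __name__ == "__main__":
    client = "192.168.5.20"
    for gw, nat in [(None, False), ("192.168.100.1", False), (None, True)]:
        print(f"AP gateway={gw} outbound_nat={nat}: "
              f"GUI reachable={gui_reachable(client, gw, nat)}")
```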
-
192.168.500.X, 192.168.600.X, 192.168.700.X are not valid IPv4 networks!
Largest octet is 255…
-
@azdeltawye haha very true.. He is obfuscating them clearly ;)
-
Hi
Yes, the networks are not correct, they are examples for easy explanation, nothing else.
I will look a bit later at another post and revert back.