Need Help with a Setup/Hardware config
-
Hi! I don't usually ask for help but this one has me a little stumped. I will try to outlay my config and what I want to accomplish. I am fairly accomplished in hardware/software but some of networking I do not yet understand.
I have an appliance that has 4 nics (igc0-3) in it and pfsense pro installed.
I have an unmanaged switch, an EERO 6e Wireless Mesh network, Modem(WAN).
Cable internet enters the house at the Modem. The modem is plugged into port (igc0) of the appliance and works.
The Switch is plugged into (igc1) of the appliance and everything that is plugged into the switch is working fine.
I want the mesh network to be plugged into (igc2) of the appliance so that it is separate from the switch but still has access to the WAN and the rest of the devices on my network can CAST to the various devices on the LAN/OPT1/wifi network.
When I plug the EERO/wifi into the OPT1/igc2 plug it will not connect to ANY of the other networks or the WAN. It says that it is and that it has the IP 192.168.4.1 but refuses to connect to the internet or the rest of the network. I have made firewall rules to direct traffic that mirror the settings on my LAN plug but with the proper IP address for the EERO/wifi but to no avail.
LAN network is 192.168.1.1/24 and the EERO says that it is 192.168.4.1/24 but no matter what I do I cannot get the EERO to configure to the internet or anything else (red led flashing (connection failed) or white led flashing (waiting for configure)). If I plug the EERO into the switch it configures and connects almost immediately, everything works but my LAN devices cannot see any of the wifi devices to cast to them unless I set the EERO to Bridge and get it on my same subnet of 192.168.1.*
The idea behind getting the EERO on the netgate and off the switch is to take some of the load off the switch for the wifi devices (38 of them) and also levee some control over them. Does anyone have a similar setup and can help me with this? I skimmed through the articles here and could not find what I need.
-
@TheAncientGamer do you see any settings anywhere in the EERO config that allows you to use the nodes in something like "access point/AP mode-only" or similar?
-
@cyberconsultants said in Need Help with a Setup/Hardware config:
> @TheAncientGamer do you see any settings anywhere in the EERO config that allows you to use the nodes in something like "access point/AP mode-only" or similar?
I didn't but I will take a look again. I like the idea of the EERO being able to hand out IPs to my devices on its own. Effectively right now I have it in Bridge mode so my netgate is doing all the work. The EERO is fairly robust on its own but not super configurable. I will report back. Thank you.
-
@TheAncientGamer the topographic path of least resistance will be to make use of the pfSense host as your DHCP server. in your proposed flat LAN with subnet ID 192.168.1.0/24, that simply means pfSense will hand out 192.168.1.xxx addresses to all DHCP clients, including the individual mesh nodes themselves and any wireless clients that connect through them. (you'll also maintain the ability to statically assign any unused addresses).
in fact, using AP-only mode on the nodes (assuming that capability) might actually disable their DHCP services and they'll become DHCP clients-only themselves. depends on a whole bunch of functionality and use cases EERO may or may not have included or contemplated, intentionally or otherwise.
if, however, in AP-only mode the nodes can act as both DHCP server (served from the master node with relay on the slave nodes) and client simultaneously, you have a couple additional options depending on how complex you want to get.
-
@cyberconsultants said in Need Help with a Setup/Hardware config:
> @TheAncientGamer the topographic path of least resistance will be to make use of the pfSense host as your DHCP server. in your proposed flat LAN with subnet ID 192.168.1.0/24, that simply means pfSense will hand out 192.168.1.xxx addresses to all DHCP clients, including the individual mesh nodes themselves and any wireless clients that connect through them. (you'll also maintain the ability to statically assign any unused addresses).
> in fact, using AP-only mode on the nodes (assuming that capability) might actually disable their DHCP services and they'll become DHCP clients-only themselves. depends on a whole bunch of functionality and use cases EERO may or may not have included or contemplated, intentionally or otherwise.
> if, however, in AP-only mode the nodes can act as both DHCP server (served from the master node with relay on the slave nodes) and client simultaneously, you have a couple additional options depending on how complex you want to get.
It doesn't look like the EERO has an AP only mode. In the app, I have under DHCP & NAT networking: Automatic, Manual IP and Bridge. Right now it is Bridge which to me is acting like an AP. My pfsense/netgate is handing out IP addresses over the EERO device to all my wifi devices. I have not tried Bridge Mode with the OPT1 port, this is while the EERO is connected to my Switch. Other EERO Network settings I have: Reservations and Port Forwarding, DNS, UPnP, Then under Wireless, Client Steering, and Thread. And under Internet on the EERO I can set, WAN IP Address, Gateware EERO IP Address, IPv6 and ISP Settings <--Can't remember what is in here as Bridge mode at the moment has me locked out of looking at it.
My Wife works from home so I cannot really mess with it at the moment as she needs the connection. This is mostly an after-dark and weekend project atm. Thanks for your insight, I appreciate it.
-
@TheAncientGamer Probably most of all out of this is that I want to understand how to plug in a network device to the other two ports and have it connect to the rest of my network (LAN) and (WAN). Say, add another switch for 10G or 2.5G devices. I am missing something somewhere with the routing and am feeling pretty dumb right now that I cannot sort it out.
-
@TheAncientGamer yw. bridge mode is definitely what you were looking for and found yourself.
> My pfsense/netgate is handing out IP addresses over the EERO device to all my wifi devices. [ . . . ] this is while the EERO is connected to my Switch.
if there's anything specifically undesirable about this, you'll have to explain a little more. you said:
> I want the mesh network to be plugged into (igc2) of the appliance so that it is separate from the switch
the 'why' to that will dictate how to configure everything.
-
@cyberconsultants said in Need Help with a Setup/Hardware config:
> @TheAncientGamer yw. bridge mode is definitely what you were looking for and found yourself.
> > My pfsense/netgate is handing out IP addresses over the EERO device to all my wifi devices. [ . . . ] this is while the EERO is connected to my Switch.
> if there's anything specifically undesirable about this, you'll have to explain a little more. you said:
> > I want the mesh network to be plugged into (igc2) of the appliance so that it is separate from the switch
> the 'why' to that will dictate how to configure everything.
Mainly to offload the switching of all of my IOT devices from the unmanaged switch and to be able to throttle/limit the IOT as a whole. I would also like to have my IOT and wifi devices on their own subnet just for organization purposes. Maybe I am just going about the whole thing in the wrong way? Forgive me as I am a kinesthetic learner and self-taught in all of this.
-
@TheAncientGamer said in Need Help with a Setup/Hardware config:
> Probably most of all out of this is that I want to understand how to plug in a network device to the other two ports
at the moment the other two ports on your pfSense host (igc2 and igc3) are by-default router interfaces, not switchports. if maintained as router interfaces, then additional firewall configuration would be necessary to get anything on any one of them (i.e. igc1-3) 'talking' to either one of the others. in strict networking terms, they are three separate Layer 3 segments each requiring its own subnet.
you replied just now to say that you're looking to achieve some level of network segmentation. that's usually never a bad goal. just know that you will be significantly technically limited in what you can do with the EERO mesh nodes acting as your APs (e.g., no VLAN tagging and certainly no SSID-to-VLAN mapping).
-
@cyberconsultants Thanks! I think I will just keep it the way it is. I wrote rules for the firewall for igc2 when I was trying to config it but could not seem to get it to work. I guess I just have to hit the books and learn more before I move forward. Was hoping someone had an easy tutorial I could riff off to see if I could get it to work. I did set up VLANs (Which I still don't fully understand mind you) when I set up the appliance initially but I could not get them to work. On my old SG1100 I was working with VLANs and honestly cannot remember how I set them up in the first place but that whole system was set up with WAN/LAN/OPT1 by me and it all worked. I did copy over that config from the old box but could not get it to plug and play properly so I ended up just using the old Port Forwarding rules I had and started fresh. Thanks again for your help in all this. Have a great holiday.
-
@TheAncientGamer on eero, bridge mode is what makes the mesh act like an AP.
I skimmed the above but not sure I followed. If you want to separate the networks you can connect your main eero to a third interface with a unique subnet. It needs its own rules; LAN defaults to allow all with the two default rules but all other interfaces default to deny all.
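
The behaviour described in the last two replies (each routed interface is its own Layer 3 segment, and only LAN ships with an allow rule), modelled as an added example that is not part of the thread and is not pfSense code. The OPT1 subnet 192.168.20.0/24 and the names `evaluate` and `segmented_opt1` are assumptions; the evaluator matches on source and destination only.

```python
import ipaddress

# LAN subnet is taken from the thread; the OPT1 subnet is an assumed value.
LAN = ipaddress.ip_network("192.168.1.0/24")
OPT1 = ipaddress.ip_network("192.168.20.0/24")  # hypothetical subnet for igc2
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rules live on the interface where traffic ENTERS the firewall, in order:
# (action, source network, destination network).
RULES = {
    "LAN": [("pass", LAN, ANY)],  # the default "allow LAN to any" rule
    "OPT1": [],                   # a newly assigned interface has no rules
}


def evaluate(rules, iface, src, dst):
    """First matching rule on the ingress interface decides; no match blocks."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_src, r_dst in rules.get(iface, []):
        if src in r_src and dst in r_dst:
            return action
    return "block"  # implicit default deny on every interface


def segmented_opt1():
    """OPT1 rules for an isolated wifi/IoT segment: internet yes, LAN no."""
    rules = dict(RULES)
    rules["OPT1"] = [
        ("block", OPT1, LAN),  # must sit above the broad pass rule
        ("pass", OPT1, ANY),
    ]
    return rules


if __name__ == "__main__":
    flows = [
        ("OPT1", "192.168.20.50", "8.8.8.8"),       # wifi client to internet
        ("OPT1", "192.168.20.50", "192.168.1.10"),  # wifi client to LAN host
        ("LAN", "192.168.1.10", "192.168.20.50"),   # LAN host to wifi client
    ]
    for label, rules in (("no OPT1 rules", RULES), ("segmented", segmented_opt1())):
        for iface, src, dst in flows:
            print(f"{label:14} {iface:5} {src:>14} -> {dst:<14} "
                  f"{evaluate(rules, iface, src, dst)}")
```

Because the firewall is stateful, a connection opened from LAN to an OPT1 device gets its replies back without any OPT1 rule; the OPT1 rules only govern connections that OPT1 devices initiate.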