Do I need a static router for my network?

backspacemild

Hi All,
Hope everyone is doing well.

I am looking for advice on how to solve the following issues. An an answer with the thought process captured in the reply will be really appreciated. For example, "You do not need a static route because the host is directly connected to the router in question. Take a look at [Chapter 34. Advanced Networking(https://docs.freebsd.org/en/books/handbook/advanced-networking/) > Routing Basics, for help."

Questions

1. Do I need a static route defined in pfsense to be able to ping host A from B, B1 or B2?
2. Do I need to install the sudo package before I can add a route? I ssh'ed into pfsense and tried to add a static route and got the error "route: must be root to alter routing table"?

• In the pfsense GUI, I have disabled the "admin" account by checking the option "This user cannot login". I created a new user peter-pan, and made peter pan a member of the "admins" group.
• To test, I ssh'ed into the pfsense appliance from host B2 and B1 Win11 without issues

Abridged Network Diagram

A summary of the troubleshooting steps performed

• purpose: check if I can ping hosts that are on the wired network from a host that is on the wireless network.
  • ping host B, B1 Win, B2, pfsense LAN and wireless router WAN from host A - no issue
• purpose: check if I can ping a host on the wireless network from hosts on the wired network
  • ping host A from B, B1 Win, B1 WSL, and B2 Mint - ping failed
• To continue my "linear logical troubleshooting", I pinged pfsense LAN, wireless WAN and wireless LAN from host B

• host B ---> pfsens LAN pass
• host B ---> wireless WAN pass
• host B ---> wireless LAN fail

• This tells me that my packets are leaving host B and are able to make it to the wireless WAN interface
• To double check, I used the pfsense GUI to ping the wireless WAN (pass) and wireless LAN (fail)
• Conclusion: I need to add a static route to pfsense which will send traffic for wireless LAN to the gateway wireless WAN. Is this correct?

Execution

• I ssd'ed into pfsene from host B2 and executed the command route add -net 192.168.0.0/24 192.168.100.25. Got the error "route: must be root to alter routing table"
• Using the GUI and referencing Static Routes, added a Static Route
  • gateway IP: 192.168.100.25
  • static route > destination network 192.168.0.0 and gateway (created in previous step)
• result: 192.168.100.1 (pfsense LAN) started pinging 192.168.100.25 (wireless WAN) continuously. Deleted the gateway and router and did a packet capture using the pfsense GUI to make sure that the pinging has stopped.

viragomann

@backspacemild
Why don't you configure the wifi router as access point?

If it's a router, then yes, you need a static route to reach networks behind it.

andres-asm

furthermore, you may not be able to do it, since your wireless router may not have a toggle for NAT, many home routers do not have a way to disable NAT, and in such case you won't be able to ping that host

kiokoman

@backspacemild
indeed you need a static route to the wireless router
but to be able to ping host A you need to configure a port forward for the ICMP protocol and it's not always possible, depend on the wireless router
with the static route and port forward on the wireless router you should be able to use any services available on the other side of the network

IMHO it would be better to disable routing and instead use a VLAN for the wireless access point

Jarhead

@kiokoman said in Do I need a static router for my network?:

@backspacemild
indeed you need a static route to the wireless router
but to be able to ping host A you need to configure a port forward for the ICMP protocol and it's not always possible, depend on the wireless router
with the static route and port forward on the wireless router you should be able to use any services available on the other side of the network

IMHO it would be better to disable routing and instead use a VLAN for the wireless access point

Why would you use a vlan??
Just curious what your thinking is, since as stated, all you really need to do is not use the WAN port on the wireless router. Just plug a LAN port on it to the pfSense LAN and it's just an access point. Of course, this means turning off the dhcp server on the wireless also.

kiokoman

@Jarhead
because if he is doing something like that he probably want to segment the networks. or if not he can just put the wireless AP on the switch.
For example, I definitely don't allow any wireless devices to communicate directly with my servers so i'm using vlans.

johnpoz

@kiokoman said in Do I need a static router for my network?:

ndeed you need a static route to the wireless router

No not really, but if was going to create routes to the network behind the router, he would need to do it on all the hosts on his lan network

Or he is going to run into asymmetrical traffic..

I really don't see the point of letting that old access point do any nat.. Just use it as an AP and put it on another segment on your pfsense be it physical or vlan..

Running some downstream nat router is just going to be problematic.. And there is no rules you could do on pfsense to stop these clients connected to that wifi router from talking to anything on pfsense lan.. That would have to be done on that router, and guest normally stop wifi from talking to the wifi lan, but not its wan, etc..

You be much better off just doing it correctly via another segment on pfsense and using it as just an AP.. Or if your not actually worried about communication between lan and your wifi, then just use it as AP and put on the same pfsense lan network.