Internal NAT with Nest Wifi
-
I have Nest Wifi (not the best idea I've had, I know) behind pfSense. The WAN interface on the primary Nest Wifi router is connected to a port in vlan11, where all of my wired devices sit. The LAN interface on the primary Nest Wifi router is connected to a port in vlan10. The WAN ports on the other Nest Wifi routers connect to ports in vlan10. I do not like the performance of the Nest mesh, so each of the secondary Nest Wifi routers connects directly to the primary over vlan10. This works great for the wireless network. My wired devices are all in vlan11. The wireless devices can all reach the wired devices just fine, as the primary Nest Wifi router performs the NAT to a wired vlan IP address and the pfSense provides the routing. But wired devices cannot reach the wireless devices (such as printers and webcams), as the Nest Wifi routers only allow port forwarding and no inward routing.
I am trying to find a way to use the pfSense to NAT wired vlan to the wireless vlan interface IP on the pfSense. It looks like I should be able to do this but so far have not found the correct settings. Has anyone been able to do something like this with pfSense?
-
@GoettaGrip said in Internal NAT with Nest Wifi:
I have Nest Wifi (not the best idea I've had, I know) behind pfSense. The WAN interface on the primary Nest Wifi router is connected to a port in vlan11, where all of my wired devices sit. The LAN interface on the primary Nest Wifi router is connected to a port in vlan10. The WAN ports on the other Nest Wifi routers connect to ports in vlan10. I do not like the performance of the Nest mesh, so each of the secondary Nest Wifi routers connects directly to the primary over vlan10. This works great for the wireless network. My wired devices are all in vlan11. The wireless devices can all reach the wired devices just fine, as the primary Nest Wifi router performs the NAT to a wired vlan IP address and the pfSense provides the routing. But wired devices cannot reach the wireless devices (such as printers and webcams), as the Nest Wifi routers only allow port forwarding and no inward routing.
I am trying to find a way to use the pfSense to NAT wired vlan to the wireless vlan interface IP on the pfSense. It looks like I should be able to do this but so far have not found the correct settings. Has anyone been able to do something like this with pfSense?
I think your problem is that you have connected your Nest devices using the WAN ports. That means you engage the firewall in them and it will block any attempt to get through to a wireless device.
Instead, simply connect the LAN port on each Nest device to VLAN 10 ports in your switch. Also, make sure to turn off DHCP in your Nest device(s). They are now simple AP's and will work as switches between the wireless network and your wired network on VLAN 10. Assuming you have everything set up in pfsense for VLAN 11 and 10, with DHCP servers for each, you can now create rules to block all traffic from WiFi (VLAN 10) to LAN (VLAN 11), if that is desired. You could also set up rules to block VLAN 11 to 10 but allow access to specific devices on VLAN 10 (your printer and webcams).
IF Nest is VLAN capable you can extend your VLAN into the WiFi network as well. Meaning you can create VLAN's also in the WiFi network, to e.g. separate Cameras from smartphones and laptops etc. But that requires you to set up VLAN's in the Nest device, using the same VLAN ID's as you use in pfsense.
And the switch ports to which the Nest devices are connected need to be set up as Trunk Ports and be members of all VLAN's you want to use on WiFi.
This means that the firewall in the Nest device is in use, and you
I'm thinking that the idea you have with VLAN 10 and 11 is to be able to control access between LAN and WiFi devices?? And that is definitely possible, but what you can n
-
@Gblenn thanks for the response. Google does not provide a means of disabling DHCP. I tried setting the scope to just 1 reserved address and then using a different DHCP server but Nest appears to be blocking DHCP packets from the wireless network. You had a good idea but Google is determined to control their environment. I had heard rumors they were going to offer support for multiple VLANs but that hasn't materialized yet. I will keep picking at it. It's not a show stopper, just an annoyance.
-
@GoettaGrip Well, that kind of supports your thoughts about Nest wifi not being the best idea ever...
Anyway, I see the point of limiting the DHCP scope to just one IP, and that should absolutely work. And apparently people report this as a way forward. And I don't really see why or how Nest would block DHCP requests on the switch side (LAN port).
The key then would be NOT to use the WAN port at all on your Nest devices. The LAN port(s) are connected to the internal switch in the Nest device and wifi is "just another port".
However, I see that there is another alternative mentioned, and that is bridge mode. Since you are not using mesh and all your access points are connected via cable, this may work fine as well.
Then you DO connect Nest with the WAN port. And this will work since bridge mode disables the firewall/NAT and DHCP in the device. https://support.google.com/googlenest/answer/6240987?
-
One more thing... you have to make sure to assign your Nest device(s) different IP's from pfsense.
The way you set it up, with only 1 IP in the range, IF your Nest router still has 192.168.1.1 as its IP (same as pfsense), it will interfere with your wifi devices trying to reach pfsense.
-
Hello @Gblenn
I did manage to fix my issue. I live in the Cisco world and Nest does not. I had higher expectations for Nest. When I realized I had to "dumb" down my network and expectations I got creative. As I was looking all of this over I realized that while I had assigned a vlan 10 IP address to pfSense I was not able to reach that IP from within vlan 10. I happened to look at the switchport pfSense was plugged into and noticed it was a trunk port but was configured as native vlan 10. This was left over from a previous experiment. I removed the native vlan configuration and then I was able to hit that IP. Further testing showed I could route traffic between vlan 10 and the other networks.
Back to the Nest. Google does not yet support vlans on Nest wifi, but it looks like they do on Nest wifi Pro. I am wondering, now that I have fixed the main problem, if I can go back to earlier thoughts and use pfSense as the DHCP server instead of the Nest router and employ your thoughts about using just the LAN ports on the Nest routers. I wasn't able to force them into bridge mode as the current configuration has that disabled. But now that I figured out what was blocking progress before, I can go back to this and try to get them into bridge mode.
Again, thanks for the help and thoughts.
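The pieces discussed in this thread (the wired-to-wireless NAT the original question asks for, the allow-list of specific wireless devices suggested by Gblenn, and the routing that only started working once the trunk port's native VLAN was removed) can be written out as a pf ruleset. The block below is an added example, not configuration posted by anyone in the thread and not pfSense's own generated rules; it is the hand-written equivalent of what the pfSense GUI produces from an Outbound NAT rule in Hybrid mode on the VLAN 10 interface plus firewall rules on the two VLAN interfaces. The interface names (igb1.10, igb1.11), subnets, pfSense addresses and the printer/webcam addresses are all constructed assumptions.

```pf
# Added example, not from the thread. Assumed topology:
#   vlan11 = igb1.11  wired LAN,  192.168.11.0/24, pfSense = 192.168.11.1
#   vlan10 = igb1.10  Nest LAN,   192.168.86.0/24, Nest = 192.168.86.1,
#                     pfSense has its own address 192.168.86.2 in that subnet
wired_if  = "igb1.11"
wifi_if   = "igb1.10"
wired_net = "192.168.11.0/24"
wifi_net  = "192.168.86.0/24"
wifi_self = "192.168.86.2"
# Wireless devices that wired hosts may reach (constructed addresses: printer, webcam)
wifi_allowed = "{ 192.168.86.20, 192.168.86.21 }"

# Translation rules come before filter rules in pf.
# Outbound NAT on the wifi VLAN: wired sources are rewritten to pfSense's own
# vlan10 address. A wireless device then answers to 192.168.86.2, which is on
# its own subnet, so the reply comes straight back to pfSense instead of being
# sent to the Nest's default gateway (which would not route it into vlan11).
nat on $wifi_if from $wired_net to $wifi_net -> $wifi_self

# Wired -> wireless: only the listed devices, everything else to vlan10 is dropped.
pass in quick on $wired_if proto { tcp udp icmp } from $wired_net to $wifi_allowed keep state
block in quick on $wired_if from $wired_net to $wifi_net

# Wireless -> wired: blocked, apart from DNS and DHCP to pfSense itself.
# Note: this only takes effect once the Nest acts as a plain AP on vlan10.
# With the Nest WAN port in use, wireless clients are NATed by the Nest and
# arrive on vlan11 from the Nest's WAN address, so they never cross this rule.
pass in quick on $wifi_if proto { tcp udp } from $wifi_net to $wifi_self port { 53 67 } keep state
block in quick on $wifi_if from $wifi_net to $wired_net
pass in quick on $wifi_if from $wifi_net to any keep state
```

Before relying on rules like these, the check the thread itself points to is worth repeating: from a host in vlan10, confirm that pfSense's vlan10 address answers, since a switch port carrying vlan10 untagged as the native VLAN while pfSense expects it tagged produces exactly the silent "cannot reach the interface IP" symptom described above, and no NAT or filter rule will fix that.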
-
@GoettaGrip Great that you managed to resolve it... And yes I would expect that you should be able to make things work now by using the Nest devices as dumb AP's using the LAN ports. VLAN on wifi may be nice to have but it's not a necessity.
One way of separating things over wifi could be to set one of the Nest devices to 2.4 GHz only and place that on a separate VLAN only for your IoT devices. Then the other two can run 5 GHz only, on a different VLAN. Using different passwords will safeguard against any users accidentally connecting to the wrong one. And as long as the switches are VLAN capable, this would keep 2.4 and 5 GHz separate from each other.