VPN Wifi Router Upstream Of SG1100
-
I'm a pfsense newbie so be kind. I'm basically trying to create port isolation or a private VLAN with my netgate sg1100. I've tried everything I can think of.
I need the SG1100 to route VLANs from a smart switch to an ExpressVPN AirCove WiFi router so the AirCove will register the MAC addresses and so the hosts will receive IP addresses from the dhcp server. The Aircove will allow me to place hosts on a VPN, exclude them from a VPN, or not allow internet access at all but it's done at the L2 level.
I've gotten close but the problem seems to be the fact the LAN port has to be on a different subnet than the WAN port.
I configured the sg1100 as a router on a stick and it almost worked but it still had some strange behaviors. I had to disable NAT, allow all traffic on the WAN port and DNS forward too.
Maybe I'm asking too much for this device.
Does anybody have any suggestions or has anybody done anything similar?
-
@uptheirons Use PfSense as router (sg1100), setup ExpressVPN as an OpenVPN client, create a new interface from the OpenVPN client, create a new ExpressVPN gateway for use inside the tunnel only, select it as default gateway... Express VPN must have a PfSense guide, anyway.
I know that is not what you want, but it's not PfSense's fault: your AirCove router is an all-in-one device. It is not designed to have a firewall between it and its clients. You are basically trying to use the sg1100 as a MAC filter. That is not possible. PfSense is used for routing and L3 filtering, aka firewall-ing.
The AirCove is not itself meant for such environments, anyway. It is basically a set-and-forget, basic VPN-at-home box.
-
@uptheirons Let aside the fact that, because of the VPN, you cannot even place PfSense in front of it. They are (for all practical purposes) totally incompatible.
-
The AirCove will do basically the same thing as my ISP. It will hand out a gateway IP to the SG1100.
I don't think it's asking a whole lot from the SG not to do NAT, forward the VLAN request for IP, DHCP and DNS information and send that information back to the appropriate VLAN through the trunk port.
I don't need the SG to do anything related to MAC addresses except keep the ARP table of MAC and IP association. The AirCove does all the heavy lifting as far as MAC addresses go. If it hands out an IP it will record the MAC address and then it can do it's job.
-
@uptheirons Look, PfSense is a Layer 3 device. You want Layer 2 services. Not compatible. Each subnet in PfSense has it's own ARP table. Any MAC leaves a PfSense WAN is going to be the MAC of the WAN NIC. PfSense is not a layer 2 switch. Not even a layer 3 switch.
The closest you can get is by creating a bridge in PfSense, and lose all filtering (pf) functions, but by then the device has no point. You need a managed switch.
Look at it another way. The only type of device that passes MAC's of other devices through it's ports is a switch. If the AirCove doesn't support VLANs, but has 4 ports (I suspect), instead of creating a trunk on the switch, use port-based VLANs (not 801 based) and connect one ethernet pre VLAN from the switch to AirCove. Can't think of anything else.
Or, just lose the AirCove (use it as an AP or something, with DD-WRT) and use the SG1100 in it's place for ExpressVPN. You will get a much better firewall that way in the end, anyway.
-
This post is deleted! -
This post is deleted! -
-
Pfsense does hybrid functions or else it wouldn't have built in VLAN support.
I understand I need a managed L3 for what I want to do. My purpose for the experimentation was to try and make pfsense the substitute router portion of an L3 since it has VLAN capabilities. A poor man's L3 if you will.
The AirCove is a rebranded GL.iNet router and built upon OpenWRT. However it uses the lightway protocol which is proprietary and works much faster than the other protocols I've experimented with on open source VPNs.
I'll keep the AirCove for that reason alone and ditch the SG for routing.
I've got another reason to keep the SG but I would've liked for it to be all inclusive instead of having to buy an L3 switch.
Edit: Lightway is open source however Express created it and I don't know of another router that uses it.
-
@uptheirons If you know all that, then surely you know the specs of SG1100, and thus, that it lacks a switch IC, let alone ports. Then, before even getting an account here, you must have known that you cannot use the SG1100 for what you are asking, all by your lonesome. What is then, I ask, the point of this thread, even. Since you knew all that from the start.
-
@uptheirons Also, for what you want to do, you need a managed L2, VLAN capable switch. Good day.
-
The SG being pfsense, being BSD I thought would be more configurable. I've never had any real experience with BSD so I didn't know what it actually would or wouldn't do and the user manual doesn't make it any more clear. Most people who use pfsense either have to come to forums like this to get information or they have to go through hundreds of pages or videos of pfsense recipes or tutorials to achieve the results they're looking for. The fact the switch is on a chip makes it confusing out of the gate.
Managed L2 isn't going to do routing and anything that's not VLAN aware like the AirCove won't work over a trunked port.
-
@uptheirons ... DHCP is a Layer 2 protocol. That means it uses frames (L2, MAC Address) not packets (L3, IP address). Routing is a L3 process. Only. Doesn't preserve MAC addresses.
-
The switch is ALWAYS on a chip. PfSense (and netgate devices, except 1, I think), being firewall appliances (a Layer 3 device) do not need switches (to have a switch chip on them), because they do not perform it.
@uptheirons said in VPN Wifi Router Upstream Of SG1100:
The SG being pfsense, being BSD I thought would be more configurable. I've never had any real experience with BSD so I didn't know what it actually would or wouldn't do and the user manual doesn't make it any more clear. Most people who use pfsense either have to come to forums like this to get information or they have to go through hundreds of pages or videos of pfsense recipes or tutorials to achieve the results they're looking for. The fact the switch is on a chip makes it confusing out of the gate.
No, friend. It's just that there are people that have a great deal of experience setting up networks, there are people who do not and want to learn and people who just cannot understand that they have no such knowledge yet.
-
-
Nobody is arguing the difference between L2 and L3. You said I needed a managed L2 switch which won't do me any good for routing vlans on different subnets.
And there are such things as dhcp relay agents to get IPs from different subnets. Pfsense actually has that feature.
People with a great deal of experience setting up networks would know that...friend.
