Netgate Discussion Forum

    Static route

      Antibiotic

      Please, what is going wrong?

      pfSense IP 192.168.10.1
      WIFI router IP 192.168.10.10
      WIFI router LAN IP 192.168.40.1

      I want to switch off NAT on the WIFI router and pass traffic to pfSense (pfSense NAT is in manual mode)
      Screenshot_1-4-2024_165216_192.168.10.1.jpeg Screenshot_1-4-2024_165239_192.168.10.1.jpeg

      I understand that I need to make a rule in outbound NAT, but I have no idea which rule and where. You can write in Russian; at the moment I don't have a Russian keyboard.
      Screenshot_1-4-2024_17057_192.168.10.1.jpeg Screenshot_1-4-2024_1705_192.168.10.1.jpeg

      pfSense plus 24.11 on Topton mini PC
      CPU: Intel N100
      NIC: Intel i-226v 4 pcs
      RAM : 16 GB DDR5
      Disk: 128 GB NVMe
      Brgds, Archi

        viragomann @Antibiotic

        @Antibiotic
        Are you sure that the Wifi router doesn't NAT?
        In this case pfSense wouldn't see the IPs behind in upstream traffic.

        Yes, you need to manually add an outbound NAT rule on WAN for the subnet behind the Wifi router.
        Just copy a WAN rule, e.g. the one for 192.168.30.0/24 and change the source network to 192.168.40.0/24.
        If you want to run IPsec on the wifi devices you also need a rule for ISAKMP with static port 500.

        BTW: There is no need to have the outbound NAT in manual mode. Hybrid mode should work fine for you.

          Antibiotic @viragomann

          @viragomann But apart from the NAT rule, are the rest of the rules correct, regarding my IP examples? The first screenshot with the static route gateway?

            viragomann @Antibiotic

            @Antibiotic
            The static route is correct.
            But the firewall rules will only allow internet access if the Wifi router does NAT.
            If not, you have to add a pass rule for 192.168.40.0/24.

              Antibiotic @viragomann

              @viragomann Switched off NAT on the WIFI router and got this rule in NAT:
              Screenshot_2-4-2024_203246_192.168.10.1.jpeg
              It started working))) Can I also switch off the DHCP server on the WIFI router?

                Antibiotic @viragomann

                @viragomann Second question: how do I set a permanent IP for the WIFI router, as it gets its address via a DHCP lease from pfSense?
                Let's say I have a DHCP range of 192.168.10.10-192.168.10.20 for this Ethernet point, but sometimes the WIFI router changes its IP from 192.168.10.10 to another!

                  Antibiotic @viragomann

                  @viragomann What I have now in gateway status on main, is it normal?
                  Screenshot_2-4-2024_204242_192.168.10.1.jpeg

                    viragomann @Antibiotic

                    @Antibiotic said in Static route:

                    Can I also switch off the DHCP server on the WIFI router?

                    Depends on the router, but as far as I remember, I read that this is not possible.
                    Why do you want to do this? Do you want pfSense to do DHCP for the wifi?
                    If so, the wifi router would need to relay DHCP requests, and I think it's not capable of this.

                    If you want pfSense to administer the wifi, best practice would be to set the wifi router into AP mode. I guess this should be possible.

                    Second question: how do I set a permanent IP for the WIFI router, as it gets its address via a DHCP lease from pfSense?

                    Go to Status > DHCP leases, find its entry and hit the "add static mapping" action button. State an IP of your choice for it. Remember that the IP has to be outside of the DHCP range.

                    The gateway offline indicates that the device is not responding to pings. Go to the gateway settings and disable the monitoring.

                      Antibiotic @viragomann

                      @viragomann I mean, there aren't any conflicts if pfSense as main does NAT but the WIFI router, and not pfSense, does DHCP for the local subnet behind this router?

                        viragomann @Antibiotic

                        @Antibiotic
                        No.

                          Antibiotic @viragomann

                          @viragomann OK, thank you my friend for the assistance!)))) Have a good day! Everything looks to be working now)))

                            Antibiotic @viragomann

                            @viragomann said in Static route:

                            ISAKMP

                            But if I'm planning to use OpenVPN on the WIFI router, do I need to create any more rules, in case NAT is disabled on the WIFI router? Or is it only for IPsec?

                              viragomann @Antibiotic

                              @Antibiotic
                              This rule is only for IPsec. It needs a static outbound port, so a rule is required to achieve this.

                              Your current rule set on the wifi interface allows any port to any destination on the internet anyway. So there is no additional rule needed.

                              Consider that it also allows access to the LAN. Maybe this is not desired and you want to block it.

                                Antibiotic @viragomann

                                @viragomann said in Static route:

                                Consider that it also allows access to the LAN. Maybe this is not desired and you want to block it.

                                Can you suggest a rule example for this? I have a dedicated NIC for the WIFI router connected to pfSense (pfSense has 4 NICs and all of the home network is on different NICs of pfSense)

                                  Antibiotic @viragomann

                                  @viragomann I also have an option on the WAN page of the WIFI router (Forward local domain queries to upstream DNS). The upstream DNS is my pfSense. Is it better to turn this option on, or does it not matter, given that pfSense is doing NAT?

                                    viragomann @Antibiotic

                                    @Antibiotic
                                    I use an RFC 1918 alias, which I have added all private network ranges to.
                                    128232e0-2184-4ce9-8430-cee9aee2e74b-grafik.png

                                    Add a block or reject rule and use this alias as destination. Put this rule above the allow-any rule.

                                    I also have an option on the WAN page of the WIFI router (Forward local domain queries to upstream DNS). The upstream DNS is my pfSense. Is it better to turn this option on, or does it not matter?

                                    Seems to apply to local domains only. This might assume that you have domains configured on the router.

                                    If it's possible, I would set pfSense as DNS in the DHCP settings of the wifi router, so that the devices send requests directly to pfSense.

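Added example, not part of the original posts: a small Python model of top-down, first-match rule evaluation on the wifi interface, showing why the block rule for the RFC 1918 alias has to sit above the allow-any rule. The sample hosts, the port numbers and the DNS pass rule are assumptions; the model also shows that a block on all private destinations covers 192.168.10.1 itself, so DNS to pfSense needs its own pass rule above the block.

```python
import ipaddress

# RFC 1918 private ranges: the contents of the alias described in the post.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]
WIFI_NET = ipaddress.ip_network("192.168.40.0/24")   # subnet behind the wifi router
PFSENSE = [ipaddress.ip_network("192.168.10.1/32")]  # pfSense address from the thread


def rule(action, dst, port=None):
    """One rule on the wifi interface; the source is always WIFI_NET here."""
    return {"action": action, "dst": dst, "port": port}


def evaluate(rules, src, dst, port):
    """Return the action of the first matching rule, top to bottom.

    Traffic that matches no rule is blocked (default deny).
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in WIFI_NET:
        return "block"
    for r in rules:
        if r["port"] not in (None, port):
            continue  # rule is limited to another destination port
        if any(dst_ip in net for net in r["dst"]):
            return r["action"]
    return "block"


ALLOW_ANY = [rule("pass", ANY)]
BLOCK_PRIVATE_FIRST = [rule("block", RFC1918), rule("pass", ANY)]
WRONG_ORDER = [rule("pass", ANY), rule("block", RFC1918)]
# Assumption: clients use pfSense as DNS, so DNS is passed before the block.
WITH_DNS = [rule("pass", PFSENSE, port=53)] + BLOCK_PRIVATE_FIRST

# Constructed sample flows: (source, destination, destination port)
LAN_HOST = ("192.168.40.23", "192.168.30.50", 445)
INTERNET = ("192.168.40.23", "203.0.113.10", 443)
DNS_TO_FW = ("192.168.40.23", "192.168.10.1", 53)

if __name__ == "__main__":
    for name, rs in [("allow-any only", ALLOW_ANY), ("wrong order", WRONG_ORDER),
                     ("block first", BLOCK_PRIVATE_FIRST), ("with DNS pass", WITH_DNS)]:
        print(name, [evaluate(rs, *f) for f in (LAN_HOST, INTERNET, DNS_TO_FW)])
```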
                                      Antibiotic @viragomann

                                      @viragomann Ah, thank you

                                        Antibiotic @viragomann

                                        @viragomann Could you please assist with OpenVPN? I don't understand where my mistake in the settings is.
                                        https://forum.netgate.com/post/1161108

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.