Allow IPs on another subnet straight to the WAN gateway
-
@Jarhead I will give it a try on Saturday and will let you know. The CP210s probably support VLANs but I'm not sure about the other 2 APs. Will update you asap.
-
@Jarhead Here's what I did:
- turned the Fritz LAN to 10.0.0.x/24 and had the pfS WAN static on 10.0.0.2 with the Fritz as gateway on 10.0.0.1
- turned the pfS LAN to 192.168.0.x/16 and set a DHCP pool from 192.168.1.1 to 254 (for now, as a test)
- made a firewall rule on the pfS LAN to allow all/any (for now, as a test)
...and boom! I can see the static IPs on 192.168.0.x which come from the service machines, but if I connect to the LAN as a DHCP client I'm given a 192.168.1.x address.
So now I need to herd the clients inside the DHCP subnet so that they cannot even ping 192.168.0.x IPs.
I also need to make all the 192.168.0.x IPs which aren't already assigned inaccessible, so that (i.e.) I can't connect to the LAN with a static address in the 192.168.0.x subnet and escape the DHCP.
-
@Troniclab And how are you planning to do that?
They are all on the same subnet now. There's nothing to stop them from talking to each other. That traffic wouldn't even hit a router since it's all layer 2.
You need to use the other interface for either the 1.x or 0.x subnets.
Do the APs support VLANs? -
@Jarhead All but one AP support VLANs. Unfortunately it's the one hosting 5 cameras plus one CP210 emitter
-
@Troniclab said in Allow IPs on another subnet straight to the WAN gateway:
@Jarhead All but one AP support VLANs. Unfortunately it's the one hosting 5 cameras plus one CP210 emitter
I can bind 4 of the cameras to the CP210 but unfortunately one of them is behind the emitter and too far to be caught in the backfiring wifi beam
-
@Troniclab said in Allow IPs on another subnet straight to the WAN gateway:
@Jarhead All but one AP support VLANs. Unfortunately it's the one hosting 5 cameras plus one CP210 emitter
Also they can only be ASSIGNED to a VLAN, they cannot manage one
-
@Troniclab said in Allow IPs on another subnet straight to the WAN gateway:
@Troniclab said in Allow IPs on another subnet straight to the WAN gateway:
@Jarhead All but one AP support VLANs. Unfortunately it's the one hosting 5 cameras plus one CP210 emitter
Also they can only be ASSIGNED to a VLAN, they cannot manage one
Ok, you're confusing the s**t out of me now.
Basically what you want is a "guest wifi" network, correct? They have Internet access but no access to anything else, i.e. cams. You want the "admin network" (i.e. employees/workers) to have access to everything, correct?
If so, why would you change to a /16 subnet? That doesn't change anything you had except make it a bigger subnet.
What do you mean "manage" a VLAN?
You need to be able to send 2 VLANs throughout the whole network. So you're gonna need to replace those 2 switches and configure the APs.
If you can't do that you'll need to separate the 2 networks with separate APs. There's not a lot of options for separating layer 2 traffic -
@Jarhead I was afraid you'd say that... Unfortunately I came to the same conclusion myself... but, again, the CP210s only have the option to be assigned to a VLAN (1, 2, 3...), but the VLAN would be the SAME anyway for both visitors and IP cams. I honestly can't see a way out. If only there was the option of a "guest wifi" to channel the DHCP clients into...
-
@Troniclab What is the cp210? Do you have a link for the manual?
-
@Jarhead CPE210, sorry, misled you.
-
@Troniclab So then you should be good. But you'll need to replace the two switches so you can "trunk" the ports to the APs.
You'll have to send 2 VLANs throughout the network and you'll have two SSIDs. One guest and one management. Can you log in to one of the CPE210s and check the firmware?
Might have to update it but from a quick Google you should have a "layer 2" menu where you can config VLANs -
@Jarhead firmware says as follows:
2.2.3 Build 20201110 Rel. 60634 (4555)
At the moment all the 210s are in AP mode and enabling multi-SSID shows a table that has a "VLAN" column so, I guess, they can route different SSIDs to different VLANs. I couldn't see the option because (obviously) I had only one SSID running, and the machine was like "dude, there's only one road, I can't route elsewhere" ;-)
So, getting rid of the 5- and 8-port unmanaged switches and getting a 16-port managed one, I can throw everything at the firewall and it will be able to select what is what, right?
The whole operation being pro bono/non-profit, I was thinking about a TP-Link Easy Smart switch like this one: TL-SG1016DE.
It has an integrated management console for VLANs, which should be just fine without costing much. I had a bunch of them installed in a multi-apartment condo with VLANs for every apartment to avoid wannabe hackers nosing around. Could you take a look and see if it's what we need for this application? If so, I'll buy it immediately and start reconfiguring all the SSIDs of the park. -
@Troniclab Yeah, that will work. Not the greatest but I've used them and it'll do.
-
@Jarhead switch arrived this morning, will install the configuration tool on the office PC and set its IP in the LAN subnet.
Once all the machines are connected to the firewall through the switch, I should put the Fritz on DMZ and manage port forwarding from the firewall itself, right? There are some ports I need open for UPS, NAS, RDP, etc. -
@Troniclab Yup. You're gonna have to trunk the ports connected to the APs. Set up the VLANs in the APs with the correct SSIDs.
You should probably just start with ANY ANY rules on both subnets to test, then block as needed. -
@Jarhead OK, will try with the only segment of the network I can easily access also by hand, so that if anything goes wrong I can reset the machines and try again. Once that segment is functional I'll apply the same procedure to the other ones that hopefully will work as well. Will keep you posted.
-
I am officially getting frustrated. I was setting an IP cam to the new SSID and now the pfSense machine randomly reboots, cutting me off from the web GUI and making me lose the cam for good. I don't know wtf happened.
-
@Troniclab
Update: had to reset the camera and start over.
On pfSense
- assigned VLAN 1 and 2 to the LAN interface
On the switch
- created 802-based VLAN 2 with untagged ports 1 and 13 (the one going to the AP)
On the AP
- created a secondary SSID assigned to VLAN 2
On the cam
- linked to the new SSID... the cam is not pingable any longer.
I get it back if I reassign the secondary SSID to VLAN 1.
Probably something wrong in the switch settings... my knowledge is limited, so far I only used port-based VLANs. -
@Troniclab I thought you said you have 3 NICs in pfSense, didn't you? I haven't gone back and read this thread again but if you did, just use both for each subnet. No need for a VLAN in pfSense, but if you want to do it that way, then you can leave the "LAN" as default and just add 1 VLAN to it. This way your LAN traffic will be untagged and the VLAN will be tagged.
In the switch, the interface going to pfSense will be tagged with the VLAN id you used in the router, and untagged with VLAN 1. You need to do 802.1Q VLANs.
Do the same thing on the port going to the AP you're testing with.
The best thing you can do is test this right from the switch with wired devices before you add in the APs. To do this, set one port as PVID 2 (assuming you used VLAN id 2) and untagged with VLAN 2. This is after you did the above "trunk" to pfSense. Then plug one device into the VLAN 2 port; it should get an address, if you enabled DHCP on it, and have Internet access. Then plug another device into another port that has VLAN 1 untagged on it. It should get an address and have Internet. They should both be able to access each other. Then add firewall rules to block as needed.
Where you're at up to now, you have the 2 subnets in pfSense. They both go to the switch over the trunk. They are both broken out to 1 port (or more) on the switch and can be used per each network.
Once you have this working, add the one AP and make sure it works the same as the wired devices. Then add the rest. -
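Editor's added example (not a post from this thread, and not pfSense or TP-Link code): a small model of how an 802.1Q switch classifies frames on ingress and tags or strips them on egress, used to check the two switch configurations discussed above on paper. It assumes, as the thread does, that port 1 goes to the pfSense LAN NIC, port 13 to the CPE210 under test, VLAN 1 is the LAN and VLAN 2 the guest SSID, that the AP sends guest-SSID frames tagged with VLAN 2, and that in the failing attempt the PVID of ports 1 and 13 was left at 1 (the post does not say it was changed). Port 5 as a wired test port is a constructed value. The point it shows: with VLAN 2 set "untagged" on the pfSense port, guest frames leave the switch without a tag and land on the parent LAN interface rather than the VLAN 2 sub-interface, so the camera never reaches the network pfSense is serving for VLAN 2; the tagged trunk delivers them where the VLAN interface expects them.

```python
"""
Toy model of 802.1Q port handling on a small managed switch, to check a VLAN plan
before cabling it. Added example; not code from this thread, pfSense, or TP-Link.
Port numbers and VLAN ids are constructed from the thread.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PFSENSE_PORT = 1   # switch port cabled to the pfSense LAN NIC (constructed)
AP_PORT = 13       # switch port cabled to the CPE210 under test (constructed)
TEST_PORT = 5      # spare port for the wired test described in the thread (constructed)
LAN_VLAN = 1
GUEST_VLAN = 2


@dataclass
class Port:
    """802.1Q membership of one switch port."""
    pvid: int                                        # VLAN that untagged ingress frames are put into
    tagged: Set[int] = field(default_factory=set)    # VLANs this port sends out with an 802.1Q tag
    untagged: Set[int] = field(default_factory=set)  # VLANs this port sends out with the tag stripped


Switch = Dict[int, Port]
Frame = Tuple[int, str]  # (vlan, "tagged" | "untagged") as the frame leaves the egress port


def classify_ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN a frame is classified into on arrival, or None if ingress filtering drops it."""
    if tag is None:
        return port.pvid
    return tag if tag in port.tagged or tag in port.untagged else None


def egress_mode(port: Port, vlan: int) -> Optional[str]:
    """How a VLAN leaves this port: 'tagged', 'untagged', or None if the port is not a member."""
    if vlan in port.tagged:
        return "tagged"
    if vlan in port.untagged:
        return "untagged"
    return None


def forward(switch: Switch, src: int, tag: Optional[int], dst: int) -> Optional[Frame]:
    """Push one frame through the switch from port src to port dst."""
    vlan = classify_ingress(switch[src], tag)
    if vlan is None:
        return None
    mode = egress_mode(switch[dst], vlan)
    return None if mode is None else (vlan, mode)


def pfsense_interface(frame: Optional[Frame]) -> Optional[str]:
    """Which pfSense interface sees a frame arriving on the LAN NIC: untagged frames hit
    the parent LAN, tagged frames hit the VLAN sub-interface with that id."""
    if frame is None:
        return None
    vlan, mode = frame
    return "LAN" if mode == "untagged" else f"LAN.vlan{vlan}"


# The thread's failing attempt: VLAN 2 "untagged" on ports 1 and 13, PVID left at 1 (assumed).
BROKEN: Switch = {
    PFSENSE_PORT: Port(pvid=LAN_VLAN, untagged={LAN_VLAN, GUEST_VLAN}),
    AP_PORT: Port(pvid=LAN_VLAN, untagged={LAN_VLAN, GUEST_VLAN}),
}

# The trunk plan: ports to pfSense and the AP carry VLAN 1 untagged and VLAN 2 tagged;
# a wired test port is PVID 2 / untagged 2 only.
TRUNKED: Switch = {
    PFSENSE_PORT: Port(pvid=LAN_VLAN, tagged={GUEST_VLAN}, untagged={LAN_VLAN}),
    AP_PORT: Port(pvid=LAN_VLAN, tagged={GUEST_VLAN}, untagged={LAN_VLAN}),
    TEST_PORT: Port(pvid=GUEST_VLAN, untagged={GUEST_VLAN}),
}


def guest_ssid_lands_on(switch: Switch) -> Optional[str]:
    """A camera on the guest SSID: the AP tags its frames with VLAN 2 (assumed AP behaviour)."""
    return pfsense_interface(forward(switch, AP_PORT, GUEST_VLAN, PFSENSE_PORT))


def main_ssid_lands_on(switch: Switch) -> Optional[str]:
    """A device on the primary SSID: the AP sends its frames untagged."""
    return pfsense_interface(forward(switch, AP_PORT, None, PFSENSE_PORT))


def wired_test_lands_on(switch: Switch) -> Optional[str]:
    """A laptop on the PVID-2 test port sends plain untagged frames."""
    return pfsense_interface(forward(switch, TEST_PORT, None, PFSENSE_PORT))


if __name__ == "__main__":
    print("broken  : guest SSID ->", guest_ssid_lands_on(BROKEN))   # LAN (wrong interface)
    print("trunked : guest SSID ->", guest_ssid_lands_on(TRUNKED))  # LAN.vlan2
    print("trunked : main SSID  ->", main_ssid_lands_on(TRUNKED))   # LAN
    print("trunked : wired test ->", wired_test_lands_on(TRUNKED))  # LAN.vlan2
```

Reading the output: in the broken layout the guest frames arrive at pfSense untagged, so the LAN interface (not the VLAN 2 one) answers them and the camera is stranded on the wrong network; in the trunked layout the same frames arrive tagged and reach LAN.vlan2, and a laptop on the PVID-2 test port reaches it too, which is the wired check worth doing before touching the APs. Real switches differ in whether a port may be untagged in more than one VLAN and in how strictly they filter on ingress, so treat the model as a planning aid and verify on the hardware.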
@Jarhead I need to put everything on hold: the pfSense machine randomly reboots and then gets stuck, taking the whole network offline. I have to find out what happens and why. Will come back to you as soon as I have a stable firewall.