Always-on VPN not working with Protectli and Slate AP
-
My situation is that I'm attempting to segment my network into always-on VPN on one side and no VPN on the other. I'm using Michael Bazzell's Extreme Privacy 5th Edition as my guide and downloaded the config XML file for pfSense from inteltechniques.com/firewall. I have a modem/router/access point from my ISP that will act as the non-VPN wifi. That device's DHCP pool start/end: 192.168.1.64-253. I'm running pfSense 2.7.2 on a FW6D Protectli. I have Proton VPN configured on the LAN port with a kill switch. When I connect a laptop directly to that port I'm able to see the VPN IP assigned and test the kill switch successfully. The LAN's DHCP pool start/end: 192.168.1.10-63. I also have a Slate Plus GL-A1300 access point that I plan to use on the LAN port for always-on VPN connectivity. My problem is that after configuring the Slate to AP only mode and connecting it to LAN, it slowly flashes a blue light looking for a connection. When I plug it into any of the OPT ports it connects fine, broadcasting an IP. All of the OPT ports use firewall rules using gateway WAN_DHCP, while LAN uses VPN1_VPN4. What could be causing this issue? I'm trying to avoid buying a second access point and turning off all wifi and DNS on my ISP's modem/router, but I will if I have to.
-
@HareSpray said in Always-on VPN not working with Protectli and Slate AP:
The LAN's DHCP pool start/end: 192.168.1.10-63
What is your pfSense LAN IP ? 192.168.1.1 ?
What is your pfSense WAN IP ? An IP from this pool : "192.168.1.64-253" = also in the 192.168.1.x/24 network ?
That can't work. Your router (pfSense) can't route between interfaces with identical networks.
-
@Gertjan said in Always-on VPN not working with Protectli and Slate AP:
What is your pfSense LAN IP ? 192.168.1.1 ?
What is your pfSense WAN IP ? An IP from this pool : "192.168.1.64-253" = also in the 192.168.1.x/24 network ?
The IP that pfSense gets from my ISP's modem/router is 192.168.1.142. You're correct, the LAN IP on pfSense is 192.168.1.1. Is the fix for this to change either the ISP's device IP and DHCP start/end or the pfSense LAN IP and subnet range away from 192.168.1.x?
-
@HareSpray
Exact.
If you want to keep the original "192.168.1.x/24" on your LAN, now your pfSense LAN, then change your ISP LAN (and its DHCP pool) to, for example, 192.168.10.1/24 with a pool like 192.168.10.10->192.168.10.20.
Your pfSense should obtain a WAN IP using its DHCP-client like 192.168.10.x (and gateway 192.168.10.1) where x will be in this ISP router's DHCP pool.
-
@Gertjan Thanks for your reply. I changed the pfSense LAN IP to 192.168.6.1 and the range from 10-250. However, that didn't resolve the problem. When I connect the Slate AP to that port, the blue light on the front slowly blinks and there is no connectivity. I also tested using port OPT2 and changing to gateway VPN1_VPN4 and have the same results with no connectivity. It seems that the Slate doesn't like the VPN gateway setup on the pfSense. But I'm baffled as to why it works via Ethernet to a laptop. I'm no expert in networking but it seems like this is a fairly straightforward setup.
-
@HareSpray said in Always-on VPN not working with Protectli and Slate AP:
When I connect the Slate AP to that port
Probably not needed, but did you check the IP and IP settings this AP uses ?
This AP probably has a GUI also, so you should change the IP settings : for example :
192.168.6.2 network 255.255.255.0 gateway 192.168.6.1 - DNS 192.168.6.1
If it uses DHCP, you should check if it got a lease from pfSense. This will also give you its IP. Anyway, now you know why I proposed to change the LAN settings of the upstream router, not the pfSense LAN. I'm a fan of 'KIS'.
Don't know anything about Slate APs or blue blinking light.
And it was a long time ago I stopped using VPN stuff. I do use the OpenVPN server of pfSense, so I can access pfSense safely from the outside.
-
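A small addressing-plan check, added here and not part of the thread, that encodes the two rules from Gertjan's replies: pfSense WAN and LAN must not be on the same network, and a statically configured AP must sit on the LAN network, outside the DHCP pool, with the pfSense LAN IP as its gateway. The addresses are the ones quoted in the thread; the WAN address 192.168.10.15 for the proposed upstream change is an assumed example lease.

```python
from ipaddress import ip_address, ip_interface

def check_plan(wan_if, lan_if, lan_pool, ap_if=None, ap_gw=None):
    """Return a list of problems with a pfSense WAN/LAN addressing plan.

    wan_if, lan_if : pfSense interface addresses as 'a.b.c.d/prefix'
    lan_pool       : (first, last) addresses of the LAN DHCP pool
    ap_if, ap_gw   : optional static IP/prefix and gateway set on the AP
    """
    problems = []
    wan = ip_interface(wan_if)
    lan = ip_interface(lan_if)

    # Rule 1: pfSense cannot route between interfaces on overlapping networks.
    if wan.network.overlaps(lan.network):
        problems.append(f"WAN {wan.network} overlaps LAN {lan.network}")

    # Rule 2: the DHCP pool must lie inside the LAN network and
    # must not hand out the router's own address.
    first, last = ip_address(lan_pool[0]), ip_address(lan_pool[1])
    if first > last:
        problems.append("LAN DHCP pool start is after its end")
    if first not in lan.network or last not in lan.network:
        problems.append(f"LAN DHCP pool {first}-{last} is outside {lan.network}")
    if first <= lan.ip <= last:
        problems.append(f"LAN DHCP pool contains the pfSense LAN IP {lan.ip}")

    # Rule 3: a statically addressed AP must be on LAN, outside the pool,
    # and point at pfSense as its gateway.
    if ap_if is not None:
        ap = ip_interface(ap_if)
        if ap.network != lan.network:
            problems.append(f"AP {ap} is not on the LAN network {lan.network}")
        elif first <= ap.ip <= last:
            problems.append(f"AP IP {ap.ip} is inside the DHCP pool")
        if ap_gw is not None and ip_address(ap_gw) != lan.ip:
            problems.append(f"AP gateway {ap_gw} is not the pfSense LAN IP {lan.ip}")
    return problems

if __name__ == "__main__":
    # Original setup from the thread: ISP router and pfSense LAN both 192.168.1.0/24.
    print(check_plan("192.168.1.142/24", "192.168.1.1/24", ("192.168.1.10", "192.168.1.63")))
    # After moving the pfSense LAN to 192.168.6.1/24 with the suggested static AP config.
    print(check_plan("192.168.1.142/24", "192.168.6.1/24", ("192.168.6.10", "192.168.6.250"),
                     "192.168.6.2/24", "192.168.6.1"))
```

An empty list for the second case shows the addressing is no longer the reason the AP fails to get connectivity on LAN, which is exactly where the thread ends up.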
@Gertjan I have allowed pfSense's DHCP to dole out the IP for the AP. I tried assigning an IP as you recommend but it didn't help. I've also ordered another AP to see if there is something about the software there that's causing the issue.