Please assist me with settings
-
I have network:
pfSense as main router + Asus GT-BE19000AI router in router mode.
pfSense LAN IP is 192.168.10.1 and the Asus router WAN static IP is 192.168.10.2; the Asus router internal network is 192.168.50.0/24. I disabled NAT and firewall on the Asus router to avoid double NAT and made a static route on pfSense. Everything is working and I'm able to get internet from Asus router clients, but I can't reach Asus router clients from pfSense. Ping is not working. What I did was allow ping on the Asus router WAN, and I'm able to ping the Asus router itself from pfSense, but not clients behind the Asus router. Are there any options to make it work? The main reason to do this is that this new Asus router has separate space for native Portainer with Docker, and I want to use pfSense Telegraf to send metrics to the Asus router InfluxDB with a Grafana dashboard. It could be that access to the internal Asus router network is not needed for this to work, but anyway, how do I set this up to be able to reach the Asus router internal network from pfSense?
-
@Antibiotic pfSense will need a static route to send packets to the Asus router.
https://docs.netgate.com/pfsense/en/latest/routing/static.html#example-static-route
-
@SteveITS said in Please assist me with settings:
https://docs.netgate.com/pfsense/en/latest/routing/static.html#example-static-route
Already did this, and the static route is working fine with Asus router NAT disabled. I want to reach my Asus router internal network from pfSense, not from Asus router clients to pfSense.
-
@Antibiotic The Asus router will probably have to allow the LAN network to reach the Asus-LAN devices, in the Asus firewall rules.
-
@SteveITS The Asus firewall has only this option:

Do you mean pfSense LAN network 192.168.10.0/24 to Asus network 192.168.50.0/24?
-
@Antibiotic said in Please assist me with settings:
Do you mean pfSense LAN network 192.168.10.0/24 to Asus network 192.168.50.0/24?
Yes, the Asus WAN interface (firewall) would need to allow ICMP from 192.168.10.0/24 to 192.168.50.0/24.
-
@Antibiotic you could just use your Asus as an AP; it would still be able to host services, etc. Just connect one of its LAN ports to the pfSense network. Disable the Asus DHCP server and give the Asus LAN an IP on your pfSense network.
-
Hey there,
as @johnpoz said... most routers can work in "IP client mode", meaning they do not function as a router anymore but as a mere switch (LAN ports) and/or WLAN AP. Since in that mode there is no routing and no NAT and nothing... you can reach all devices connected to that ex-router directly... So: do you have a special reason for using your Asus as a fully grown router, building a router cascade... making it all a bit more difficult? Or was that with no real purpose (since pfSense could separate VLANs and subnets by itself, no usage for extra hardware besides a switch) and rather a design accident ;) ?
-
If I’m not mistaken, the issue you’re facing is not caused by your configuration but by a limitation in the Asus router firmware.
Even with NAT disabled, firewall disabled, and correct static routes, an Asus router operating in Router Mode does not allow routing from the WAN interface toward the LAN network. The WAN interface always treats the upstream device (pfSense in your case) as “Internet”, which means it blocks any attempt to reach LAN clients in the 192.168.50.0/24 subnet. This is why you can ping the Asus WAN IP from pfSense, but you cannot reach any clients behind it.
If you need full communication from pfSense to the devices behind the Asus, the only supported solution is to run the Asus in Access Point Mode, so it becomes part of the same LAN (192.168.10.0/24).
For the use case you described (Portainer, Docker, InfluxDB, Grafana), a separate subnet is not required. In AP Mode all services will be directly reachable, and pfSense’s Telegraf can send metrics to InfluxDB without any routing or NAT-related issues.