Using the WiFi in your gateway as a separate subnet/VLAN



  • Hello everyone,

    I'm new here, so pls don't be mean…

    I don't know if anyone else has hit this sort of thing before, but am sure lots of people use bridged connections from their pfSense boxen to their Internet gateways. Many would be using commodity gateways like the Linksys WRT54G (on cable), or some wireless ADSL modem (on PSTN) like me.  Quite possibly, many of us are not using the Wireless interfaces these systems have built-in, as we just route the data straight through to our pfSense firewalls.  That's a shame as so many of these devices include Wi-Fi, so when one doesn't use it, it just sits there wasting energy and frying our brains :)

    The choice: Turn it off, (which sometimes means opening up your router and pulling out the PCI card), or use it.  This thread is about doing the latter (I hope).

    What I am hoping, is it that it is possible to route traffic for a WiFi network back to the WAP part of the gateway (from a pfSense interface), whilst at the same time have pfSense run the PPPoE/bridged link for all the WAN traffic.

    i.e. Here is a typical setup:
    Internet
    |
    #.#.#.#/0
    ISP
    #.#.#.#/0
    |
    #.#.#.#/0
    Commodity Wireless ADSL Gateway (modem in bridged mode) or WRT54G in bridged mode
    172.16.16.254
    |  
    172.16.16.253
    pfSense (WAN set to use PPPoE), two LAN interfaces:
    192.168.0.x/24 and 192.168.1.x/24
    /||
    Client PCs

    Perhaps one needs to define and bridge a VLAN in pfSense that can route back to the gateway's LAN all the data destined for the wireless devices. Or maybe all it would take is static routes. (I am hoping someone might know better than me). Static routes would be best, as only a few of these devices recognise VLAN traffic. Not sure how to handle security given that it'd be going over the same wire as the PPPoE traffic.

    Appending this to the above diagram, I am talking about adding a path for all Wi-Fi traffic back out to the gateway (destined for its switch & WiFi interface, not its WAN NIC). Now a lot of commodity gateways might not be designed or wired to support this, but maybe some would? For example, those that support VLANs tend to have better routing features; built-in VPN, etc.

    I have one here at the moment that has a VoIP gateway inside too (it's a Billion 7404VGO).  Others even include Linksys WRT54G (DD-WRT/OpenWRT/Tomato) and WAG54G (w/ Pluto firmware).  I am currently trying to define different VLANs for each switch port on the back of the Billion (fw 5.74d)- i.e. one for the WAN link from pfSense to the bridged modem, 3 for a WiFi VLAN defined in pfSense. That means 2 cables to the modem. I'm still working out if the modem settings will allow the VoIP and WAP to work if their gateway is remote instead of the device's own WAN port. If I can use its WAP and/or VoIP gateway, w00t!

    Anyway it's just a thought, I haven't been able to get it going yet, so may need to use a separate WAP as everyone else seems to.

    The slightest suggestions and/or grains of wisdom would be warmly welcomed of course.  Of course after writing all that as my first post, someone will probably chime in and say, "that is what I do with my setup, this is how it works…"

    So here's to hoping... and thank you for reading my first post! It'd be really cool if all this would work out as effectively as I'm hoping.



  • I have to admit I don't understand what you are trying to do.  Most people I see who have a commodity wireless router disable the WAN and DHCP, and plug its LAN interface into the pfsense LAN and use it as an access point.  What are you proposing that somehow improves on that?



  • @danswartz:

    I have to admit I don't understand what you are trying to do.  Most people I see who have a commodity wireless router disable the WAN and DHCP, and plug its LAN interface into the pfsense LAN and use it as an access point.  What are you proposing that somehow improves on that?

    Thanks for letting me know. I guess it's a bit verbose… what I'm trying to do is get the WiFi in the wireless gateway running off of an interface in pfSense- i.e. the gateway connects to the web and to pfSense's PPPoE implementation to route packets to the filter, but an interface on pfSense connects back to the router part of the gateway to use that as a LAN (and/or WLAN)... I hope that makes it clearer.

    I think the question is just whether one can do these things at once, which is why I thought defining a VLAN might be the only way to go (and even then, the gateway may not be wired to support 'multi-use').

    However I can't get the interfaces in my dev build version of 2 working quite right (in the GUI), atm it is not clear what is not working.



  • well, okay, but that gets me back to my original question: what problem are you trying to solve?  you haven't said that the (trivially easy) solution i proposed is not right for you, so i don't know why you want to do this.  if it is because you are curious, you probably aren't going to get a lot of help, since the (free) support here is more interested in helping people with real problems (at least i fall into that category.)  i am not saying that to be snotty or anything, just the realities.



  • Thank you for your replies.

    My apologies. I should have been clearer: I am trying to get my gateway to do 2 things… be a bridge to WAN and also a LAN switch and/or WLAN AP.  Hell, if it has a VoIP gateway, VPN or USB devices in it, enable them to be accessible too (via an interface on the pfSense host's LAN).  I don't want to necessarily abandon all the functionality the commodity device has in it because I want it to be my bridge to an upstream Internet gateway.  However I am under no illusions that what I am doing has the potential to provide a path around the filter, hence the VLAN and if necessary, two cables to the 'commodity device'.

    Re help, no I don't expect any- I'll report how it goes (tho so far that isn't too good). I am trying with a VLAN atm.



  • Danswartz: Here's my take on why someone might be interested in doing this.

    Suppose you are on a restricted budget and you have a wireless modem to cable or ADSL. You have discovered the limitations of the cheap versions of such modems and have scrounged a system to run pfSense and like pfSense.  But you still need wireless access and because of your limited budget (money, slots, equipment, whatever) you want to know if it's possible to use the wireless hardware support in the modem you already have but want pfSense to have some control over the wireless traffic.

    Or, maybe you are fairly new to networking and just want to see if you can make the suggested configuration work - as a learning exercise.

    Where I live it's possible to get a USB wireless NIC or a PCI wireless NIC for under US$25.  One of those devices can turn a pfSense system into a wireless access point. I'd rather pay that (for me) small sum than spend the time mucking around trying to get the suggested method to work. Therefore I'd just disable the wireless interface in the modem and forget it's there. Others may be cash poorer and time richer than I am so may be prepared to spend the time I'm not prepared to spend.

    My home network interface to ADSL started with a 4 port modem/router. Then I added a Smoothwall firewall to give me better control over the home network interactions with the Internet. A couple of years later a house guest and a family member bought wireless capable laptops and I changed over to pfSense since Smoothwall had very "klunky" wireless support. I did think about purchasing an ADSL modem with wireless support but it was cheaper to add a wireless interface to my firewall and I decided that managing both wireless and firewall capabilities from the one box would be much more convenient than splitting the management across two boxes with different GUIs. Besides, using the ADSL modem with wireless support would have allowed the wireless connected systems to bypass the pfSense firewall.



  • I got that, wallaby.  But the first post referenced something like a vanilla linksys, which does not have a modem, so…



  • @danswartz:

    I got that, wallaby.  But the first post referenced something like a vanilla linksys, which does not have a modem, so…

    True, but it also mentioned ADSL "gateway". The original poster said they had a Billion 7404VGO. I don't know about that particular model but at least some members of the 7404 series have ADSL support.



  • @wallabybob:

    Danswartz: …my take on why someone might be interested in this: Suppose you are on a restricted budget

    !!! come on, say it…'if you're a cheapskate u might want to do this'...  ;D @wallabybob:

    and you have a wireless modem to cable or ADSL. You have discovered the limitations of the cheap versions of such modems and have scrounged a system to run pfSense and like pfSense.  But you still need wireless access and because of your limited budget (money, slots, equipment, whatever) you want to know if it's possible to use the wireless hardware support in the modem you already have but want pfSense to have some control over the wireless traffic.

    Well there are many scenarios… I am a cheapskate often (oh dear, my secret has been exposed in first post), but not with hardware. If I have no budget, I go old over good rather than new but crap.  I do prefer minimal hardware and smart config (a bit too much I do admit) too, as this is a way to improve one's code (and waste days aimlessly hacking...).

    The absolute reason in this case is: I don't want to have a built-in WiFi interface as the box is an ESX host and won't support it probably, pass thru USB would suck and have to be in the DRP.  Another wireless router in addition to the ADSL gateway... no, because it uses more power to load the UPS, generates heat and adds ongoing cost and dependability.  (I like to have two of everything- so I don't want 4 commodity routers if instead I can have 2)
    @wallabybob:

    Or, maybe you are fairly new to networking and just want to see if you can make the suggested configuration work - as a learning exercise.

    Indeed. There are a few reasons…
    @wallabybob:

    … using the ADSL modem with wireless support would have allowed the wireless connected systems to bypass the pfSense firewall

    Hmm.  If they were on a VLAN it'd be harder, but yes security here is a major compromise.  For me, the reason is less the WiFi AP. The more I think about it, the more I'd like to use the Billion's VoIP gateway… for others it might be USB NAS, or VPN... Anyway, you know 'what they say about justifications and statistics!'

    I'll report again once I can get a decent night's hacking done :)

