Additional router between pfSense & computers?
-
My company is upgrading to VoIP service. They initially wanted to take away my pfSense box that I've had set up for over a year and a half. After discussing it with the VoIP company, they said that we can just add their box, a Linksys WRT54GL, running DD-WRT 2.2.something. Here are the details:
pfSense box:
3 interfaces, LAN, WAN, OPT.
WAN: Hardcoded IP, not sure what it is, something in the 72.209.x.x range, from our fiber provider. We are currently using one IP; we have 7 or 8 more available.
LAN: 192.168.1.1/24 range
They want to do this:
Net –> pfsense --> WRT54GL --> Switch
with the IP on the LAN side of the pfSense being changed to 172.25.0.1, and the WAN side of the WRT box being 72.25.0.2. The LAN side of the WRT would be 192.168.1.1/24, and it would take over DHCP duties, as well as traffic shaping so that we have consistent QoS for our phones even if bandwidth usage gets high everywhere else. They have stated that it would basically be a passthrough, and that it would not be doing NAT.
I need to find out, since this is the most complicated I have ever gotten with pfSense, what I need to do in order to make sure that we have internet access.
Yesterday, when we were trying to get it to work, we set up a route under System --> Static routes from 172.25.0.1 to the WAN IP, and that did not do it. We then tried adding rules under the WAN tab to allow this, and it didn't work either. By the time it was said and done, I had to do a factory reset in order to get everyone back online so that I could leave for the day, after we had pulled the WRT54GL box out of the mix.
I would appreciate any help in getting this thing up and going.
Sincerely,
John
-
Hi, I think you were almost there, and only missed the option:
Bypass firewall rules for traffic on the same interface
This option only applies if you have defined one or more static routes. If it is enabled, traffic that enters and leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where multiple subnets are connected to the same interface.

This option is under System -> Advanced. Your network setup should function other than that (I take it the 72 instead of 172 for the WRT's WAN IP was a typo). So this setup:
<internet>--<72.209.x.x>--[pfSense]--<172.25.0.1>--<172.25.0.2>--[WRT54GL]--<192.168.1.1>--<[192.168.1.x clients]>
should work, provided you have entered a static route for 192.168.1.0/24 via 172.25.0.2 and enabled the above option under System -> Advanced. Of course, also make sure the Firewall rules LAN tab includes a rule that allows traffic coming from 192.168.1.0/24. And the WRT needs to have 172.25.0.1 set as its default gateway, of course.

If you still have issues, start by diagnosing from the pfSense firewall using Diagnostics -> Ping (make sure you have a client available in the 172.25.0.0/24 network that can access the router). If not, use the System console shell function to ping. Start by trying to ping 172.25.0.2, then 192.168.1.1, then some random available IP in the 192.168.1.0/24 subnet that is behind the firewall, to narrow down the issue. If all that works, do the same (but in the opposite direction) from a computer in the 192.168.1.0/24 network.
Another thing, but that is beside your question: I really don't quite understand why on earth anyone would want to have a WRT54GL (running DD-WRT or any firmware for that matter) in between. I don't think there is anything DD-WRT can do that pfSense can't do (better). It doesn't sound professional to me and makes me doubt the ability of that company.
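The answer above boils down to a handful of addressing and routing conditions that all have to hold at once: the WRT's WAN address must sit inside pfSense's new LAN subnet, the WRT's default gateway must be pfSense, pfSense needs a static route for 192.168.1.0/24 whose next hop is on-link, the same-interface bypass must be on, and the LAN rules must admit the routed subnet. The script below is an added example, not code from either poster; it checks a plan for those conditions with Python's ipaddress module and reproduces the 72.25.0.2 vs 172.25.0.2 slip mentioned in the answer. Everything in it is constructed from the thread's addresses; nothing talks to pfSense or DD-WRT.

```python
"""Sanity-check the double-router plan from the thread (added example).

Topology modelled:
  internet -- pfSense (LAN 172.25.0.1/24) -- WRT54GL (WAN 172.25.0.2,
  LAN 192.168.1.1/24, gateway 172.25.0.1) -- 192.168.1.x clients
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import List, Tuple


@dataclass
class StaticRoute:
    network: IPv4Network
    gateway: IPv4Address


@dataclass
class Plan:
    pfsense_lan: IPv4Interface              # pfSense LAN address with prefix
    wrt_wan: IPv4Interface                  # WRT54GL WAN address with prefix
    wrt_lan: IPv4Interface                  # WRT54GL LAN address with prefix
    wrt_default_gw: IPv4Address             # default gateway configured on the WRT
    pfsense_routes: List[StaticRoute] = field(default_factory=list)
    bypass_same_interface: bool = False     # System -> Advanced option from the answer
    lan_rule_allows: List[IPv4Network] = field(default_factory=list)  # LAN tab sources


def check_plan(p: Plan) -> List[str]:
    """Return the list of problems found; an empty list means the plan is consistent."""
    problems = []
    lan_net = p.pfsense_lan.network
    client_net = p.wrt_lan.network

    # The WRT's WAN address must be inside pfSense's LAN subnet with the same prefix.
    # This is exactly what catches a 72.25.0.2 typed instead of 172.25.0.2.
    if p.wrt_wan.ip not in lan_net:
        problems.append(f"WRT WAN {p.wrt_wan.ip} is not inside pfSense LAN {lan_net}")
    if p.wrt_wan.network != lan_net:
        problems.append(f"WRT WAN prefix {p.wrt_wan.network} differs from pfSense LAN {lan_net}")

    # The WRT is not NATing, so everything it does not own must go back to pfSense.
    if p.wrt_default_gw != p.pfsense_lan.ip:
        problems.append(f"WRT default gateway {p.wrt_default_gw} should be {p.pfsense_lan.ip}")

    # pfSense needs a static route for the client subnet, and its next hop (the WRT's
    # WAN address) has to be directly reachable on the LAN interface.
    routes = [r for r in p.pfsense_routes if r.network == client_net]
    if not routes:
        problems.append(f"no static route on pfSense for {client_net}")
    for r in routes:
        if r.gateway != p.wrt_wan.ip:
            problems.append(f"route for {client_net} uses {r.gateway}, expected {p.wrt_wan.ip}")
        if r.gateway not in lan_net:
            problems.append(f"next hop {r.gateway} is not on-link in {lan_net}")

    # Traffic between 172.25.0.0/24 and 192.168.1.0/24 enters and leaves pfSense on the
    # same interface; the answer says the bypass option is needed once static routes exist.
    if not p.bypass_same_interface:
        problems.append("'Bypass firewall rules for traffic on the same interface' is off")

    # The LAN rule set must allow the routed subnet as a source, not only "LAN net".
    if not any(client_net.subnet_of(n) for n in p.lan_rule_allows):
        problems.append(f"no LAN firewall rule permits source {client_net}")
    return problems


def ping_sequence(p: Plan, sample_client: IPv4Address) -> List[Tuple[str, str]]:
    """(from, to) pairs in the order the answer suggests: pfSense outward, then a client inward."""
    out = [(str(p.pfsense_lan.ip), str(t)) for t in (p.wrt_wan.ip, p.wrt_lan.ip, sample_client)]
    back = [(str(sample_client), str(t)) for t in (p.wrt_lan.ip, p.pfsense_lan.ip)]
    return out + back


def thread_plan(wrt_wan: str = "172.25.0.2/24") -> Plan:
    """The plan from the thread (constructed); pass '72.25.0.2/24' to reproduce the typo."""
    wan = IPv4Interface(wrt_wan)
    return Plan(
        pfsense_lan=IPv4Interface("172.25.0.1/24"),
        wrt_wan=wan,
        wrt_lan=IPv4Interface("192.168.1.1/24"),
        wrt_default_gw=IPv4Address("172.25.0.1"),
        pfsense_routes=[StaticRoute(IPv4Network("192.168.1.0/24"), wan.ip)],
        bypass_same_interface=True,
        lan_rule_allows=[IPv4Network("192.168.1.0/24")],
    )


if __name__ == "__main__":
    for label, plan in (("correct", thread_plan()), ("typo", thread_plan("72.25.0.2/24"))):
        print(label, check_plan(plan) or "OK")
    print(ping_sequence(thread_plan(), IPv4Address("192.168.1.50")))
```

Run it as-is to see the correct plan pass and the typo plan fail on three counts; the ping list is the order to work through in Diagnostics -> Ping before touching any rule.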
-
If their concern is only QoS, Siproxy and PPTP, you can notify the VoIP company that your pfSense box will do all that and do a darn better job than DD-WRT on the 54GL.
I started off on this hobby with HyperWRT & DD-WRT on a WRT54GS (8% faster processor, double the RAM & flash of the 54GL) to begin with, so I should know. Make overtures to them and see if they're willing to accept that and clone the HFSC curves (if any; most just set a flat service curve) onto the pfSense box instead. Makes things simpler to a certain extent anyway.