Pfsense + dd-wrt as bridge instead of router



  • Dear,

    I have a dd-wrt router with two SSIDs (used how-to: http://www.pennock.nl/dd-wrt/Multiple_BSSIDs.html) configured as follows:

    private.wifi.office.it2go.eu
    IP-range : 192.168.100.1/24
    Security : none

    public.wifi.office.it2go.eu
    IP-range : 192.168.200.1/24
    Security : WPA2

    Now, I have a pfsense router online that binds my 2 VDSL connections (a 30/4.5mbit connection and a 25/3.5mbit connection).  The IP range of my pfsense router is 10.0.0.1/24.

    I want to make sure that the dd-wrt router is a bridge, and the DHCP server on my pfsense router gives the IPs out (with another IP range: private IP range as 10.1.0.1/24, private as 10.2.0.1/24).  Which changes do I have to make on my pfsense router and my dd-wrt router?  I believe I have to work with VLANs or something?  Can anyone help me with setting this up?

    Posted on dd-wrt.com forums and pfsense.org forums.

    Thank you!
    Kris



  • On pfsense side nothing if you put the dd-wrt as a bridge.

    On another side note, if you find a wireless card, pfSense supports multiple BSSIDs too.



  • @ermal:

    On pfsense side nothing if you put the dd-wrt as a bridge.

    On another side note, if you find a wireless card, pfSense supports multiple BSSIDs too.

    What kind of wireless card can I use, for example?  (so I can take a look at the price of it)
    With the situation right now I thought I had to make VLANs or something so that pfsense's DHCP server can divide the IPs.  Because the private SSID has to be another IP range than the public SSID.  And those two IP ranges have to be different from the cabled network.  At this moment it all works, but the dd-wrt router divides the IP addresses itself; I want to use the pfsense router to do that (otherwise there is a double NAT etc.)

    Like I said:

    • wired network : 10.0.0.1/24 (that's ok right now : that's my pfsense router)
    • public SSID : 10.1.0.1/24
    • private SSID : 10.2.0.1/24


  • Oh in that case you need vlans on pfSense and on the dd-wrt as well on the port linking to the pfSense.
    Then a bridge on dd-wrt or pure routing.
    Do not forget dhcp server config on pfSense for each vlan.



  • @ermal:

    Oh in that case you need vlans on pfSense and on the dd-wrt as well on the port linking to the pfSense.
    Then a bridge on dd-wrt or pure routing.
    Do not forget dhcp server config on pfSense for each vlan.

    Ermal,
    First of all: thanks again for all your answers and your time!  As I've mentioned, I thought I had to use VLANs.  Little problem: I've never worked with that before and I don't know exactly how to fix it at all…  Could you please help me to set up the 2 VLANs (1 public, 1 private) and how to set the right DHCP server config for each VLAN?

    I've posted my current config in case you want to know more about my pfsense setup.. (http://krisken.dommel.be/pfsense/config.xml)

    Thanks again
    Kris



  • Or if someone else can help me with this issue?



  • I can't help you with the dd-wrt configuration except to support Ermal's suggestions.

    I think you will have to configure the dd-wrt to use VLANs on one of its ports (the "WAN" port?, in which case to avoid double NAT you will probably have to bridge the dd-wrt WAN port to the wireless LANs).

    On the pfSense side, you could use another NIC (VLAN capable) to connect to the dd-wrt (a straight through cable will probably work but you might need a cross over cable) and configure VLANs on that interface to correspond to the dd-wrt VLANs.

    To learn more about VLANs you could read the Wikipedia article on VLAN and some of the linked pages (especially VLAN FAQs and OpenWRT guide to VLANs), look for VLANs in the pfSense documentation collection (follow the documentation link from the home page) and search the pfSense forums (for example, an article on configuring VLANs in a netgear switch was recently posted).

    If you are still looking for help on pfSense you will probably need to ask much more specific questions.



  • New to pfSense 2.0 the ath and ral drivers support some form of multiple stations. I have no experience with this and so can't comment on whether this would be suitable for your requirements. There is a little more information on the FreeBSD 8.1 man pages for ral and ath. (FreeBSD man pages are accessible from http://www.freebsd.org/cgi/man.cgi). Where I live PCI cards known to these drivers can be purchased for less than the local equivalent of US$20. (In the case of the ath driver, I don't know that the card I'm thinking of has the necessary capability for supporting multiple SSIDs. The man pages suggest the capability is chipset specific.)

    If dd-wrt can be configured as ermal suggested you would probably get a function setup that route than you would if you attempted to use the above described wireless capabilities of pfSense.



  • @wallabybob:

    In the case of the ath driver, I don't know that the card I'm thinking of has the necessary capability for supporting multiple SSIDs. The man pages suggest the capability is chipset specific.

    I haven't heard of it being chipset-specific so far; it has worked with all cards using ath that I've heard of anyone trying it on.  There may be at least some kind of minimum requirement, though, like AR5212 or higher (which probably covers almost everything Atheros that anyone is selling, of those supported by ath).



  • Which router do you have running DD-WRT?  Not all routers that run DD-WRT have internal LAN switches that are VLAN capable.  Each router will have a different means of assigning the switchports for VLANs due to differing port and interface names.



  • @Efonne:

    @wallabybob:

    In the case of the ath driver, I don't know that the card I'm thinking of has the necessary capability for supporting multiple SSIDs. The man pages suggest the capability is chipset specific.

    I haven't heard of it being chipset-specific so far; it has worked with all cards using ath that I've heard of anyone trying it on.  There may be at least some kind of minimum requirement, though, like AR5212 or higher (which probably covers almost everything Atheros that anyone is selling, of those supported by ath).

    The section of the man page I was referring to says: Multiple hostap virtual interfaces may be configured for simultaneous use on cards that use a 5212 part. Since other chipsets are mentioned in the man page it seems like this particular capability might be specific (or believed to be specific) to the 5212.



  • So far I have at least not heard of any 5212 or above chipset that does not support that feature (it has worked on all that I've heard it has been tried on), but I have not heard of anyone trying it on anything below that either.



  • @dreamslacker:

    Which router do you have running DD-WRT?  Not all routers that run DD-WRT have internal LAN switches that are VLAN capable.  Each router will have a different means of assigning the switchports for VLANs due to differing port and interface names.

    WRT54GL (linksys)



  • @krisken:

    @dreamslacker:

    Which router do you have running DD-WRT?  Not all routers that run DD-WRT have internal LAN switches that are VLAN capable.  Each router will have a different means of assigning the switchports for VLANs due to differing port and interface names.

    WRT54GL (linksys)

    That should work fine.  Just google for: DD-WRT VLANs
    One of the first few hits has a guide on setting up the switch port for VLANs on the WRT54 series.
    Here:  http://www.geek-pages.com/articles-for-geeks-mainmenu-2/1-latest/26-8021q-trunking-on-the-linksys-wrt54gsl-with-dd-wrt

    Then hobcobble the guide in your post to use the bridges to bridge each virtual BSSID to a VLAN instead.

    i.e.  Say you have VLAN 10 & 20 for private and public respectively then
    br0 members:  VLAN 10 and et0
    br1 members:  VLAN 20 and et0.1 (virtual BSSID for public)

    Then select a port for the trunking and add VLAN10 and 20 to it.  You will also want to remove the lines related to DHCP since you want pfSense to handle that.
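
An added example, not written by any poster in this thread: once the trunk is up, one way to confirm that each SSID really lands in its own VLAN and that only pfSense answers DHCP is to inspect DHCP replies on the trunk and compare the offered address with the subnet planned for that 802.1Q tag. The VLAN IDs 10 and 20 are the example IDs from the post above, the subnets are the original poster's plan, and the function names and the sample frames are constructed for illustration.

```python
import ipaddress
import struct

# Plan from the thread: VLAN 10 = private SSID, VLAN 20 = public SSID (the
# thread's example IDs), untagged (None) = wired LAN behind pfSense.
PLAN = {None: ipaddress.ip_network("10.0.0.0/24"),
        10: ipaddress.ip_network("10.2.0.0/24"),
        20: ipaddress.ip_network("10.1.0.0/24")}

def parse_dhcp_reply(frame):
    """Return (vlan_id, offered_ip) for a BOOTP/DHCP server reply, else None."""
    if len(frame) < 18:
        return None
    vlan, off = None, 14
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == 0x8100:                       # 802.1Q tag present
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18              # low 12 bits carry the VLAN ID
    if ethertype != 0x0800 or len(frame) < off + 20 or frame[off + 9] != 17:
        return None                               # not IPv4/UDP
    udp = off + (frame[off] & 0x0F) * 4           # skip IPv4 header (IHL words)
    bootp = udp + 8
    if len(frame) < bootp + 20:
        return None
    if struct.unpack("!HH", frame[udp:udp + 4]) != (67, 68) or frame[bootp] != 2:
        return None                               # not a server-to-client BOOTREPLY
    return vlan, ipaddress.ip_address(frame[bootp + 16:bootp + 20])  # yiaddr

def check(frame):
    """Classify one frame seen on the trunk: 'ignored', 'ok' or an ALERT string."""
    parsed = parse_dhcp_reply(frame)
    if parsed is None:
        return "ignored"
    vlan, offered = parsed
    if vlan not in PLAN:
        return f"ALERT: DHCP reply on unplanned VLAN {vlan}"
    if offered not in PLAN[vlan]:
        return f"ALERT: VLAN {vlan} handed out {offered}, expected {PLAN[vlan]}"
    return "ok"

def build_reply(vlan, yiaddr):
    """Constructed sample frame: Ethernet/IPv4/UDP/BOOTP reply, checksums zeroed."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    eth = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + tag + struct.pack("!H", 0x0800)
    bootp = (struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0) + bytes(4)
             + ipaddress.ip_address(yiaddr).packed + bytes(216))
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp),
                     0, 0, 64, 17, 0, bytes(4), b"\xff" * 4)
    return eth + ip + udp + bootp
```

An alert for an address in 192.168.200.0/24 on VLAN 20 would mean the dd-wrt DHCP server for the public SSID is still answering, and a 10.1.0.x offer on VLAN 10 would mean a BSSID is bridged to the wrong VLAN.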

