Install to netbook, dd-wrt router, two wireless networks?
I have been having some trouble getting this set up:
Internet --> pfSense on netbook (internal NIC) --> USB NIC --> dd-wrt router
dd-wrt router then acts as switch for 3 wired devices (desktop, voip, and printer) and creates two wireless networks, one bridged to the wired devices, one only to internet.
Any detailed help is appreciated. I have tried following a few tutorials and posts, but cannot seem to make it work, particularly the second ("un-bridged") wireless network.
I think the two biggest obstacles are not having a third NIC, so the tutorials all describe making an OPT1 interface, but this is also my LAN. Also, do I then make a VLAN for the unbridged one?
Do I just need to get a third NIC?
With just two NICs you will need to use VLANs to isolate the two wifi APs effectively. You could probably also do some sort of tunnelling from dd-wrt but that's probably even more complex. ;)
I assume you have disabled all the DHCP and NAT functionality in dd-wrt?
Yes, DHCP and NAT are disabled on the dd-wrt.
Wasn't sure if I needed to make a VLAN on both pfSense and dd-wrt.
that's probably even more complex
Pretty sure the whole thing is over my head, but I'll plug away intermittently.
Keep at it. :)
At the very least you'll learn quite a bit just by trying.
You need to configure DD-WRT to tag traffic coming from the virtual access point with your VLAN tags, say VLAN 10. Then in pfSense you add a VLAN interface with the same number. You can then configure your firewall rules appropriately to allow/disallow traffic.
One thing to be aware of is that some NICs have a problem with tagged and non-tagged traffic at the same time. They will simply reject the non-tagged traffic. It's a small proportion of NICs though, I've never seen it happen. It is advised, therefore, that you avoid having tagged and non-tagged traffic on the same interface. You could do this by tagging all traffic from DD-WRT but with different tags and then using only VLAN interfaces in pfSense. However this is probably something you can look at somewhere down the road. ;)
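To make the two points above concrete (tagging the VAP traffic and keeping tagged and untagged frames apart), here is an added worked example; it is not from anyone in this thread and not pfSense or DD-WRT code. It parses Ethernet II frames, pulls the VLAN ID out of an 802.1Q tag, and then applies the kind of per-interface rules you would write in pfSense. The layout it assumes is the "tag everything" one from the reply above: VLAN 20 carries the wired devices plus the bridged VAP (the LAN), VLAN 10 carries the internet-only VAP (GUEST), and an untagged frame arriving on that NIC is treated as unexpected and dropped. The VLAN numbers, the 192.168.1.0/24 subnet and the MAC/IP addresses are constructed for the example.

```python
import struct
import ipaddress

TPID_8021Q = 0x8100        # EtherType value that signals an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800

# Assumed layout (not from the thread): every VAP on the DD-WRT side is tagged,
# so pfSense only ever sees VLAN sub-interfaces on the USB NIC.
VLAN_INTERFACES = {20: "LAN", 10: "GUEST"}          # 20 = wired + bridged VAP, 10 = internet-only VAP
LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # constructed LAN subnet


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet II frame into its fields; vlan is None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF          # low 12 bits are the VLAN ID; the top 4 are PCP/DEI
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def build_frame(dst: bytes, src: bytes, vlan, ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet II frame, inserting an 802.1Q tag when vlan is not None."""
    header = dst + src
    if vlan is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def ipv4_header(src_ip: str, dst_ip: str) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; enough for a policy decision)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src_ip).packed,
                       ipaddress.ip_address(dst_ip).packed)


def decide(frame: bytes) -> tuple:
    """Apply per-VLAN-interface rules the way pfSense rules on the sub-interfaces would."""
    f = parse_frame(frame)
    iface = VLAN_INTERFACES.get(f["vlan"])
    if iface is None:
        # Tag-everything policy: untagged or unknown-VLAN frames are not expected on this NIC.
        return ("drop", "untagged or unknown VLAN")
    if f["ethertype"] != ETHERTYPE_IPV4:
        return ("drop", "non-IPv4 payload")
    if len(f["payload"]) < 20:
        return ("drop", "truncated IPv4 header")
    dst_ip = ipaddress.ip_address(f["payload"][16:20])
    if iface == "GUEST" and dst_ip in LAN_NET:
        return ("drop", "GUEST may not reach LAN")   # the "internet only" rule for the unbridged VAP
    return ("pass", f"{iface} -> {dst_ip}")


if __name__ == "__main__":
    # Constructed MACs and addresses for a quick demonstration.
    dst_mac, src_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    samples = [
        ("guest -> internet", build_frame(dst_mac, src_mac, 10, ETHERTYPE_IPV4, ipv4_header("192.168.10.5", "8.8.8.8"))),
        ("guest -> printer", build_frame(dst_mac, src_mac, 10, ETHERTYPE_IPV4, ipv4_header("192.168.10.5", "192.168.1.10"))),
        ("lan -> printer", build_frame(dst_mac, src_mac, 20, ETHERTYPE_IPV4, ipv4_header("192.168.1.20", "192.168.1.10"))),
        ("untagged", build_frame(dst_mac, src_mac, None, ETHERTYPE_IPV4, ipv4_header("192.168.1.20", "8.8.8.8"))),
    ]
    for label, frame in samples:
        print(f"{label:18} {decide(frame)}")
```

The VLAN ID is masked out of the TCI field because the upper bits carry priority, so a frame tagged with PCP 3 on VLAN 10 still lands on the GUEST interface; that is the detail that bites when a rule appears to match only some of the traffic.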
I have VLAN isolated VAPs working in Atheros DD-WRT. Never could get them working in Broadcom DD-WRT. I strongly recommend just buying an AP made for this. Right now, I'm recommending the EnGenius EAP-600.