pfSense with DD-WRT (WRT54G) router



  • I've got pfSense running on a Watchguard x550e and I want to use an existing WRT54G wireless router to provide wireless access.

    Here is my setup:

    WAN is set to static IP
    LAN is set to 192.168.0.1 (VLAN10)
    OPT1 is set to 10.0.10.1 (connected to LAN side of WRT54G) (VLAN20)
    No gateway is defined on OPT1 or LAN interfaces

    WRT54G (running DD-WRT) has IP of 10.0.10.3
      WAN port is disabled
      Connected via LAN port to OPT1 on pfSense x550e
      (basically like: http://doc.pfsense.org/index.php/Use_an_existing_wireless_router_with_pfSense)
      DD-WRT Router mode is set to "router" not gateway. (tried both ways)

    The 192.x subnet works fine.

    The 10.x subnet does not allow me to ping the x550e at 10.0.10.1 but I can ping the WRT54G at 10.0.10.3.
    I thought it might be related to the VLAN that I have setup on the OPT1 interface. But the 192.x subnet
    is not on a VLAN capable switch and it's working fine.

    I feel like I'm overlooking something easy here?


  • Netgate Administrator

    Slightly confused here. How are you handling the VLAN between pfSense and the dd-wrt box? Is dd-wrt tagging packets directly? You say you can ping the dd-wrt box on 10.0.10.3, where from? Inside the VLAN or behind a switch?

    Steve



  • Not all WRT54G can handle VLANs.

    And why do you have interfaces with VLANs without a VLAN-capable switch?



  • @stephenw10:

    Slightly confused here. How are you handling the VLAN between pfSense and the dd-wrt box? Is dd-wrt tagging packets directly? You say you can ping the dd-wrt box on 10.0.10.3, where from? Inside the VLAN or behind a switch?

    Steve

    DD-WRT has the capability to tag packets but I don't have that turned on in DD-WRT. My thinking is that the WRT54G will be treated like an
    unmanaged switch. If I plug a non-VLAN-aware switch into a port on a VLAN switch it works fine, but devices on that non-VLAN-aware switch only have access to that VLAN subnet. I think the 802.1Q spec calls for this behavior, allowing it to be backward compatible with "dumb" switches. In this case the WRT54G should work on the 10.0.10.x subnet. I'm wondering if pfSense is maybe not quite working in that regard? I can turn on VLAN tagging per port on the WRT54G but I don't think it's VLAN related (see below).

    My setup is x550e to LAN port on WRT54G and WRT54G LAN port to laptop. I can ping the WRT54G from the laptop but cannot ping the x550e. As a test I set up a fourth port on the x550e at 10.0.9.1 with no VLAN, changed all the IPs on the WRT54G and laptop to the 10.0.9.x subnet and I get the same result. So that makes me think this is not VLAN related.

    I'm also wondering if DD-WRT is not really acting like a normal switch due to its routing capabilities and that is interfering with the VLAN forwarding somehow. I can add a managed switch with a 10.x VLAN set up on it between the x550e and WRT54G but was trying to avoid that.

    Not all WRT54G can handle VLANs.

    And why do you have interfaces with VLANs without a VLAN-capable switch?

    This WRT54G has been used with VLANs before and I'm just testing for a setup I want to use with an unmanaged VLAN switch as described above.



  • DD-WRT works just fine as a dumb wired/wireless switch or managed switch if you turn off the firewall and the DHCP and any VPN servers/clients you may have installed on it. I have one sitting here doing exactly that right now. Not sure how it will behave plugged into a VLAN switch though with its VLAN functions off. I don't tend to use VLAN arbitrarily just to be doing it, as is now apparently the trend.


  • Netgate Administrator

    If you don't have anything between the X550e and the wrt54g and you are not using VLANs in dd-wrt then how can the packets from the wrt54g be tagged in order to arrive at the VLAN interface in pfSense? You need to either have a managed switch in between or get dd-wrt to tag the outgoing packets. The problem with non-managed switches and VLANs is that their behaviour is unknown. Some will strip the tags, some drop the packets, some forward packets with the tags intact. The wrt54g, like most SOHO routers, actually uses VLANs internally to separate the ports, thus its behaviour may be something else. It's always better to define the device's behaviour by correctly configuring VLANs than relying on some default action.
    When you set up the non-VLAN interface did you add an appropriate firewall rule? Anything in the firewall log?

    Steve



  • Could you post a drawing?



  • @stephenw10:

    If you don't have anything between the X550e and the wrt54g and you are not using VLANs in dd-wrt then how can the packets from the wrt54g be tagged in order to arrive at the VLAN interface in pfSense? You need to either have a managed switch in between or get dd-wrt to tag the outgoing packets. The problem with non-managed switches and VLANs is that their behaviour is unknown. Some will strip the tags, some drop the packets, some forward packets with the tags intact. The wrt54g, like most SOHO routers, actually uses VLANs internally to separate the ports, thus its behaviour may be something else. It's always better to define the device's behaviour by correctly configuring VLANs than relying on some default action.
    When you set up the non-VLAN interface did you add an appropriate firewall rule? Anything in the firewall log?

    Steve

    I believe that the 802.1Q spec allows for non-VLAN-aware switches to be plugged into a VLAN access port and it does work,
    unless I've just gotten lucky in the past with my choice of hardware. I hear what you're saying about undefined behavior,
    so I guess I'll add a VLAN switch to test things out. Thanks for your input.

    Not sure how it will behave plugged into a VLAN switch though with its VLAN functions off. I don't tend to use VLAN arbitrarily just to be doing it, as is now apparently the trend.

    I'm not doing it arbitrarily, I see separating the wireless subnet from the rest of the network as a very good thing.

    Could you post a drawing?

    Yes, I'll do that, a picture might make it more clear to me as well.


  • Netgate Administrator

    You can certainly connect non-VLAN-aware devices to an access port, that's what access ports are for. The problem here is that the port on the X550e is effectively a trunk port. To make this work, without a managed switch to translate between tagged and untagged ports, you need to have the wrt54g tag the packets. That should be relatively easy to do although I've not tried it with dd-wrt myself.

    Steve
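    The trunk-versus-access-port distinction Steve describes here, and the earlier question of what happens when an untagged device is plugged straight into a tagged port, can be made concrete with a small model of 802.1Q framing. This is an added example for the thread, not code from pfSense, DD-WRT or Netgate. It builds and parses Ethernet II frames with an optional single 802.1Q tag (TPID 0x8100, then PCP/DEI/VID), models pfSense's OPT1 as a VLAN 20 sub-interface that only accepts frames carrying that VID, and models a managed switch access port that adds the tag on the way in and strips it on the way out. The MAC addresses, the ARP payload and the function names are all constructed for the example; the frame check sequence and double tagging are deliberately left out.

```python
"""Constructed model of 802.1Q tagging between an untagged device (the WRT54G
and the laptop behind it) and a tagged pfSense VLAN sub-interface.
Example code for the discussion above, not pfSense or DD-WRT code."""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


@dataclass
class Frame:
    dst: str
    src: str
    vlan_id: Optional[int]  # None means the frame arrived untagged
    priority: int           # PCP field (3 bits)
    ethertype: int
    payload: bytes


def _mac_to_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _mac_to_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vlan_id=None, priority=0):
    """Build an Ethernet II frame, inserting an 802.1Q tag when vlan_id is given."""
    hdr = _mac_to_bytes(dst) + _mac_to_bytes(src)
    if vlan_id is None:
        return hdr + struct.pack("!H", ethertype) + payload
    if not 1 <= vlan_id <= 4094:     # VID 0 and 4095 are reserved by the standard
        raise ValueError(f"VLAN ID {vlan_id} out of range")
    tci = ((priority & 0x7) << 13) | vlan_id   # PCP(3) | DEI(1, left 0) | VID(12)
    return hdr + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(raw):
    """Parse an Ethernet II frame and extract a single 802.1Q tag if one is present."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    vlan_id, priority, offset = None, 0, 14
    if etype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("802.1Q tag truncated")
        tci, etype = struct.unpack("!HH", raw[14:18])
        priority, vlan_id, offset = tci >> 13, tci & 0x0FFF, 18
    return Frame(_mac_to_str(dst), _mac_to_str(src), vlan_id, priority, etype, raw[offset:])


def vlan_subinterface_accepts(raw, interface_vlan):
    """Model of a tagged VLAN sub-interface such as OPT1 (VLAN 20) on the X550e port.
    The physical port behaves as a trunk: only frames tagged with exactly this VID
    are delivered to the sub-interface. Untagged frames never reach it."""
    return parse_frame(raw).vlan_id == interface_vlan


def access_port_ingress(raw, pvid):
    """Model of a managed switch access port facing the WRT54G: untagged frames
    receive the port's VLAN ID before travelling over the trunk toward pfSense."""
    f = parse_frame(raw)
    if f.vlan_id is not None:
        return raw  # already tagged; real switches differ here (drop or forward)
    return build_frame(f.dst, f.src, f.ethertype, f.payload, vlan_id=pvid)


def access_port_egress(raw):
    """Reverse direction: strip the tag so the untagged device can read the frame."""
    f = parse_frame(raw)
    if f.vlan_id is None:
        return raw
    return build_frame(f.dst, f.src, f.ethertype, f.payload)


# Constructed sample traffic: an ARP request from the laptop behind the WRT54G.
LAPTOP_MAC = "02:00:00:00:00:01"                 # constructed, locally administered
BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_WHO_HAS = b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20   # constructed body


def demo():
    """Compare the two topologies from the thread on the same untagged frame."""
    untagged = build_frame(BROADCAST, LAPTOP_MAC, ETHERTYPE_ARP, ARP_WHO_HAS)
    direct = vlan_subinterface_accepts(untagged, 20)      # WRT54G straight into X550e
    via_switch = vlan_subinterface_accepts(access_port_ingress(untagged, 20), 20)
    return {"direct_to_trunk": direct, "via_access_port": via_switch}


if __name__ == "__main__":
    print(demo())
```

    Run stand-alone, `demo()` shows the asymmetry the thread arrives at: the same ARP request is ignored by the VLAN 20 sub-interface when the WRT54G is cabled directly to the X550e port, and accepted once an access port has tagged it. The same result follows if DD-WRT itself emits frames with VID 20, which is the other option Steve gives.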



  • Thanks, for some reason I was thinking they were access ports. That explains it.