Looking for help re-arranging my network



  • Hey, guys. TheBetterSort, here. I'm new to this forum and I joined primarily to ask you guys a few questions because it's been driving me insane.

    I have a rather complex network right now, without pfSense, but I'm seriously running out of processing power on my routers. So I figured I'd re-purpose an older PC to use as a router with pfSense.

    So far so good.

    Right now I have a main router (E4200v1) running DD-WRT. This router is currently doing everything. Switching, Hosting 2 Wireless APs, Filtering, VLANs, Port Forwarding, Acting as a Media server. It's doing it all.
    I also have another router (an older Belkin) running its stock firmware. This router is acting as Wireless AP and as a Switch for other devices.

    Now what I'd like to do is connect the Internet to my pfSense box, use it as the primary router. Then have a Cat5e going from it to my DD-WRT router to have that router acting like a switch and AP, and then have another cat5e running from that one (dd-wrt) to it (belkin) and using that as another switch and AP.

    I tried this, and it doesn't seem to be working properly. For one thing the pfSense system is unusable if the LAN IP is set to 192.168.1.1. Even if all the other routers are turned off, and all the systems are set to use DHCP, it's not accessible and clients can't access the internet or the web configurator. If I set the LAN IP to 192.168.3.1, and start the DHCP pool at 192.168.3.100 accordingly, everything works fine. I don't understand why this is happening and it's not ideal. There are many systems that are already configured to have a 192.168.1.XXX IP, and set to use a 192.168.1.1 gateway and I'd rather not change that.

    Also, if I turn off WAN and DHCP on the DD-WRT router, I lose the ability to go to its configuration page (I set it to 192.168.3.2), and the wireless adapters never come on so I have no wireless. The Switching functionality seems to work fine enough though.

    So do any of you fine chaps know what I could do to both these routers to get them working as they should?
    Thanks in advance for reading this and generously offering your help.



  • I would suspect a routing problem. If you have the WAN side hooked up on the DD-WRT machine, it would like to route as opposed to switch. If the DDWRT has the same network on both sides, routing will not happen. The same goes for pfSense. If WAN and LAN on the pfSense machine are in the same network, no routing will happen. Only the switch plugs should be used on the APs if you want pfSense to do all the routing. That is just a guess though, we will need more information to help much further.


  • Banned

    How's the DD-WRT box set up? If it's gateway, it will not ever work. You'd do yourself a much better service buying a dumb switch.

    Also, if I turn off WAN and DHCP on the DD-WRT router, I lose the ability to go to its configuration page (I set it to 192.168.3.2)

    Yeah, that's perfectly normal and expected. Suggest reading this: http://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall

    and the wireless adapters never come on so I have no wireless. The Switching functionality seems to work fine enough though.

    You got it misconfigured. Again, no info here… so, good luck.



  • The DD-WRT router is set up as router, not gateway, and the wireless adapters are set up as Access Point only.

    Also, do you have any idea why 192.168.1.1 doesn't work?


  • Banned

    Probably because having two routers on the same network won't exactly fly. You are serving completely nonsensical information via the DD-WRT DHCP server.


  • Rebel Alliance Global Moderator

    What is your pfsense wan IP?  Is it public or 192.168.1.0/24 as well?

    also if 192.168.1.1 does not work as lan IP on pfsense.. then you have issue with wan side using the same network maybe?

    You have something else stepping on that IP on your lan side?  Did you set a static arp for that ip on your client you're trying to use to connect to pfsense when its IP is 192.168.1.1

    I would suggest you look at your client's arp table when you try and access pfsense when it's 192.168.1.1

    btw: I run my pfsense lan at 192.168.1.253 because 192.168.1.1 and .254 are very common default IPs, so if I bring up a new toy on the network say a new wireless router or something I am going to use as AP, pogoplug, anything really that has network interface, managed/smart switch, etc.  I don't want the possibility of something stepping on pfsense lan IP with its default that matches up, etc.



  • @doktornotor:

    Probably because having two routers on the same network won't exactly fly. You are serving completely nonsensical information via the DD-WRT DHCP server.

    But It's always worked with the DD-WRT and the Belkin, now all of a sudden it doesn't work with pfSense.
    The DD-WRT's DHCP server is disabled. As is any Gateway functionality, and the WAN is disabled too. This should let it work as simply a switch/AP.
    They have different IPs (192.168.3.1 for the pfSense and 192.168.3.2 for the DD-WRT) and the DD-WRT install docs for setting it up in this mode said to leave it in the same subnet as the main router.

    So, really I have no idea why it isn't working.
    Also, as to your link about accessing the modem; the DD-WRT isn't connected to the WAN port, the modem is. But I have no reason to ever use the modem setup page. The DD-WRT is connected to a LAN port like any other client. I should be able to access it normally, but I can't.

    @johnpoz:

    What is your pfsense wan IP?  Is it public or 192.168.1.0/24 as well?

    also if 192.168.1.1 does not work as lan IP on pfsense.. then you have issue with wan side using the same network maybe?

    You have something else stepping on that IP on your lan side?  Did you set a static arp for that ip on your client you're trying to use to connect to pfsense when its IP is 192.168.1.1

    I would suggest you look at your client's arp table when you try and access pfsense when it's 192.168.1.1

    My pfSense WAN IP is public. It's connected directly to my modem and resolving with PPPoE. And when I was doing my initial test with pfSense, I didn't have any other router or switch or anything even connected. I connected a PC directly to the LAN port. It got served an IP, but was unable to ping the gateway, or access the internet.



  • I have an idea.  Since at the house here I tend to use "old junk" I think I could walk you through it. 
    I have two DDWRT linksys routers acting as switches and AP on my network, so I've been through it.
    You have to take it in little bytes and not huge chomps.

    1.  Make sure pfsense is working fine and handing out DHCP on its LAN side before hooking up your DDWRT to it.
    2.  You will basically have to turn off every setting in your DDWRT.  It shouldn't do any routing, firewalling, SPI or anything and it will have to get a static IP.  You will also need to turn off any servers you have running on them.  I'll send you a how-to link on that.  Cool?

    And you will also deactivate the WAN on the DDWRT so that it gives you all its ports available as gigabit switch.

    (As a side benefit, these will end up with some VLAN capability - You can experiment with that later)

    (Yeah - Your slightly managed DDWRT switch's IP will be on the same subnet as the pfsense lan you connect it to.  OUTSIDE PFSENSE DHCP RANGE)
    make sure the DHCP range you specified on pfsense LAN leaves space for static assignments.


  • Banned

    @TheBetterSort:

    But It's always worked with the DD-WRT and the Belkin, now all of a sudden it doesn't work with pfSense.

    Because it's not been the same at all? You connected yet another router in there (instead of just ditching the DD-WRT thing altogether). At least that's what I get from the confused description. I'd suggest to get rid of useless devices needlessly complicating things. At least until you get your basic setup working.



  • @kejianshi:

    I have an idea.  Since at the house here I tend to use "old junk" I think I could walk you through it.  
    I have two DDWRT linksys routers acting as switches and AP on my network, so I've been through it.
    You have to take it in little bytes and not huge chomps.

    1.  Make sure pfsense is working fine and handing out DHCP on its LAN side before hooking up your DDWRT to it.
    2.  You will basically have to turn off every setting in your DDWRT.  It shouldn't do any routing, firewalling, SPI or anything and it will have to get a static IP.  You will also need to turn off any servers you have running on them.  I'll send you a how-to link on that.  Cool?

    And you will also deactivate the WAN on the DDWRT so that it gives you all its ports available as gigabit switch.

    (As a side benefit, these will end up with some VLAN capability - You can experiment with that later)

    Thanks. But I'm already stuck in step 1. It doesn't hand any DHCP with 192.168.1.1.
    And as for Step 2; I used http://www.dd-wrt.ca/wiki/index.php/Wireless_Access_Point (the Long Version part) to set this up.

    But if you have another how-to, I'd be interested in trying that too. Was it this complicated when you tried it?

    @doktornotor:

    Because it's not been the same at all? You connected yet another router in there (instead of just ditching the DD-WRT thing altogether). At least that's what I get from the confused description. I'd suggest to get rid of useless devices needlessly complicating things. At least until you get your basic setup working.

    It's not needlessly complicating things. I have devices that are wired to 2 different rooms, and hence have routers that I'm using as switches in 2 different rooms. This isn't complicated at all. It should be straightforward to set up.



  • Actually - DDWRT does make super slick switch and wireless AP if you turn off all the crap that will cause issues.  I wouldn't trade mine for a new dumb switch and a shiny new AP.  No way.  But there is lots of opportunity to screw yourself in the settings.


  • Banned

    @TheBetterSort:

    Thanks. But I'm already stuck in step 1. It doesn't hand any DHCP with 192.168.1.1.

    Does it hand out IPs once you have disconnected the useless DD-WRT thing?

    @kejianshi:

    Actually - DDWRT does make super slick switch and wireless AP if you turn off all the crap that will cause issues.

    Yeah. If. Apparently not what's been done here.



  • @doktornotor:

    @TheBetterSort:

    Thanks. But I'm already stuck in step 1. It doesn't hand any DHCP with 192.168.1.1.

    Does it hand out IPs once you have disconnected the useless DD-WRT thing?

    As I mentioned before, No. It will only hand out IPs if I change the IP to something other than 192.168.1.1.
    This is with NOTHING ELSE connected.


  • Banned

    @TheBetterSort:

    As I mentioned before, No. It will only hand out IPs if I change the IP to something other than 192.168.1.1.
    This is with NOTHING ELSE connected.

    Eh. Have you rebooted the devices (the DHCP clients)?



  • @doktornotor:

    @TheBetterSort:

    As I mentioned before, No. It will only hand out IPs if I change the IP to something other than 192.168.1.1.
    This is with NOTHING ELSE connected.

    Eh. Have you rebooted the devices (the DHCP clients)?

    Yes.

    edit: After rebooting the pfSense box itself, now it will accept devices as 192.168.1.1.


  • Banned

    Well, then post some screenshots of the configuration. I'd once again urge you to consider that you can only have one and exactly one DHCP server on any one network normally. Definitely STILL not convinced even about this being the case, considering "Also, if I turn off WAN and DHCP on the DD-WRT router, I lose the ability to go to its configuration page…"



  • Please tell me exactly how your internet flows.  From the ISP > Modem > PFsense. 
    How many NIC ports does pfsense have?

    (This is a physical machine?  I'd hate to find out on page 4 of the thread it's a VM)

    Also, tell me how you went about assigning WAN and LAN?
    Are you 100% sure you don't have your WAN and LAN cables swapped on pfsense?  That's crazy easy to do.
    Unplugging a cable then plugging it back in should show which interface was affected.  That will make it easy to know if you swapped them by accident.
    If you plug and unplug a cable into both ports separately and the other end is attached to a computer it will tell you which interface that is. For example em0.
    Make sure the interface you are calling LAN is actually correct.
    Once, I even accidentally assigned LAN to a firewire interface…  YES it can happen.

    Assuming they are not swapped.  Did the WAN get an IP from your ISP?

    If it did, let's get into IP assignment on the LAN

    Did you make its IP 192.168.1.1?  Did you tell it to use DHCP on that interface?  And then did you assign a DHCP range that doesn't overlap with the IPs your DDWRT switches will use?  For instance, start at 192.168.1.55 and end 192.168.1.155  (leaving big gaps before 55 and after 155 for static maps)?

    If there is something wrong with those assignments you can reassign interfaces or IPs via the pfsense console.  (I assume there is a monitor/keyboard attached)
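
An added example, not part of any post in this thread: a small Python check of the addressing rules discussed above (WAN and LAN in different networks, static switch/AP addresses inside the LAN subnet but outside the pfSense DHCP pool, nothing sharing the LAN gateway IP). The function name, host labels and sample addresses are assumptions made up for illustration; the pool 192.168.1.55-192.168.1.155 is the range suggested in the post above.

```python
import ipaddress as ip


def check_lan_plan(lan_if, pool_start, pool_end, static_hosts, wan_if=None):
    """Return a list of problems with an IPv4 LAN plan (empty list = plan is OK).

    lan_if       -- router LAN address with prefix, e.g. "192.168.1.1/24"
    pool_start/pool_end -- first and last address of the DHCP pool
    static_hosts -- {label: address} for statically addressed switches/APs
    wan_if       -- optional WAN address with prefix
    """
    problems = []
    lan = ip.ip_interface(lan_if)
    net = lan.network
    start, end = ip.ip_address(pool_start), ip.ip_address(pool_end)

    if start > end:
        problems.append("DHCP pool start is above pool end")
    for label, addr in (("pool start", start), ("pool end", end)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside LAN {net}")
    if start <= lan.ip <= end:
        problems.append(f"router LAN IP {lan.ip} is inside the DHCP pool")

    # A router cannot route between two interfaces in the same network.
    if wan_if is not None:
        wan = ip.ip_interface(wan_if)
        if wan.network.overlaps(net):
            problems.append(f"WAN {wan.network} overlaps LAN {net}")

    seen = {lan.ip: "router LAN"}
    for label, addr_text in static_hosts.items():
        addr = ip.ip_address(addr_text)
        if addr not in net:
            problems.append(f"{label} {addr} is outside LAN {net}")
        if start <= addr <= end:
            problems.append(f"{label} {addr} is inside the DHCP pool")
        if addr in seen:
            problems.append(f"{label} {addr} duplicates {seen[addr]}")
        else:
            seen[addr] = label
    return problems


if __name__ == "__main__":
    # Constructed sample plan: WAN uses a documentation address (203.0.113.0/24).
    plan = {"dd-wrt AP": "192.168.1.2", "belkin AP": "192.168.1.60"}
    for line in check_lan_plan("192.168.1.1/24", "192.168.1.55",
                               "192.168.1.155", plan, wan_if="203.0.113.10/32"):
        print("PROBLEM:", line)
```
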



  • doktornotor is right.  Configuring the DDWRT correctly as switch REQUIRES shutting off its DHCP as final step. If you don't get all those services turned off, it will break pfsense.  You will later be able to access the DDWRT menus via static IP you should have assigned it.  What you do is as you are disabling this and that service in DDWRT, at every screen you SAVE settings (NOT APPLY).  Then after you are sure all the settings are correct.  Firewall all set to off, no SPI, no routing, no DHCP, no services like VPNs active and everything.  And you have set a static IP.  Then you APPLY settings and reboot DDWRT.  Hope you wrote down its static IP, admin username and password because that is where you will access it on the LAN.

    If you made even the slightest deviation from this, you will only break your network.



  • This is my configuration. And yes, the WAN got a public IP.
    I set the LAN IP to 192.168.1.1 (this works now), I started DHCP and gave it a range of 192.168.1.100-192.168.1.254

    And yeah, there's a monitor and keyboard attached.



  • Have you done anything with the outbound NAT? Again, if you traceroute from a computer on the LAN to say 8.8.8.8, what do you get?



  • Your network is arranged fine.
    If pfsense hands out DHCP after a reboot and works without DDWRT attached, the DDWRT is a problem.

    Need to make sure all services on it are off.  It will work, although it needs to be exactly correct.



  • Alright, I'm going to set it all up again. I'll be back in a few minutes when I get internet access again.

    Thanks, all.



  • Another little trick I do is I save several configurations of DDWRT.

    I set it up as a basic wireless router then I save the config on thumbdrive.
    I set it up as a wireless router and with an Openvpn Client to pfsense then I save the config on thumbdrive.
    I set it up as switch and wireless AP then save the config on thumbdrive.

    Then later, if I get ready to go somewhere, I can just restore the openvpn client config grab it and go.
    When I'm back home, restore the switch/AP settings.

    Very convenient.  If you don't miss some little setting and break pfsense.



  • Alright, I changed some settings and now things are working ALMOST as they should.
    From here on out, they're DD-WRT config problems.

    The wireless radios never come up. So I have no wireless.
    Also, could you please give me step by step instructions on how to get to the DD-WRT configuration page when it's set up this way?

    The pfSense box's IP is 192.168.1.1 and the DD-WRT switch's IP is 192.168.1.2



  • well - I always go to http://192.168.1.2 or https://192.168.1.2

    (hope you didn't turn off access to the administration)

    After that, you can turn on wireless and set that up.  (I use E2000s for this.  They are "slower" but super compatible)

    I have several nice high dollar switches in the basement that are plugged directly into pfsense.  I have dual CAT6 cables to all rooms in the house.  I usually attach a DDWRT to those in the rooms on the second and third floor for additional switch ports and AP and because I like to have wireless N if I want it.



  • I tried that, but It doesn't work. It times out. I can't ping it either.

    And yes, web administration and remote administration are both on.

    Please don't tell me I have to restart again.


  • Rebel Alliance Global Moderator

    "DD-WRT switch's IP is 192.168.1.2"

    So why would you need to ask how to access its configuration page if you set its IP??  How do you think you would access it??  How were you accessing them/it before??



  • DDWRT will just sit there like a big dumb SH$% if it doesn't get its IP from pfsense.  Is it getting an IP?  Can you access the pfsense menu to check?
    (This has turned into more of a DDWRT issue than pfsense issue, so not best site to get that answer.  But I know the answer so I'll answer)
    Technically bad form though I suppose.



  • "I can't ping it either".  Makes me think SPI firewall is still running.  I've never actually tried to ping mine but I'll give it a shot. 
    Also, in case you handled the deactivation and allocation of the wan port wrong on DDWRT, put all cables on only the "LAN" ports.  And try.

    Ping works for me…  And Web GUIs


  • Rebel Alliance Global Moderator

    It's a LAN PORT, that can be a dhcp server it sure an the hell is not using dhcp to get an IP address.. If you set it up to 192.168.1.2 then that is what you would access it on.  If you can not ping it, it has nothing to do with the firewall - since that is from the wan side you would have to enable it to answer ping.  Lan answers ping out of the box.

    Your firewall is not going to be doing anything on dd-wrt because it only works between the lan/wlan bridge and the internet - it does not do anything between wlan/lan - so you might as well just disable it to save resources, etc.

    If you set its IP correctly, and are connected to its lan ports with correct IP on that same network then if you can not ping it - you set up its IP wrong, you have a bad cable or your box you're using is not correct ip, etc..  Or port is bad on dd-wrt lan or your pc..

    Troubleshoot layer 1, then 2 then 3 – it's really easy ;)  Is your cable good..  Do you see mac?  etc..

    Setting up a router as ap is like a 2 min thing.. You assign it an IP, disable its dhcp server - connect to its IP and setup wlan..  If you spend more than 5 minutes tops you got something major wrong!



  • Yeah - I can sympathize…  Even knowing exactly how something should be, I've been baffled by some pretty stupid stuff before.  Soooo simple like "why the hell did I plug my WAN cable into my LAN port...  When did I do this?".  Stuff that makes me want to slap myself.

    Oh - And yesterday my wife upon learning that my laptop screen "turns and swivels" turned it 720 degrees...  Trashed it.

    That must have taken some serious stubborn twisting.

    $4000 Laptop...  My GOD must I explain the definition of "swivel"?



  • I can confirm that I turned the SPI firewall off and set its IP to 192.168.1.2, and that I set the WAN port to Switch.

    I really don't know what's going on. Wireless still doesn't work either.



  • Well - I'm not there so I can't do it personally.  I promise you, some setting is wrong.  Maybe try doing a hard 30/30/30 reset and start from fresh.
    I'm going to read that link you sent and make sure their directions are correct.


  • Rebel Alliance Global Moderator

    so you set wan to switch - so you're using wan?  Use an actual LAN port!!

    Again there is nothing to this, if you're having issues then a HARD reset might be in order..  Just reset your dd-wrt router..  Change its IP to your 192.168.1.2, turn off its dhcp server, connect it to your network via one of its lan ports =  shazam is an AP..  that is all there is to it!  It's at best 2 minutes..

    You can tweak and play with other settings later like turning off spi, moving wan port to lan, etc.

    connect your pc to its lan port nothing else - if after you change its IP to 192.168.1.2/24 and your pc is on 192.168.1.0/24 and you can not ping it - then you didn't change its IP right ;)



  • Also, I set its IP to static 192.168.1.2 so how would pfSense give it an IP?

    But it's not showing up in the pfSense DHCP leases, I guess with good reason.
    I REALLY don't want to do a reset. Like REALLY. With a  passion.

    Is there a way to check ALL clients connected to pfSense (not just DHCP)

    @johnpoz:

    so you set wan to switch - so you're using wan?  Use an actual LAN port!!

    I am. I just included that bit of information because I'm sure I did. But everything is connected to actual LAN ports.


  • Rebel Alliance Global Moderator

    So your PC is connected to lan port of dd-wrt router, your pfsense is connected to different lan port on dd-wrt router.  Your PC got an IP from pfsense dhcp??

    On 192.168.1.0/24 and you can ping pfsense lan port..  But you can not access dd-wrt on 192.168.1.2??

    Then you did not correctly set its IP..  Or you have a mac address issue, or dd-wrt is broken ;)  since its switch ports are currently working and your cables are good if you can talk to pfsense through your dd-wrt lan ports.

    Why are you opposed to hard reset?  It takes 2 minutes to set it up as AP from default..

    and this just confuses the shit out of me
    "Also, I set its IP to static 192.168.1.2 so how would pfSense give it an IP?"

    So you think pfsense should be giving your dd-wrt router an IP??  What??  I am confused at this statement I can not tell if you're just not getting the basics or what?  As to checking devices that pfsense can see - just ping from pfsense if you want…  But no pfsense is not going to list every device on the network..

    edit: did you muck around with any other dd-wrt configs like putting ports in vlans or anything like that?



  • @johnpoz:

    So your PC is connected to lan port of dd-wrt router, your pfsense is connected to different lan port on dd-wrt router.  Your PC got an IP from pfsense dhcp??

    On 192.168.1.0/24 and you can ping pfsense lan port..  But you can not access dd-wrt on 192.168.1.2??

    Then you did not correctly set its IP..  Or you have a mac address issue, or dd-wrt is broken ;)  since its switch ports are currently working and your cables are good if you can talk to pfsense through your dd-wrt lan ports.

    Why are you opposed to hard reset?  It takes 2 minutes to set it up as AP from default..

    That's exactly what's happening. Both on the same subnet. PC got served an IP from pfSense through DD-WRT Lan port.

    Ughh. I'll do a hard reset then.



  • Short answer is yes. You could continue without a reset.
    However if there is a typo or something in there, you would end up wasting hours or days vs minutes on the reset.

    Other advice.  In that DDWRT document.  Use the long version.

    Also:

    In step 3:  All the so-called optional stuff is mandatory and turn off NTP in DDWRT

    Open the Setup -> Basic Setup tab

    WAN Connection Type : Disabled
        Local IP Address: 192.168.1.2 (i.e. different from primary router and out of primary router's DHCP pool)
        Subnet Mask: 255.255.255.0 (i.e. same as primary router)
        DHCP Server: Disable (also uncheck DNSmasq options)
        (Recommended) Gateway/Local DNS: Make sure you use 192.168.1.1 here if that's what you set as pfsense LAN!!!!!!
        (Optional) Assign WAN Port to Switch (visible only with WAN Connection Type set to disabled): Enable this if you want to use WAN port as a switch port
        (Optional) NTP Client: Enable/Disable (if Enabled, specify Gateway/Local DNS above)

    In step 7, none of that is optional.  It's mandatory.

    Open the Services -> Services tab

    (Optional) DNSMasq: Disable (enable if you use additional DNSMasq settings)
        (Optional) ttraff Daemon: Disable
        Save

    In step 9, all those recommended settings are not recommended.  They are mandatory.

    Open the Administration -> Management tab

    (Recommended) Info Site Password Protection: Enable
        (Recommended) Routing: Disabled (enable if you need to route between interfaces)
        Apply Settings and connect Ethernet cable to main router via LAN-to-LAN uplink*
        Reboot router to be sure all settings have been applied.
        You may have to reboot your own PC or do "ipconfig /release" + "ipconfig /renew" from the Windows command line.

    If you were to follow this guide, omitting the "optional" settings, it wouldn't work for you.



  • Look up at my setting I added in previous comment also.

    (Recommended) Gateway/Local DNS: Make sure you use 192.168.1.1 here if that's what you set as pfsense LAN!!!!!!


  • Rebel Alliance Global Moderator

    "They are mandatory."

    BS – sorry but you sure an the hell do not need to put wan port into your switch ports, nor do you have to setup gateway or dns on your lan..  In what case does the web ui or dd-wrt need to know how to get off its network to be an AP??

    And you sure and the hell do not need to disable routing -- you're not using it, but does not mean it can not be ON...

    Those settings are all tweaks and not "mandatory" that is for damn sure -- Give it an IP you can access is not even really required!!  the only thing required is turn off its freaking dhcp server or you're going to have problems!!!  But it really does not need an IP on the current network if your wireless is setup how you want it already.. Or you don't mind putting a pc on its network to access the gui, etc..

    Not sure where you're getting mandatory anything from those settings - you're just trying to confuse him or make it seem more complicated??