Nework Layout & Routing Help… please :)

  • I have a plan in my head, but I could use some help putting it all together!

    I would like to integrate pfSense into my network to begin moving tasks away from DD-WRT.

    Currently, DD-WRT is providing these essential tasks besides firewall & NAT:
    Multiple wireless SSIDs
    SSH remote client access

    I would like to start with pfSense installed on either a VM or USB and controlling the VLANs and wireless APs - interfacing with a managed switch. For either install the host machine would start off with only a single NIC. The DD-WRT router should still be taking care of the initial SPI firewall tasks, NAT, and SSH for remote client access. pfSense will be responsible for the security between VLANs and wireless APs.

    Is this feasible? What routes would I need to setup in order for my SSH client to terminate at the main router (DD-WRT) and be able to traverse the internal network behind pfsense?

    I was initially thinking in terms of VLANs:
    DD-WRT router    VLAN10
    Main Network      VLAN20
    Aux Network      VLAN30
    Guest AP            VLAN40
    pfSense              Trunk 10-40

    I could really use some guidance on how I should set this up so routing would work the best. Also does pfSense need to have a "WAN" port for it to work or could I treat the line to the router as just another VLAN? Does DD-WRT need to be aware of each VLAN for routing to work? Would any of this work if I had to replace DD-WRT with an "el cheapo" home router with standard firmware - static routes, maybe or pfSense would then need a WAN port and I would have double NAT? This is one area where my routing skills come into question!

    Further, one of my goals was to have some mission critical devices connected directly to the DD-WRT router so they would be accessible remotely via SSH regardless if something should happen to pfSense or the managed switch. I would also need to access these devices from the "main network" VLAN. Will routing to them be an issue?

    I've attached a simple image laying it out.
    Thanks for any help!

  • You can do this and it will work, but it makes no good sense to do this way.  Why would you want your important core stuff closer to DDWRT than pfsense?

  • Well… the idea is DDWRT is already protecting these devices as is with it's firewall and by keeping it there I never have to worry about a pfsense issue (take into consideration the hardware it runs on) or the switch it's connected to going down to prevent me from being able to reach them from the Internet.

    Can you aide me with configuring the routing for this?

  • You have things all backwards in my opinion.  With pfsense and DD-WRT running in the same space, its DD-WRT that you need to worry about.  I have both and I'd never make DD-WRT my primary router / "Firewall" unless my pfsense crashed.

    Other than that minor flaw in your thinking, every thing you saw will work fine.

    You have pfsense on top, so it and all its clients would be able to see "down" through the network to everything connected to the DD-WRT without any special routing or config.  Thats just the nature of NAT.  Devices on top can see down into everything and devices on bottom, without port forwards, can't see up without port forwards.

    What is it you need help with?  Just the VLANs?

  • I understand what you're saying, but I don't have a box that I can keep on 24/7 without having to reboot every now and then. So until I do I'll just keep DDWRT running along, but the idea is to have only pfSense at some point which is why I want to start migrating over.

    Can you tell me how I should setup the link between pfSense and DDWRT - should I configure it as a WAN or basic VLAN?
    Thanks for the help, kejianshi!

  • Interesting - I've not had to use my WAN/LAN as a single port yet.  I've always had a dedicated WAN and on the LAN configured multiple VLANs.
    Your Managed switch will need some VLAN tagging done.  You will need to tag the port coming from the DD-WRT to the switch to include a VLAN group. Lets arbitrarily call that 10 so that port will need a PVID 10 and include tagged VLAN 10.  So 10 will go to "WAN".  Now, You will need a LAN, so we can call that 20.  All the ports connected to things other than pfsense and DD-WRT will need to include tagged VLAN 20 and get PVID 20.  The port between pfsense and the switch, I'd call it a trunk and make it include tagged VLAN 10 and 20.  I'd call all the other ports except the one connected to pfsense "access".  Terminology varies from switch to switch.

    In pfsense you will need to add a VLAN 10 and make it your gateway and a VLAN 20 and make it your LAN.

    They will both use the same MAC/Interface.

    That should get you headed in the right direction.

    If you say what switch you are using, someone can probably tell you exactly what buttons to push.

    People do what you are trying to do all the time but instead of connecting to DD-WRT, they connect to modem directly, so treating the connection to DD-WRT as if it were a modem, like 10,000 people can tell you how this is done.

    Everything connected to pfsense and riding those vlans will be double NATed, so your system isn't ideal but will work.

  • @kejianshi:

    Everything connected to pfsense and riding those vlans will be double NATed, so your system isn't ideal.

    That is what I wanted to avoid if I could, but wasn't sure if it was possible? What about turning NAT off in pfsense and setting up a static route in DD-WRT? Would that work to eliminate the double NAT issue?

  • In that case, what is the role of pfsense in your configuration?  Useless dongle/additional point of failure/latency increaser?
    What is it you want pfsense to accomplish for you?

  • At this point I wanted more granular control of VLANs via a GUI. Like I said though I will be migrating over to just pfSense over time.

  • If you just want granular control via VLANs via GUI, you can do that with just a VLAN switch.  Most have GUIs and will allow VLAN segregation, VLAN tagging etc. You can even set up VLANs segregated out inside of DD-WRT.

  • The level of switch that I'm buying won't give me the ability to block/allow access to/from VLANs down to the node IP & port. I want to move my VLANs away from DD-WRT and phase it out.

  • Then you need to move directly to pfsense.  Whats the issue with your pfsense hardware again?

  • Netgate Administrator

    Whilst I agree with Kejianshi that moving to pfSense as your primary router would be a better solution I can understand your reasons for keeping DD-WRT. Moving from one working setup to some thing different is always best accomplished one step at a time. There have been countless threads here where people have replaced a complex configuration on some other firewall with pfSense all in one go and then struggled for hours troubleshooting.

    It's possible to use pfSense just to route/firewall between your VLANs without NAT. You'll need to add some static routes to dd-wrt so it knows where to send traffic. As I said above though, one step at a time! Set it up as double NAT to start off with and take it from there.

    In pfSense there are really only two types of interface, those with a gateway defined and those without. Since pfSense needs at least one gateway the first interface you assign will have one and is labelled 'WAN'. The second interface, by default, will be the internal interface and is labelled 'LAN'. Those are just labels though. Subsequent interfaces are defined as internal (Lan type) or extrenal (Wan type) only by weather or not they have a gateway and can be labelled anything you like. The only interface that has any special properties is the 'LAN' which has firewall rules allowing outbound traffic by default. All other interfaces must be given appropriate rules to allow traffic. I hope that didn't come across too confusing!  ;)


    Edit: typo

  • @stephenw10:

    It's possible to use pfSense just to route/firewall between your VLANs without NAT. You'll need to add some static routes to dd-wrt so it knows where to send traffic.

    Thanks, Steve.
    Would I need to setup a static route for each VLAN (subnet) routed by pfSense or just (1) for the VLAN between pfSense and the router?

  • Netgate Administrator

    You would need one for each subnet behind pfSense.
    Get it working with double NAT first then experiment.  ;)


  • Thanks, Steve!

Log in to reply