Netgate Discussion Forum
    Routing Issue (moving from DD-WRT)

    Routing and Multi WAN
      droobie

      I currently have the following config.

      1> Router as 10.0.0.10, it's a Cisco 1841 with a bonded T1 link attached to it and it splits the public Class C into 2 /25's, one of which goes into the DD-WRT appliance.
      2> DD-WRT WAN Side 10.0.0.3, DD-WRT LAN side a public IP address.
      3> 10.1.3.0/24 routing through the DD-WRT appliance to access stuff behind the DD-WRT appliance on that subnet.
      4> Same thing as #3 for 10.0.3.0/24.
      5> 10.1.3.1 and 10.0.3.1 are the gateway for these #3 and #4 devices behind the DD-WRT appliance.  They're bound to the br0 bridge interface for the LAN side.

      I tried making a Proxy ARP LAN Virtual IP of 10.1.3.1/24  and then a LAN static route 10.1.3.0/24 via 10.0.0.10.  This doesn't seem to work.

      Is there any way I can do this?  I'm aware that there is no IP Alias support for the NICs in pfSense (which is a real bummer) and would probably stop me from doing #5 and might kill this dead in the water.

      QoS doesn't work properly on DD-WRT, but this setup works otherwise. I'm a bit torn… :)

      Thanks in advance.

        cmb

        Your description is hard for me to follow. Can you post a network diagram?

          droobie

          Hope this is big enough, looks small on my screen but my res is out of control.  Basically I'd want to replace the DD-WRT device so I could put in a pfSense one to do better QoS, VPNing, etc.

          The CPE works a lot like cable modems do, where the device has an IP for maint and the customer sees a public IP on their side.

          The LAN side of the DD-WRT box is bridged, so we can just assign the 10.x.x.1 to the bridge in the startup script.

          It all works as it is, but I'd love to use pfSense instead for a lot of reasons.  I think this problem has probably come up before, but I'm not sure of the easy way out.  If pfSense supported IP Aliases on the interface, that'd probably fix it, but there's 'gotta be a better way'.

          Thanks for your help in advance.

            cmb

            Ok, this makes more sense now.

            I think the easiest thing is probably to put three physical interfaces where the DD-WRT's LAN interface goes. Put one subnet on each interface, even though it's the same broadcast domain so it's pointless to do so, because that's by far the easiest way to do this, and possibly the only way without some serious hacking.

            That'll cause some ARP spam in your logs; you can silence that on the Advanced page.

              droobie

              I wish I could do that. :)  The machine I'm using is limited to the 2 interfaces I have unless I wanted to get a Quad NIC or something esoteric like that.  I could just throw IP Aliases against the LAN NIC (basically how it's set up in DD-WRT), but I saw that IP Aliases are generally frowned upon here (to the point of being unsupported).

              The public IP range is basically relayed through the 10 network too (a bridged type situation, not a routed one), so basically it ends up being:

              PC LAN SIDE <--->  10.1.3.1/24 <---> 10.1.3.29/24 (for instance) Modem <--->  65.x.x.159 (Customer PC)

              I think 3 NICs would probably break this, since the 65.x.x.128/25 would be on its own interface instead of coming through with the 10.1.3.0/24 traffic?

              Thanks for your help.

                mrsense

                @droobie:

                I wish I could do that. :)  The machine I'm using is limited to the 2 interfaces I have unless I wanted to get a Quad NIC or something esoteric like that.  I could just throw IP Aliases against the LAN NIC (basically how it's set up in DD-WRT), but I saw that IP Aliases are generally frowned upon here (to the point of being unsupported).
                {…}

                Just an idea: how about configuring one of the ports as a VLAN trunk and hooking it up to a managed 8-port switch?  I've done it with m0n0wall when I needed more ports and I don't see why it would not work with pfSense.

                  droobie

                  I do have a Cisco C2924XL-EN that's going to be going in at that location.

                  I'd have to make the port attached to the LAN side of the pfSense machine be 3 VLANs (Multi-VLAN mode) and then the ports for my radio base stations (that need access to all 3 networks) as members of those 3 VLANs as well?

                  I haven't done much work with VLANs unfortunately, so I apologize in advance.

                    mrsense

                    @droobie:

                    I do have a Cisco C2924XL-EN that's going to be going in at that location.

                    I'd have to make the port attached to the LAN side of the pfSense machine be 3 VLANs (Multi-VLAN mode) and then the ports for my radio base stations (that need access to all 3 networks) as members of those 3 VLANs as well?

                    I haven't done much work with VLANs unfortunately, so I apologize in advance.

                    Configure port 1 (for example) on the Cisco switch as a trunk, tagged VLAN1, VLAN2 and VLAN3.  Plug in pfSense, configured for VLAN1, VLAN2 and VLAN3, to port 1.  Assign port 2 to VLAN1 untagged, port 3 to VLAN2 untagged, port 4 to VLAN3 untagged.  Connect your APs to ports 2-4.  The APs should not be configured for a specific VLAN since the ports are untagged.

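As an added illustration of the switch side of mrsense's suggestion (an example configuration written for this thread, not posted by any participant), here is how the Catalyst 2924XL port layout would look in IOS. Port numbers, VLAN names and the spare native VLAN 99 are assumptions; on a dot1q trunk VLAN 1 is the native VLAN and would leave the switch untagged, so it is moved off the trunk's native VLAN so that all three VLANs reach pfSense tagged, and the trunk is pruned to only the VLANs it needs.

```cisco
! Added example for this thread, not a participant's config.
! Assumed: IOS 12.0(5)-era 2900XL syntax, dot1q trunking, ports Fa0/1-Fa0/4.
vlan database
 vlan 2 name net-10-1-3
 vlan 3 name net-10-0-3
 vlan 99 name unused-native
 exit
!
! Port 1: trunk to the pfSense LAN NIC. pfSense gets VLAN interfaces
! vlan1, vlan2 and vlan3 on that parent NIC (Interfaces > Assign > VLANs).
interface FastEthernet0/1
 description trunk to pfSense LAN
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1-3,99
!
! Ports 2-4: one untagged (access) VLAN each for the APs. Access mode means
! the switch ignores any 802.1Q tags an AP might send, so an AP cannot
! reach a VLAN it was not assigned to; inter-VLAN access is then decided
! only by the pfSense ruleset, as jahonix notes.
interface FastEthernet0/2
 description AP1 - VLAN1 untagged
 switchport mode access
 switchport access vlan 1
interface FastEthernet0/3
 description AP2 - VLAN2 untagged
 switchport mode access
 switchport access vlan 2
interface FastEthernet0/4
 description AP3 - VLAN3 untagged
 switchport mode access
 switchport access vlan 3
```

After applying it, `show interfaces trunk` and `show vlan` on the switch should list Fa0/1 carrying VLANs 1-3 with native VLAN 99, and Fa0/2-Fa0/4 as access ports in VLANs 1, 2 and 3.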
                      droobie

                      Hm that's interesting.  I think I'd have to change that a little because all of these networks have to be accessible to each other (for instance AP1 needs access to all 3 networks, as does AP2), but I think you've given me some food for thought and I think I can make it work.

                      I appreciate the help, thanks. :)

                        jahonix

                        @droobie:

                        I think I'd have to change that a little because all of these networks have to be accessible to each other

                        That can be handled by the ruleset within pfSense then. But you can control every portion of it if you go the VLAN way.
                        On the other hand, quad NICs are quite cheap on eBay… (http://cgi.ebay.de/ws/eBayISAPI.dll?ViewItem&item=270122654207)

                          droobie

                          Cool, I'll have to give it a go. Thanks to both of you for your help. :)

                            stoneguy

                            I have used IP alias with no prob at all. I have an embedded device with 6 NICs (actually a 1GHz Celeron machine with a 40G disk and 512 MB RAM with no VGA or keyboard, just a COM port). I try to use as few interfaces as possible.

                            I have 3 VLANs into the WAN port, and some IPs there. This is tagged through a layer 2 connection to our MPOI.
                            I also use BGP at WAN (and have manually installed quagga) (just started testing out the new BGP package. NICE! :P

                            The LAN port is connected to the same switch as the WAN port, and is VLANed out with 6 VLANs: Office, Customer1-4, and management. The office segment has a 192.168 range, the customer net a 10.30 range for DHCP and an official X.X.X.X net (blocking internet until either

                            1: a VPN connection with a static username is established
                            2: the user logs in to the hotspot with PayPal, Visa etc.
                            3: a device with a static official IP is connecting.

                            and a 172 range for management.

                            The management VLAN is to the backhaul wireless net, and is for management. All devices between pfSense and the CPE are bridged in some way (but have some VLANs to get rid of some broadcast).

                            The 3rd NIC in use is an internal VLAN for management stats (SNMP -> MRTG, OpenNMS etc).

                            There are no problems at all with this configuration.

                            Why use the Cisco?  Can't you just put the pfSense as the only device?

                              droobie

                              @stoneguy:

                              Why use the Cisco?  Can't you just put the pfSense as the only device?

                              It has my 2 T1 cards in it… I have no choice in that matter... :)

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.