Routing Issue (moving from DD-WRT)

droobie

I currently have the following config.

1> Router as 10.0.0.10, it's a Cisco 1841 with a bonded T1 link attached to it and it splits the public Class C into 2 /25's, one of which goes into the DD-WRT appliance.
2> DD-WRT WAN Side 10.0.0.3, DD-WRT LAN side a public IP address.
3> 10.1.3.0/24 routing through the DD-WRT appliance to access stuff behind the DD-WRT appliance on that subnet.
4> Same thing as #3 for 10.0.3.0/24.
5> 10.1.3.1 and 10.0.3.1 are the gateway for these #3 and #4 devices behind the DD-WRT appliance.  They're bound to the br0 bridge interface for the LAN side.

I tried making a Proxy ARP LAN Virtual IP of 10.1.3.1/24  and then a LAN static route 10.1.3.0/24 via 10.0.0.10.  This doesn't seem to work.

Is there any way I can do this?  I'm aware that there is no IP Alias support for the NICs in PFSense (which is a real bummer) and would probably stop me from doing #5 and might kill this dead in the water.

QoS doesn't work properly on DD-WRT, but this setup works otherwise.. I'm a bit torn… :)

Thanks in advance.

cmb

Your description is hard for me to follow. Can you post a network diagram?

droobie

Hope this is big enough, looks small on my screen but my res is out of control.  Basically I'd want to replace the DD-WRT device so I could put in a PFSense one to do better QoS, VPNing, etc.

The CPE works a lot like cable modems do, where the device has an IP for maint and the customer sees a public IP on their side.

The LAN side of the DD-WRT box is bridged, so we can just assign the 10.x.x.1 to the bridge in the startup script.

It all works as it is, but I'd love to use PFSense instead for a lot of reasons.  I think this problem probably has come up before, but I'm not sure the easy way out.  If PFSense supported IP Aliases on the interface, that'd probably fix it, but there's 'gotta be a better way'.

Thanks for your help in advance.

cmb

Ok, this makes more sense now.

I think the easiest thing is to probably put three physical interfaces where the DD-WRT's LAN interface goes. Put one subnet on each interface, even though it's the same broadcast domain so it's pointless to do so, because that's by far the easiest way to do this, and possibly the only way without some serious hacking.

That'll cause some ARP spam in your logs, you can silence that on the Advanced page.

droobie

I wish I could do that. :)  the machine I'm using is limited to the 2 interfaces I have unless I wanted to get a Quad NIC or something esoteric like that.  I could just throw IP Aliases against the LAN NIC (basically how it's set up in DD-WRT), but I saw that IP Aliases are generally frowned upon here (to the point of being unsupported).

The public IP range is basically relayed through the 10 network too (a bridged type situation, not a routed one), so basically it ends up being.

PC LAN SIDE <–->  10.1.3.1/24 <----> 10.1.3.29/24 (for instance) Modem <--->  65.x.x.159 (Customer PC)

I think 3 NICs would probably break this, since the 65.x.x.128/25 would be on its own interface instead of coming through with the 10.1.3.0/24 traffic?

Thanks for your help.

mrsense

@droobie:

I wish I could do that. :)  the machine I'm using is limited to the 2 interfaces I have unless I wanted to get a Quad NIC or something esoteric like that.  I could just throw IP Aliases against the LAN NIC (basically how it's set up in DD-WRT), but I saw that IP Aliases are generally frowned upon here (to the point of being unsupported).
{…}

Just an idea: how about configuring one of the ports as VLAN trunk and hook it up to managed 8 port switch?  I've done it with m0n0wall when I needed more ports and I don't see why it would not work with pfsense.

droobie

I do have a Cisco C2924XL-EN that's going to be going in at that location.

I'd have to make the port attached to the LAN side of the PFSense machine be 3 VLANs (Multi-VLAN mode) and then the ports for my radio base stations (that need access to all 3 networks) as members of those 3 VLANs as well?

I haven't done much work with VLANs unfortunately, so I apologize in advance.

mrsense

@droobie:

I do have a Cisco C2924XL-EN that's going to be going in at that location.

I'd have to make the port attached to the LAN side of the PFSense machine be 3 VLANs (Multi-VLAN mode) and then the ports for my radio base stations (that need access to all 3 networks) as members of those 3 VLANs as well?

I haven't done much work with VLANs unfortunately, so I apologize in advance.

Configure port 1 (for example) on Cisco switch as trunk, tagged VLAN1, VLAN2 and VLAN3.  Plug in pfsense , configured for VLAN1, VLAN2 and VLAN3, to port 1.  Assign port 2 to VLAN1 untagged, port 3 to VLAN2 untagged, port 4 to VLAN3 untagged.  Connect your APs to ports 2-4.  AP should not be configured for specific VLAN since ports are untagged.

droobie

Hm that's interesting.  I think I'd have to change that a little because all of these networks have to be accessible to each other (for instance AP1 needs access to all 3 networks, as does AP2), but I think you've given me some food for thought and I think I can make it work.

I appreciate the help, thanks. :)

jahonix

@droobie:

I think I'd have to change that a little because all of these networks have to be accessible to each other

That can be handled by the ruleset within pfSense then. But you can control every portion of it if you go the VLAN way.
On the other hand, quad NICs are quite cheap on eBay… (http://cgi.ebay.de/ws/eBayISAPI.dll?ViewItem&item=270122654207)

droobie

Cool, I'll have to give it a go, thanks for both of your help. :)

stoneguy

I have used IP alias with no prob at all. I have a embedda device, with 6 nic (actualy a 1GHZ celeron machine with a 40G disk and 512 MB ram with no VGA or keyboard, just a com port) I try to use as less interfaces as possible.

I have 3 vlan in to the WAN port, and some IP's there. This is tagged trough a layer 2 connection to our MPOI.
I also use BGP at WAN (and have manualy installed quagga) (just started testing out the new BGP package. NICE! :P

The Lan port is connected to the same switch as the WAN port, and is vlaned out with 6 vlan's, Office, Customer1-4, and managment. The office segment is having an 192.168 range, the customer net a 10.30 range for DHCP and a offical X.X.X.X net, (blocking internet until ether

1: a VPN connection with a static username is established
2: The user login to the hotspot with Paypal, visa etc
3: A device with a static offical IP is connecting.

and a 172 range for managment.

The managment vlan is to the backhoul wireless net, and is for managment. All devices between Pfsense and CPE is bridged in some way (but has some vlan to get rid of some broadcast)

the 3. nic in use is an internal vlan for managment stats (SNMP ->mrtg, openNMS etc)

There is no problems at all with this configuration.

Why use the cisco?  cant u just put the Pf sense as the only device?

droobie

@stoneguy:

Why use the cisco?  cant u just put the Pf sense as the only device?

It has my 2 T1 cards in it… I have no choice in that matter... :)