[SOLVED] Setting up Tomato Wifi Router behind PFSense
-
Hi Everyone!
I can't seem to get my wireless router to cooperate and I'd be forever grateful for some help. Here's the setup I'm trying to accomplish:
Gateway –-> PFSense box ----> Wifi-Router
I have referenced these two places, but neither has helped me through to the finish:
(Main PFSense help doc for this)
(Post by someone from 2008 who was trying to do the same thing)Unfortunatley the second post petered out due to the original poster's misunderstanding of subnets.
My Tomato Wifi-Router Setup:
WAN: Disabled
LAN
IP: 192.168.0.2
Gateway: 192.168.0.1 (pfsense address)
DNS: 192.168.0.1 (pfsense address)
Subnet: 255.255.255.0
Disabled DCHP.As far as I know things should be working from these settings, so I'm pretty sure the error is coming from my PFSense config.
I have the Wifi-Router plugged into my OPT1 port, which I"m pretty sure is the problem. What settings do I need to supply in my OPT1 interface to successfully get things running?
Current OPT1 interface settings:
(Interface Enabled)
IPv4 configuration type: DHCP
IPv6 configuration type: noneThe rest of the fields are empty except for the hostname that is currently "testwifi"
I have also gone into the firewall rules for OPT1 and added a rule to let all IPv4 traffic pass.
It would probably be best if I could just bridge my OPT1 port to the LAN port that is currently configured, but barring that what do I need to do to adjust my OPT1 settings? I can't just copy/paste my current LAN port settings can I? (I assume that copy/pasting would cause a conflict when both LAN and OPT1 try and use 192.168.0.1 as their static IPv4.)
Thanks for taking a look! :)
-
Why the OPT1?
Can we get more information about your network topology?
I am assuming you need to bridge LAN and OPT1 or make them completely serparate networks.I have a very similar setup and my pfSense config has only WAN and LAN. WAN is my ADSL modem and LAN is my RT-N66U in AP mode.
-
It would probably be best if I could just bridge my OPT1 port to the LAN port that is currently configured
No, no, no.
Just put the Tomato on your LAN.
A couple scenarios:
https://forum.pfsense.org/index.php?topic=81014.msg442131#msg442131
https://forum.pfsense.org/index.php?topic=88942.msg491727#msg491727
-
Thanks for the replies Nullity and Derelict,
Yes Nullity, as you suspected I didn't give my full topography, my apologies. I already have an ASUS router plugged into the PFsense LAN port which is providing connectivity to our main un-managed switch (this is why I was asking about bridging, Derelict).
Because I already have one router using the LAN port, I was hoping to plug in the wireless router into OPT1 and set up a separate network.
Now as far as the VLAN post you linked Derelict, would that information be what I need to do in my OPT1 settings?
-
You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge.
Just plug the new AP into the unmanaged switch. I am at a loss why you think you need the Asus on LAN.
-
You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge. You don't need a bridge.
And for a good measure:
You don't need any freaking bridge!!!
-
Haha, thanks for the laugh guys, I needed that after having to come in on Saturday. :D
I didn't mean to imply in my last post I was still thinking about the bridge, though I'm glad it happened now none the less.
To address the bafflement about the ASUS router, I've disconnected it and the switch is running directly into the LAN port. Works fine.
Part of my logic for wanting to go into the OPT1 port was the possibility of having the wifi on a different ip strcture/ subnet, such as 10.0.0.x instead of the 192.168.0.x.
Example of the topography I was thinking of:
gateway –-> pfsense --> main wifi router (10.0.0.x) ---> 4 or 5 wifi routers getting their dhcp from main wifi-router all on the 10.0.0.x.
|
----> main switch on LAN port (192.168.0.x)Am I over-thinking this here? The part that I've expressed poorly is the hope of being able to separate the wi-fi onto a different subnet in the future. The idea behind it is "a separate subnet/ ip structure would be more secure." Am I missing the mark on security by wanting to separate the ethernet and wifi networks?
-
The few things I have read on the topic mirror your thoughts; separating WiFi from LAN is a smart decision if you are concerned with security.
I have no personal experience with multiple LANs though… sorry.
-
There is nothing wrong with segmenting your Wi-Fi. Depends on what you want to do.
Things like windows networking, apple zeroconf/bonjour, autodiscovery, etc, are just a lot easier to use on one broadcast domain. Set a good WPA2 passphrase, limit to AES only, put it on your LAN and rock on.
main wifi router (10.0.0.x) –-> 4 or 5 wifi routers getting their dhcp from main wifi-router all on the 10.0.0.x.
I would let pfSense do DHCP, but whatever. And I'm pretty sure you mean wi-fi bridges/APs, not routers.
To do this I would seriously consider getting a managed switch so you can put wired ports together with a wireless network on a specific VLAN without having to…wait for it...make a pfSense bridge. You could put a completely different SSID on a segmented VLAN with no access to the other VLAN. Pretty sure Tomato supports that. See that second link I posted above. D-Link DGS-1100 will do everything you need for cheap.
-
Hrm, I think part of the big concern is how we use our network.
We're a school, and were hoping to have a wireless network separated from our ethernet just for parent, phone, and tablet use. We already have this set up, it's just currently running through a separate router and not through PFsense at the moment.
I was hoping to merge it all into one, while still keeping the wifi from having access to the same network that our shared drives are on. Is that at all possible?
-
Isn't there just bushels and bushels of "free" federal just-printed-out-of-thin-air money for wi-fi in schools?
-
Probably, but we'ere a small mom and pop private school…so those funds aren't available to us.
No worries if what I was hoping for isn't a feasible model, worst case scenario would be that we have to save up for another PFsense box for the wifi if we really want the extra security.
-
We're a school, and were hoping to have a wireless network separated from our ethernet just for parent, phone, and tablet use. We already have this set up, it's just currently running through a separate router and not through PFsense at the moment.
I was hoping to merge it all into one, while still keeping the wifi from having access to the same network that our shared drives are on. Is that at all possible?Sure it's possible. Stick all those APs on a separate OPT interface via some switch. Choose a subnet big enough to accommodate the clients. Configure DHCP there. Do not run any DHCP on any of those WiFi APs. Configure the firewall rules on OPT as required (e.g., do not allow access from OPT to LAN). Done.
-
Great, glad to hear that it's possible!
I'm not 100% sure, but I think what you're describing is what I tried to do in the beginning with configuring the OPT1 port, right?
I wasn't able to configure my OPT port to successfully give my wireless router an IP (I think that was the problem at least). Here are the settings I tried (from above)
Current OPT1 interface settings:
(Interface Enabled)
IPv4 configuration type: DHCP
IPv6 configuration type: noneThe rest of the fields are empty except for the hostname that is currently "testwifi"
I have also gone into the firewall rules for OPT1 and added a rule to let all IPv4 traffic pass.
Once working, I'll definitely let the OPT do all the DHCP, and all wifi routers will just connect through a switch. Any ideas on why the OPT port wasn't allowing my test router to get through?
Again, thanks for the help on this…any and all recommendations are much appreciated. :)
Edit
Sorry, I didn't see your edit recommending the managed switch above, Derelict. I must have started typing a new message while you were editing and I didn't scan the previous post. I'll definitely consider getting a managed switch for the future, but for the time-being I'm really trying to squeeze all I can of what we already have.
-
Of course, where should it be getting DHCP from? Configure a separate subnet there with static IPv4. You also need to create firewall rules on OPT to permit traffic.
-
Ok, I think I'm probably suffering from a mild case of severe brain damage at this point, but I drew a blank when you asked "Where should it be getting DHCP from?"
Here is the process I'm conceptualizing at the moment:
OPT1 port (configured to serve dhcp to the wifi AP on the switch) –---> wifi switch ---> wifi AP
So I'd set the main OPT1 port config to something like this:
IPv4 configuration type: Static
Ipv4 address: 10.0.0.1Enable firewall rules to permit all traffic through OPT1
…But doing it this way, where would the option to provide DHCP from the static IPv4 be coming from?
-
So I'd set the main OPT1 port config to something like this:
IPv4 configuration type: Static
Ipv4 address: 10.0.0.1…But doing it this way, where would the option to provide DHCP from the static IPv4 be coming from?
Hmmm? You simply configure a DHCP server on the OPT interface, like you did on LAN. Services - DHCP Server - OPT1 tab.
Enable firewall rules to permit all traffic through OPT1
Thought you wanted this separated from wired. So, the destination for that allow rule should not really be any, but NOT LAN subnet instead.
-
Ok awesome, thanks for the help doktornotor! I'm still learning the fine-tuning of configuring rules correctly, so I imagine that destination: "not lan subnet" is something I'd probably miss on the first flush.
I'll be going in again tomorrow to finish up some testing and will post here to let you know if the new setup works. :)
-
Hi guys, well round two and I still don't have this thing up and running…
As a quick recap so that lots of thread scrolling isn't needed:
I'm trying to set up a seperate WIFI network on my OPT1 interface. The light on the back of the PFsense box for the OPT1 port is green instead of orange (the working WAN and LAN ports are both orange). In the Status---> Interfaces page the OPT1 section reads: "no carrier" at the top.
Current OPT1 setup:
Interfaces –-> OPT1
-'Enabled'
-Static IPv4
-IPv4 Address: 10.0.0.x
-(all other entries are blank)Firewall –--> NAT: Outbound
-Automatic outbound NAT rule generationFirewall –-> Rules: OPT1
-(Image of full OPT1 Firewall settings attached) Basically allow all except to LAN network.Services –-> DHCP Server
-'Enabled for OPT1'
-Range is set to 10.0.0.20 - 10.0.0.100
-Everything else is blankRight now, I have the OPT1 port running to a switch with a Wireless AP on it, set up like this:
OPT1 –--> Unmanaged Switch ---> Wireless AP
Wireless AP settings:
WAN:off
LAN:
IP: 10.0.0.2
Gateway: 10.0.0.1 (OPT1 address)
DNS: 10.0.0.1 (OPT1 address)
Subnet: 255.255.255.0
Disabled DHCP.Could this be a hardware problem, or am I missing an important step somewhere?
Thanks again for helping me get this set-up…although the wifi is still not working, I'm getting much more comfortable using the PFSense interface during the troubleshooting. :)
-
Config looks good.
[Interfaces: assign] is OK for OPT1 on NIC ? (no bridge stuff etc.)
Static entry for AP in [Services: DHCP server] ?
AP must be explicitly set to AP-mode ?
Rebooting both boxes did not help?
