[SOLVED] Setting up Tomato Wifi Router behind PFSense

RickJ

Hi Everyone!

I can't seem to get my wireless router to cooperate and I'd be forever grateful for some help. Here's the setup I'm trying to accomplish:

Gateway –-> PFSense box ----> Wifi-Router

I have referenced these two places, but neither has helped me through to the finish:

(Main PFSense help doc for this)
(Post by someone from 2008 who was trying to do the same thing)

Unfortunatley the second post petered out due to the original poster's misunderstanding of subnets.

My Tomato Wifi-Router Setup:

WAN: Disabled

LAN
IP: 192.168.0.2
Gateway: 192.168.0.1 (pfsense address)
DNS: 192.168.0.1 (pfsense address)
Subnet: 255.255.255.0
Disabled DCHP.

As far as I know things should be working from these settings, so I'm pretty sure the error is coming from my PFSense config.

I have the Wifi-Router plugged into my OPT1 port, which I"m pretty sure is the problem. What settings do I need to supply in my OPT1 interface to successfully get things running?

Current OPT1 interface settings:

(Interface Enabled)
IPv4 configuration type: DHCP
IPv6 configuration type: none

The rest of the fields are empty except for the hostname that is currently "testwifi"

I have also gone into the firewall rules for OPT1 and added a rule to let all IPv4 traffic pass.

It would probably be best if I could just bridge my OPT1 port to the LAN port that is currently configured, but barring that what do I need to do to adjust my OPT1 settings? I can't just copy/paste my current LAN port settings can I? (I assume that copy/pasting would cause a conflict when both LAN and OPT1 try and use 192.168.0.1 as their static IPv4.)

Thanks for taking a look!  :)

Nullity

Why the OPT1?
Can we get more information about your network topology?
I am assuming you need to bridge LAN and OPT1 or make them completely serparate networks.

I have a very similar setup and my pfSense config has only WAN and LAN. WAN is my ADSL modem and LAN is my RT-N66U in AP mode.

Derelict

It would probably be best if I could just bridge my OPT1 port to the LAN port that is currently configured

No, no, no.

Just put the Tomato on your LAN.

A couple scenarios:

https://forum.pfsense.org/index.php?topic=81014.msg442131#msg442131

https://forum.pfsense.org/index.php?topic=88942.msg491727#msg491727

RickJ

Thanks for the replies Nullity and Derelict,

Yes Nullity, as you suspected I didn't give my full topography, my apologies. I already have an ASUS router plugged into the PFsense LAN port which is providing connectivity to our main un-managed switch (this is why I was asking about bridging, Derelict).

Because I already have one router using the LAN port, I was hoping to plug in the wireless router into OPT1 and set up a separate network.

Now as far as the VLAN post you linked Derelict, would that information be what I need to do in my OPT1 settings?

Derelict

You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.

Just plug the new AP into the unmanaged switch.  I am at a loss why you think you need the Asus on LAN.

doktornotor

@Derelict:

You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.

And for a good measure:

You don't need any freaking bridge!!!

RickJ

Haha, thanks for the laugh guys, I needed that after having to come in on Saturday.  :D

I didn't mean to imply in my last post I was still thinking about the bridge, though I'm glad it happened now none the less.

To address the bafflement about the ASUS router, I've disconnected it and the switch is running directly into the LAN port. Works fine.

Part of my logic for wanting to go into the OPT1 port was the possibility of having the wifi on a different ip strcture/ subnet, such as 10.0.0.x instead of the 192.168.0.x.

Example of the topography I was thinking of:

gateway –-> pfsense --> main wifi router (10.0.0.x) ---> 4 or 5 wifi routers getting their dhcp from main wifi-router all on the 10.0.0.x.
                          |
                          ----> main switch on LAN port (192.168.0.x)

Am I over-thinking this here?  The part that I've expressed poorly is the hope of being able to separate the wi-fi onto a different subnet in the future. The idea behind it is "a separate subnet/ ip structure would be more secure." Am I missing the mark on security by wanting to separate the ethernet and wifi networks?

Nullity

The few things I have read on the topic mirror your thoughts; separating WiFi from LAN is a smart decision if you are concerned with security.

I have no personal experience with multiple LANs though… sorry.

Derelict

There is nothing wrong with segmenting your Wi-Fi.  Depends on what you want to do.

Things like windows networking, apple zeroconf/bonjour, autodiscovery, etc, are just a lot easier to use on one broadcast domain.  Set a good WPA2 passphrase, limit to AES only, put it on your LAN and rock on.

main wifi router (10.0.0.x) –-> 4 or 5 wifi routers getting their dhcp from main wifi-router all on the 10.0.0.x.

I would let pfSense do DHCP, but whatever.  And I'm pretty sure you mean wi-fi bridges/APs, not routers.

To do this I would seriously consider getting a managed switch so you can put wired ports together with a wireless network on a specific VLAN without having to…wait for it...make a pfSense bridge.  You could put a completely different SSID on a segmented VLAN with no access to the other VLAN.  Pretty sure Tomato supports that.  See that second link I posted above.  D-Link DGS-1100 will do everything you need for cheap.

RickJ

Hrm, I think part of the big concern is how we use our network.

We're a school, and were hoping to have a wireless network separated from our ethernet just for parent, phone, and tablet use. We already have this set up, it's just currently running through a separate router and not through PFsense at the moment.

I was hoping to merge it all into one, while still keeping the wifi from having access to the same network that our shared drives are on. Is that at all possible?

Derelict

Isn't there just bushels and bushels of "free" federal just-printed-out-of-thin-air money for wi-fi in schools?

RickJ

Probably, but we'ere a small mom and pop private school…so those funds aren't available to us.

No worries if what I was hoping for isn't a feasible model, worst case scenario would be that we have to save up for another PFsense box for the wifi if we really want the extra security.

doktornotor

@RickJ:

We're a school, and were hoping to have a wireless network separated from our ethernet just for parent, phone, and tablet use. We already have this set up, it's just currently running through a separate router and not through PFsense at the moment.
I was hoping to merge it all into one, while still keeping the wifi from having access to the same network that our shared drives are on. Is that at all possible?

Sure it's possible. Stick all those APs on a separate OPT interface via some switch. Choose a subnet big enough to accommodate the clients. Configure DHCP there. Do not run any DHCP on any of those WiFi APs. Configure the firewall rules on OPT as required (e.g., do not allow access from OPT to LAN). Done.

RickJ

Great, glad to hear that it's possible!

I'm not 100% sure, but I think what you're describing is what I tried to do in the beginning with configuring the OPT1 port, right?

I wasn't able to configure my OPT port to successfully give my wireless router an IP (I think that was the problem at least). Here are the settings I tried (from above)

Current OPT1 interface settings:

(Interface Enabled)
IPv4 configuration type: DHCP
IPv6 configuration type: none

The rest of the fields are empty except for the hostname that is currently "testwifi"

I have also gone into the firewall rules for OPT1 and added a rule to let all IPv4 traffic pass.

Once working, I'll definitely let the OPT do all the DHCP, and all wifi routers will just connect through a switch. Any ideas on why the OPT port wasn't allowing my test router to get through?

Again, thanks for the help on this…any and all recommendations are much appreciated.  :)

Edit

Sorry, I didn't see your edit recommending the managed switch above, Derelict. I must have started typing a new message while you were editing and I didn't scan the previous post. I'll definitely consider getting a managed switch for the future, but for the time-being I'm really trying to squeeze all I can of what we already have.

doktornotor

Of course, where should it be getting DHCP from? Configure a separate subnet there with static IPv4. You also need to create firewall rules on OPT to permit traffic.

RickJ

Ok, I think I'm probably suffering from a mild case of severe brain damage at this point, but I drew a blank when you asked "Where should it be getting DHCP from?"

Here is the process I'm conceptualizing at the moment:

OPT1 port (configured to serve dhcp to the wifi AP on the switch) –---> wifi switch ---> wifi AP

So I'd set the main OPT1 port config to something like this:

IPv4 configuration type: Static
Ipv4 address: 10.0.0.1

Enable firewall rules to permit all traffic through OPT1

…But doing it this way, where would the option to provide DHCP from the static IPv4 be coming from?

doktornotor

@RickJ:

So I'd set the main OPT1 port config to something like this:
IPv4 configuration type: Static
Ipv4 address: 10.0.0.1

…But doing it this way, where would the option to provide DHCP from the static IPv4 be coming from?

Hmmm? You simply configure a DHCP server on the OPT interface, like you did on LAN. Services - DHCP Server - OPT1 tab.

@RickJ:

Enable firewall rules to permit all traffic through OPT1

Thought you wanted this separated from wired. So, the destination for that allow rule should not really be any, but NOT LAN subnet instead.

RickJ

Ok awesome, thanks for the help doktornotor! I'm still learning the fine-tuning of configuring rules correctly, so I imagine that destination: "not lan subnet" is something I'd probably miss on the first flush.

I'll be going in again tomorrow to finish up some testing and will post here to let you know if the new setup works.  :)

RickJ

Hi guys, well round two and I still don't have this thing up and running…

As a quick recap so that lots of thread scrolling isn't needed:

I'm trying to set up a seperate WIFI network on my OPT1 interface. The light on the back of the PFsense box for the OPT1 port is green instead of orange (the working WAN and LAN ports are both orange). In the Status---> Interfaces page the OPT1 section reads: "no carrier" at the top.

Current OPT1 setup:

Interfaces –-> OPT1
-'Enabled'
-Static IPv4
-IPv4 Address: 10.0.0.x
-(all other entries are blank)

Firewall –--> NAT: Outbound
-Automatic outbound NAT rule generation

Firewall –-> Rules: OPT1
-(Image of full OPT1 Firewall settings attached) Basically allow all except to LAN network.

Services –-> DHCP Server
-'Enabled for OPT1'
-Range is set to 10.0.0.20 - 10.0.0.100
-Everything else is blank

Right now, I have the OPT1 port running to a switch with a Wireless AP on it, set up like this:

OPT1 –--> Unmanaged Switch ---> Wireless AP

Wireless AP settings:

WAN:off
LAN:
IP: 10.0.0.2
Gateway: 10.0.0.1 (OPT1 address)
DNS: 10.0.0.1 (OPT1 address)
Subnet: 255.255.255.0
Disabled DHCP.

Could this be a hardware problem, or am I missing an important step somewhere?

Thanks again for helping me get this set-up…although the wifi is still not working, I'm getting much more comfortable using the PFSense interface during the troubleshooting.  :)

hda

Config looks good.

[Interfaces: assign] is OK for OPT1 on NIC ? (no bridge stuff etc.)
Static entry for AP in [Services: DHCP server] ?
AP must be explicitly set to AP-mode ?
Rebooting both boxes did not help?

RickJ

Hi hda,

-Hrm…I have no recollection of the interfaces: assign section, that might be the step I'm missing. NO bridges at the moment though...or ever...no bridges...(see above posts)

-Didn't add a static entry for the AP, I'll try that out for sure.

-Not sure about AP Mode...using Tomato on a linksys e2500, and haven't seen any special customization recommendations aside from the standard setup I posted above...

-Rebooting doesn't solve it atm, hopefully the fix is one of the above.

Thanks for the suggestions, anything new to try is welcome since I'm totally stumped. I've left the office for today, so I'll have another go tomorrow morning and post an update then!

Derelict

No.  You want to REJECT traffic from OPT1 net to LAN net, then PASS traffic from OPT1 net to any.

In general for a protected, public segment:

PASS the specific local traffic you need them to access (DNS servers, etc)
REJECT the specific traffic you don't want (to other local networks, to the firewall itself)
PASS everything else (the internet)


Derelict

Thanks again for helping me get this set-up…although the wifi is still not working

You're plugging one of tomato's LAN ports into the switch right?  Not messing around with any VLANs right?

define "not working"

Do you not get associated over wi-fi with the tomato?
Do you not get DHCP?
Can you ping 10.0.0.1 by IP?
Can you ping outside (like 8.8.8.8 or your ISP's gateway) by IP?
Can you resolve names?

The above are in the general order that things have to be working.  If you can't do one, you need to fix that before moving on.

Can you ping 10.0.0.2 from pfSense Diagnostics > Ping?
Anything in the Status > System Logs, DHCP to indicate leases being allowed or rejected or ??

RickJ

Ok thanks Derelict, I've attached an updated Firewall Rules pic, I think it's updated to correctly pass traffic as you described so let me know if it's still incorrect.

As to the WiFi setup itself:

-Yes, tomato is plugged in from a LAN port into switch
-The tomato wifi signal is getting sent out
-Do not get DHCP from wifi signal (no IP being assigned to client machine)
-Cannot ping 10.0.0.1 from client machine, get these results: at first, "no route to host," followed by "host is down"
-Cannot ping outside from the client machine
-Cannot resolve names

Results from Diagnostics > Ping:

PING 10.0.0.2 (10.0.0.2): 56 data bytes

–- 10.0.0.2 ping statistics ---
10 packets transmitted, 0 packets received, 100.0% packet loss

Results pertaining to 10.0.0.x from System Logs, DHCP:

Mar 9 13:12:01 dhcpd: Listening on BPF/re1/00:30:18:a6:dd:24/10.0.0.0/24
Mar 9 13:12:01 dhcpd: Sending on BPF/re1/00:30:18:a6:dd:24/10.0.0.0/24

I added a static IP to the tomato AP under DHCP Server just in case, but hasn't seemed to fix anything. Still getting that OPT1 is down on the interfaces panel. From the looks of it there must be SOMETHING missing from the OPT1 port config…I can't think of any other reason the port is still not registering a carrier in Status > Interfaces.

Could this be a hardware issue? The box I put together has 1 Intel i211AT Gigabit LAN and 4 Realtek RTL8111E-VL-CG Gigabit Ethernet Controllers. Our WAN is on the Intel, and our current LAN is on the first Realtek port. I should be able to add OPT1 on the second Realtek port correct (or do I need another NIC for separate wifi)?


hda

@RickJ:

…
I should be able to add OPT1 on the second Realtek port correct (or do I need another NIC for separate wifi)?
...

So your re1 NIC is set on OPT1 ?

How is Interfaces (assign) report ? [Interfaces: Assign network ports]
What choices do you have there?

RickJ

Yep, re1 NIC is set on OPT1.

Added a screenshot of current NIC assignments under Interfaces > (assign) , all NICS have a different MAC address assigned.


Derelict

@RickJ:

Ok thanks Derelict, I've attached an updated Firewall Rules pic, I think it's updated to correctly pass traffic as you described so let me know if it's still incorrect.

As to the WiFi setup itself:

-Yes, tomato is plugged in from a LAN port into switch
-The tomato wifi signal is getting sent out
-Do not get DHCP from wifi signal (no IP being assigned to client machine)

Sounds like you have a layer 2 issue.

If you assign a static address to the wireless client in the right range and you can ping pfSense, you have a DHCP issue instead.  I think you might need help with tomato more than pfSense.  Sorry.  No experience with it.

snip

I added a static IP to the tomato AP under DHCP Server just in case, but hasn't seemed to fix anything. Still getting that OPT1 is down on the interfaces panel. From the looks of it there must be SOMETHING missing from the OPT1 port config…I can't think of any other reason the port is still not registering a carrier in Status > Interfaces.

I take it back.  You have a layer 1 issue.

Could this be a hardware issue? The box I put together has 1 Intel i211AT Gigabit LAN and 4 Realtek RTL8111E-VL-CG Gigabit Ethernet Controllers. Our WAN is on the Intel, and our current LAN is on the first Realtek port. I should be able to add OPT1 on the second Realtek port correct (or do I need another NIC for separate wifi)?

As has been suggested, what is in Interfaces > (assign)??  Start with the basics.  I don't know why you're messing with the AP if you have no carrier on your ethernet interface.

So you've messed with the MAC addresses or what?  Why?

RickJ

I think I ninja'd you Derelict, added a post just before you describing interfaces >assign

I think we're on the same page, since this morning I'm thinking it's a layer 1 issue. I didn't manually change any of the MAC addresses, was just stating the obvious that they were different for each entry.

Edit

For clarity, I've added what my OPT1 entry looks like in Interfaces > OPT1 in case you can see something glaringly missing


Derelict

That looks fine.

And you have a DHCP server enabled on OPT1 handing out IPs in 10.0.0.0/24?

If you plug a laptop directly into OPT1 do you get link/DHCP?  If so, you need to figure out why you don't get link from your switch.  You should not need a crossover cable or anything like that.

RickJ

Yep, enabled OPT1 on DHCP server, handing out on 10.0.0.0 subnet (pic below for verification)

When directly plugged into OPT1 the laptop gets no DHCP, can't ping anything.


Derelict

You sure you have the right re port?  Other than that, sorry.  No idea.  Maybe the realtek driver sucks.

RickJ

Oh my goodness.

My co-worker labelled all the re ports friggin BACKWARDS! So, after all that meticulous configuration, when I plugged the wire into the correct port, everything started working instantly. I'm going to have to do something terrible to him for this…it never even occurred to me that he wold label the ports incorrectly.

That said, thank you so much for your help Derelict, I really appreciate it. Without going through all these steps the config wouldn't have been set correctly had I had the correct port plugged in at the beginning.

A million thanks, and now I'm going to celebrate, and then beat my co-worker with the PFSense manual until justice has been served.

Nullity

@RickJ:

Oh my goodness.

My co-worker labelled all the re ports friggin BACKWARDS! So, after all that meticulous configuration, when I plugged the wire into the correct port, everything started working instantly. I'm going to have to do something terrible to him for this…it never even occurred to me that he wold label the ports incorrectly.

That said, thank you so much for your help Derelict, I really appreciate it. Without going through all these steps the config wouldn't have been set correctly had I had the correct port plugged in at the beginning.

A million thanks, and now I'm going to celebrate, and then beat my co-worker with the PFSense manual until justice has been served.

Haha. Glad to see this resolved.

Hell, I occasionally get confused about my pfSense interfaces and I only have 2 of them.  ::)

Timp1

@RickJ:

Hi Everyone!

I can't seem to get my wireless router to cooperate and I'd be forever grateful for some help. Here's the setup I'm trying to accomplish:

Gateway –-> PFSense box ----> Wifi-Router

I have referenced these two places, but neither has helped me through to the finish:

(Main PFSense help doc for this)
(Post by someone from 2008 who was trying to do the same thing)

Unfortunatley the second post petered out due to the original poster's misunderstanding of subnets.

My Tomato Wifi-Router Setup:

WAN: Disabled

LAN
IP: 192.168.0.2
Gateway: 192.168.0.1 (pfsense address)
DNS: 192.168.0.1 (pfsense address)
Subnet: 255.255.255.0
Disabled DCHP.

As far as I know things should be working from these settings, so I'm pretty sure the error is coming from my PFSense config.

I have the Wifi-Router plugged into my OPT1 port, which I"m pretty sure is the problem. What settings do I need to supply in my OPT1 interface to successfully get things running?

Current OPT1 interface settings:

(Interface Enabled)
IPv4 configuration type: DHCP
IPv6 configuration type: none

The rest of the fields are empty except for the hostname that is currently "testwifi"

I have also gone into the firewall rules for OPT1 and added a rule to let all IPv4 traffic pass.

It would probably be best if I could just bridge my OPT1 port to the LAN port that is currently configured, but barring that what do I need to do to adjust my OPT1 settings? I can't just copy/paste my current LAN port settings can I? (I assume that copy/pasting would cause a conflict when both LAN and OPT1 try and use 192.168.0.1 as their static IPv4.)

Thanks for taking a look!  :)

RickJ's post almost got me to success.  I have an R7000 wireless router running Shibby Tomato v1.28 and plugged into the LAN port on my wired only PFSENSE appliance.  In addition to RickJ's advice, I realized I needed to go into Advanced/Routing.  Under the Miscellaneous tab, I had to switch the Mode from 'Gateway' to 'Router'.  Once I did that, everything magically started working. In my case, my appliance is set to 192.168.1.1, the R7000 is set to 192.168.1.11

kcallis

@Timp1:

@RickJ:

Hi Everyone!

I can't seem to get my wireless router to cooperate and I'd be forever grateful for some help. Here's the setup I'm trying to accomplish:

Gateway –-> PFSense box ----> Wifi-Router

I have referenced these two places, but neither has helped me through to the finish:

(Main PFSense help doc for this)
(Post by someone from 2008 who was trying to do the same thing)

Unfortunatley the second post petered out due to the original poster's misunderstanding of subnets.

My Tomato Wifi-Router Setup:

WAN: Disabled

LAN
IP: 192.168.0.2
Gateway: 192.168.0.1 (pfsense address)
DNS: 192.168.0.1 (pfsense address)
Subnet: 255.255.255.0
Disabled DCHP.

As far as I know things should be working from these settings, so I'm pretty sure the error is coming from my PFSense config.

I have the Wifi-Router plugged into my OPT1 port, which I"m pretty sure is the problem. What settings do I need to supply in my OPT1 interface to successfully get things running?

Current OPT1 interface settings:

(Interface Enabled)
IPv4 configuration type: DHCP
IPv6 configuration type: none

The rest of the fields are empty except for the hostname that is currently "testwifi"

I have also gone into the firewall rules for OPT1 and added a rule to let all IPv4 traffic pass.

It would probably be best if I could just bridge my OPT1 port to the LAN port that is currently configured, but barring that what do I need to do to adjust my OPT1 settings? I can't just copy/paste my current LAN port settings can I? (I assume that copy/pasting would cause a conflict when both LAN and OPT1 try and use 192.168.0.1 as their static IPv4.)

Thanks for taking a look!  :)

RickJ's post almost got me to success.  I have an R7000 wireless router running Shibby Tomato v1.28 and plugged into the LAN port on my wired only PFSENSE appliance.  In addition to RickJ's advice, I realized I needed to go into Advanced/Routing.  Under the Miscellaneous tab, I had to switch the Mode from 'Gateway' to 'Router'.  Once I did that, everything magically started working. In my case, my appliance is set to 192.168.1.1, the R7000 is set to 192.168.1.11

I am migrating from my TL-Link WA901ND to my Netgear Nighthawk R7000. The one thing that worked nicely for me on the TL-Link was the ability to seamlessly broadcast 4 SSID's, use the same VLAN Ids and then connect it to my switch which connected to my 3 port pfSense APU. After many attempts to factory reset my R7000, I have had nothing but issues. First off, after I create new bridge interfaces (br1, br2, br3), after I create the VLAN, I found that the VLAN 1 is required for br0 (the default LAN interface on the R7000. Unfortunately, I need the br0 interface to have a VLAN 05 which is in-line with the configuration on my pfSense box.

With the TL-Link WA901ND, since there is only one interface, once I create the 4 SSID's, it comes to my edge switch as a trunk with all of the VLANs that I defined passed to the switch. So where with the R7000, this has been a rocky road! Has anyone successfully change the VLAN ID for the default interface to anything besides VLAN 1?

Any pointers would be greatly appreciated!

Grimson

@kcallis:

Any pointers would be greatly appreciated!

Ask here: http://www.linksysinfo.org/index.php?forums/tomato-firmware.33/ this is not a pfSense problem.