Routing issue
-
Hello,
I am in the process of replacing a legacy cisco router on my network with a pfsense router. I have never used pfsense before, but I already greatly prefer it to cisco's offerings. That said, I am having some routing trouble and would greatly appreciate any help.
My network around this pfsense router is as follows:
- WAN X.X.X.243/29 (default gateway X.X.X.246 connects to the internet)
- LAN 192.168.1.1/24 is connected to a switch and is set aside for hosts that need a wired connection and a static IP
- OPT1 10.0.0.1/30 is connected to a cisco router/WAP (I'll get a pfsense replacement asap) that has an interface 10.0.0.2. The cisco router has the WAP inside a NAT, and the WAP uses 192.168.2.1/24 and assigns IPs with DHCP.
I'm allowing everything through the firewall. I will add rules once everything else is working.
Everything is working on the LAN – they can talk to each other, the internet, and can ping the cisco router on 10.0.0.2.
The problem occurs with all my hosts using wifi. They can get a 192.168.2.0/24 address just fine, and can ping both interfaces on the cisco router. However, I get ping timeouts for 10.0.0.1 and anything beyond that. Additionally, I get ping timeouts if pfsense or anything on LAN tries to ping 192.168.2.1, let alone anything within the WAP subnet. Other traffic besides pings also does not work in these situations. Oddly enough, the cisco router can ping anything on the WAP, the pfsense router, the LAN, and the internet.
How can I reconfigure pfsense to route hosts on WAP subnet correctly? I know it's an issue with my pfsense configuration, because everything works if I plug everything back into the legacy cisco router (I have that router's configuration, if that would help.)
I apologize if this is the wrong sub to be posting this question. Like I said, I'm new to pfsense.
-
Either get rid of the NAT on the WAP (strongly preferred), or add static routes to 192.168.2.0/24 via the WAP IP (10.0.0.2).
-
That works, thanks!
I did the static route, because I am not in a position to change the WAP config at this time. Why would disabling the NAT be preferable? If the advantages are worthwhile, I would be open to changing my network when I get the chance.
-
Well, multi-NAT is never desirable; it breaks things, plus it's a pain to maintain. Imagine you want to open something on a computer behind the WAP. You need to do the same thing in two places at least.
-
Ok, I could see how that could become a huge pain. Thanks!
-
Also imagine someone is using the wifi network for some evil torrenting; oO
On your pfsense machine your traffic graph will show the WAP IP instead of the offender's IP as the source/destination of lots of traffic (since you NAT everything on the WAP).
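Added example, not taken from any post in this thread: a small model of the two points made above. The first part reproduces the routing decision behind the accepted answer (the static route to 192.168.2.0/24 via 10.0.0.2): a longest-prefix lookup over the routing table the question describes shows that, without that route, a packet for a wifi host is sent to the default gateway on WAN, and with it the packet leaves via OPT1 toward the WAP. The second part models the visibility point in the last reply: with source NAT on the WAP, pfSense's per-source accounting attributes all wifi traffic to 10.0.0.2 rather than to the individual host. The WAN prefix is masked as X.X.X in the question, so 203.0.113.0/29 (RFC 5737 documentation space) stands in for it; the flows at the bottom are constructed sample data, and the function names are this example's own.

```python
"""Added example (not from the thread): route lookup with and without the
static route from the accepted answer, and the accounting effect of the WAP's NAT."""
from ipaddress import ip_address, ip_network

# Constructed topology from the question. The real WAN prefix is masked as
# X.X.X in the post; 203.0.113.0/29 is an RFC 5737 documentation stand-in.
WAN_NET = ip_network("203.0.113.240/29")   # pfSense WAN is .243/29
WAN_GW = ip_address("203.0.113.246")       # "X.X.X.246 connects to the internet"
LAN_NET = ip_network("192.168.1.0/24")     # pfSense LAN is 192.168.1.1/24
OPT1_NET = ip_network("10.0.0.0/30")       # pfSense OPT1 is 10.0.0.1/30
WAP_IP = ip_address("10.0.0.2")            # the cisco router/WAP side of the /30
WIFI_NET = ip_network("192.168.2.0/24")    # subnet the WAP hands out via DHCP

# A route is (destination prefix, egress interface, next hop or None if directly connected).
BASE_ROUTES = [
    (WAN_NET, "WAN", None),
    (LAN_NET, "LAN", None),
    (OPT1_NET, "OPT1", None),
    (ip_network("0.0.0.0/0"), "WAN", WAN_GW),   # default route toward the internet
]
# The fix from the accepted answer: "static routes to 192.168.2.0/24 via the WAP IP (10.0.0.2)".
STATIC_ROUTE = (WIFI_NET, "OPT1", WAP_IP)


def lookup(routes, dst):
    """Longest-prefix match: the most specific prefix that contains dst wins.
    Returns (interface, next hop as text) or None if nothing matches."""
    dst = ip_address(dst)
    best = None
    for net, iface, nexthop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    if best is None:
        return None
    _, iface, nexthop = best
    return (iface, "directly connected" if nexthop is None else str(nexthop))


def reply_path(dst, with_static_route):
    """Where pfSense sends a packet for dst, with or without the static route."""
    routes = BASE_ROUTES + ([STATIC_ROUTE] if with_static_route else [])
    return lookup(routes, dst)


def wap_nat(src, dst):
    """Source NAT on the WAP: wifi hosts leave the /30 with the WAP's own address.
    Returns the (src, dst) pair pfSense actually sees."""
    if ip_address(src) in WIFI_NET:
        return (str(WAP_IP), dst)
    return (src, dst)


def bytes_per_source_seen_by_pfsense(flows):
    """Per-source byte totals as a traffic graph on pfSense would attribute them
    when the WAP NATs everything. flows is a list of (src, dst, bytes)."""
    totals = {}
    for src, dst, nbytes in flows:
        nat_src, _ = wap_nat(src, dst)
        totals[nat_src] = totals.get(nat_src, 0) + nbytes
    return totals


if __name__ == "__main__":
    print("reply to 192.168.2.50 without static route:", reply_path("192.168.2.50", False))
    print("reply to 192.168.2.50 with static route:   ", reply_path("192.168.2.50", True))
    # Constructed sample flows: one heavy wifi host, one light wifi host, one LAN host.
    sample_flows = [
        ("192.168.2.77", "198.51.100.10", 900_000),
        ("192.168.2.12", "198.51.100.10", 1_000),
        ("192.168.1.20", "198.51.100.10", 5_000),
    ]
    print("per-source totals seen by pfSense:", bytes_per_source_seen_by_pfsense(sample_flows))
```

The lookup shows why the symptom in the question looks the way it does from pfSense's side: with no prefix more specific than the default route covering 192.168.2.0/24, anything addressed to a wifi host is handed to the WAN gateway, which has no way to reach a private subnet behind OPT1. The accounting function shows the trade-off the last reply is pointing at: once the WAP rewrites sources, pfSense can only ever attribute wifi traffic to 10.0.0.2, so identifying which wifi host is responsible has to happen on the WAP itself.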