[SOLVED] Access OpenWRT VLAN switch interface via pfSense router subnet
-
Hi there, after a lot of research and testing/trying I decided to ask some support from some network experts to help me out in a configuration which I have been struggeling aprox. 3 weeks.
OK, some additional explanation before the issue what I'm trying to resolve.
I'm planning a hotspot network which will consist of an Intel Jetway NF9D IPC running a pfsense 2.1.5 router/firewall, one ASUS RT-N16 soho router running OpenWRT barrier breaker 14.07, also two TP-LINK soho routers, an TL-WR1043ND and TL-WDR3600, these last two also run the mentioned OpenWRT firmwares. pfSense operates as a router/firewall , the ASUS RT-N16 as a VLAN switch using OpenWRT firmware, and the other 2 devices will be configured as access points.
My problem is the following, I have set up on the pfsense router a WAN network(re0 interface), a LAN network with 192.168.1.0/24 subnet(re1), and a VLAN trunk with 192.168.3.0/24(with VID3, re2), 192.168.4.0/24(with VID4, re2), 192.168.5.0/24(with VID5, re2) networks. On the ASUS router I have configured the OpenWRT firmware to operate as a VLAN switch (it has VLAN 802.1Q support), I left the first port (from the left to the right) for local management(192.168.1.0/24) so the second port from the left to the right (LAN 3 port on the back of the router) is a trunk port (internal switch port with number 2), the cpu on this port is also set to "tagged" mode to be able to access the vlan switch's configuration interface(OpenWRT interface), the third port(LAN 2-switch port 3) is for the 192.168.3.0/24 subnet, this is an untagged(or access) port, the forth is for 192.168.4.0/24 subnet. I have also created an interface on the ASUS router(VLAN switch) for the 192.168.3.0/24 subnet which has got 192.168.3.2 static IP address. On the pfsense router configuration interface I left out the 192.168.3.2 address, the dhcp pool start from 192.168.3.3 because pfSense and OpenWRT both runs their own dnsmasq services, on the ASUS router(OpenWRT VLAN switch) the dhcp is disabled too.
So if I connect a windows client device on the LAN 2 port(internal switch port number 3) this is the 192.168.3.0/24 subnet(access/untagged port on the ASUS VLAN switch) I can access the internet, I can ping the pfsense router VLAN addresses(192.168.3.1/4.1/5.1 pfsense router IP addresses) and the LAN network address (192.168.1.1/24), also I can access the GUI using these addresses(LAN and VLAN) from the OpenWRT VLAN switch(ASUS router). I have tried to ping the the VLAN switch address(192.168.3.2) from the pfsense router via shell and GUI too, it works fine.
Here is the problem finally, I wanted to access the VLAN switch address(192.168.3.2) from the pfsense router LAN subnet(192.168.1.0/24) via a windows client(connected to the LAN subnet, re1 interface), using http, https protocol (in a browser), ssh protocol via putty, but it doesn't work, neither ping request. So if you guessed something is missing and I can't figure out what, so I need help here.
Probably you may ask why I want to accomplist this configuration, well I want to locally access the VLAN switch, and the two APs management interface using the VLAN3 subnet(192.168.3.0/24) from the LAN subnet on the pfSense router(192.168.1.0/24), I want the VLAN3 to spans through the whole network.
One thing I have noticed if I'm not using VLANs, only a single subnet(e.g 192.168.10.0/24) on the pfsense router with the mentioned LAN subnet and I setup the ASUS router as a "managed switch" either with static address(e.g 192.168.10.2/24) or dhcp client mode I can access the ASUS router's OpenWRT configuration interface(Luci) from the pfsense LAN subnet(192.168.1.0/24). So something is really missing, I'm waiting for suggestions, also a bit explanation if it is possible.
I know this description was long but I want to spare you from a lot of topic entries focusing on a clear explanation as possible I can. -
I know this description was long but I want to spare you from a lot of topic entries wink by focusing on a clear explanation as possible I can.
Yeah. And now I'll go and draw the network diagram myself. Not gonna happen.
-
You don't have to, sorry, I will provide for tomorrow the network diagram, now I don't have enough time because I need to go to work. I will provide everything just help me out, OK doktornotor? :)
-
For those who don't want to click:
No time to investigate this ATM, hopefully get back to this later.
-
Just to get a couple of simple checks out of the way, have you made sure the Windows Firewall on each of the clients you're using isn't blocking traffic?
For testing purposes it's often easiest to just disable any firewalls (watch out for those added by "anti-virus" products as well) so you can see if pfSense and the VLANs are talking properly.
You can just pick two devices (192.168.1.2 and 192.168.3.2 for eg.) and leave them "bare" so you're not fighting some Windows filtering on your network.
Once things are working you can adjust the firewalls to match your setup.
-
With an ordinary LAN Switch it could going more common, as I see it right
A Netgear GS180Ev2 or Cisco SG300-10 would you bring up to organize it more clean.
Only my poor opinion.
-
Thank you Frank for the suggestion but I really want to use the Asus RT-N16 soho router as a VLAN switch, I have already got it :)
-
OK divsys I have tried what you suggested, first I have connected the two client devices and I used Parted Magic Live OS on both instead of Windows OSs, I could ping the 192.168.3.3 (destination IP) from the 192.168.1.2 (source IP), than I tried with Windows OSs, I have continuously pinged the destination IP from the source IP and I turned off the firewall and that moment I get ping replies from the destination IP. So it was a Windows Firewall issue, partially, but I can't ping the the OpenWRT VLAN switch (asus rt-n16) VLAN3 interface (192.168.3.2 IP address) from 192.168.1.2 (source IP). I assume that the OpenWRT firmware's firewall is guilty too :D, it's a linux firewall, I have also wrote on the OpenWRT forum, but nobody helped me out in linux firewall configuration.
OK then the network diagram looks like this:
![Hotspot Network Diagram_2.jpg](/public/imported_attachments/1/Hotspot Network Diagram_2.jpg)
![Hotspot Network Diagram_2.jpg_thumb](/public/imported_attachments/1/Hotspot Network Diagram_2.jpg_thumb) -
Yah, the internal firewalls from many devices can make things interesting.
As far as OpenWRT, rather than trying a ping, since other devices CAN ping try to connect to its Web GUI via your browser at 192.168.3.2.
Sometimes the routers will ignore pings, but still allow Web access, you might try SSH as well.
You're probably right, the folks on the OpenWRT forum should be able to give you better idea how to config that software for easier access.
-
I have tried to access the OpenWRT GUI and shell via http/s and ssh protocols without success, I'm not an advanced user in Unix-like OSs command line and firewall, now I posted this issue on the OpenWRT forum but I can't get replies as fast as from here.
If I accomplish this configuration I will post on both forums, I think it is a very interesting scenario that is why I want to set up :D.
-
Keep at it and definitely let us know how it's going.
Good luck :)
-
I have disabled the OpenWRT firewall from the command line and restarted the switch, this hasn't changed nothing, same issue as before, so I can't access the OpenWRT VLAN switch static IP address 192.168.3.2/24 from the 192.168.1.0/24 pfSense subnet. I don't understand anything from now on…
-
Well, back to basics….
Can you still access the OpenWRT from the same subnet ie. 192.168.3.3 -> 192.168.3.1?
Make sure you still can access the OpenWRT at all.Recheck all your subnet to subnet connections 192.168.1.2 -> 192.168.3.1 and 192.68.3.3 (disable Win firewalls as necessary)
Turn on logging in pfSense to see if you can watch the traffic.
-
Yes I get ping responses, able to access via http/s, the OpenWRT VLAN3 interface 192.168.3.2 from the VLAN3 subnet 192.168.3.0/24 without any problem(device 192.168.3.x connected on the OpenWRT VLAN switch VLAN3 untagged/access port).
I get ping responses, able to access via http/s the pfSense firewall interface 192.168.3.1 from the VLAN3 subnet, from device with 192.168.3.x IP connected on the VLAN switch, Internet works too.
With disabled Windows firewall device with 192.168.1.x IP from the pfSense LAN subnet 192.168.1.0/24 doesn't get ping replies, no http/s, no ssh connection destined for OpenWRT VLAN3 interface with 192.168.3.2 IP, very interesting.
Device on subnet to device on other subnet 192.168.1.x->192.168.3.x and vice versa works fine.
I tested with disabled Windows firewall the above mentioned things. So I really don't understand where is the issue, on the OpenWRT side or on the pfSense side.
If I would have advanced network troubleshooting knowledge I would find the solution myself, lack of knowledge sorry, tomorrow I will try the pfSense logging option and I test the network again.
-
Hi everybody, after a continously testing/trying and reading documentation finally I found a working solution for my problem which I want to share with you in case if somebody is needed.
Ok here is my particular scenario, I wanted to access the VLAN switch configuration interface via the pfSense router LAN subnet, this is showed on the below network diagram, indicated by the red line:
Prerequisites:
Hardware/OS:Intel Jetway NF9D-2550+pfSense router/firewall 2.1.5
Hardware/firmware:ASUS RT-N16 SOHO router+OpenWRT Barrier Breaker 14.07(configured as VLAN switch)First about the issue, actually were two of them, both caused by dnsmasq running on the pfSense firewall/router and OpenWRT firmware
- DHCP lease negotiation, DHCP service is a client-server negotiation, so the pfSense needs to be act as a server and the OpenWRT as a client
- for some kind of reason the subnet on the pfSense LAN interface has to be different from the OpenWRT default LAN(VLAN 1) subnet, otherwise cause issues and the vlan switch won't be accesible
Here I would like to provide a step-by-step guide how to accomplish this network configuration:
TO BE CONTINUED…
-
…LET'S START
OK, after a few months later I'm answering my question by providing a step-by-step guide for the other curious people who are interested in this network setup.
So if I should give a title for this configuration it would be "Access OpenWRT managable VLAN switch interface via pfSense router subnet a.k.a how to access an OpenWRT VLAN switch remotely from your pfsense router/firewall".
First thing first, the network diagram helps a lot, so here is:
So here is a more improved version of the diagram(updated 2015-12-29):
1)In order to be clear for everybody who is attempting to accomplish this configuration I summarize the hardware+OS/firmware specs first:
Hardware/OS: Intel Jetway NF9D-2550+pfSense router/firewall 2.1.5 installed release
Hardware/firmware: ASUS RT-N16 Gigabit SOHO router+OpenWRT 14.07(codename Barrier Breaker)
2)Second, the ideea is to creating tree VLANs(VLAN 3,4,5), the first VLAN(VLAN3) is only for remote management purpose, via this VLAN you can access the VLAN switch(OpenWRT running Asus RT-N16 soho router) GUI/CLI interface remotely from one of the pfSense router/firewall subnets. The vlan switch's VLAN3 interface doesn't have physical port access on the switch, the other two VLANs(4,5 which corresponds for the internal port 3,4==external lan port label 1,2) have ports that provide network access for client devices, so if you plug you pc/laptop etc into one of these ports on the vlan switch you will get internet access.
!Note:The internal port numbering(which is the VLAN switch interface) for the VLAN switch(Asus RT-N16 soho router) is in reverse order against the external port label(the 4 ethernet LAN ports on the back of the router), so internal port nr 1==external port label 4, internal port nr 2==external port label 3, and so on…
The VLAN id numbering starts from 3, to avoid the possible issues, VLAN1 is the default VLAN on the pfsense router/firewall, same is true for the OpenWRT running asus soho router, additionally the WAN interface of the asus router is assigned to the VLAN2 so all those ports are set to off mode.
Here are the corresponding physical interfaces for the pfSense router/firewall and the OpenWRT VLAN switch:
re0 -> pfSense WAN port
re1 -> pfSense local LAN port
re2_vlan -> pfSense VLAN trunk port
internal switch port 1 -> OpenWRT VLAN1 port
internal switch port 2 -> OpenWRT VLAN trunk port
internal switch port 3 -> OpenWRT VLAN4 port
internal switch port 4 -> OpenWRT VLAN5 portSo the pfSense router/firewall and the OpenWRT vlan switch has 4 VLANs(subnets):
VLAN1 corresponds to 192.168.1.0/29 which is the default VLAN used for local management/network and internet access on the pfsense firewall
VLAN3 -> 192.168.3.0/29 for remote access from the pfsense router to the vlan switch
VLAN4&5 -> 192.168.4.0/27&192.168.5.0/27 only for internet access
VLAN1 -> 192.168.1.8/29 default VLAN used for local management on the VLAN switch- One important thing that have to be mentioned that both the pfSense and OpenWRT running hardware are capable of 802.1Q tagging/trunking, from the pfsense side the Intel Jetway motherboard is a good choose with an Realtek AD3RTLANG Gigabit Ethernet NIC, on the switch side the ASUS RT-N16 soho router has an BCM53115 chip which supports this VLAN functionality.
Ok , here are the steps that have to followed:
pfSense router/firewall configuration steps
!Note: The configuration is completed with address resolution mechanism what means you can access your remote manageable VLAN switch via its hostname and the domain name specified in the pfSense settings, the OpenWRT hardware doesn't have hardware clock so it has to be syncronized via the pfSense NTP service, so I would like to provide here this configuration too.
Here you can see the pfsense router's hostname, the domain name which is belongs to, the VLAN switch will belongs to this too, the first DNS server is the local DNS server address which is important because queries related to the local network will be served by the dnsmasq, thus you can access you pfsense router and VLAN switch by their hostnames, here is defined the NTP server address used for time syncronization too.
Enable the local DNS server in order to be able to resolve DNS queries comming from your network destined for your local network.
The VLAN switch's static IP address will be registered in the DNS forwarder.
If the DNS queries are destined for the local network then it will be resolved locally by the first DNS server.Settings for the local LAN interface on the firewall with static IP.
Specifying the VLANIDs, in this case 3, 4, 5 and assign the physical(parent) interface for the VLANs(trunk port for the VLANs on the pfSense side)…
…do this for all the 3 VLANs.
Assign the network port(physical interface) to the virtual interfaces (RLANVID3, VLANVID3, VLANVID5, this is the trunk port which pass throught the multiple VLANs on the pfsense side).
Enable the RLANVID3 interface, edit description to RLANVID3 (by default is OPTx)…
…same for VLANVID4...
…same for VLANVID5.
Enable DHCP server on the LAN interface and define DHCP pool for the local LAN on the pfsense router…
Statically allocated IP addresses for the management client devices, here we have two, a desktop pc and a netbook.
Enable DHCP server on the RLANVID3 interface and define the DHCP range for this, using "Deny unknown clients" option which avoids to assign IP address for any other devices, from the DHCP pool leave out the statically allocated IP address for the VLAN switch(in this case is 192.168.3.2 and specify it in the "DHCP static mapping for this interface" section) .
The VLAN switch IP address is a statically allocated DHCP IP address because the switch is fixed part of the network, so every time the switch sends a DHCP request, it gets the same IP assigned to its MAC address, so the switch's hostname will be resolved to this IP address.
…enable DHCP server on the VLANVID4 interface, similar to RLANVID3 interface...
…same for VLANVID5 interface.
Allow Network Time Protocol Service on the RLANVID3(VLAN3) interface, from the VLAN3 subnet comes the NTP request (initiated by the VLAN switch's NTP client).
Here you can specify some aliases(placeholders) for a group of IPs, these are the management hosts in the local LAN subnet which can access the router's interface, also group the accessible LAN/VLAN interface IPs,(these are the accessible management GUI/CLI interface IPs) …
…and you can create aliases for the group of ports for the management host, and ports for the clients which are not able to access the management interfaces(Router_interfaces==pfsense router interfaces+OpenWRT vlan switch interface, see previous image).
Firewall rules for the local LAN interface:
1st rule - Allowing DNS queries from the local LAN subnet
2nd rule - Allowing ping request from the local LAN subnet(ICMP messages)
!Note:Here we are using these first two rules to see if the interface is alive for any type of client device(by allowing DNS, ping and implicit DHCP services)3rd rule - Allowing only for Management_hosts(specified in the alias section) to access the Router_interfaces(pfsense router interfaces+OpenWRT VLAN switch interface IPs) only via Management_ports, so if a client device is not part of the Management_hosts alias on the local LAN subnet and trying to access the Router_interfaces on the port that is different from the Management_ports alias list then…
4th rule - ...it will be rejected by the firewall
5th rule - Allowing all client devices(those what are and aren't Management_hosts) to HTTP/S access(only webpage access), the rules are evaluated on the first match basis so the previous two rules treats all of the client devices(hosts that are part and aren't part of the Management_host alias list) to gain or reject access to the Router_interfaces, so this rule allow access for all of the client devices who want to reach the internet regardless of what type of hosts they are(Management_hosts or not).
6th rule - Rejecting any other type of communication, this treats communication between client and client devices, for ex., if you hook up two pcs on the local LAN interface(with an intermediate simple switch) they can't ping each other, you can't connect from one device to another remotely etc.Firewall rules for the RLANVID3(VLAN3 subnet) interface:
1st - Allowing DNS queries from the VLAN3 subnet(important for the NTP request what is comming from the NTP client used by the VLAN switch)
2nd - Allowing NTP requests from the VLAN switch's NTP client
3rd - Rejecting any other type of communication (for ex. Management_host or other client devices to reach the GUI via 192.168.3.1 IP address destined from the 192.168.1.1 subnet)Firewall rules for the VLANVID4(VLAN4 subnet) interface:
1st - Allowing DNS queries from the VLAN4 subnet
2nd - Allowing HTTP/S access to webpages except the Router_interfaces IPs for all clients, the main difference in contrast to local LAN interface rule that here you don't want any type of client device to reach the Router_interfaces thus…
3rd - ...it will fall into this rule, it will be rejected by the firewall(not blocked thus reducing network load), plus communications between client and client devices will be rejected tooFirewall rules for the VLANVID5(VLAN5 subnet) interface:
-same rules are applicable for VLAN5 subnetOpenWRT VLAN switch configuration steps
!IMPORTANT NOTE: The VLAN switch(ASUS RT-N16) configuration has to be done in the sequence listed here, completely unplugged from the pfSense router hardware, after the network interface confugration for the local LAN(VLAN1) is done(5th image about the VLAN switch configuration, vlanswitch_11.jpg) you can plug the ethernet cable which connects the pfSense router/firewall and the VLAN switch (the trunk link between the two network devices), otherwise the VLAN switch stoppes operation and have to be reset all the setting and start the whole configuration from the scratch.
Here you can see the hostname of the VLAN switch, the time zone and here specify the NTP server address of the router/firewall, in this case it is the pfSense's router NTP server address.
Here the VLAN1 is the switch's default VLAN, all the 4 internal LAN ports are part of this VLAN, so you has to leave only one port(internal port 1==external port label 4) for the VLAN1, so you can access the router management interface from the VLAN switch's local LAN(VLAN1 represents 192.168.1.8/29 local subnet) via this port.
The ports assigned for the VLAN2 subnet is disable, don't have to use it because VLAN2 subnet is assigned for the WAN port, here the Asus router acts as a VLAN switch so don't need WAN interface, the other reason that VLANID numbering starts from 3 to avoid VLAN configuration and operation issues on the VLAN switch side.Here you specify the VLANIDs, in this case 3, 4, 5 same as on pfSense router/firewall and assign the physical(port) interface for the VLANs(internal port 2==external port label 3, will be the trunk port for the VLANs on the VLAN switch side), this port pass through the multiple VLANs on the switch side.
Internal port 3(external port label 2) is assigned to VLAN4, and internal port 4(external port label 1) to VLAN5, these VLANs(4,5) has physical port access on the VLAN switch, set to untagged mode both in terms of their corresponding VLANIDs. So if you connect a pc/laptop into internal port 3 the device will be assigned to VLAN4 and for internal port 4 for VLAN5, both are be able to access the internet.
!Note: One important thing, both the local LAN subnet(VLAN1) and the RLANVID3 subnet(VLAN3) has to use the CPU port in tagged mode, thus packets comming from locally into the VLAN1 subnet or from remotely into the RLANVID3(VLAN3) subnet reach the CPU port which is an internal port, this ensures that to display the VLAN switch's GUI/CLI in your browser, so if packets won't reach the CPU port you are not able to access the GUI/CLI interface on the VLAN switch.
Here you can see the two created virtual interfaces, RLANVID3 for VLAN3 subnet for remote access, and LAN for the local LAN, for local access.
There was a WAN interface which you can delete it optionally because it is useless such as the VLAN2 VLANID in the switch configuration section.Detailed configuration options for the local LAN interface(VLAN1 subnet):
It has static IP address(VLAN1->192.168.1.9), netmask and broadcast address.
Here the important thing is to tick the "Bring up on boot" option so when the switch is plugged in the interface will be accessible, this is the local LAN so it has a local DHCP server(that is why "Disable DHCP for this interface" box is left unticked), where the usable IP address range starts from 192.168.1.10 and the limit is 5, and their lease time is 24 minutes but you can adjust these setting if you want.
The local LAN(VLAN1 subnet) interface is unbridged from the switch's interface, the physical interface is eth0.1 where .1 represents the LAN(VLAN1) interface on the switch, which is assigned to the LAN interface, from now on the two network devices can be connected via an ethernet cable to pass VLAN traffic from pfSense router to VLAN switch and vice versa.
Here you can see the created firewall zone for the local LAN(VLAN1) interface.
Detailed configuration options for the RLANVID3 interface(VLAN3 subnet):
It acts as DHCP client sending the DHCP request along with its hostname, in this case is "vlanswitch" to the 192.168.3.1 address on the pfSense router, and the router assign the 192.168.3.2 IP address knowing that the device with the unique MAC address and hostname sended by the DHCP client has a static ARP entry in the "DHCP static mapping for this interface" section, which is correspond to this IP address.
Here the important thing is to tick the "Bring up on boot" option, "Use default gateway" and "Use DNS server advertised by peer" option, thus the pfsense router serves its gateway address and DNS server which is in the RLANVID3(VLAN3) subnet (the gateway and DNS server IP is 192.168.3.1).
The RLANVID3(VLAN3 subnet) interface is unbridged from the switch's interface, the physical interface is eth0.3 where .3 represents the VLAN3 interface, which is assigned to the RLANVID3 interface.
Here you can see the created firewall zone for the local RLANVID3(VLAN3) interface.
Here you can see the general firewall zone settings for the VLAN switch, one for the local LAN(VLAN1) and the other for the RLANVID3(remote VLAN3), this is a Linux firewall so you can control network traffic(restrict access to the VLAN switch) via the built-in chains, here the only important chain is the input chain. You want to restrict incomming access to the VLAN switch so you reject any incomming traffic and define what type of network traffic allow to pass the input chain, in other words you filter what type of traffic are able to reach the VLAN switch interface from the LAN(VLAN1) subnet and from the RLANVID3(VLAN3) subnet which is comming from the pfSense router/firewall.
Firewall rules for the local LAN(VLAN1 subnet) interface:
1st - Allowing DHCP requests from the local LAN subnet
2nd - Allowing ping request from the local LAN subnet(ICMP messages)
!Note:I'm using these first two rules to see if the interface is alive for any type of client device(here I omited the DNS, have to include the DHCP service)
3rd - Allowing client devices to access the GUI via HTTPS protocol from a specified MAC address(this is the desktop PC used for management purpose)4th - Allowing client devices to access the GUI via HTTPS protocol from a specified MAC address(this is the Netbook used for management purpose)
5th - Allowing client devices to access the CLI via virtual terminal (SSH protocol) from a specified MAC address(this is the desktop PC used for management purpose)
6th - Allowing client devices to access the CLI via virtual terminal (SSH protocol) from a specified MAC address(this is the Netbook used for management purpose)7th - Allowing incomming DHCP response from the pfense router/firewall MAC address from the RLANVID3(VLAN3) subnet
8th - Allowing incomming NTP response from the pfense router/firewall MAC address from the RLANVID3(VLAN3) subnet
9th - Allowing incomming DNS response from the pfense router/firewall MAC address from the RLANVID3(VLAN3) subnet
!Note: these tree rules ensures that the responses coming from one of the pfsense router/firewall port and only from one single port which has the corresponding MAC address.10th - Allowing ping request from the RLANVID3(VLAN3) subnet from the pfSense router/firewall
!Note: Rule number 7 and 10 is used to to see if the RLANVID3(VLAN3 )interface is alive from the pfsense router/firewall side
11th - Allowing HTTPS request from the RLANVID3(VLAN3) subnet from the pfSense router/firewall(thus the VLAN switch is accessible via the GUI)
12th - Allow virtual terminal from the RLANVID3(VLAN3) subnet from the pfSense router/firewall(thus the VLAN switch is accessible via the CLI)The VLAN switch is accessed remotely from the pfSense local LAN subnet, here you can see the results:
The physical eth0.3 interface(RLANVID3==VLAN3) settings, the important thing is the default gateway and the advertised DNS server address which appears for the interface…
…So the VLAN switch responds to ping request via DNS resolution...
…and the VLAN switch GUI is accessible via DNS resolution too, same is true for the SSH.