Posted: Fri Aug 02, 2019 21:09 Post subject: DHCP for VLAN in WAP only configuration
Hi all,
I have a Netgear R7000 with v3.0-r33675M kongac (11/03/17).
I am using the R7000 as a wireless access point connected to a pfSense router. DNS and DHCP are turned off in dd-wrt, and the Setup>Basic Setup>Network Setup points to the pfSense router for DNS and Gateway. This works perfectly for my primary SSID.
I am trying to set up a VLAN for my IoT devices. The VLAN is set up in pfSense, as well as in dd-wrt. The setup in dd-wrt is as follows:
Following the VLAN setup, I added a new SSID (wl0.1), created a bridge (br1), and then assigned vlan10 and wl0.1 to that bridge.
Finally, in the "Network Configuration br1" section, I entered the IP address and subnet for the VLAN. For now I did not enable Wireless Security on wl0.1.
When I connect to the SSID, I am able to connect, but the device does not receive an IP address or a gateway.
It seems like there should be a place to enter the gateway and DNS server for a VLAN, but I cannot seem to find how to do that. How can I get the VLAN in dd-wrt to use the pfSense box as the gateway/DNS/DHCP server?
Let me know if you need any additional information. Thanks for your help!
Joined: 08 May 2018 Posts: 14221 Location: Texas, USA
Posted: Fri Aug 02, 2019 21:33 Post subject:
http://tips.desipro.de/2013/12/06/guest-wifi-setup-dd-wrt/ <-- good starting point, but your configuration adds a few things to the mix. You do need to add a dhcp server for the vlan in the services page and enable dnsmasq and configure it to point to your dns server and gateway.
Joined: 08 May 2018 Posts: 14221 Location: Texas, USA
Posted: Fri Aug 02, 2019 22:33 Post subject:
That is usually the normal way guest wi-fi / vap is set up. But it may be something with your port setup. I am presuming that you are setting vlan10 to the WAN port. So, you have a cable going to the WAN and one of the LAN ports, I am presuming. This setup may not work as intended unless the WAN port is assigned to the switch (basically disabling vlan2, if I am thinking correctly).
That was another thing I was thinking of, forgot to link that wiki page. It's either the port setup or assigning the gateway per the wiki that you found.
Joined: 18 Mar 2014 Posts: 12887 Location: Netherlands
Posted: Sat Aug 03, 2019 7:58 Post subject:
I am not the greatest VLAN expert but you have unbridged one ethernet port and set it together with a guest wifi on br1.
I am assuming you connect your WAP with ethernet just via one of the other ports so via br0.
If you want to connect the guest wifi via vlan10 wired to your pfSense, then forget all that I have written below!
You have to use DNSMasq to assign DHCP for clients attached to br1.
So in the Setup/networking page under DHCPD (scroll down) set the DHCP server for br1.
As you have set the pfSense as Local DNS and Gateway on the setup page, that will be used, no need to set anything else (I am not 100% sure about this).
For Broadcom routers unbridged VAPs need workarounds to function. I will attach my notes with some workarounds.
Lastly, but most important, traffic coming out from your br1 has a different subnet than your local network (of course, that is why you unbridged).
This can result in traffic not being NATted out to the internet if you run a DD-WRT router, because DD-WRT only NATs traffic from its own subnet.
Depending on your pfSense box this might NAT traffic out, but otherwise you need an extra NAT rule.
The second problem is that your pfSense router does not know where to send return traffic from br1 to.
So you have not set a static route to route the subnet of br1 to the IP address of the WAP.
Now there is a trick to do all the above in one simple rule which you apply to the firewall of the DDWRT WAP:
Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
This will NAT all traffic coming from br1 to br0
See the attached document, last section "VAP on a WAP".
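To make the reply above concrete, here is an added example (not code from the thread or from DD-WRT) that builds the WAP-side pieces it describes for an unbridged br1: a check that br1 really is a separate subnet from br0, the dnsmasq lines that serve DHCP on br1 with the WAP as router and pfSense as DNS, and the SNAT rule with the `lan_ipaddr` value substituted. All addresses and the dnsmasq tag syntax are assumptions for the example.

```sh
#!/bin/sh
# Added example, not code from the thread: WAP-side pieces for an unbridged
# guest bridge br1 on a DD-WRT WAP whose LAN (br0) gateway/DNS is pfSense.
# All addresses below are constructed.
LAN_IP="192.168.1.2"       # WAP address on br0 (what `nvram get lan_ipaddr` returns)
PFSENSE_IP="192.168.1.1"   # pfSense LAN address: gateway and DNS for the LAN
BR1_IP="192.168.10.1"      # address typed into "Network Configuration br1"
BR1_MASK="255.255.255.0"
BR1_FIRST=100; BR1_LAST=149; BR1_LEASE="1440m"

# ip_to_int: dotted quad -> integer (POSIX sh only, no external tools)
ip_to_int() {
  IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
  echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# same_subnet IP1 IP2 MASK: true when both addresses share the masked prefix
same_subnet() {
  m=$(ip_to_int "$3")
  [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# check_layout: br1 only makes sense as a *different* subnet from br0; that
# is exactly why pfSense needs a route (or the WAP an SNAT rule) for it.
check_layout() {
  if same_subnet "$BR1_IP" "$LAN_IP" "$BR1_MASK"; then
    echo "br1 $BR1_IP overlaps br0 $LAN_IP: then just bridge wl0.1 to br0" >&2
    return 1
  fi
}

# dnsmasq_br1: Additional DNSMasq Options serving DHCP on br1. Option 3
# (router) must be the WAP's own br1 address, since pfSense is not on the
# br1 subnet; option 6 hands out pfSense for DNS, reached through the WAP.
dnsmasq_br1() {
  net=${BR1_IP%.*}
  printf 'interface=br1\ndhcp-range=br1,%s.%s,%s.%s,%s,%s\n' \
    "$net" "$BR1_FIRST" "$net" "$BR1_LAST" "$BR1_MASK" "$BR1_LEASE"
  printf 'dhcp-option=br1,3,%s\ndhcp-option=br1,6,%s\n' "$BR1_IP" "$PFSENSE_IP"
}

# wap_firewall_rule: the SNAT line from the reply with the value filled in, so
# br1 traffic leaves br0 as the WAP's LAN address (no static route needed on
# pfSense; the trade-off is that pfSense no longer sees individual IoT clients).
wap_firewall_rule() {
  echo "iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $LAN_IP"
}
```

Paste the output of `dnsmasq_br1` into Services > Additional DNSMasq Options and the output of `wap_firewall_rule` into Administration > Commands as the firewall script; if you prefer the static-route approach instead of SNAT, point a pfSense route for the br1 network at `LAN_IP` and omit the rule.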
My logic in not connecting vlan10 to the CPU port was that I was using the dd-wrt as a switch only, and therefore the router portion would not figure into the equation. This, of course, was faulty logic. Bottom line is this: always connect your vlans to the CPU port.