Posted: Fri Nov 08, 2019 5:54 Post subject: pfSense, main, guest and IOT VAPs - working solution
I have pfSense working as firewall and router. I use my TP-Link Archer C9v1 (running dd-wrt v3.0-r41027) as an access point connected to pfSense.
My requirements:
- main LAN network, 2.4 & 5 GHz wifi (subnet 192.168.2.x, untagged VLAN1)
- guest virtual access point (subnet 192.168.4.x, tagged VLAN 4)
- iot virtual access point (subnet 192.168.5.x, tagged VLAN5)
- my main lan devices can access guest and iot devices
- my guest and iot devices can't access my main lan devices.
- only one UTP cable connection between my pfSense and Archer C9, working as a trunk.
- remaining ports on my Archer C9 are still in the main network (192.168.2.x)
- an existing dumb switch is still under main network (192.168.2.x)
Based on my requirements, on dd-wrt, I have to:
1. set it to AP (router) mode, define the dd-wrt AP LAN IP as 192.168.2.254, define wifi keys for the 2.4 and 5 GHz bands
2. define VLAN 4 (for guest) and 5 (for iot) on trunk port 1 via the command line on dd-wrt (can't be done in the GUI)
nvram set vlan1ports="1 2 3 4 5*"
nvram set vlan2ports="0 5"
nvram set vlan4ports="1t 5"
nvram set vlan5ports="1t 5"
nvram set port1vlans="1 4 5 16 18 19 21"
nvram set port5vlans="1 2 4 5 16"
nvram set vlan4hwname=et0
nvram set vlan5hwname=et0
nvram commit
reboot
3. create 2 virtual APs under wl0 (2.4 GHz). You will get wl0.1 and wl0.2
4. create br1 and associate it with VLAN4 and wl0.1
5. create br2 and associate it with VLAN5 and wl0.2
6. enable jffs, clear jffs; you will get permanent jffs storage on dd-wrt; create the subdirectory /jffs/bin; copy the patched wlconf to /jffs/bin/
7. copy, paste and save the following as the startup script:
sleep 10
stopservice nas
stopservice wlconf
/jffs/bin/wlconf eth1 up
/jffs/bin/wlconf eth2 up
startservice nas
***Update 16 Dec 2019: you don't need steps 6 and 7 or the patched wlconf mentioned above; you can put the following script in startup:
sleep 20; stopservice nas; wlconf eth1 down; wlconf eth2 down; wlconf eth1 up; wlconf eth2 up; startservice nas
Thanks to @RedHawk, from this thread:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=322362&sid=6b9ec20c01a309d3360ff6f71952d96e
**********
That's all you need to do on dd-wrt.
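The dd-wrt steps above leave the switch and bridge state to be checked by eye after reboot. The following script, an added example that is not part of the original post, checks that state the way the post expects it: trunk port 1 tagged on VLAN 4 and 5 with CPU port 5 as a member, br1 = vlan4 + wl0.1, br2 = vlan5 + wl0.2. It uses a constructed `brctl show` sample so it runs offline; on the router the real `nvram get` and `brctl show` output would be passed in instead.

```shell
#!/bin/sh
# Post-boot sanity check for the dd-wrt side of the setup above (added example, not
# from the original post). Assumes, as in the post's nvram values: switch port 1 is
# the trunk to pfSense, port 5 the CPU port, br1 = vlan4 + wl0.1, br2 = vlan5 + wl0.2.
# On the router, feed in "$(nvram get vlan4ports)" and "$(brctl show)" instead of the samples.

# vlan_trunk_ok VLANPORTS TRUNK: succeeds if TRUNK is tagged ("1t") and CPU port 5 is a
# member ("5" or "5*"). An untagged trunk would put the VLAN on pfSense's LAN untagged.
vlan_trunk_ok() {
    tagged=0; cpu=0
    for p in $1; do
        [ "$p" = "${2}t" ] && tagged=1
        case "$p" in 5|5\*) cpu=1 ;; esac
    done
    [ "$tagged" -eq 1 ] && [ "$cpu" -eq 1 ]
}

# bridge_has BRCTL_OUTPUT BRIDGE IFACE: succeeds if IFACE is listed under BRIDGE in
# `brctl show` output (first member on the bridge's own line, the rest indented below).
bridge_has() {
    printf '%s\n' "$1" | awk -v br="$2" -v want="$3" '
        NR > 1 && NF == 4 { cur = $1; member = $4 }
        NR > 1 && NF == 1 { member = $1 }
        NR > 1 && cur == br && member == want { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample in the shape `brctl show` prints on dd-wrt (not real output).
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000001       no              vlan1
                                                        eth1
                                                        eth2
br1             8000.000000000002       no              vlan4
                                                        wl0.1
br2             8000.000000000003       no              vlan5
                                                        wl0.2'
# check_all VLAN4PORTS VLAN5PORTS BRCTL_OUTPUT TRUNK: prints one line per expectation
# and returns the number of failed checks (0 = switch and bridges are as intended).
check_all() {
    fails=0
    vlan_trunk_ok "$1" "$4" && echo "ok   vlan4ports='$1'" || { echo "FAIL vlan4ports='$1'"; fails=$((fails+1)); }
    vlan_trunk_ok "$2" "$4" && echo "ok   vlan5ports='$2'" || { echo "FAIL vlan5ports='$2'"; fails=$((fails+1)); }
    for pair in br1:vlan4 br1:wl0.1 br2:vlan5 br2:wl0.2; do
        br=${pair%%:*}; ifc=${pair#*:}
        bridge_has "$3" "$br" "$ifc" && echo "ok   $ifc in $br" || { echo "FAIL $ifc not in $br"; fails=$((fails+1)); }
    done
    return "$fails"
}
check_all "1t 5" "1t 5" "$SAMPLE_BRCTL" 1   # values from the post; exit status 0 when all pass
```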
On pfSense, you have to:
1. create VLAN4 and VLAN5 assigned to the LAN port (in my case em1)
2. create (assign) 2 new interfaces, one for guest and the other one for iot; and associate them with the corresponding VLANs
3. define the DHCP range for the two interfaces (192.168.4.x and 192.168.5.x)
4. define two firewall rules per interface (to allow internet access)
[Attachment: vlan_gui.png - what the VLAN GUI will look like after the nvram set commands]
[Attachment: vlan_command.png - what the VLAN config will look like after the nvram set commands]
[Attachment: Network_Diagram.png]
Last edited by bthoven on Sun Dec 15, 2019 23:34; edited 6 times in total
Posted: Tue Nov 12, 2019 19:46 Post subject: Re: pfSense, main, guest and IOT VAPs - working solution
bthoven wrote:
I have pfSense working as firewall and router. I use my TP-Link Archer C9v1 (running dd-wrt v3.0-r41027) as an access point connected to pfSense.
My requirements:
- main LAN network, 2.4 & 5 GHz wifi (subnet 192.168.2.x, untagged VLAN1)
- guest virtual access point (subnet 192.168.4.x, tagged VLAN 4)
- iot virtual access point (subnet 192.168.5.x, tagged VLAN5)
- my main lan devices can access guest and iot devices
- my guest and iot devices can't access my main lan devices.
- only one UTP cable connection between my pfSense and Archer C9, working as a trunk.
- remaining ports on my Archer C9 are still in the main network (192.168.2.x)
- an existing dumb switch is still under main network (192.168.2.x)
Based on my requirements, on dd-wrt, I have to:
1. set it to AP (router) mode, define the main LAN IP as 192.168.2.254, define wifi keys for the 2.4 and 5 GHz bands
2. define VLAN 4 (for guest) and 5 (for iot) on trunk port 1 via the command line on dd-wrt (can't be done in the GUI)
nvram set vlan1ports="1 2 3 4 5*"
nvram set vlan2ports="0 5"
nvram set vlan4ports="1t 5"
nvram set vlan5ports="1t 5"
nvram set port1vlans="1 4 5 16 18 19 21"
nvram set port5vlans="1 2 4 5 16"
nvram set vlan4hwname=et0
nvram set vlan5hwname=et0
nvram commit
reboot
3. create 2 virtual APs under wl0 (2.4 GHz). You will get wl0.1 and wl0.2
4. create br1 and associate it with VLAN4 and wl0.1
5. create br2 and associate it with VLAN5 and wl0.2
6. enable jffs, clear jffs; you will get permanent jffs storage on dd-wrt; create the subdirectory /jffs/bin; copy the patched wlconf to /jffs/bin/
7. copy, paste and save the following as the startup script:
sleep 10
stopservice nas
stopservice wlconf
/jffs/bin/wlconf eth1 up
/jffs/bin/wlconf eth2 up
startservice nas
That's all you need to do on dd-wrt.
On pfSense, you have to:
1. create VLAN4 and VLAN5 assigned to the LAN port (in my case em1)
2. create (assign) 2 new interfaces, one for guest and the other one for iot; and associate them with the corresponding VLANs
3. define the DHCP range for the two interfaces (192.168.4.x and 192.168.5.x)
4. define two firewall rules per interface (to allow internet access)
Thanks for this dude! I've been trying to make this exact same setup work for ages, but there's always something that doesn't work! How did you get the bridge to give out IPs? I mean I could bridge the VLAN to the WLAN VAP, but I was never able to make it get an IP from pfSense!
I was so frustrated too because I believe I did everything right on both the dd-wrt and pfSense side, but the VAP couldn't connect at all. So I resorted to the hybrid approach where my main network's (wired and wireless) DHCP/DNS were managed by pfSense, but my VAPs' (without VLAN) DHCP was on dd-wrt. The problem with the hybrid approach was I couldn't access those iot/guest devices on the VAPs from my main network.
Until I found the post (linked in my OP); the solution is to run the patched wlconf (attached here).
Thank you bro! You are a godsend. I will defo try it out as soon as I can. Is the DD-WRT version you used important? Like, does it have to be THAT version, or does it work on any version going forward?
I can't speak for newer versions. No harm in trying, but this version is rock solid for me (20+ devices), and I don't want to have more downtime just for trying a newer version. I have added 2 VAPs/VLANs dedicated to 2 OpenVPN clients running concurrently on pfSense, and it works perfectly.
Do try other versions and let us know.
Got the basic setup working with your steps. All VLANs are getting IPs and have access. Can you please write a guide about how you routed VLAN6 through your VPN provider? I'd love to set up a VAP which goes to a VLAN and then out through the VPN connection!
I only use OpenVPN for IPv4 (to connect to US and UK servers in parallel).
Though it connected to the VPN provider's servers without problem and whatismyip reported the right geolocations, BBC iPlayer can still detect I'm not in the UK. I'm still looking for a solution. If I run the native OpenVPN Connect app on my Android TV OS box, using the profile downloaded from vpnunlimited, I can play BBC iPlayer without problem.
That might be because your IP is a known proxy IP that is blacklisted. Try a different server if you can and maybe that might help ya!
I can set up the OpenVPN client without any problems; my problem, however, is with routing, because I do not know how to route specific IPs over the VPN. I am guessing I can set up a VLAN like you did for the guest one, link it to a VLAN and associate that with the VAP. Then in pfSense I have it route traffic over the VPN by using the guide in the second post at this link? https://forum.netgate.com/topic/65970/solved-routing-some-traffic-static-ips-through-openvpn-over-pia/11
I can forgo all this and set specific IPs to route through the VPN tunnel, but the problem with doing that is that it would hard-lock the IP to the VPN or my regular WAN, and the important thing here is for me to be able to switch between them with ease somehow!
I'm not a network expert. I don't know how to route only certain IPs through OpenVPN. You may create an alias (Firewall/Aliases) listing a certain number of IPs which you will later route through the VPN (in my case, it's the whole subnet, see the screenshot); then specify the alias in one of your LAN rules.
You are right. For me, I just create a dedicated VLAN/VAP and its whole subnet goes through the VPN. I attach some screenshots of the Alias and LAN rule I mentioned above. You may try it without a dedicated VLAN/VAP. Of course, you need to fix the IPs of the devices which you want to go through the VPN, then put them in the Alias.