
Author Topic: Possible for Other Router to be DHCP Server instead of pfSense?  (Read 2273 times)


Offline a_null

Re: Possible for Other Router to be DHCP Server instead of pfSense?
« Reply #30 on: March 15, 2017, 09:54:58 pm »
My home network uses a separate DNS/DHCP server from my pfSense router. I have ISC DHCP server and unbound DNS running on a Raspberry PI 3, and it serves both the main LAN and the guest network.
I had to add multiple IP addresses to the RPI NIC (2 VLANs) so that it sees both networks, but it works well.
It gives out addresses from the proper pools, using its own address as DNS and the pfSense box as the gateway. Naturally, each network has its own settings. DNS forwards to OpenDNS.

The pfSense firewall has rules that keep the guest network off the LAN, except for a printer which I expose to the guest.

I was pretty much forced to set this up when I donated my pfSense box to a client as a spare when theirs failed, and I had to stuff a Cisco PIX into my home network. When I did that, I lost my pfSense DNS and DHCP, so I had to punt, and I cobbled together the RPI setup. I liked it so much that I added a LiFePo battery backup (http://lifepo4wered.com/lifepo4wered-pi.html) to it and have been running it nonstop for over a year. Even when I regained my pfSense appliance.

I see, thanks. So is your RPI NIC going straight to a wireless router just like in my situation?
Well... not exactly, I guess. But they are all on the same LAN switch.
Basically, there is a router between the internet and my network, just like everyone else's. On the local network, there's a DHCP/DNS server, and a wireless access point, just like most. The popular setup is to just have the pfSense firewall provide D&D services to the LAN, but I have them disabled there, and simply provide it on another box. My wireless units don't do anything but provide access points to the LAN, so there are no additional services running on the wireless APs.

My network is a tiny bit unique, in that I have a Cisco Catalyst switch, and a Cisco WLC wireless LAN controller with a few Aironet wireless devices controlled by the WLC, but it's still a network (actually two) behind a pfSense firewall behind a cable modem.

I can see where there could be a problem with a guest network, though. In my case, my pfSense box provides two LAN segments, my main LAN and my guest network. My access points provide two SSIDs, one for the LAN and one for the guest net. If you are trying to do this solely from the wifi router, obviously it could be difficult, since there's no common place for DHCP to exist on both networks.
I believe that dd-wrt can create multiple SSIDs, so conceptually, you can use a separate VLAN from the pfSense firewall as the guest network, and have a dd-wrt provide a WiFi SSID for each VLAN. In that way, you can use all the pfSense services for each network as desired.
« Last Edit: March 15, 2017, 10:08:13 pm by a_null »
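
An added illustration of the setup described in the post above (not a_null's actual configuration): an ISC dhcpd.conf that serves a main LAN and a guest VLAN from one box, handing out the DHCP/DNS box's own address as resolver and the pfSense interface as gateway. All addresses, VLAN numbers and lease times are constructed; it assumes the Pi has one VLAN sub-interface per network (here eth0.10 and eth0.20).

```conf
# /etc/dhcp/dhcpd.conf -- constructed example, addresses are placeholders
# Assumed layout:
#   VLAN 10 (LAN):   192.168.10.0/24, pfSense = .1, Pi (eth0.10) = .2
#   VLAN 20 (guest): 192.168.20.0/24, pfSense = .1, Pi (eth0.20) = .2

# This server is the only DHCP server on both segments, so let it
# NAK clients that ask for addresses belonging to another network.
authoritative;

default-lease-time 86400;
max-lease-time 172800;

# Main LAN. dhcpd picks this block for requests arriving on the
# interface whose address falls inside 192.168.10.0/24.
subnet 192.168.10.0 netmask 255.255.255.0 {
  range 192.168.10.100 192.168.10.199;
  option routers 192.168.10.1;              # pfSense LAN interface
  option domain-name-servers 192.168.10.2;  # unbound on this box
  option broadcast-address 192.168.10.255;
}

# Guest network. Separate pool, separate gateway and resolver
# addresses, shorter leases because clients come and go.
subnet 192.168.20.0 netmask 255.255.255.0 {
  range 192.168.20.50 192.168.20.250;
  option routers 192.168.20.1;              # pfSense guest interface
  option domain-name-servers 192.168.20.2;  # same unbound, guest-side address
  option broadcast-address 192.168.20.255;
  default-lease-time 3600;
  max-lease-time 7200;
}
```

Because the DHCP/DNS box has an address on both networks, it must not route between them (on Linux, keep `net.ipv4.ip_forward` at 0), otherwise it becomes a path around the pfSense rules that keep guests off the LAN. The only guest-side services it needs to answer are DHCP and DNS.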

Offline darkarn

Re: Possible for Other Router to be DHCP Server instead of pfSense?
« Reply #31 on: March 16, 2017, 06:58:41 am »
Hmm I see, looks like it will be a while before I can try all these since DD-WRT is not out for the Orbi just yet

Offline a_null

Re: Possible for Other Router to be DHCP Server instead of pfSense?
« Reply #32 on: March 16, 2017, 09:52:34 am »

Well, if you still have your ASUS unit (or really, any ol' wifi router that can be placed into AP-only mode), you could use both the Orbi and the ASUS, one for the LAN, and one for the guest network.

Offline darkarn

Re: Possible for Other Router to be DHCP Server instead of pfSense?
« Reply #33 on: March 17, 2017, 02:51:01 am »

The ASUS is now with my friend permanently though, and even then it won't be able to cover the entire house unlike the Orbi (and getting another Orbi for guest network only is too cost-inefficient)

Offline GPz1100

Re: Possible for Other Router to be DHCP Server instead of pfSense?
« Reply #34 on: November 18, 2017, 03:12:03 pm »
Did you ever figure out how to do the guest isolation on the ASUS when it's in AP mode?

Read a bunch of threads over on the snb forum, but none seem to work in my application.

Guest wifi is on separate vlan.  Ideally each wireless guest is completely isolated from each other and any lan hosts on the vlan.  Since it's a wireless guest network, chance of wired hosts being present is unlikely, so the latter is not as important.  At the minimum getting each wireless host isolated is the goal.

https://www.snbforums.com/threads/guest-network-in-access-point-mode.7021/#post-359045

Offline Derelict

Re: Possible for Other Router to be DHCP Server instead of pfSense?
« Reply #35 on: November 18, 2017, 03:22:22 pm »
I solved that problem on a large installation (650 access points) using uplink ports in Brocade switches for per-VLAN isolation among the different APs, and Ruckus' ability to set per-SSID isolation in the APs themselves. This achieved campus-wide isolation on certain VLANs between all wired and wireless clients.

You might get close using private VLAN edge on the Catalyst (protected ports) but that is not per-VLAN so it's all or nothing.