
Author Topic: [SOLVED] Setting up Tomato Wifi Router behind PFSense  (Read 8495 times)


Offline RickJ

[SOLVED] Setting up Tomato Wifi Router behind PFSense
« on: March 07, 2015, 11:21:31 am »
Hi Everyone!

I can't seem to get my wireless router to cooperate and I'd be forever grateful for some help. Here's the setup I'm trying to accomplish:

Gateway ---> PFSense box ----> Wifi-Router

I have referenced these two places, but neither has helped me through to the finish:
 
(Main PFSense help doc for this)
(Post by someone from 2008 who was trying to do the same thing)

Unfortunately the second post petered out due to the original poster's misunderstanding of subnets.

My Tomato Wifi-Router Setup:

WAN: Disabled

LAN
IP: 192.168.0.2
Gateway: 192.168.0.1 (pfsense address)
DNS: 192.168.0.1 (pfsense address)
Subnet: 255.255.255.0
Disabled DHCP.

As far as I know things should be working from these settings, so I'm pretty sure the error is coming from my PFSense config.

I have the Wifi-Router plugged into my OPT1 port, which I'm pretty sure is the problem. What settings do I need to supply in my OPT1 interface to successfully get things running?

Current OPT1 interface settings:

(Interface Enabled)
IPv4 configuration type: DHCP
IPv6 configuration type: none

The rest of the fields are empty except for the hostname that is currently "testwifi"

I have also gone into the firewall rules for OPT1 and added a rule to let all IPv4 traffic pass.

It would probably be best if I could just bridge my OPT1 port to the LAN port that is currently configured, but barring that what do I need to do to adjust my OPT1 settings? I can't just copy/paste my current LAN port settings can I? (I assume that copy/pasting would cause a conflict when both LAN and OPT1 try and use 192.168.0.1 as their static IPv4.)

Thanks for taking a look!  :)

« Last Edit: March 09, 2015, 04:51:10 pm by RickJ »

Offline Nullity

Re: Setting up Tomato Wifi Router behind PFSense
« Reply #1 on: March 07, 2015, 11:42:10 am »
Why the OPT1?
Can we get more information about your network topology?
I am assuming you need to bridge LAN and OPT1 or make them completely separate networks.

I have a very similar setup and my pfSense config has only WAN and LAN. WAN is my ADSL modem and LAN is my RT-N66U in AP mode.
Please correct any obvious misinformation in my posts.
-Not a professional; an arrogant ignoramus.

Offline Derelict

Re: Setting up Tomato Wifi Router behind PFSense
« Reply #2 on: March 07, 2015, 12:32:34 pm »
Quote
It would probably be best if I could just bridge my OPT1 port to the LAN port that is currently configured

No, no, no.

Just put the Tomato on your LAN.

A couple scenarios:

https://forum.pfsense.org/index.php?topic=81014.msg442131#msg442131

https://forum.pfsense.org/index.php?topic=88942.msg491727#msg491727
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

Offline RickJ

Re: Setting up Tomato Wifi Router behind PFSense
« Reply #3 on: March 07, 2015, 01:40:28 pm »
Thanks for the replies Nullity and Derelict,

Yes Nullity, as you suspected I didn't give my full topography, my apologies. I already have an ASUS router plugged into the PFsense LAN port which is providing connectivity to our main un-managed switch (this is why I was asking about bridging, Derelict). 

Because I already have one router using the LAN port, I was hoping to plug in the wireless router into OPT1 and set up a separate network.

Now as far as the VLAN post you linked Derelict, would that information be what I need to do in my OPT1 settings?   


Offline Derelict

Re: Setting up Tomato Wifi Router behind PFSense
« Reply #4 on: March 07, 2015, 02:21:29 pm »
You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.

Just plug the new AP into the unmanaged switch.  I am at a loss why you think you need the Asus on LAN.

Offline doktornotor

Re: Setting up Tomato Wifi Router behind PFSense
« Reply #5 on: March 07, 2015, 02:34:51 pm »
You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.  You don't need a bridge.

And for a good measure:

You don't need any freaking bridge!!!
Do NOT PM for help!

Offline RickJ

Re: Setting up Tomato Wifi Router behind PFSense
« Reply #6 on: March 07, 2015, 03:04:34 pm »
Haha, thanks for the laugh guys, I needed that after having to come in on Saturday.   :D

I didn't mean to imply in my last post I was still thinking about the bridge, though I'm glad it happened now nonetheless.

To address the bafflement about the ASUS router, I've disconnected it and the switch is running directly into the LAN port. Works fine.

Part of my logic for wanting to go into the OPT1 port was the possibility of having the wifi on a different IP structure/subnet, such as 10.0.0.x instead of the 192.168.0.x.

Example of the topography I was thinking of:

gateway ---> pfsense --> main wifi router (10.0.0.x) ---> 4 or 5 wifi routers getting their dhcp from main wifi-router all on the 10.0.0.x.
                          |
                           ----> main switch on LAN port (192.168.0.x)

Am I over-thinking this here?  The part that I've expressed poorly is the hope of being able to separate the wi-fi onto a different subnet in the future. The idea behind it is "a separate subnet/ ip structure would be more secure." Am I missing the mark on security by wanting to separate the ethernet and wifi networks?

Offline Nullity

Re: Setting up Tomato Wifi Router behind PFSense
« Reply #7 on: March 07, 2015, 03:08:46 pm »
The few things I have read on the topic mirror your thoughts; separating WiFi from LAN is a smart decision if you are concerned with security.

I have no personal experience with multiple LANs though... sorry.

Offline Derelict

Re: Setting up Tomato Wifi Router behind PFSense
« Reply #8 on: March 07, 2015, 03:17:52 pm »
There is nothing wrong with segmenting your Wi-Fi.  Depends on what you want to do.

Things like windows networking, apple zeroconf/bonjour, autodiscovery, etc, are just a lot easier to use on one broadcast domain.  Set a good WPA2 passphrase, limit to AES only, put it on your LAN and rock on.

Quote
main wifi router (10.0.0.x) ---> 4 or 5 wifi routers getting their dhcp from main wifi-router all on the 10.0.0.x.
I would let pfSense do DHCP, but whatever.  And I'm pretty sure you mean wi-fi bridges/APs, not routers.

To do this I would seriously consider getting a managed switch so you can put wired ports together with a wireless network on a specific VLAN without having to...wait for it...make a pfSense bridge.  You could put a completely different SSID on a segmented VLAN with no access to the other VLAN.  Pretty sure Tomato supports that.  See that second link I posted above.  D-Link DGS-1100 will do everything you need for cheap.
« Last Edit: March 07, 2015, 03:26:56 pm by Derelict »

Offline RickJ

Re: Setting up Tomato Wifi Router behind PFSense
« Reply #9 on: March 07, 2015, 03:26:11 pm »
Hrm, I think part of the big concern is how we use our network.

We're a school, and were hoping to have a wireless network separated from our ethernet just for parent, phone, and tablet use. We already have this set up, it's just currently running through a separate router and not through PFsense at the moment.

 I was hoping to merge it all into one, while still keeping the wifi from having access to the same network that our shared drives are on. Is that at all possible?

Offline Derelict

Re: Setting up Tomato Wifi Router behind PFSense
« Reply #10 on: March 07, 2015, 03:29:31 pm »
Isn't there just bushels and bushels of "free" federal just-printed-out-of-thin-air money for wi-fi in schools?

Offline RickJ

Re: Setting up Tomato Wifi Router behind PFSense
« Reply #11 on: March 07, 2015, 03:34:56 pm »
Probably, but we're a small mom and pop private school...so those funds aren't available to us.

No worries if what I was hoping for isn't a feasible model, worst case scenario would be that we have to save up for another PFsense box for the wifi if we really want the extra security.   

Offline doktornotor

Re: Setting up Tomato Wifi Router behind PFSense
« Reply #12 on: March 07, 2015, 03:38:43 pm »
Quote
We're a school, and were hoping to have a wireless network separated from our ethernet just for parent, phone, and tablet use. We already have this set up, it's just currently running through a separate router and not through PFsense at the moment.
I was hoping to merge it all into one, while still keeping the wifi from having access to the same network that our shared drives are on. Is that at all possible?

Sure it's possible. Stick all those APs on a separate OPT interface via some switch. Choose a subnet big enough to accommodate the clients. Configure DHCP there. Do not run any DHCP on any of those WiFi APs. Configure the firewall rules on OPT as required (e.g., do not allow access from OPT to LAN). Done.

Offline RickJ

Re: Setting up Tomato Wifi Router behind PFSense
« Reply #13 on: March 07, 2015, 03:47:27 pm »
Great, glad to hear that it's possible!

I'm not 100% sure, but I think what you're describing is what I tried to do in the beginning with configuring the OPT1 port, right?

I wasn't able to configure my OPT port to successfully give my wireless router an IP (I think that was the problem at least). Here are the settings I tried (from above)

Current OPT1 interface settings:

(Interface Enabled)
IPv4 configuration type: DHCP
IPv6 configuration type: none

The rest of the fields are empty except for the hostname that is currently "testwifi"

I have also gone into the firewall rules for OPT1 and added a rule to let all IPv4 traffic pass.

Once working, I'll definitely let the OPT do all the DHCP, and all wifi routers will just connect through a switch. Any ideas on why the OPT port wasn't allowing my test router to get through?

Again, thanks for the help on this...any and all recommendations are much appreciated.  :)

**Edit**

Sorry, I didn't see your edit recommending the managed switch above, Derelict. I must have started typing a new message while you were editing and I didn't scan the previous post. I'll definitely consider getting a managed switch for the future, but for the time-being I'm really trying to squeeze all I can of what we already have.
« Last Edit: March 07, 2015, 03:56:11 pm by RickJ »

Offline doktornotor

Re: Setting up Tomato Wifi Router behind PFSense
« Reply #14 on: March 07, 2015, 03:51:00 pm »
Of course, where should it be getting DHCP from? Configure a separate subnet there with static IPv4. You also need to create firewall rules on OPT to permit traffic.
Do NOT PM for help!
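
Added example (not part of the thread and not any poster's configuration): the plan from Reply #12 and Reply #14 modelled in Python, sizing a Wi-Fi subnet with a static OPT1 address and DHCP pool, rejecting overlap with the 192.168.0.0/24 LAN, and checking the OPT1 rules in first-match order. The 10.0.0.0 base, the 300-client count, the sample host addresses and the rule tuples are assumptions made for illustration.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")   # existing LAN from the thread
ANY = ipaddress.ip_network("0.0.0.0/0")

def plan_segment(base, clients, existing):
    """Smallest subnet at `base` that holds `clients` plus the firewall's own
    static address; rejected if it overlaps a network already in use."""
    needed = clients + 1                       # +1 for the OPT1 interface IP
    prefix = 30
    while 2 ** (32 - prefix) - 2 < needed:     # usable = size - network - broadcast
        prefix -= 1
    net = ipaddress.ip_network(f"{base}/{prefix}", strict=False)
    for other in existing:
        if net.overlaps(other):
            raise ValueError(f"{net} overlaps {other}")
    # First usable address is the static OPT1 IP; the rest is the DHCP pool.
    return {"net": net, "opt1_ip": net[1], "pool": (net[2], net[-2])}

def first_match(rules, src, dst):
    """Evaluate interface rules top-down; first match wins, no match = block."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action
    return "block"

# Constructed values: 10.0.0.0 base, 300 Wi-Fi clients, sample hosts below.
seg = plan_segment("10.0.0.0", 300, [LAN])
wifi = seg["net"]

# Block Wi-Fi -> LAN first, then allow everything else (internet access).
isolated = [("block", wifi, LAN), ("pass", wifi, ANY)]
# Same rules with the allow-all on top: the block is never reached.
allow_all_first = [("pass", wifi, ANY), ("block", wifi, LAN)]

if __name__ == "__main__":
    print("segment:", seg["net"], "OPT1:", seg["opt1_ip"], "pool:", seg["pool"])
    for name, rules in (("isolated", isolated), ("allow_all_first", allow_all_first)):
        print(name,
              "wifi->LAN:", first_match(rules, "10.0.0.50", "192.168.0.10"),
              "wifi->internet:", first_match(rules, "10.0.0.50", "203.0.113.10"))
```

A single pass-all rule on OPT1, as tried earlier in the thread, behaves like `allow_all_first`: the Wi-Fi clients can reach the LAN and its shared drives.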