
Topic: [SOLVED] Setting up Tomato Wifi Router behind PFSense


Offline RickJ

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
    • View Profile
Re: Setting up Tomato Wifi Router behind PFSense
« Reply #15 on: March 07, 2015, 04:04:14 pm »
Ok, I think I'm probably suffering from a mild case of severe brain damage at this point, but I drew a blank when you asked "Where should it be getting DHCP from?"

Here is the process I'm conceptualizing at the moment:

OPT1 port (configured to serve dhcp to the wifi AP on the switch) -----> wifi switch ---> wifi AP


So I'd set the main OPT1 port config to something like this:

IPv4 configuration type: Static
Ipv4 address: 10.0.0.1

Enable firewall rules to permit all traffic through OPT1

...But doing it this way, where would the option to provide DHCP from the static IPv4 be coming from?


Offline doktornotor

  • Hero Member
  • *****
  • Posts: 8553
  • Karma: +956/-278
  • Not a pfSense employee, they cannot fire me...
    • View Profile
« Reply #16 on: March 07, 2015, 04:21:17 pm »
Quote
So I'd set the main OPT1 port config to something like this:
IPv4 configuration type: Static
Ipv4 address: 10.0.0.1

...But doing it this way, where would the option to provide DHCP from the static IPv4 be coming from?

Hmmm? You simply configure a DHCP server on the OPT interface, like you did on LAN. Services - DHCP Server - OPT1 tab.

Quote
Enable firewall rules to permit all traffic through OPT1

Thought you wanted this separated from wired. So, the destination for that allow rule should not really be any, but NOT LAN subnet instead.
Do NOT PM for help!

Offline RickJ

« Reply #17 on: March 07, 2015, 04:29:36 pm »
Ok awesome, thanks for the help doktornotor! I'm still learning the fine-tuning of configuring rules correctly, so I imagine that destination: "not lan subnet" is something I'd probably miss on the first flush.

I'll be going in again tomorrow to finish up some testing and will post here to let you know if the new setup works.  :)

Offline RickJ

« Reply #18 on: March 08, 2015, 11:17:13 am »
Hi guys, well round two and I still don't have this thing up and running...

As a quick recap so that lots of thread scrolling isn't needed:

I'm trying to set up a separate WIFI network on my OPT1 interface. The light on the back of the PFsense box for the OPT1 port is green instead of orange (the working WAN and LAN ports are both orange). In the Status---> Interfaces page the OPT1 section reads: "no carrier" at the top.

Current OPT1 setup:

Interfaces ---> OPT1
-'Enabled'
-Static IPv4
-IPv4 Address: 10.0.0.x
-(all other entries are blank)

Firewall ----> NAT: Outbound
-Automatic outbound NAT rule generation

Firewall ---> Rules: OPT1
-(Image of full OPT1 Firewall settings attached) Basically allow all except to LAN network.

Services ---> DHCP Server
-'Enabled for OPT1'
-Range is set to 10.0.0.20 - 10.0.0.100
-Everything else is blank

Right now, I have the OPT1 port running to a switch with a Wireless AP on it, set up like this:

OPT1 ----> Unmanaged Switch ---> Wireless AP


Wireless AP settings:

WAN:off
LAN:
IP: 10.0.0.2
Gateway: 10.0.0.1 (OPT1 address)
DNS: 10.0.0.1 (OPT1 address)
Subnet: 255.255.255.0
Disabled DHCP.

Could this be a hardware problem, or am I missing an important step somewhere?

Thanks again for helping me get this set-up...although the wifi is still not working, I'm getting much more comfortable using the PFSense interface during the troubleshooting.  :)
« Last Edit: March 08, 2015, 11:20:34 am by RickJ »

Offline hda

  • Sr. Member
  • ****
  • Posts: 592
  • Karma: +30/-4
    • View Profile
« Reply #19 on: March 08, 2015, 12:48:40 pm »
Config looks good.

[Interfaces: assign] is OK for OPT1 on NIC ? (no bridge stuff etc.)
Static entry for AP in [Services: DHCP server] ?
AP must be explicitly set to AP-mode ?
Rebooting both boxes did not help?

Offline RickJ

« Reply #20 on: March 08, 2015, 01:05:42 pm »
Hi hda,

-Hrm...I have no recollection of the interfaces: assign section, that might be the step I'm missing. NO bridges at the moment though...or ever...no bridges...(see above posts)

-Didn't add a static entry for the AP, I'll try that out for sure.

-Not sure about AP Mode...using Tomato on a Linksys E2500, and haven't seen any special customization recommendations aside from the standard setup I posted above...

-Rebooting doesn't solve it atm, hopefully the fix is one of the above.

Thanks for the suggestions, anything new to try is welcome since I'm totally stumped. I've left the office for today, so I'll have another go tomorrow morning and post an update then!

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9565
  • Karma: +1084/-309
    • View Profile
« Reply #21 on: March 08, 2015, 02:46:16 pm »
No.  You want to REJECT traffic from OPT1 net to LAN net, then PASS traffic from OPT1 net to any.

In general for a protected, public segment:

PASS the specific local traffic you need them to access (DNS servers, etc)
REJECT the specific traffic you don't want (to other local networks, to the firewall itself)
PASS everything else (the internet)
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™
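
The rule ordering discussed in replies #16 and #21, as an added example that is not part of any post in this thread: a small first-match evaluator (pfSense evaluates the rules on an interface tab top to bottom and the first match wins) run over the single "NOT LAN subnet" rule, the ordered list, and the same list with the final pass moved to the top. Only 10.0.0.0/24 and 10.0.0.1 come from the thread; the LAN subnet 192.168.1.0/24, the firewall LAN address 192.168.1.1 and all names are assumptions.

```python
import ipaddress

# OPT1 = 10.0.0.0/24 and 10.0.0.1 come from the thread. The LAN subnet and the
# firewall's LAN address below are assumed placeholders, not from the thread.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OPT1_GW = ipaddress.ip_address("10.0.0.1")
FIREWALL = {OPT1_GW, ipaddress.ip_address("192.168.1.1")}

def matches(rule, dst, proto, port):
    """True when destination, protocol and port all fit the rule."""
    kind, value = rule["dst"]
    if kind == "any":
        dst_ok = True
    elif kind == "not":          # inverted match, e.g. "NOT LAN subnet"
        dst_ok = dst not in value
    else:                        # "in": a network or an explicit address set
        dst_ok = dst in value
    return (dst_ok and rule.get("proto") in (None, proto)
            and rule.get("port") in (None, port))

def evaluate(rules, dst, proto="tcp", port=443):
    """Top to bottom, first match wins; nothing matching means blocked."""
    dst = ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, dst, proto, port):
            return rule["action"]
    return "block"

# Reply #16: one pass rule whose destination is NOT the LAN subnet.
INVERTED = [{"action": "pass", "dst": ("not", LAN_NET)}]

# Reply #21: pass needed local services, reject local targets, pass the rest.
ORDERED = [
    {"action": "pass", "dst": ("in", {OPT1_GW}), "proto": "udp", "port": 53},
    {"action": "reject", "dst": ("in", LAN_NET)},
    {"action": "reject", "dst": ("in", FIREWALL)},
    {"action": "pass", "dst": ("any", None)},
]

# Same rules with the final pass moved to the top: the rejects never match.
MISORDERED = [ORDERED[3]] + ORDERED[:3]

if __name__ == "__main__":
    for name, rules in (("inverted", INVERTED), ("ordered", ORDERED), ("misordered", MISORDERED)):
        print(name, [evaluate(rules, d) for d in ("192.168.1.50", "10.0.0.1", "8.8.8.8")])
```

With the single inverted rule the LAN is unreachable, but TCP 443 to the firewall's own OPT1 address is still passed; the ordered list rejects it while keeping DNS to 10.0.0.1 open.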

Offline Derelict

« Reply #22 on: March 08, 2015, 02:56:27 pm »
Quote
Thanks again for helping me get this set-up...although the wifi is still not working
You're plugging one of tomato's LAN ports into the switch right?  Not messing around with any VLANs right?

define "not working"

Do you not get associated over wi-fi with the tomato?
Do you not get DHCP?
Can you ping 10.0.0.1 by IP?
Can you ping outside (like 8.8.8.8 or your ISP's gateway) by IP?
Can you resolve names?

The above are in the general order that things have to be working.  If you can't do one, you need to fix that before moving on.

Can you ping 10.0.0.2 from pfSense Diagnostics > Ping?
Anything in the Status > System Logs, DHCP to indicate leases being allowed or rejected or ??

Offline RickJ

« Reply #23 on: March 09, 2015, 02:51:48 pm »
Ok thanks Derelict, I've attached an updated Firewall Rules pic, I think it's updated to correctly pass traffic as you described so let me know if it's still incorrect.

As to the WiFi setup itself:

-Yes, tomato is plugged in from a LAN port into switch
-The tomato wifi signal is getting sent out
-Do not get DHCP from wifi signal (no IP being assigned to client machine)
-Cannot ping 10.0.0.1 from client machine, get these results: at first, "no route to host," followed by "host is down"
-Cannot ping outside from the client machine
-Cannot resolve names

Results from Diagnostics > Ping:

PING 10.0.0.2 (10.0.0.2): 56 data bytes

--- 10.0.0.2 ping statistics ---
10 packets transmitted, 0 packets received, 100.0% packet loss

Results pertaining to 10.0.0.x from System Logs, DHCP:

Mar 9 13:12:01   dhcpd: Listening on BPF/re1/00:30:18:a6:dd:24/10.0.0.0/24
Mar 9 13:12:01   dhcpd: Sending on BPF/re1/00:30:18:a6:dd:24/10.0.0.0/24


I added a static IP to the tomato AP under DHCP Server just in case, but it hasn't seemed to fix anything. Still getting that OPT1 is down on the interfaces panel. From the looks of it there must be SOMETHING missing from the OPT1 port config...I can't think of any other reason the port is still not registering a carrier in Status > Interfaces.

Could this be a hardware issue? The box I put together has 1 Intel i211AT Gigabit LAN and 4 Realtek RTL8111E-VL-CG Gigabit Ethernet Controllers. Our WAN is on the Intel, and our current LAN is on the first Realtek port. I should be able to add OPT1 on the second Realtek port correct (or do I need another NIC for separate wifi)?

« Last Edit: March 09, 2015, 03:26:10 pm by RickJ »
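
One way to read the dhcpd excerpt in the post above, as an added example that is not part of the thread: a small parser that records, per interface, the subnet dhcpd listens on and which DHCP messages were logged, so an interface that is listening but never sees a DHCPDISCOVER stands out. The two re1 lines are from the post; the re0 lines, their MAC addresses and the 192.168.1.0/24 subnet are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# The two re1 lines are from the thread; the re0 lines are constructed sample
# data showing what an interface that is handing out leases logs.
SAMPLE_LOG = """\
Mar 9 13:12:01   dhcpd: Listening on BPF/re1/00:30:18:a6:dd:24/10.0.0.0/24
Mar 9 13:12:01   dhcpd: Sending on BPF/re1/00:30:18:a6:dd:24/10.0.0.0/24
Mar 9 13:12:01   dhcpd: Listening on BPF/re0/00:30:18:a6:dd:23/192.168.1.0/24
Mar 9 13:12:40   dhcpd: DHCPDISCOVER from 3c:07:54:00:00:01 via re0
Mar 9 13:12:41   dhcpd: DHCPOFFER on 192.168.1.101 to 3c:07:54:00:00:01 via re0
Mar 9 13:12:41   dhcpd: DHCPREQUEST for 192.168.1.101 from 3c:07:54:00:00:01 via re0
Mar 9 13:12:41   dhcpd: DHCPACK on 192.168.1.101 to 3c:07:54:00:00:01 via re0
"""

LISTEN = re.compile(r"dhcpd: Listening on \w+/(?P<ifc>\w+)/[0-9a-f:]+/(?P<net>[\d.]+/\d+)")
EVENT = re.compile(r"dhcpd: (?P<msg>DHCP[A-Z]+) .* via (?P<ifc>\w+)")

def summarize(log_text):
    """Per interface: the subnet dhcpd serves and a count of each DHCP message."""
    seen = defaultdict(lambda: {"net": None, "msgs": defaultdict(int)})
    for line in log_text.splitlines():
        if m := LISTEN.search(line):
            seen[m["ifc"]]["net"] = m["net"]
        elif m := EVENT.search(line):
            seen[m["ifc"]]["msgs"][m["msg"]] += 1
    return seen

def diagnose(entry):
    """Map the observed message mix to the layer worth checking first."""
    msgs = entry["msgs"]
    if not msgs:
        return "listening, no client requests seen: check link/cabling and layer 2 first"
    if msgs["DHCPDISCOVER"] and not msgs["DHCPOFFER"]:
        return "requests arrive but no offer: check the pool/range and dhcpd errors"
    if msgs["DHCPOFFER"] and not msgs["DHCPACK"]:
        return "offers sent but never acknowledged: replies may not reach the client"
    return "leases are being handed out"

if __name__ == "__main__":
    for ifc, entry in summarize(SAMPLE_LOG).items():
        print(ifc, entry["net"], "->", diagnose(entry))
```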

Offline hda

« Reply #24 on: March 09, 2015, 03:56:55 pm »
Quote
...
I should be able to add OPT1 on the second Realtek port correct (or do I need another NIC for separate wifi)?
...

So your re1 NIC is set on OPT1?

What does Interfaces (assign) report? [Interfaces: Assign network ports]
What choices do you have there?

Offline RickJ

« Reply #25 on: March 09, 2015, 04:06:18 pm »
Yep, re1 NIC is set on OPT1.

Added a screenshot of current NIC assignments under Interfaces > (assign), all NICs have a different MAC address assigned.


Offline Derelict

« Reply #26 on: March 09, 2015, 04:11:05 pm »
Quote
Ok thanks Derelict, I've attached an updated Firewall Rules pic, I think it's updated to correctly pass traffic as you described so let me know if it's still incorrect.

As to the WiFi setup itself:

-Yes, tomato is plugged in from a LAN port into switch
-The tomato wifi signal is getting sent out
-Do not get DHCP from wifi signal (no IP being assigned to client machine)

Sounds like you have a layer 2 issue.

If you assign a static address to the wireless client in the right range and you can ping pfSense, you have a DHCP issue instead.  I think you might need help with tomato more than pfSense.  Sorry.  No experience with it.

Quote
snip

I added a static IP to the tomato AP under DHCP Server just in case, but hasn't seemed to fix anything. Still getting that OPT1 is down on the interfaces panel. From the looks of it there must be SOMETHING missing from the OPT1 port config...I can't think of any other reason the port is still not registering a carrier in Status > Interfaces.

I take it back.  You have a layer 1 issue.

Quote
Could this be a hardware issue? The box I put together has 1 Intel i211AT Gigabit LAN and 4 Realtek RTL8111E-VL-CG Gigabit Ethernet Controllers. Our WAN is on the Intel, and our current LAN is on the first Realtek port. I should be able to add OPT1 on the second Realtek port correct (or do I need another NIC for separate wifi)?

As has been suggested, what is in Interfaces > (assign)??  Start with the basics.  I don't know why you're messing with the AP if you have no carrier on your ethernet interface.

So you've messed with the MAC addresses or what?  Why?

Offline RickJ

« Reply #27 on: March 09, 2015, 04:17:06 pm »
I think I ninja'd you Derelict, added a post just before you describing Interfaces > (assign).

I think we're on the same page, since this morning I'm thinking it's a layer 1 issue. I didn't manually change any of the MAC addresses, was just stating the obvious that they were different for each entry.

**Edit**

For clarity, I've added what my OPT1 entry looks like in Interfaces > OPT1 in case you can see something glaringly missing
« Last Edit: March 09, 2015, 04:22:56 pm by RickJ »

Offline Derelict

« Reply #28 on: March 09, 2015, 04:28:04 pm »
That looks fine.

And you have a DHCP server enabled on OPT1 handing out IPs in 10.0.0.0/24?

If you plug a laptop directly into OPT1 do you get link/DHCP?  If so, you need to figure out why you don't get link from your switch.  You should not need a crossover cable or anything like that.


Offline RickJ

« Reply #29 on: March 09, 2015, 04:36:55 pm »
Yep, enabled OPT1 on DHCP server, handing out on 10.0.0.0 subnet (pic below for verification)

When directly plugged into OPT1 the laptop gets no DHCP, can't ping anything.