LinuxQuestions.org
Old 11-06-2023, 05:16 PM   #1
des_a
Senior Member
 
Registered: Sep 2006
Posts: 1,416
Blog Entries: 43

Rep: Reputation: 36
Reach IPs behind pfsense


I'm trying to be able to fully set up some secondary pfsense routers. For history of what works and what doesn't, I use multiple routers, and I also am just now using multiple pfsenses. I have 3 secondary pfsenses. No wireless on any of them.

I have cheap dd-wrt routers configured as APs behind each one, providing my wireless. So far, goal met, it seems to be a stable network.

However, if it's possible, I would love to be able, without connecting to the individual wireless networks, to access the configuration for the APs from any subnet. I believe my firewalls on the pfsenses are set up correctly for it, and I believe that my NAT configuration is working. But they still can't reach it. If we can't make this work, I can live with it, but it's better if it works. I can reach the LAN IP of each from outside.
 
Old 11-06-2023, 05:36 PM   #2
des_a
Maybe I'm wrong about the firewall and NAT? One of the additional things I tried is port forwarding a port 89 to a port 80. That didn't seem to work at all, when I fromed the firewall itself, to at least open the configuration page. I just thought also of the fact that I might later want to ping a client attached to my network. Like I said, for now, I can probably live with it, if this is all, but it's probably good if it works.
 
Old 11-06-2023, 05:54 PM   #3
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,717

Rep: Reputation: 5899
I would assume that port forwarding should work. Does nmap show the port as open through the firewall?
Just out of curiosity are the APs wired to the Pfsense using the WAN or LAN port?
 
Old 11-07-2023, 01:51 PM   #4
des_a
They are most likely wired by WAN port. HOWEVER, what I have done (these are probably similar models to Linksys E1200s), is before, when they were just routers, all of them were flashed with dd-wrt via the router database. Most of them years ago (like 5??). Then, when I made them APs, the main thing I did, was disable the WAN, and then assign the WAN to switch. Then, I changed the LAN IPs, so that they were the next IP up from the routers. In each router, I've assigned a static reservation to the APs. It's redundant but extra safe. I believe in most cases, I left the rest of the configuration alone for now in the APs. I believe in all cases I hooked up pfsense router LAN to WAN of AP. I do have one dd-wrt, which has two switches I believe, as my new mainrouter, because I found that leaving dd-wrt as mainrouter works best. But there, that has been replaced with another similar model of mini PC, which I'm only using wired on. But it has a mainap hooked up to it in much the same fashion. Pfsense is still the edge router as well though. So I might have called it, mainrouter1 and mainrouter2. This from experiments was required to make my situation work. I'm impressed though. So far, it's not broken once. I think my reason for doing it paid off, now it's just a matter of configuration. I'll work on that, but I AM willing to make compromises I have to make. It's appearing like port forwards are not doing it? Do you want me to copy some of the text in the tables of one router to start with?
 
Old 11-07-2023, 01:52 PM   #5
des_a
If it's really needed, I can include a wiring diagram. I have wired devices documented pretty well now, as far as diagram goes.
 
Old 11-07-2023, 02:35 PM   #6
michaelk
If you assign the WAN to the switch then it should work but did you disable its internal DHCP server? Have you confirmed the WAN port is actually working correctly?
 
Old 11-08-2023, 05:35 AM   #7
des_a
Yes, I also disabled DHCP on APs. Every WAN port should be good right now. I have a new theory on what I did wrong though. I'll test it out, and come back.
 
Old 11-08-2023, 05:55 AM   #8
des_a
OK. My theory was possibly wrong and possibly right, but not as I imagine. Before, when I used DD-WRT, I had to tell each router about all the others statically, unless I wanted to set up dynamic routing. I am not sure I've done that properly. And I made some of the rules less restrictive to see what happens as well.
 
Old 11-08-2023, 05:55 AM   #9
des_a
I'll post some of my configuration.
 
Old 11-08-2023, 06:01 AM   #10
des_a
Clientrouter
============

Gateways
Name Default Interface Gateway Monitor IP Description Actions
guestrouter WAN 192.168.1.4 192.168.1.4 192.168.1.4
WAN_DHCP WAN 192.168.1.1 192.168.1.1 Interface WAN_DHCP Gateway


Static Routes
Network Gateway Interface Description Actions
192.168.0.0/24 WAN_DHCP - 192.168.1.1 WAN mainrouter
192.168.3.0/24 guestrouter - 192.168.1.4 WAN guestrouter


Rules
Interface Protocol Source Address Source Ports Dest. Address Dest. Ports NAT IP NAT Ports Description Actions
WAN ANY * * LAN net * * Accept
WAN TCP * * This Firewall 88 192.168.2.1 443 (HTTPS) configuration


Rules (Drag to Change Order)
States Protocol Source Port Destination Port Gateway Queue Schedule Description Actions
0/20.66 MiB
IPv4 * WAN net * LAN net * * none Accept
1/57 KiB
IPv4 * WAN net * This Firewall * * none This
0/0 B
IPv4 TCP * * This Firewall 443 (HTTPS) * none configuration


---

Guestrouter
===========

Gateways
Name Default Interface Gateway Monitor IP Description Actions
clientrouter WAN 192.168.1.3 192.168.1.3 clientrouter
WAN_DHCP WAN 192.168.1.1 192.168.1.1 Interface WAN_DHCP Gateway

Static Routes
Network Gateway Interface Description Actions
192.168.2.0/24 clientrouter - 192.168.1.3 WAN clientrouter

Rules
Interface Protocol Source Address Source Ports Dest. Address Dest. Ports NAT IP NAT Ports Description Actions
WAN ANY * * LAN net * * Accept
WAN TCP * * This Firewall 88 192.168.3.1 443 (HTTPS) configuration

Rules (Drag to Change Order)
States Protocol Source Port Destination Port Gateway Queue Schedule Description Actions
1/473 KiB
IPv4 * * * LAN net * * none Accept
0/51 KiB
IPv4 * WAN net * This Firewall * * none This
0/0 B
IPv4 TCP * * This Firewall 443 (HTTPS) * none configuration


---

Typical ping response:

Code:
SMILEY000\des@e-des:~$ ping 192.168.3.2
PING 192.168.3.2 (192.168.3.2) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=2 Redirect Host(New nexthop: 192.168.1.4)
From 192.168.1.1 icmp_seq=3 Redirect Host(New nexthop: 192.168.1.4)
From 192.168.1.1 icmp_seq=4 Redirect Host(New nexthop: 192.168.1.4)
From 192.168.1.1 icmp_seq=6 Redirect Host(New nexthop: 192.168.1.4)
^C
--- 192.168.3.2 ping statistics ---
7 packets transmitted, 0 received, +4 errors, 100% packet loss, time 6061ms
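
Added example (not part of the original post): a short Python script that parses the ping transcript above, extracts the ICMP redirects, and checks the next hop they advertise against the static routes posted for clientrouter. The function names and the route-tuple layout are illustrative choices; the addresses are the ones in the post.

```python
import ipaddress
import re

# Ping transcript copied from post #10 (prompt and ^C lines omitted).
PING_OUTPUT = """\
PING 192.168.3.2 (192.168.3.2) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=2 Redirect Host(New nexthop: 192.168.1.4)
From 192.168.1.1 icmp_seq=3 Redirect Host(New nexthop: 192.168.1.4)
From 192.168.1.1 icmp_seq=4 Redirect Host(New nexthop: 192.168.1.4)
From 192.168.1.1 icmp_seq=6 Redirect Host(New nexthop: 192.168.1.4)
--- 192.168.3.2 ping statistics ---
7 packets transmitted, 0 received, +4 errors, 100% packet loss, time 6061ms
"""

# Static routes posted for clientrouter: (network, gateway IP, description).
STATIC_ROUTES = [
    ("192.168.0.0/24", "192.168.1.1", "mainrouter"),
    ("192.168.3.0/24", "192.168.1.4", "guestrouter"),
]

REDIRECT = re.compile(r"^From (\S+) icmp_seq=(\d+) Redirect Host\(New nexthop: (\S+)\)", re.M)
STATS = re.compile(r"(\d+) packets transmitted, (\d+) received")


def lookup_route(dest, routes):
    """Longest-prefix match of dest against (network, gateway, name) routes."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)


def analyse(ping_text, routes):
    """Summarise the redirects in a ping transcript and compare with the routes."""
    target = re.search(r"^PING (\S+)", ping_text, re.M).group(1)
    redirects = REDIRECT.findall(ping_text)  # (router, icmp_seq, next hop)
    sent, received = map(int, STATS.search(ping_text).groups())
    route = lookup_route(target, routes)
    hops = {r[2] for r in redirects}
    return {
        "target": target,
        "redirecting_routers": sorted({r[0] for r in redirects}),
        "advertised_next_hops": sorted(hops),
        "redirect_count": len(redirects),
        "sent_received": (sent, received),
        "expected_route": route,
        "redirect_matches_route": bool(route) and hops == {route[1]},
    }

if __name__ == "__main__":
    print(analyse(PING_OUTPUT, STATIC_ROUTES))
```

For the posted data it reports four redirects from 192.168.1.1 pointing at 192.168.1.4, which is the gateway the static route table lists for 192.168.3.0/24 (guestrouter), and zero replies out of seven requests.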
 
Old 11-08-2023, 12:34 PM   #11
des_a
Let's get those two working first. Is anything wrong with it? Besides the obvious ping being wrong. But what clues does it give us about the actual problem?
 
Old 11-08-2023, 03:08 PM   #12
michaelk
A wiring diagram would be beneficial. I was hoping for something straightforward and simple.

Quote:
main router (LAN) -> network address -> (WAN) secondary router 1 (LAN) -> network address -> WAP
How are the LAN ports configured? You're forwarding to 192.168.2.1 but typically the LAN IP address of the router is configured as x.x.x.1 and from your text I assumed you were trying to forward 443 to the AP?

Last edited by michaelk; 11-08-2023 at 03:32 PM.
 
Old 11-11-2023, 05:33 PM   #13
des_a
Alright. I'll attach my wiring diagram, if possible, here. OK. Got it. I'm still working on the wiring diagrams (as far as bringing them up to date for the current apartment and situation), so I don't have the wireless network defined yet. These are just the friendly names of each device, not part of the network configuration, so far.
Attached Thumbnails: 11-5-23.jpg, 11-5-23-key.jpg
 
Old 11-11-2023, 05:39 PM   #14
des_a
Since I'm working on it, there may be some issues, which I'm working out. However, this still gives you the general idea.

The network starts at 192.168.0.1, then goes to 192.168.1.1, for mainrouter2. Then it goes up, in sequence for each router, with clientrouter, guestrouter, then nonsecrouter. Each AP is given the second IP in the subnet. That's as much as I think you need to know for now, unless you think you really need to know more to solve this.
 
Old 11-11-2023, 05:41 PM   #15
des_a
I'm now using https (443) for pfsense routers. I will probably switch over to it for the other routers/APs at some point. That doesn't mean I will never use http (80) anywhere though. Hopefully all this information helps you help me.

Last edited by des_a; 11-11-2023 at 05:42 PM. Reason: Called them just routers.
 
  

