I'm trying to be able to fully set up some secondary pfsense routers. For history of what works and what doesn't: I use multiple routers, and I am also just now using multiple pfsenses. I have 3 secondary pfsenses. No wireless on any of them.
I have cheap dd-wrt routers configured as APs behind each one, providing my wireless. So far, goal met, it seems to be a stable network.
However, if it's possible, I would love to be able, without connecting to the individual wireless networks, to access the configuration for the APs from any subnet. I believe my firewalls on the pfsenses are set up correctly for it, and I believe that my NAT configuration is working. But they still can't reach it. If we can't make this work, I can live with it, but it's better if it works. I can reach the LAN IP of each from outside.
Maybe I'm wrong about the firewall and NAT? One of the additional things I tried is port forwarding port 89 to port 80. That didn't seem to work at all when I tried from the firewall itself, to at least open the configuration page. I also just thought of the fact that I might later want to ping a client attached to my network. Like I said, for now I can probably live with it if this is all, but it's probably good if it works.
I would assume that port forwarding should work. Does nmap show the port as open through the firewall?
Just out of curiosity are the APs wired to the Pfsense using the WAN or LAN port?
They are most likely wired by WAN port. HOWEVER, what I have done (these are probably similar models to Linksys E1200s) is: before, when they were just routers, all of them were flashed with dd-wrt via the router database, most of them years ago (like 5??). Then, when I made them APs, the main thing I did was disable the WAN and then assign the WAN to switch. Then I changed the LAN IPs so that they were the next IP up from the routers. In each router, I've assigned a static reservation to the APs. It's redundant but extra safe. I believe in most cases I left the rest of the configuration alone for now in the APs. I believe in all cases I hooked up the pfsense router LAN to the WAN of the AP. I do have one dd-wrt, which has two switches I believe, as my new mainrouter, because I found that leaving dd-wrt as mainrouter works best. But there, that has been replaced with another similar model of mini PC, which I'm only using wired on. But it has a mainap hooked up to it in much the same fashion. Pfsense is still the edge router as well though. So I might have called it mainrouter1 and mainrouter2. This, from experiments, was required to make my situation work. I'm impressed though. So far, it's not broken once. I think my reason for doing it paid off; now it's just a matter of configuration. I'll work on that, but I AM willing to make the compromises I have to make. It's appearing like port forwards are not doing it? Do you want me to copy some of the text in the tables of one router to start with?
If you assign the WAN to the switch, then it should work, but did you disable its internal DHCP server? Have you confirmed the WAN port is actually working correctly?
Yes, I also disabled DHCP on APs. Every WAN port should be good right now. I have a new theory on what I did wrong though. I'll test it out, and come back.
OK. My theory was possibly wrong and possibly right, but not as I imagined. Before, when I used DD-WRT, I had to tell each router about all the others statically, unless I wanted to set up dynamic routing. I am not sure I've done that properly. And I made some of the rules less restrictive to see what happens as well.
Gateways
Name Default Interface Gateway Monitor IP Description Actions
guestrouter WAN 192.168.1.4 192.168.1.4 192.168.1.4
WAN_DHCP WAN 192.168.1.1 192.168.1.1 Interface WAN_DHCP Gateway
Static Routes
Network Gateway Interface Description Actions
192.168.0.0/24 WAN_DHCP - 192.168.1.1 WAN mainrouter
192.168.3.0/24 guestrouter - 192.168.1.4 WAN guestrouter
Rules
Interface Protocol Source Address Source Ports Dest. Address Dest. Ports NAT IP NAT Ports Description Actions
WAN ANY * * LAN net * * Accept
WAN TCP * * This Firewall 88 192.168.2.1 443 (HTTPS) configuration
Rules (Drag to Change Order)
States       Protocol  Source   Port  Destination    Port         Gateway  Queue  Schedule  Description
0/20.66 MiB  IPv4 *    WAN net  *     LAN net        *            *        none             Accept
1/57 KiB     IPv4 *    WAN net  *     This Firewall  *            *        none             This
0/0 B        IPv4 TCP  *        *     This Firewall  443 (HTTPS)  *        none             configuration
---
Guestrouter
===========
Gateways
Name Default Interface Gateway Monitor IP Description Actions
clientrouter WAN 192.168.1.3 192.168.1.3 clientrouter
WAN_DHCP WAN 192.168.1.1 192.168.1.1 Interface WAN_DHCP Gateway
Rules
Interface Protocol Source Address Source Ports Dest. Address Dest. Ports NAT IP NAT Ports Description Actions
WAN ANY * * LAN net * * Accept
WAN TCP * * This Firewall 88 192.168.3.1 443 (HTTPS) configuration
Rules (Drag to Change Order)
States     Protocol  Source   Port  Destination    Port         Gateway  Queue  Schedule  Description
1/473 KiB  IPv4 *    *        *     LAN net        *            *        none             Accept
0/51 KiB   IPv4 *    WAN net  *     This Firewall  *            *        none             This
0/0 B      IPv4 TCP  *        *     This Firewall  443 (HTTPS)  *        none             configuration
---
Typical ping response:
Code:
des@e-des:~$ ping 192.168.3.2
PING 192.168.3.2 (192.168.3.2) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=2 Redirect Host(New nexthop: 192.168.1.4)
From 192.168.1.1 icmp_seq=3 Redirect Host(New nexthop: 192.168.1.4)
From 192.168.1.1 icmp_seq=4 Redirect Host(New nexthop: 192.168.1.4)
From 192.168.1.1 icmp_seq=6 Redirect Host(New nexthop: 192.168.1.4)
^C
--- 192.168.3.2 ping statistics ---
7 packets transmitted, 0 received, +4 errors, 100% packet loss, time 6061ms
Let's get those two working first. Is anything wrong with it? Besides the obvious ping being wrong. But what clues does it give us about the actual problem?
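The ping transcript above shows the host's default gateway (192.168.1.1) answering every probe with an ICMP redirect toward 192.168.1.4 and no echo replies at all. As an added example (not code from the original posts or from pfSense), the script below transcribes the posted gateway and static-route tables into a longest-prefix lookup and checks whether the redirect next hop is the one those routes would select for 192.168.3.2. It assumes the WAN interface sits in 192.168.1.0/24 (both gateways live there) and that WAN_DHCP is the default gateway; the function names and the PING_OUTPUT constant are this example's own.

```python
"""Cross-check pfSense static routes against the ICMP redirects seen in ping.

Added example for this thread, not code from the original posts or from
pfSense. GATEWAYS and STATIC_ROUTES are transcribed from the router tables
posted above; PING_OUTPUT is the posted ping transcript. Assumed: the WAN
interface is on 192.168.1.0/24 and WAN_DHCP is the default gateway.
"""
import ipaddress
import re

# Gateways table as posted: name -> next-hop address on the WAN side.
GATEWAYS = {
    "WAN_DHCP": ipaddress.ip_address("192.168.1.1"),
    "guestrouter": ipaddress.ip_address("192.168.1.4"),
}

# Static routes as posted: (destination prefix, gateway name).
STATIC_ROUTES = [
    ("192.168.0.0/24", "WAN_DHCP"),
    ("192.168.3.0/24", "guestrouter"),
]

# Assumption: the WAN side is 192.168.1.0/24, so that prefix is on-link.
CONNECTED = [ipaddress.ip_network("192.168.1.0/24")]
DEFAULT_GATEWAY = "WAN_DHCP"  # assumption: WAN_DHCP is the default route

# The poster's ping transcript, verbatim (only the lines that matter here).
PING_OUTPUT = """\
PING 192.168.3.2 (192.168.3.2) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=2 Redirect Host(New nexthop: 192.168.1.4)
From 192.168.1.1 icmp_seq=3 Redirect Host(New nexthop: 192.168.1.4)
From 192.168.1.1 icmp_seq=4 Redirect Host(New nexthop: 192.168.1.4)
From 192.168.1.1 icmp_seq=6 Redirect Host(New nexthop: 192.168.1.4)
--- 192.168.3.2 ping statistics ---
7 packets transmitted, 0 received, +4 errors, 100% packet loss, time 6061ms
"""


def lookup_gateway(dst):
    """Longest-prefix match over connected and static routes.

    Returns (matched_prefix, next_hop); next_hop is None when dst is on-link.
    Falls back to the default gateway when nothing more specific matches.
    """
    dst = ipaddress.ip_address(dst)
    candidates = [(net, None) for net in CONNECTED]
    candidates += [(ipaddress.ip_network(p), GATEWAYS[gw]) for p, gw in STATIC_ROUTES]
    matches = [(net, nh) for net, nh in candidates if dst in net]
    if not matches:
        return ipaddress.ip_network("0.0.0.0/0"), GATEWAYS[DEFAULT_GATEWAY]
    return max(matches, key=lambda m: m[0].prefixlen)


REDIRECT_RE = re.compile(
    r"From (\S+) icmp_seq=(\d+) Redirect Host\(New nexthop: (\S+)\)"
)


def parse_redirects(ping_output):
    """Extract (redirecting router, icmp_seq, new next hop) from ping output."""
    return [
        (ipaddress.ip_address(m.group(1)), int(m.group(2)), ipaddress.ip_address(m.group(3)))
        for m in REDIRECT_RE.finditer(ping_output)
    ]


def redirects_match_routes(dst, ping_output):
    """True when every redirect points at the next hop the route table would pick.

    A match means the redirecting router agrees with the static routes, so the
    redirects themselves are not the fault; the lost replies have to be
    explained further along the path (the new next hop, or the return route).
    """
    _, expected = lookup_gateway(dst)
    redirects = parse_redirects(ping_output)
    return bool(redirects) and all(nh == expected for _, _, nh in redirects)


if __name__ == "__main__":
    prefix, nh = lookup_gateway("192.168.3.2")
    print(f"192.168.3.2 matches {prefix} via {nh}")
    for router, seq, hop in parse_redirects(PING_OUTPUT):
        print(f"seq {seq}: {router} redirected to {hop}")
    print("redirects consistent with routes:",
          redirects_match_routes("192.168.3.2", PING_OUTPUT))
```

If the check passes, the redirect is just the default gateway pointing the host at the more specific route, which is exactly what a static route for 192.168.3.0/24 via 192.168.1.4 should produce on a shared 192.168.1.0/24 segment; the 100% loss then has to be chased at 192.168.1.4 and on the return path back to the pinging host, not in the redirect itself.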
How are the LAN ports configured? You're forwarding to 192.168.2.1, but typically the LAN IP address of the router is configured as x.x.x.1, and from your text I assumed you were trying to forward 443 to the AP?
Alright. I'll attach my wiring diagram, if possible, here. OK. Got it. I'm still working on the wiring diagrams (as far as bringing them up to date for the current apartment and situation), so I don't have the wireless network defined yet. These are just the friendly names of each device, not part of the network configuration, so far.
Since I'm working on it, there may be some issues, which I'm working out. However, this still gives you the general idea.
The network starts at 192.168.0.1, then goes to 192.168.1.1, for mainrouter2. Then it goes up, in sequence for each router, with clientrouter, guestrouter, then nonsecrouter. Each AP is given the second IP in the subnet. That's as much as I think you need to know for now, unless you think you really need to know more to solve this.
I'm now using https (443) for pfsense routers. I will probably switch over to it for the other routers/APs at some point. That doesn't mean I will never use http (80) anywhere though. Hopefully all this information helps you help me.
Last edited by des_a; 11-11-2023 at 05:42 PM.
Reason: Called them just routers.