I’ve had enough of the WiFi instability on FreeBSD with the old WiFi card that came with the mini PC I use for pfSense, so I decided to hook my OpenWRT WiFi router up to the pfSense box and have great WiFi with another great firmware for me to tinker with.
I’ve been scratching my head over how to connect everything so I can control the WiFi networks from pfSense and be able to access both the pfSense and OpenWRT admin GUIs from both the WiFi and the internal cabled networks configured in pfSense.
Finally I succeeded. For me the only thing missing was to reach the OpenWRT interface from pfSense networks and what I had to do was to:
- create a new VLAN in OpenWRT and bridge it to OpenWRT’s existing LAN interface. I also didn’t stop DHCP on the LAN, but it's not used now.
- edit the same LAN interface and change the gateway to point to the pfSense’s interface IP which handles the same VLAN in pfSense. For example the LAN interface in OpenWRT has the static IP of 192.168.167.1 and its gateway is set to 192.168.167.50 while in pfSense the interface that handles the same VLAN is set to static IP 192.168.167.50 and no DHCP.
No other changes in OpenWRT were needed, which is better, as I think configurations should be as simple as possible so I can be more confident that the routing works as expected.
The longer story about my configuration is the following:
- created 2 new SSIDs in OpenWRT. One will be bridged to the LAN in pfSense. One is for the IoT devices and needs only Internet + AP isolation.
- created 2 separate interfaces in OpenWRT for these SSIDs, left them Unmanaged
- created 2 VLANs on the same port in OpenWRT connected to the pfSense box and merged these VLANs respectively with the 2 new WiFi interfaces created in point 2 above
- created 2 new VLANs in pfSense with the same IDs as in OpenWRT (from point 3 above), set static IPs for them, activated DHCP for each of them
- added the default firewall PASS rules for both new interfaces in pfSense
Now both WiFi networks work well, have Internet, and I can reach other networks from the WiFi bridged to pfSense's LAN. I will isolate (firewall) the IoT WiFi from the other networks later as well, and probably activate Avahi on all networks.
And to reach the OpenWRT admin I made the changes to the gateway in OpenWRT's LAN interface as I mentioned above in the first 2 points.
I believe that instead of changing OpenWRT’s LAN interface I could have set the gateway on one of the 2 new WiFi interfaces and got access to OpenWRT again (and deleted OpenWRT's LAN interface completely this way), but I wanted to keep my WiFi configuration in OpenWRT straightforward.
I also removed all firewall zones in OpenWRT and the 2 WAN interfaces, and everything still works. I didn’t stop any service in OpenWRT. If I see the need I will remove more things from OpenWRT and make it even more of a dumb AP, but for now everything works very well.
I can also reach both pfSense and OpenWRT admin interfaces from VPN when I am outside home.
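The setup described in this post written out as OpenWRT UCI config, as an added example and not the poster's actual configuration: it assumes a DSA-based OpenWRT release (21.02 or newer), a single trunk port named lan1 to the pfSense box, and VLAN IDs 10 (OpenWRT LAN), 20 (home WiFi) and 30 (IoT); only the 192.168.167.x addresses come from the post.

```ini
# /etc/config/network (OpenWRT DSA syntax, 21.02+). Constructed example:
# VLAN IDs 10/20/30 and trunk port 'lan1' are assumed, the addresses are from the post.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
# One tagged VLAN per network on the trunk to pfSense
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan1:t'
config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan1:t'
# Management LAN on VLAN 10; the gateway is pfSense's address on that VLAN
config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.167.1'
	option netmask '255.255.255.0'
	option gateway '192.168.167.50'
# Home and IoT WiFi stay unmanaged: pfSense does DHCP and firewalling
config interface 'wifi_home'
	option device 'br-lan.20'
	option proto 'none'
config interface 'wifi_iot'
	option device 'br-lan.30'
	option proto 'none'
# /etc/config/wireless (excerpt): one SSID per unmanaged interface
config wifi-iface 'ap_home'
	option device 'radio0'
	option mode 'ap'
	option network 'wifi_home'
	option ssid 'home-wifi'
	option encryption 'sae-mixed'
	option key 'CHANGE-ME'
config wifi-iface 'ap_iot'
	option device 'radio0'
	option mode 'ap'
	option network 'wifi_iot'
	option ssid 'iot-wifi'
	option encryption 'psk2'
	option key 'CHANGE-ME'
	# AP isolation: IoT clients cannot reach each other over WiFi
	option isolate '1'
```

On the pfSense side, VLANs 10, 20 and 30 are created on the port facing OpenWRT, with 192.168.167.50 (no DHCP) on VLAN 10 and DHCP enabled on the other two, matching the steps in the post.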