OpenWrt + pfSense VLANs

Hi,

I'm trying to use my WDR4300 as an AP with VLANs.
On my pfSense firewall I configured the two VLANs 10 and 20 which have 192.168.10.1/24 and 192.168.20.1/24 respectively; DHCP activated on both.

On OpenWRT I disabled the firewall, created two new interfaces and created 2 SSIDs, one for each interface.
I get correct IPs for each SSID, but I seem to be missing the last piece since I can't reach pfSense from those networks.

pfSense is connected on the WAN port, so I tagged the WAN and CPU port for both VLANs.

I also read the switch and VLAN documentation but I realise I'm not competent enough, yet.
Can someone help me to figure this out?

Thomas

Have you "assigned" / bridged your wireless interfaces to the appropriate VLANs' networks?

You'll likely need firewall rules to isolate the VLANs within the OpenWrt box if you have routing enabled in the kernel (which is enabled by default).

Yes, I bridged the wireless interfaces with their respective VLANs and WAN. Before that I didn't get an IP from pfSense.
From one VLAN I cannot ping the interface of the other one, so they seem to be isolated.

And what I'm missing also is how to access the LEDE webinterface when I'm in a VLAN.

Perhaps the bridges haven't been assigned an IP address? There's no reason to give the bridge(s) an IP address unless you need to communicate to/with the OpenWrt box with them.

Given that you've got a relatively sophisticated setup, I'd suggest that you also create a management VLAN and only bind uhttpd to that interface, running TLS with your choice of mbedTLS or OpenSSL libraries. LuCI takes the root password in the clear on login.

config uhttpd 'main'
        list listen_https '10.kk.mm.nn:443'
#       list listen_https '[::]:443'
        option redirect_https '1'
        [...]

Jeff,

Thanks for the tip, I am running a similar setup described by jtommi. Your advice on a management LAN is helpful, and I wonder if you could elaborate on the steps necessary for running the uhttpd service using TLS with OpenSSL libraries. I did not realize LuCI transmitted in the clear at login, as I assumed the https://router_ip was encrypted from the start.

Thanks

P

LuCI itself, at least last I checked, just used a "normal" input element to accept the password, which then gets POSTed/GETted to the server. So if you are not using TLS, the root password is in the clear. Yes, if you already have HTTPS configured and required, that data is protected by the TLS encapsulation of the HTTP exchange.

https://openwrt.org/docs/guide-user/services/webserver/uhttpd

Another advantage of a dedicated management VLAN is most network-configuration "oops" situations will leave your connectivity to the device intact, as opposed to losing your "LAN", for example.

I assigned the bridges 192.168.10.201 and 192.168.20.201.
It's my client computer that gets no IP address.
Also my OpenWRT can't ping 192.168.10.1 (pfSense)

There's progress.
I eliminated the WAN from the equation (for now) and tagged Port 1 with both VLANs. Port 2 is untagged on VLAN 10. I get an IP and can even access LuCI on 192.168.10.201. But still no ping to 192.168.10.1.
How can I know if the issue is related to the OpenWRT config or pfSense?

I'd break out tcpdump and possibly Wireshark.

I'm progressing.
The IPs are right, I can even ping and access the firewall now.
Still no internet, but that is definitely a routing problem, so OpenWRT seems fine.
I'll keep posting my progress for future users (if I don't forget).


Hi all, @jtommi,

Did you succeed? I would like to put this in place too, but it lacks a lot of documentation.

Thanks in advance

I've had enough of the WiFi instability on FreeBSD with the old WiFi card that came with the mini PC I use for pfSense, so I decided to hook my OpenWRT WiFi router to the pfSense box and have great WiFi with another great firmware for me to tinker with.

I've been scratching my head over how to connect everything so I can control the WiFi networks from pfSense, while being able to access both the pfSense and OpenWRT admin GUIs from both the WiFi and the internal cabled networks configured in pfSense.

Finally I succeeded. For me the only thing missing was to reach the OpenWRT interface from pfSense networks and what I had to do was to:

  1. Create a new VLAN in OpenWRT and bridge it to OpenWRT's existing LAN interface. I also didn't stop the DHCP on the LAN, but it's not used now.
  2. Edit the same LAN interface and change the gateway to point to the pfSense interface IP which handles the same VLAN in pfSense. For example, the LAN interface in OpenWRT has the static IP 192.168.167.1 and its gateway is set to 192.168.167.50, while in pfSense the interface that handles the same VLAN is set to the static IP 192.168.167.50 with no DHCP.
     No other changes in OpenWRT were needed, which is better, as I think configurations should be as simple as possible for me to be more confident that the routing works as expected.

The longer story about my configuration is the following:

  1. Created 2 new SSIDs in OpenWRT. One will be bridged to the LAN in pfSense. One is for the IoT devices and needs only Internet + AP isolation.
  2. Created 2 separate interfaces in OpenWRT for these SSIDs, left them Unmanaged.
  3. Created 2 VLANs on the same OpenWRT port connected to the pfSense box and merged these VLANs respectively with the 2 new WiFi interfaces created in point 2 above.
  4. Created 2 new VLANs in pfSense with the same IDs as in OpenWRT (from point 3 above), set static IPs for them, activated DHCP for each of them.
  5. Added the default firewall PASS rules for both new interfaces in pfSense.

Now both WiFi networks work well, have Internet, and I can reach other networks from the WiFi bridged to pfSense's LAN. I will isolate (firewall) the IoT WiFi from the other networks later as well, and probably activate Avahi on all networks.

And to reach the OpenWRT admin I made the changes to the gateway on OpenWRT's LAN interface, as I mentioned above in the first 2 points.

I believe that instead of changing OpenWRT's LAN interface I could have set the gateway on one of the 2 new WiFi interfaces and regained access to OpenWRT that way (and deleted OpenWRT's LAN interface completely), but I wanted to keep my WiFi configuration in OpenWRT straightforward.

I also removed all firewall zones in OpenWRT and the 2 WAN interfaces, and everything still works. I didn't stop any service in OpenWRT. If I see the need I will remove more things from OpenWRT and make it an even dumber AP, but for now everything works very well.
I can also reach both pfSense and OpenWRT admin interfaces from VPN when I am outside home.
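As an added illustration (not configuration posted by anyone in this thread), the UCI fragments below put the whole "dumb AP on a tagged trunk" setup described above into one place: the swconfig VLAN table, one bridge per VLAN with wireless attached, DHCP left to pfSense, a management address on only one VLAN, and uhttpd bound to that address with HTTPS only. It uses the VLAN IDs and addresses from the first posts (VLANs 10/20, pfSense at .1, AP bridge at .201); the switch port numbers (0 = CPU, 1 = trunk to pfSense, 2 = untagged access port), the interface names (switch0, eth0, radio0), the SSIDs and the placeholder keys are assumptions to be adapted.

```uci
# /etc/config/network
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan                      # VLAN 10: CPU and trunk tagged, port 2 untagged
        option device 'switch0'
        option vlan '10'
        option ports '0t 1t 2'

config switch_vlan                      # VLAN 20: carried only on the trunk
        option device 'switch0'
        option vlan '20'
        option ports '0t 1t'

config interface 'vlan10'               # management VLAN: the only one with an IP on the AP
        option type 'bridge'
        option ifname 'eth0.10'
        option proto 'static'
        option ipaddr '192.168.10.201'
        option netmask '255.255.255.0'
        option gateway '192.168.10.1'   # pfSense VLAN 10 interface

config interface 'vlan20'               # IoT VLAN: bridged through, no address on the AP
        option type 'bridge'
        option ifname 'eth0.20'
        option proto 'none'

# /etc/config/dhcp -- pfSense serves DHCP on both VLANs, so the AP stays silent
config dhcp 'vlan10'
        option interface 'vlan10'
        option ignore '1'

# /etc/config/wireless -- one SSID per bridge; the IoT SSID isolates its clients
config wifi-iface
        option device 'radio0'
        option network 'vlan10'
        option mode 'ap'
        option ssid 'home-vlan10'
        option encryption 'psk2'
        option key 'CHANGE-ME-PLACEHOLDER'

config wifi-iface
        option device 'radio0'
        option network 'vlan20'
        option mode 'ap'
        option ssid 'iot-vlan20'
        option encryption 'psk2'
        option key 'CHANGE-ME-PLACEHOLDER'
        option isolate '1'

# /etc/config/uhttpd -- LuCI reachable only over TLS on the management address
config uhttpd 'main'
        list listen_https '192.168.10.201:443'
        option redirect_https '1'
```

With no `listen_http` entry and no address on the VLAN 20 bridge, a client on the IoT SSID has no path to LuCI at all, and the plaintext login problem mentioned earlier cannot occur on the management VLAN either.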