Separating two SSIDs with VLANs for pfSense

My goal is to have two SSIDs on OpenWrt, each tagged with a separate VLAN (20, 30). I want pfSense to handle DHCP requests and manage everything else.

I have used the below resource to try to get this working:

When clients try to connect to the SSID it says "Connecting..." forever, and I think it's failing to issue an IP address via DHCP, or there is a conflict between the pfSense LAN (192.168.1.1) and the OpenWrt LAN (192.168.1.1).

When I try to change the LAN mapping in OpenWrt it always reverts back to 192.168.1.1.

Setup on pfSense

igb0 - WAN (DHCP)
igb1 - LAN (192.168.1.0/24)

igb2
VLAN 20 (192.168.20.0/24) - assigned as interface PrimaryWiFi
VLAN 30 (192.168.30.0/24) - assigned as interface GuestWiFi

Setup on OpenWrt

  • Firewall disabled

  • "Network->DHCP" unchecked "Authoritative"

Can anyone see any obvious issues?

My goal is simply to get a trusted/guest SSID setup with VLANs on the same port, managed by pfSense.

What IP is pfSense?

Not so definitive a choice to make.

Did you happen to notice your RX0 on both "WIFI" interfaces?

pfSense has an IP address of 192.168.1.1. When I try to change OpenWrt to something else it reverts back.

When I took these screenshots no clients were connected.


Click "Apply Unchecked"... Depending on what you've done... the 192.168.1.0 network may not be so relevant anyway.... Only for non-wifi-oob-ease-of-admin purposes....

Running a small DHCP scope ( non-overlapping ) ( 3 addresses per network except 192.168.1.x ) at least for testing purposes will help you to narrow down your issues.

If you do this... you might need to check you've set the upstream GATEWAY and DNS per INTERFACE.

By the way.... can you ping from 20/30.xOPENWRT to 20/30.x pfsense?

Step 6 on the pfSense side looks like it could cause some issues... rather than 192.168.1.x DHCP, which technically should not pass to the clients anyway......

PFSENSE: Create a Pass rule for each interface in "Firewall->Rules"

Okay, I don't think the issue is related to DHCP, because pfSense and OpenWrt fail to ping each other.

PING 192.168.20.10 (192.168.20.10) from 192.168.20.1: 56 data bytes
64 bytes from 192.168.20.10: icmp_seq=0 ttl=64 time=0.857 ms
64 bytes from 192.168.20.10: icmp_seq=1 ttl=64 time=0.349 ms
64 bytes from 192.168.20.10: icmp_seq=2 ttl=64 time=0.330 ms

--- 192.168.20.10 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.330/0.512/0.857/0.244 ms

That is a good ping....

Likely the pfSense firewall or VLAN DHCP scopes are not set up right.

It could be the firewall rules. I have them all open at the moment... the only exception I have is that the GuestNetwork should not be able to ping trusted ones. Which it can, so that is not working as planned.

The LAN network 192.168.1.1 (pfSense) is unable to reach OpenWrt, which it should be able to based on the rules. The other networks seem to be able to talk okay. On pfSense I have DHCP enabled for the VLAN interfaces and the ranges look good.

192.168.20.100 - 192.168.20.199
192.168.30.100 - 192.168.30.199

PING 192.168.20.10 (192.168.20.10) from 192.168.1.1: 56 data bytes

--- 192.168.20.10 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

PING 192.168.20.10 (192.168.20.10) from 192.168.20.1: 56 data bytes
64 bytes from 192.168.20.10: icmp_seq=0 ttl=64 time=0.530 ms
64 bytes from 192.168.20.10: icmp_seq=1 ttl=64 time=0.396 ms
64 bytes from 192.168.20.10: icmp_seq=2 ttl=64 time=0.406 ms

--- 192.168.20.10 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.396/0.444/0.530/0.061 ms

PING 192.168.30.10 (192.168.30.10) from 192.168.30.1: 56 data bytes
64 bytes from 192.168.30.10: icmp_seq=0 ttl=64 time=0.573 ms
64 bytes from 192.168.30.10: icmp_seq=1 ttl=64 time=0.373 ms
64 bytes from 192.168.30.10: icmp_seq=2 ttl=64 time=0.340 ms

--- 192.168.30.10 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.340/0.429/0.573/0.103 ms

PING 192.168.20.10 (192.168.20.10) from 192.168.30.1: 56 data bytes
64 bytes from 192.168.20.10: icmp_seq=0 ttl=64 time=0.575 ms
64 bytes from 192.168.20.10: icmp_seq=1 ttl=64 time=0.378 ms
64 bytes from 192.168.20.10: icmp_seq=2 ttl=64 time=0.459 ms

--- 192.168.20.10 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.378/0.471/0.575/0.081 ms

I'm very confused. If you want pfSense to handle DHCP,
then the OpenWrt device should be set up as a dumb AP.
Its IP should be given by pfSense as well; it will have no range or DHCP servers running.
It could get its IP from either a VLAN or the normal LAN.
It just needs correct VLAN tagging and binding of the wifi interfaces.

Not necessarily... based on the posted guide... ignoring the intricacies of native VLANs, and all config relating to the management of OpenWrt...

Each VLAN is essentially its own "dumb AP". And given an isolated L2 segment, one should not run overlapping DHCP servers (as a general rule - there are some advanced exceptions). I do not believe the OP has any issues in this regard.

And that's the crux of it really. You set up the VLANs... some static addresses, and test. All L3 config and services that run on top of that then rely on common configuration principles.

If you want to make life harder for reason, go for it :slight_smile:

lewis23, can you provide a screenshot of your Network > Switch page?
This guide is very vague, and your router's hardware layout needs to be taken into consideration.

Do you want the screenshots from pfSense or OpenWRT? I will need to attach them later. I've attached an image of the network.

I'm more interested in what ports are attached to the switch inside OpenWrt, whether you have the VLANs tagged correctly, and whether your uplink/WAN port is part of it.
Looking at this, though, there are 2 faults:
If you can bridge your modem and not double-NAT your system, it would be better.
You have 2 networks using 192.168.1.x/24; I would at least move OpenWrt to 192.168.10.2, if not just DHCP,
and make sure all 3 of your static networks on OpenWrt have DHCP disabled.
For testing I would make your 2 OpenWrt .20 and .30 interfaces both DHCP (from static) and make sure they get an IP from pfSense. Later I would change them to Unmanaged.

Thanks for the feedback on this.

Currently the switch in OpenWrt only has the trunk rule specified. So it looks like:

VLAN ID: 1, with CPU tagged and the ethernet port connecting OpenWrt and pfSense tagged as well.

I thought this would pass all VLAN traffic over it with VLAN tags and pfSense would manage the rest.

Do I need to set up individual rules in the switch for each VLAN? e.g. 20, 30?

In your switch page you want 3 VLANs set up:
VLAN ID = 1: CPU = tagged, LAN = untagged, WAN = untagged
VLAN ID = 20: CPU = tagged, LAN = tagged, WAN = tagged
VLAN ID = 30: CPU = tagged, LAN = tagged, WAN = tagged
If your WAN port is not part of the switch, then don't use it for now.
Connect your pfSense to a LAN port.

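The switch layout in the reply above is the whole fix: with only VLAN 1 in the switch table, frames for VLANs 20 and 30 are never carried on the trunk port, so the SSIDs sit on dead L2 segments and pfSense never sees their DHCP requests. The script below is an added example, not code from the thread or from the OpenWrt project: it reads an OpenWrt swconfig-style /etc/config/network and checks that VLAN 1 is native on the trunk (CPU tagged, trunk port untagged) and that VLANs 20 and 30 are tagged on both the CPU and the trunk port. The port numbering (CPU = port 0, pfSense on LAN port 4) and the two sample configs are constructed assumptions; change CPU_PORT and TRUNK_PORT to match the Network > Switch page of your own router. The "fixed" sample only tags the trunk port for 20/30 rather than every LAN port, which is all the validator requires.

```shell
#!/bin/sh
# Added example (not from the thread): validate the swconfig VLAN table for a
# pfSense-managed trunk. Assumed (hypothetical) port numbering: CPU = switch
# port 0, cable to pfSense on LAN port 4.
CPU_PORT=0
TRUNK_PORT=4

# Print the 'ports' value of the switch_vlan section for VLAN $1 (config on stdin).
vlan_ports() {
    awk -v want="$1" -v q="'" '
        /^config[ \t]/ { vid = ""; ports = ""; insw = ($2 == "switch_vlan") }
        insw && $1 == "option" && $2 == "vlan"  { v = $3; gsub(q, "", v); vid = v }
        insw && $1 == "option" && $2 == "ports" {
            p = $0; sub(/^[ \t]*option[ \t]+ports[ \t]+/, "", p); gsub(q, "", p); ports = p
        }
        insw && vid == want && ports != "" { print ports; exit }
    '
}

# Report how port $2 appears in a ports string $1: tagged, untagged or absent.
port_mode() {
    for p in $1; do
        case "$p" in
            "${2}t") echo tagged;   return 0 ;;
            "$2")    echo untagged; return 0 ;;
        esac
    done
    echo absent
}

# Check the trunk layout from the reply: VLAN 1 native (CPU tagged, trunk
# untagged) for management, VLANs 20 and 30 tagged on CPU and trunk.
# Prints one line per check and returns 1 if any check fails.
check_trunk() {   # $1 = path to a network config file
    file=$1
    rc=0
    for spec in "1 $CPU_PORT tagged" "1 $TRUNK_PORT untagged" \
                "20 $CPU_PORT tagged" "20 $TRUNK_PORT tagged" \
                "30 $CPU_PORT tagged" "30 $TRUNK_PORT tagged"; do
        set -- $spec
        vid=$1; port=$2; want=$3
        ports=$(vlan_ports "$vid" < "$file")
        if [ -z "$ports" ]; then
            echo "FAIL vlan $vid: no switch_vlan section, its frames never reach the trunk"
            rc=1; continue
        fi
        mode=$(port_mode "$ports" "$port")
        if [ "$mode" = "$want" ]; then
            echo "ok   vlan $vid: port $port $mode"
        else
            echo "FAIL vlan $vid: port $port is $mode, expected $want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the switch page as described in the thread (VLAN 1 only,
# CPU and trunk port both tagged).
write_broken_config() {
    cat > "$1" <<'EOF'
config switch
    option name 'switch0'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0t 4t'
EOF
}

# Constructed sample: the three-VLAN layout from the reply, with the two VLAN
# interfaces as DHCP clients so pfSense's scopes can be tested from OpenWrt.
write_fixed_config() {
    cat > "$1" <<'EOF'
config switch
    option name 'switch0'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0t 1 2 3 4'

config switch_vlan
    option device 'switch0'
    option vlan '20'
    option ports '0t 4t'

config switch_vlan
    option device 'switch0'
    option vlan '30'
    option ports '0t 4t'

config interface 'vlan20'
    option ifname 'eth0.20'
    option proto 'dhcp'

config interface 'vlan30'
    option ifname 'eth0.30'
    option proto 'dhcp'
EOF
}

tmp=$(mktemp)
write_broken_config "$tmp"; echo "== switch table as described in the thread =="; check_trunk "$tmp" || true
write_fixed_config "$tmp";  echo "== layout from the reply ==";                    check_trunk "$tmp" || true
rm -f "$tmp"
```

Run it against a copy of /etc/config/network pulled from the router (scp or `cat` over ssh); every FAIL line names a VLAN and port that still needs changing on the Network > Switch page. Binding the SSIDs is then the separate wireless step the reply mentions: each `wifi-iface` in /etc/config/wireless gets `option network 'vlan20'` or `'vlan30'` so the SSID is bridged to the tagged interface rather than to the management LAN.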

Okay, I think I understand now. I can see why things were not working. Will test this later. I believe I have enough information now.

Many thanks for your assistance!
