Hello,
I’ve got a TP-Link Archer C9 wireless router running DD-WRT and am currently using it as a dumb AP on my network. I would like to have it issue out IP addresses via DHCP for any wireless clients and be on a separate VLAN. I would like to be able to ping/access the wireless clients but not have them reach my other network. My problem is I’m not sure how to hook this all up in pfSense (and technically DD-WRT but I don’t expect support for that here, I’ll do my own research to sort that out :)) I’m a real pfSense/Networking noob so forgive me if this is a nonsensical request.
Current Setup:
pfSense running DHCP @ 192.168.1.1
DD-WRT with DHCP disabled @ 192.168.1.2
What I’m looking to achieve:
pfSense running DHCP @ 192.168.1.1 handing out IP addresses for any LAN connected devices on 192.168.1.* range
DD-WRT running DHCP @ 192.168.1.2 handing out IP addresses for any Wireless connected devices on 10.0.0.* IP range
Thank you in advance for any help!
Yeah this should be possible. Tom has a great video on something very similar located here.
The way I would do it is
- Create the VLAN for your 10.x.x.x network with DHCP configured on pfsense
- Statically assign the AP on you management network to the IP (192.168.1.2)
- Create the SSID network on your AP to have the VLAN tag of 10.x.x.x network you created in pfsense
aaaaaaaaaaaaand BAM! You should be good to go.
Is the router in some type of bridge mode? I think the easiest solution would be to put it in a bridge mode and have pf sense give out the dhcp. (Mainly to keep in one spot) I say this because if the wan ip of the router is 192.168.1.2 and the router hands out 10.xx ips you are not really on a vlan. That is unless ddwrt can use the 192. Address as a management only address. In the config you sites the 192. Address would most likely be reachable from the Wifi which if I am reading correct is not desired.
Was thinking similar to @Thedannymullen … Personally I would stick all vlans in the 192.168.xx.xx range and just change the 3rd octet for the different vlans. It’s easier to use rules in pfsense to segment traffic which I guess you are trying to do.
My access point and switches allow management vlans to be nominated but I can’t honestly say what the difference would be if I just omitted it, I’ve selected it only because I can.
1 Like
The wireless router is working in “Router Mode” according to DD-WRT. To be honest, if I can get this all working through pfSense that would be ideal. I was just under the assumption it had to be done between the two. I’ve tried creating an Interface for VLAN but got stuck along the way (I couldn’t ping google or do anything really despite following many guides on the subject) so I’m not sure what’s up.
Thanks! That video actually answered a lot of questions I had. I was able to get a VLAN setup as shown in the video. However, I don’t own any managed switches in which to tie the VLAN into. Can I just tell a device to use 192.168.69.1 (My VLAN) and get an IP that way? Or is it an absolute must to use a managed switch?
Yeah it doesn’t work that way unfortunately. How many NIC’s do you have on you pfsense box? Do you by chance have a spare?
I have a built-in Intel NIC and a low-profile Intel Ethernet card. I’ll see about maybe getting one of those 4 NIC cards. Thanks!
As @xMAXIMUSx said it doesn’t quite work that way. However if you do have a spare network port on pfsense box you can assign that port to be an untagged vlan this will allow the router to be on the 69.1 subnet. You will want to put the router in a bridge mode vs router this will eliminate the double nat issue. Ddwrt should support this mode on the router I believe.
I also read in a quick google looked like ddwrt supports vlans? Does the hardware need to support them for this to work?
Lastly, you can find tp link and netgear managed switches for around the $20 price point. If you can scrape together some $$ these can be good learning tools. I have one of each they work great for a small home network.
I suppose it depends on your budget and the amount of grief you can tolerate. In your position I would consider a PoE switch it will cost a bit more, however if you get an AP which supports PoE then you can place it in a more optimal location. I assume you’re running an ethernet cable so you’re almost half way there.
Have various routers in the cupboard which I can use as an AP but because they have a power plug I’m limited as to where I can place it.
You can still use your DD-WRT router in AP mode obviously but the signal strength probably won’t be as good.
Things ended up moving away from the DD-WRT portion of this question as I have obtained an old Cicso Catalyst 2960 switch. I’ve created a new thread here pfSense & Cisco Catalyst 2960 VLAN Questions
