
HG612 & OPNSense Firewall

JRIrish
Hooked
Posts: 8
Thanks: 1
Registered: ‎11-11-2021

Re: HG612 & OPNSense Firewall

There is one thing you learn very quickly with both pfSense and OPNsense: each and every time you make a configuration change, make a backup! Believe me, it makes life a hell of a lot easier! Diagnostics-Backup & Restore.

OsoPolar
Grafter
Posts: 27
Thanks: 1
Registered: ‎17-01-2023

Re: HG612 & OPNSense Firewall

Hi

I need a little more guidance please.

I have my OPNsense box with the PPPoE credentials connection and it works fine and is connected to LAN1.

I converted my wifi router R7800 DD-WRT into a WAP with guidance from the DD-WRT devs.

But when I pop it into my switch I get no wifi whatever I try.

But if I shove the wifi router in LAN of the modem everything is fine?

What am I doing wrong?

MisterW
Superuser
Posts: 16,119
Thanks: 6,118
Fixes: 441
Registered: ‎30-07-2007

Re: HG612 & OPNSense Firewall

Sounds like the r7800 is still configured as a router and not a WAP.

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

OsoPolar
Grafter
Posts: 27
Thanks: 1
Registered: ‎17-01-2023

Re: HG612 & OPNSense Firewall

Screenshot from 2023-01-23 09-25-42.png

OsoPolar
Grafter
Posts: 27
Thanks: 1
Registered: ‎17-01-2023

Re: HG612 & OPNSense Firewall

When I say LAN I mean the LAN2 port; I still have OPNsense in LAN 1 on the modem.

Rockyuk
Dabbler
Posts: 14
Thanks: 2
Registered: ‎04-12-2018

Re: HG612 & OPNSense Firewall

I can see you have disabled the DHCP server. So how is it assigning IPs on the network? Are you manually assigning the endpoints? Computers, phones and laptops etc? Have you tried it with it on?

Rockyuk
Dabbler
Posts: 14
Thanks: 2
Registered: ‎04-12-2018

Re: HG612 & OPNSense Firewall

So, your setup should look like this

Modem (Internet) - OPNSense (Dual Nic) - Switch or Hub and then your WAP?

OsoPolar
Grafter
Posts: 27
Thanks: 1
Registered: ‎17-01-2023

Re: HG612 & OPNSense Firewall

Hi

I was under the impression that, with LAN & WAN being in OPNsense, it controls the issue of IP addresses; it is the master DNS server, otherwise you would have 2?

Rockyuk
Dabbler
Posts: 14
Thanks: 2
Registered: ‎04-12-2018

Re: HG612 & OPNSense Firewall

I have a Mesh WAP attached to my switch which gets internet access from my pfSense. But I have given it a different IP address on the network and it is running DHCP as well.

Basically I have segregated the pfSense and Mesh WAP from each other so they work in harmony.

MisterW
Superuser
Posts: 16,119
Thanks: 6,118
Fixes: 441
Registered: ‎30-07-2007

Re: HG612 & OPNSense Firewall

@OsoPolar well you certainly don't want gateway mode!

According to this https://wiki.dd-wrt.com/wiki/index.php/Wireless_Access_Point it should be in router mode with WAN and dhcp disabled

OsoPolar
Grafter
Posts: 27
Thanks: 1
Registered: ‎17-01-2023

Re: HG612 & OPNSense Firewall

Hi

Yes, I was aware of this, but from a senior Dev on DD-WRT I received this message:


There is a wiki: https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point
But IMHO opinion that is somewhat flawed.

I do it like this:

Wireless Access Point (WAP):
A secondary router connected wired LAN<>LAN on the same subnet as the primary router.
• On Basic Setup page:
  o WAN disabled
  o DHCP server Disabled (=off and NOT set as Forwarder!)
  o Local IP address in subnet of primary router but outside DHCP scope; make sure the used IP address is unique on your network, you cannot have duplicates.
  o Gateway and Local DNS pointing to primary router
• Keep DNSMasq enabled (both on Basic Setup page and Services page)
• On Setup > Advanced Routing, keep Operating mode in the default Gateway (the wiki says Router mode but do not do that, either it does not matter (this case) or breaks things)
• On Security > Firewall keep the SPI Firewall enabled; although you do not want a firewall, it will be automatically disabled as there is no WAN, so no need to change this setting from default.
• Connect LAN <> LAN (do not use the WAN port unless you really need that extra port; for most routers traffic still must use the CPU so performance is lacklustre, and there are some routers where the WAN port is not added to the br0 so the WAN port could be non-functional on some routers).

Note: for Broadcom routers for best throughput enable CTF on Basic Setup Page

You have to add the following rule to the firewall in order to get internet access from clients attached to a VAP/Bridge on your WAP.
In the web-interface of the router (the WAP): Administration > Commands save Firewall:
#Always necessary (alternatively set static route on main router and NAT traffic from VAP/Bridge out via WAN):
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

If you want to only have the VAP/bridge to have internet access and not access to the rest of the network
#Replace with the appropriate interface of your VAP, e.g. wl0.1, wlan0.1 etc:
GUEST_IF="wlan1.1"
#Net Isolation does not work on a WAP so keep it disabled, add for isolating VAP from main network:
iptables -I FORWARD -i $GUEST_IF -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT

#For isolating the WAP itself from the VAP/bridge:
iptables -I INPUT -i $GUEST_IF -m state --state NEW -j REJECT
iptables -I INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT
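
Added example, not part of the thread or of DD-WRT: the INPUT rules quoted above rely on `-I` inserting at the top of the chain, so the DHCP and DNS ACCEPT rules entered last end up above the catch-all REJECT. This check reads `iptables -S INPUT` style text and confirms that ordering; the function name, the `wlan1.1` interface and both rule listings are constructed for illustration.

```shell
#!/bin/sh
# Added example; rule listings below are constructed, not captured from a device.
# Reads `iptables -S INPUT` text on stdin; $1 = guest interface. Exit 0 = order is sound.
check_guest_input_order() {
    awk -v ifc="$1" '
    function val(flag,   i) {   # token following a flag, or "" if the flag is absent
        for (i = 1; i < NF; i++) if ($i == flag) return $(i + 1)
        return ""
    }
    $1 == "-A" && $2 == "INPUT" && val("-i") == ifc {
        key = val("-p") "/" val("--dport")
        if (val("-j") == "ACCEPT" && !(key in pos)) pos[key] = NR
        # First REJECT/DROP with no -p: NEW guest traffic never reaches rules below it
        if ((val("-j") == "REJECT" || val("-j") == "DROP") && val("-p") == "" && !block) block = NR
    }
    END {
        n = split("udp/67 udp/53 tcp/53", req, " ")
        for (i = 1; i <= n; i++) {
            if (!(req[i] in pos))                  { print "MISSING  " req[i]; bad = 1 }
            else if (block && pos[req[i]] > block) { print "SHADOWED " req[i]; bad = 1 }
            else                                   { print "OK       " req[i] }
        }
        if (!block) { print "MISSING  catch-all REJECT on " ifc; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: chain after the four -I commands are run in the posted order.
sample_inserted() { cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i wlan1.1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i wlan1.1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i wlan1.1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i wlan1.1 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Constructed sample: the same rules added with -A (append) instead of -I.
sample_appended() { cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i wlan1.1 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i wlan1.1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i wlan1.1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i wlan1.1 -p tcp -m tcp --dport 53 -j ACCEPT
EOF
}

sample_inserted | check_guest_input_order wlan1.1
sample_appended | check_guest_input_order wlan1.1 || echo "guest DHCP/DNS would be rejected"
```

On a live WAP the input would be `iptables -S INPUT | check_guest_input_order "$GUEST_IF"`.
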
MisterW
Superuser
Posts: 16,119
Thanks: 6,118
Fixes: 441
Registered: ‎30-07-2007

Re: HG612 & OPNSense Firewall

@OsoPolar as long as you are connecting LAN to LAN then it shouldn't matter. It should basically be: allocate it an IP in the main router subnet and disable dhcp and wan.

OsoPolar
Grafter
Posts: 27
Thanks: 1
Registered: ‎17-01-2023

Re: HG612 & OPNSense Firewall

So you're saying I should try it in modem mode?

MisterW
Superuser
Posts: 16,119
Thanks: 6,118
Fixes: 441
Registered: ‎30-07-2007

Re: HG612 & OPNSense Firewall

It (r7800) doesn't have a modem mode.

Connect the r7800 via one of its lan ports to a lan port on the opnsense. Disable dhcp on the r7800.