Question about VLANS with ASUS Ai mesh and PFSense/opnsense in front

[rvcjew]

I have a network as follows:

main router (AX86U Pro) 192.168.x.x
AI Node (2nd AX86U pro)
Have guest network pros with 2 current vlans of 52, 53
Have about 30 clients in general (don't know if that mattes)

My issue is we now need to add some clients all wired to a IPSEC VPN and the AX86U PRO doesn't support this so I have made a opnsense/pfsense box out of a GK41 miniforums. The wan will come into this and the AX86U pro will get the lan port. I have successfully tested the wan coming into a OpenVPN connection and then through a vlan made on the gk41. My question is is there a way to get the asus wan port to see this tagged traffic, and if not my plan is to use hardware I already got atm which is a tp link smart switch off the gk41 lan port to put the vpn client devices on a tagged port (10) and the asus on another tagged port (11). I need one device in the IPSEC VLAN (tagged 10) to see the lan (tagged11) of the asus though, I am trying to figure out if this is possible with a rule in pfsense?

EDIT: Also if I were to just ditch the ASUS as the router it self and use the pfsense as the only router and put my main asus into AP mode It would no longer be able to make an AImesh right and I would just have to have two separate AP routers which is not ideal?

 

[dave14305]

Also if I were to just ditch the ASUS as the router it self and use the pfsense as the only router and put my main asus into AP mode It would no longer be able to make an AImesh right and I would just have to have two separate AP routers which is not ideal?

I’m pretty sure you can have AiMesh in AP mode. See the “Access Point(AP) mode / AiMesh Router in AP mode” on the Administration / Operation Mode tab of the GUI.

 

[Tech9]

Also if I were to just ditch the ASUS as the router it self and use the pfsense as the only router and put my main asus into AP mode It would no longer be able to make an AImesh right and I would just have to have two separate AP routers which is not ideal?

There is no AI in AiMesh. It's just a marketing name like other Asus Ai things. Wired AiMesh is in fact routers in AP mode with limited control. Separate routers in AP mode are actually better. If you want full VLAN control for LAN/WLAN better ditch consumer AiMesh and go with controller managed Omada. You'll never look back. If TP-Link product is not an option for whatever reasons - UniFi. If Ubiquiti product is not an option for whatever reason - MikroTik.

 

[rvcjew]

There is no AI in AiMesh. It's just a marketing name like other Asus Ai things. Wired AiMesh is in fact routers in AP mode with limited control. Separate routers in AP mode are actually better. If you want full VLAN control for LAN/WLAN better ditch consumer AiMesh and go with controller managed Omada. You'll never look back. If TP-Link product is not an option for whatever reasons - UniFi. If Ubiquiti product is not an option for whatever reason - MikroTik.

Spoke to the client. Ordered a 24 port jetstream +poe, a 610 eap for testing (not sure if they need anything more then that, it's only 100/100 fiber), an oc200 controller (for today will mess with the software controller on windows I guess). Here's hoping I can get all of this stuff to play nice with each other.

Thanks for the advice.

 

[Tech9]

I have a network

Spoke to the client

Tell your client to you have no clue what to do and had to ask in an online forum for advice. Be honest. Thanks.

 

[rvcjew]

Tell your client to you have no clue what to do and had to ask in an online forum for advice. Be honest. Thanks.

Oh they know, I didn't think it mattered whether it is mine or not for the discussion sorry. We had the asus for years and had zero issues and if we didn't need that ipsec tunnel this would have stayed for a long time. They have now outgrown the ability this all provides and I have outgrown my skill set in what I could deploy and configure quickly. This let's me also make it easier if they need someone besides me to ever manage this thing if I'm gone. My biggest fear is if something happens to me what do they do if something goes down etc. I try to leave good documented info on what is done but you never know.