Two router network setup not working. Help!

[Ted Danson]

Hello.

This should have been fairly straightforward but it's wrecking my head the past 3 days. Basically I want to do per the attached diagram.

The AP on the 192.168.2.0/24 network should not be able to talk to devices on the 192.168.1.0/24, I just want that traffic going out to the Internet. The AP on 192.168.2.0/24 needs to be a router too because I need to issue iptables commands so that the router use ISP DNS IP's and then, depending on destination, route DNS requests to other IP's. The devices on the 192.168.2.0/24 network will all be wireless. Only the AP is connected by LAN and that interface has a static IP of 192.168.1.11/24. I created a second interface for WLAN with an IP of 192.168.2.1/24.

The end result is I can ping both interfaces from the ping tool in pfsense (which is 192.168.1.1/24), however I cannot ping 192.168.2.1/24 from a cmd line on a client. A test client connected to the 192.168.2.1/24 SSID gives a DHCP lease of 192.168.1.X/24. I want DHCP enabled on both routers, I'm assuming right now theyre fighting with each other to hand out leases?

Also, if you check my diagram, I do have 0.0.0.0/0 as a static route entry for pfSense, however pfSense only let's you add 0.0.0.0/1 in static routes. Which is odd to me, so I left it out.

Only other thing really to note is the AP on 192.168.2.1/24 is a TP-Link TL-WR902AC running OpenWRT.

Can anyone help? It's driving me insane!

 

[abailey]

The way you are doing it seems very confusing. Since you have a smart switch and pfSense, you should run separate vlans. Then you just have to add the rules in pfSense for access between VLANS. Also if this is for home or small business I would let the pfSense box do all your routing and not have another device doing some of the routing also.

 

[Ted Danson]

The way you are doing it seems very confusing. Since you have a smart switch and pfSense, you should run separate vlans. Then you just have to add the rules in pfSense for access between VLANS. Also if this is for home or small business I would let the pfSense box do all your routing and not have another device doing some of the routing also.

The problem is that I need to have the 2nd AP doing routing because I want to add prerouting IP tables entries on it that tell those devices on the 192.168.2.X network to use a different set of DNS IP's depending on destination. Otherwise they just use normal ISP, or Cloudflare or whatever DNS IP's.

I run pfsense with Snort and pfblockerng and don't use dnsmasq etc so I can't use custom iptables (afaik?).

 

[roguetr]

Sorry I won't be of any help but I'm really curious how you can dynamically change the queried DNS server based on destination when usually DNS is queried for the destination? Are you redirecting by inspecting host headers ... though then you may as well set static entries ...

Seriously have no idea how you would be doing this ...

I'm probably too late to the party but I would also be interested in how you solved this. If the second router was actually routing then the clients really shouldn't be seeing the dhcp server for the next network along unless they were connected within the same broadcast domain, the client wifi interface would have to be bridged to that network.

Sent from my MI 5 using Tapatalk

 

[coxhaus]

If you want to control DNS on users then you will need to lock allowed DNS servers on the firewall otherwise the users will just change DNS on their device. Some wireless devices support DHCP on the device but as stated above you need to control access to which DNS server you want.

 

[roguetr]

If you want to control DNS on users then you will need to lock allowed DNS servers on the firewall otherwise the users will just change DNS on their device. Some wireless devices support DHCP on the device but as stated above you need to control access to which DNS server you want.

Is this directed at me?

Sent from my MI 5 using Tapatalk

 

[coxhaus]

No.

 

[roguetr]

No.

Ok, I wasn't sure. You're take is the same as mine, transparent redirects and dhcp ... but I'm still interested in the concept OP had in mind. Maybe I should just search and see if I find something

Sent from my MI 5 using Tapatalk

 

[coxhaus]

I would setup multiple IP networks using one DHCP server with multiple scopes, one for each network. You can define which DNS for each scope. One of the networks will only have internet access and no local access which sounds like a guest network. This is easy to do and you don't need to make iptables commands. I use a layer 3 switch but it is not necessary. Don't let too many firewalls confuse you. You only need one firewall at the front door.