pfSense with DD-WRT AP (setting changes) to link both

x53gunner1

Mar 30, 2015
All,
I'm asking for technical advice with some networking issues directly related to DD-WRT. I'm technically a noob but I am competent enough to flash my router with DD-WRT, set up a FreeNAS box, and just last night, with a little help from the guys on the pfSense forum, I set up a pfSense stand-alone firewall. My background is IT help desk so networking is not my forte but again, I can listen and follow advice. In other words, I have a clue but I know just enough to be dangerous. :pt1cable: I have the pfSense box set up and running as a firewall only with a single machine and it checks out good. The goal is to have the pfSense box as just a pure firewall, and put the router (Cisco/Linksys WRT160NL running DD-WRT v24-sp2) down line from that for routing, wireless AP, etc. I've checked the net for info but found it very spotty or not truly relevant to my specific situation. One guide suggested putting both boxes on the same subnet but I think that's incorrect. They also suggested turning off DHCP in DD-WRT but I want the router to handle handing out DHCP addresses. I think I need to change the settings from Gateway to Router (under advanced routing) but I'm just guessing (the noob at large). There were half a dozen other options that looked like I should start checking or unchecking but then I realized I wasn't going to learn anything that way and really wouldn't appreciate what's going on or understand how to fix it if it went down.

Can anyone provide a basic listing of the steps I should be focusing on to set the router up to serve in this new capacity? What settings should I be changing or testing out so I make a good connection to the pfSense firewall? I'm sure the firewall is set on a fixed IP. Again, pfSense will be a stand-alone firewall directly after the modem, then the router will be handling all the DHCP, wireless AP, access restrictions, etc.

Eventually, if at all possible (and after I'm much more network competent), I'd like to set up a DMZ either with the DD-WRT or another stand-alone box but for now, I'm just trying to get the router back into the chain so I can get my home network back in the game.

Any advice or suggestions greatly appreciated.

Thanks,

Tom
 
In a home network, a router basically provides DHCP and does NAT/firewall/port forwarding duties. Since PFSense can do all of these things (and more) easily, why do you need a separate router? Turn off DHCP on your DD-WRT AP and just use it as a WiFi AP. I can't think of any benefit to having a separate firewall and router for a home network.
 
Don't get me wrong, in the very short time I've been looking at pfSense in the box I just set up, it's amazing with all the options that thing can handle. Perhaps when I start to push a lot of throughput on the router, DD-WRT will fold (like some have reported) but for me, it's been rock solid. DD-WRT offers access restrictions per IP or MAC address, blocking P2P and other applications or websites and it's super easy with DD-WRT, QoS, priority per IP, MAC, subnet or application, and the hotspot options. Most of all, at some point in the future, I'd like to set up a DMZ between the two so they'll be separate doing their own thing anyway, so I'm just setting that split up right from the get go. The future DMZ thing is really the main goal. I want that firewall out front to do its thing, then the DMZ, then the router with its own (built in) firewall doing its thing. I have to crack the setup between the two but as a noob, it's easier to have one box doing one thing at one time for one reason. Sort of like having two girlfriends. It's OK as long as they're not in the same place at the same time. :no: Unless of course, that's all been precoordinated. :ouch:
 
So, you really want two firewalls? Anything you want to let through will need to be allowed on both firewalls.
I assume you only get a single dynamic IP from your ISP. Having both firewalls do NAT is probably the simplest thing to set up. For example, put PFSense on 192.168.0.1 and have its DHCP set to hand out IPs from 192.168.0.10-100 with netmask 255.255.255.0. You can either configure PFSense to hand out a static IP to your dd-wrt using DHCP, or you can manually give the WAN port of the dd-wrt a static address like 192.168.0.2.
You can then set the LAN IP of dd-wrt to 192.168.1.1 and configure its DHCP to hand out addresses in the same subnet.

Any ports you want to forward will need to be set to forward from PFSense to your dd-wrt box and then from your dd-wrt box to the proper machine.
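The double-NAT layout in this reply has a few places where the numbers can quietly disagree (the dd-wrt WAN address landing inside the pfSense DHCP pool, the two LANs overlapping, or the two port-forward rules not lining up). The following is an added Python example, not code from the thread or from pfSense or DD-WRT, that sanity-checks such a plan before it is typed into either box. The 192.168.0.x/192.168.1.x addresses and the 192.168.0.10-100 pool are the ones quoted above; the dd-wrt DHCP pool and the SSH port-forward are constructed for illustration.

```python
import ipaddress

# Constructed addressing plan. pfSense LAN, its DHCP pool, the dd-wrt WAN and
# dd-wrt LAN addresses follow the reply above; the dd-wrt DHCP pool is assumed.
PLAN = {
    "pfsense_lan": "192.168.0.1/24",
    "pfsense_dhcp": ("192.168.0.10", "192.168.0.100"),
    "ddwrt_wan": "192.168.0.2/24",
    "ddwrt_lan": "192.168.1.1/24",
    "ddwrt_dhcp": ("192.168.1.100", "192.168.1.199"),  # assumed pool
}


def _iface(cidr):
    return ipaddress.ip_interface(cidr)


def _pool(rng):
    return ipaddress.ip_address(rng[0]), ipaddress.ip_address(rng[1])


def check_addressing(plan):
    """Return a list of problems with a double-NAT plan; an empty list means consistent."""
    problems = []
    pf = _iface(plan["pfsense_lan"])
    wan = _iface(plan["ddwrt_wan"])
    lan = _iface(plan["ddwrt_lan"])

    # The two LANs must be distinct subnets, or neither box can route between them.
    if pf.network.overlaps(lan.network):
        problems.append("pfSense LAN and dd-wrt LAN overlap")
    # dd-wrt's WAN side must live on the pfSense LAN, and not on pfSense's own address.
    if wan.ip not in pf.network:
        problems.append("dd-wrt WAN is not inside the pfSense LAN subnet")
    elif wan.ip == pf.ip:
        problems.append("dd-wrt WAN address collides with the pfSense LAN address")
    # A manually set WAN address must sit outside the pool, or a lease can collide with it.
    lo, hi = _pool(plan["pfsense_dhcp"])
    if lo <= wan.ip <= hi:
        problems.append("dd-wrt WAN static address falls inside the pfSense DHCP pool")
    # Each pool must be inside its own subnet, ordered, and must not hand out the gateway.
    for name, net_key, pool_key in (("pfSense", "pfsense_lan", "pfsense_dhcp"),
                                    ("dd-wrt", "ddwrt_lan", "ddwrt_dhcp")):
        gw = _iface(plan[net_key])
        lo, hi = _pool(plan[pool_key])
        if lo > hi:
            problems.append(f"{name} DHCP pool start is above its end")
        if lo not in gw.network or hi not in gw.network:
            problems.append(f"{name} DHCP pool is not inside its LAN subnet")
        if lo <= gw.ip <= hi:
            problems.append(f"{name} DHCP pool includes the gateway address")
    return problems


def check_forward_chain(plan, pf_rule, ddwrt_rule):
    """Check a two-hop port forward. Each rule is (listen_port, dest_ip, dest_port).

    pfSense must hand the traffic to dd-wrt's WAN address, dd-wrt must listen on the
    port pfSense sends to, and the final host must be on the dd-wrt LAN.
    """
    problems = []
    wan_ip = _iface(plan["ddwrt_wan"]).ip
    lan_net = _iface(plan["ddwrt_lan"]).network
    _, pf_dest_ip, pf_dest_port = pf_rule
    dd_listen, dd_dest_ip, _ = ddwrt_rule
    if ipaddress.ip_address(pf_dest_ip) != wan_ip:
        problems.append("pfSense rule does not forward to the dd-wrt WAN address")
    if pf_dest_port != dd_listen:
        problems.append("dd-wrt rule does not listen on the port pfSense forwards to")
    if ipaddress.ip_address(dd_dest_ip) not in lan_net:
        problems.append("final host is not on the dd-wrt LAN")
    return problems


if __name__ == "__main__":
    # Constructed example: expose SSH on an inside host via both boxes.
    pf_rule = (2222, "192.168.0.2", 2222)       # pfSense WAN:2222 -> dd-wrt WAN:2222
    dd_rule = (2222, "192.168.1.20", 22)        # dd-wrt WAN:2222 -> inside host:22
    for p in check_addressing(PLAN) + check_forward_chain(PLAN, pf_rule, dd_rule):
        print("PROBLEM:", p)
```

Running it against the plan above prints nothing, which is the point: the checks are there to catch the mistakes that show up as "works on one box but not the other" only after both are cabled in. Adjust the dictionary to a proposed change and rerun before touching either web UI.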
 
Pfsense can do everything dd-wrt can and much more. Many times they are using exactly the same code base to accomplish the task. Pfsense is just one of the more commonly packaged firewall solutions. You can find Ubuntu firewall/router builds.

Pretty much the only thing pfsense can't do is run wireless...it can I suppose if you put in pc based wireless nic cards.

The main advantage to pfsense is that it is a full blown computer. It can save long term data to the hard drive and it can load huge amounts of filters and such in memory.

I am unclear what you consider a "router" feature; most of the things you describe like access restrictions etc. are firewall features. Many people even put the NAT function on the firewall list. A true router would be running routing protocols like BGP or OSPF between other devices to select optimum pathing. When you look at a router with this definition you would never need a router in a home environment.

I would use your "router" to only provide the wireless function and the wireless security and the pfsense box for everything else. It is actually a much simpler design and you will avoid all the nasty problems with running multiple subnets in your house.

 
Wow, wow, wow... the noob has gotten in deep this time eh? This is a bigger can of worms than I thought. Guess that's why I'm a noob...
Multiple subnets is not something I want to get into. Not at this point at least. Yes, I only get a single dynamic IP from ISP and pfSense is set to take that. I better read both your responses again. Very informative but I'm in way over my head. I thought it would be easy to set up pfSense as "just" a firewall (in loose terms) when my concept of that is, in fact, knowledge limited as pointed out by bill001g. Time to brush up on NAT and port forwarding. I've seen the terms and really only know what they stand for, not the actual application of the concept. Bad on me. Simple is best. Back to networking 101. Again, ultimately, I wanted two firewalls with a DMZ. One would be running one build/OS and the other a completely separate build/OS so their weaknesses would be ultimately harder to penetrate. Thanks for the input guys. I will take your advice to heart and in this case to head. If I just took your comments and numbers and plugged them in I would just be using that to complete my setup and not knowing what the heck I'm really doing. I better just leave the pfSense box alone for now since it's 100% operational, hook the router back up the way it was and utilize its security features till I get "edumicated". I'll just make things worse if I jump in with both feet now. For once I'll choose the high road and do this smarter, not faster.

Thanks,

Tom