Solved Chaining NAT: wifi router plugged on a FreeBSD Ethernet router

Hello,
At home I have Internet access shared on an Ethernet network and on a WIFI network. Both are managed on a FreeBSD fanless PC, wlan interface and eth interface are not bridged and FreeBSD provides Firewall/NAT/DHCP/etc. to the home network.
The fanless PC is quite old and its WIFI performance is really subpar according to modern standards.
So I've bought a Netgear Orbi WIFI 6 router to plug into my network. Works really great, top-notch performance.

Question is, how do I configure my network from here?

The Orbi router can act either as:
- a proper WIFI router, with NAT, DHCP, and many great features (guest SSID, protection, schedule, etc.)
- a simple access point (no NAT, no DHCP, almost every advanced feature lost)

I'm tempted to go the "full WIFI router" way, but I'm concerned I might create problems when chaining NATs: either network related (MTU? …) or application related (partial UPnP, etc.).

Any thoughts about this?
 
Set it up as a simple access point, stick it on your network and be done.
 
Yeah, you don't want to use NAT or DHCP on it because that's already done by your current FreeBSD host. It will only complicate things.
 
Ok, I've just tried the pure-AP setup and in fact it's better than expected: the latest firmware allows the use of the guest SSID in AP mode (the help available inside the admin interface states it's not possible), which is the feature I would have missed the most.
My LAN and WiFi networks used to be separated (192.168.0.0/24 and 192.168.1.0/24 respectively) but now that the new AP is just another Ethernet device it lands in the 192.168.0.0/24 network. So I guess I'll have to alias my Ethernet interface, give the alias a proper network (192.168.1.0/24) and set up the DHCP so that the AP picks up an IP in this network.
 
Don't know how complex that AP is but I have a Linksys AC1750, I can create multiple wireless networks and assign each network to its own VLAN. I've set up a "guest" network and put it on a different VLAN so this traffic is completely separated from the rest of my network. This does require a switch that supports VLANs though. Routing is done on my FreeBSD firewall/router. I've created a couple of vlan(4) interfaces there so I can route the various different networks.
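The guest-VLAN layout described in the post above, sketched as FreeBSD configuration. This is an added example, not configuration posted by anyone in the thread. The interface names (em0, em1), the VLAN ID 20 and the 192.168.20.0/24 guest subnet are assumptions, and it requires an AP and switch that tag the guest SSID.

```conf
# ---- /etc/rc.conf on the FreeBSD router (names and IDs are assumed) ----
vlans_em0="vlan20"                        # clone a vlan(4) child of em0
create_args_vlan20="vlan 20"              # 802.1Q tag carried by the guest SSID
ifconfig_em0="inet 192.168.0.1/24"        # untagged LAN, subnet from the thread
ifconfig_vlan20="inet 192.168.20.1/24"    # guest subnet (assumed)
gateway_enable="YES"
pf_enable="YES"

# ---- /etc/pf.conf ----
ext_if   = "em1"       # assumed WAN interface
lan_if   = "em0"
guest_if = "vlan20"

set skip on lo0

# One NAT layer only, on the FreeBSD box
nat on $ext_if inet from { $lan_if:network, $guest_if:network } to any -> ($ext_if)

# Default deny, log what gets dropped so per-interface metrics are visible
block log all

# Guests may get a lease and resolve names on the router, nothing else local
pass in quick on $guest_if inet proto udp from any port 68 to any port 67
pass in quick on $guest_if inet proto { tcp, udp } \
    from $guest_if:network to ($guest_if) port 53

# Guests never reach the LAN or any other router address
block in log quick on $guest_if inet from any to { $lan_if:network, (self) }

# Everything else from guests goes out to the Internet
pass in on $guest_if inet from $guest_if:network to any

# Trusted LAN: unrestricted
pass in on $lan_if inet from $lan_if:network to any

# Forwarded and router-originated traffic leaving any interface
pass out all
```

Because the guest rules are bound to `vlan20`, `pfctl -vvsr` shows separate counters for guest and LAN traffic, which is the per-interface distinction discussed later in the thread.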
 
My LAN and WiFi networks used to be separated (192.168.0.0/24 and 192.168.1.0/24 respectively) but now that the new AP is just another Ethernet device it lands in the 192.168.0.0/24 network.
If you want to keep it separate just replace the WiFi card with an ethernet card or add another ethernet card and then plug the AP into the ethernet port using a crossover cable. This way you get separate LAN/WLAN interfaces that you may configure independently.
 
Don't know how complex that AP is but I have a Linksys AC1750, I can create multiple wireless networks and assign each network to its own VLAN. I've set up a "guest" network and put it on a different VLAN so this traffic is completely separated from the rest of my network. This does require a switch that supports VLANs though. Routing is done on my FreeBSD firewall/router. I've created a couple of vlan(4) interfaces there so I can route the various different networks.
Well, I think the VLAN capability of the Netgear Orbi is really limited and more importantly not available in AP mode. I'll check anyway just to be sure, next time I plug it in. In fact I'm not very interested in using VLANs, it would be good enough for me to have just 2 different if names so I can apply different pf settings and get some metrics with LAN and WIFI instead of a metric for both.
 
In fact I'm not very interested in using VLANs, it would be good enough for me to have just 2 different if names so I can apply different pf settings and get some metrics with LAN and WIFI instead of a metric for both.
Without VLANs all SSIDs would end up on the same network. So you can't make that distinction on the FreeBSD host because that information isn't retained in the TCP/IP traffic.
 
If you want to keep it separate just replace the WiFi card with an ethernet card or add another ethernet card and then plug the AP into the ethernet port using a crossover cable. This way you get separate LAN/WLAN interfaces that you may configure independently.
The Wifi card is a half-size PCIe Mini Card 802.11N (Atheros), can't swap with a proper Ethernet card, especially in this form-factor: https://www.patpro.net/blog/index.p...ndustrial-pc-fanless-oui-industriel-pas-trop/
 
Without VLANs all SSIDs would end up on the same network. So you can't make that distinction on the FreeBSD host because that information isn't retained in the TCP/IP traffic.
Totally agree with that, I had in mind the separation between Eth LAN and WIFI. I know I'll have to pull some magic on the AP to separate the regular SSID from the guest SSID, and obviously VLAN would be a good way.
 
Not the same, mine is https://www.netgear.com/support/product/rbr750.aspx , but the setup looks the same.
Bad news, VLAN setup is not intended for real VLAN use, it's made to allow IPTV flow to bypass NAT and Firewall when the Orbi is in router mode. It can't be used to segregate SSIDs for example.
Second bad news, VLAN setup is not available at all in AP mode.

Ready for some fun? I've just made a comprehensive test in AP mode:
- when using regular SSID, my device connected via WIFI to the Orbi AP gets an IP address from my FreeBSD router, that's expected.
- when using guest SSID, my device connected via WIFI to the Orbi AP gets an IP address out of the Orbi DHCP/NAT that's not supposed to exist and that you cannot configure. Obviously all packets seem to come from the LAN IP address of the Orbi.
I'm speechless.
 
Ok so finally I'm going to get a refund and take a much cheaper EAX20 that also works in AP mode. No guest SSID but I can create one on the WIFI card that sits in the FreeBSD router.
 