You can definitely put an interface on the inside and 1:1 NAT addresses in the /28 to it but the hosts on the inside will have real addresses in RFC1918 private space and pfSense will have to NAT for them.
Thanks for answering, I'll look into it, because the place where I am installing this has a server with a fixed 192.168.89.2 IP, and that can't be changed, since it's the domain server. Any idea here?
Hello.
Yes, you are correct. I would want stealth mode. In modem mode I get stealth but in router mode I get closed.
I am just concerned that in router mode the LAN, WAN, OPT1 are all in RFC1918 addresses and it seems that it might be routing between them.
Craig
@viragomann:
@TPCoMatt:
Do I add a 'static route' in pfSense? If so, do I need to create a 'Gateway' at 2.2.2.247, so the static route has a gateway to go through?
Yes.
Basically you need two routes for accessing the internet: the upstream route and the downstream route.
For the upstream route you have to set the ISP gateway as default gateway on the external firewall and select it in the WAN interface settings. On the secondary firewall you have to do the same with the external FW's LAN address.
For the downstream you need a static route on the external firewall. First set 2.2.2.247 as gateway (not default!) and then add a static route for 3.3.3.0/24 and select 2.2.2.247 for the GW to be used.
Thanks! That worked perfectly!!
Where are you running Wireshark?
I would try a packet capture on the pfSense interfaces and compare what is arriving to what is leaving,
also try looking over the pfSense logs; if it is doing anything to the packets and erroring, it should show up here
status > system > routing
They will be configuring their router in transparent mode, so your pfSense WAN port will be facing the internet,
you will need to configure Virtual IPs (VIPs) for the 2 routed IP addresses "51.52.103.153 and 51.52.103.154"
and the important part, make sure any existing inbound NAT rules are created using these IP addresses
VIPs are under firewall > Aliases
NAT is under Firewall > NAT
Yes, that is what you need.
Note that if you are trying to segment those cameras, it is up to the Win7 router to filter what the cameras can and cannot access on the pfSense LAN segment. pfSense is not involved in communications between 10.0.1.0/24 and 10.0.0.0/24.
You will have a pretty hosed asymmetric routing problem there that might help keep reply traffic from making it back though.
I would, personally, use another interface on the firewall for that. If you need the windows PC on that segment, put it there.
Hi, all I see is a bunch of things like this, they all look the same.
20:56:08.579383 ARP, Request who-has 192.69.162.161 tell 192.69.162.78, length 28
Sorry but that is up to your ISP to solve. They have to respond to ARP so the firewall knows what MAC address the gateway IP address can be found at on the WAN subnet.
You might need to hire someone locally to get you running - especially someone who knows what it is that ISP needs.
Hello,
I have managed to resolve the issue myself.
For those who stumble upon a similar situation, I only had to define a LAN rule to send all traffic with the destination 94.0.0.0/8 through the VPN gateway.
Kind regards,
vrugaitis
Scheduling a maintenance window and doing it right the first time is often the best way to go.
Sometimes the dog needs to wag the tail, not the other way around.
I have no idea who your ISP is, but this FAQ might help: http://www.dslreports.com/faq/16077
It talks about FIOS and their TV package. In order to get all of the services to work with your TV, those devices need to be on the FIOS LAN. How you get a second router or network working in this kind of environment is addressed in the above FAQ. It might not apply 100% to your particular situation, but it does have some very well thought out approaches to solve the issue that may be helpful to you.