Netgate Discussion Forum

    pfSense behind router without bridge mode

      deanfourie @stephenw10

      @stephenw10

      Thanks for the reply Steve,

      Sorry for the misunderstanding, but the interface itself is set to 172.16.0.1 on network 172.16.0.0/24.

      I did also try DHCP as well as static, but on both occasions I could not ping my upstream gateway. I did however log in to the router by plugging into the back of it and I could see that there was an active ARP entry and DHCP lease for the hostname of my pfSense.

      Still not sure why I'm unable to ping.

      Cheers

        stephenw10 Netgate Administrator

        You were able to connect to the router only on the serial console?

        The default firewall rules on LAN will allow pings but only from the LAN subnet.

        The upstream device may not allow pings. If that's the case you should set the gateway monitoring IP to something further upstream.

        Steve

          deanfourie @stephenw10

          @stephenw10 thanks for the reply.

          I got it going; it's really difficult to operate behind the router when not in bridge mode. I am now double NATing and things are a bit of a pain. Certain packets are getting dropped, like VPN traffic etc.

          Are there any tips you can give me to make this whole setup a little more clean?

            stephenw10 Netgate Administrator

            Most traffic will work fine behind double NAT as long as all the subnets involved are unique.

            Mostly it's port forwarding that is problematic or anything that relies on UPnP.

            VPN traffic getting dropped is not something I'd associate with double NAT directly. If the upstream router is doing something with the traffic it will affect it. Some devices try to be too clever with things like IPSec 'helpers'. Generally breaks more things than it ever helps IMO!

            Steve

              deanfourie @stephenw10

              @stephenw10 Thanks again for your help!

              I think, after checking the logs, it appears the WAN interface link keeps dropping. I put this down possibly to the interface being set to DHCP, so every time the lease expired the interface would drop when a new lease was obtained?

              Sep 14 23:11:29 kernel ue0: link state changed to DOWN
              Sep 14 23:11:29 kernel ue0: link state changed to UP
              Sep 14 23:11:29 check_reload_status 378 Linkup starting ue0
              Sep 14 23:11:29 check_reload_status 378 Linkup starting ue0
              Sep 14 22:17:35 check_reload_status 378 Linkup starting ue0
              Sep 14 22:17:35 kernel ue0: link state changed to DOWN
              Sep 14 22:17:35 kernel ue0: link state changed to UP
              Sep 14 22:17:35 check_reload_status 378 Linkup starting ue0
              Sep 14 21:23:39 check_reload_status 378 Linkup starting ue0
              Sep 14 21:23:39 kernel ue0: link state changed to DOWN
              Sep 14 21:23:39 kernel ue0: link state changed to UP
              Sep 14 21:23:39 check_reload_status 378 Linkup starting ue0
              Sep 14 21:23:36 check_reload_status 378 Linkup starting ue0
              Sep 14 21:23:36 kernel ue0: link state changed to DOWN
              Sep 14 21:23:36 kernel ue0: link state changed to UP
              Sep 14 21:23:36 check_reload_status 378 Linkup starting ue0

              Not sure why this would be? Any ideas? It does seem to be good now.

              Also, I can reach my upstream gateway from my LAN. I'm guessing it has just added a static route to the subnet from my LAN subnet.

              Is there any way to remove the route and only allow pfSense to access the upstream gateway? I'm guessing this would be a specific static route that I need to add. I must admit I have not had a huge amount of experience with static routing. I always get the SOURCE and DESTINATIONS wrong haha.

              Thanks again!

                Gertjan @deanfourie
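An added example (not from the thread) that parses the link-state lines posted above and measures the spacing between DOWN events: evenly spaced drops point at the upstream device cycling, random spacing at a flapping USB NIC. The year is assumed, since this syslog format carries none; the interface name ue0 is the one in the log.

```python
import re
import statistics
from datetime import datetime

# The link-state lines posted above (pfSense/FreeBSD syslog, newest first).
LOG = """\
Sep 14 23:11:29 kernel ue0: link state changed to DOWN
Sep 14 23:11:29 kernel ue0: link state changed to UP
Sep 14 23:11:29 check_reload_status 378 Linkup starting ue0
Sep 14 22:17:35 kernel ue0: link state changed to DOWN
Sep 14 22:17:35 kernel ue0: link state changed to UP
Sep 14 21:23:39 kernel ue0: link state changed to DOWN
Sep 14 21:23:39 kernel ue0: link state changed to UP
Sep 14 21:23:36 kernel ue0: link state changed to DOWN
Sep 14 21:23:36 kernel ue0: link state changed to UP
"""

LINK_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) kernel (\w+): link state changed to (UP|DOWN)$"
)

def parse_link_events(text, year=2023):
    """Return (timestamp, interface, state) tuples, oldest first.
    The year is an assumption: this syslog format does not carry one."""
    events = []
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events)

def down_intervals(events, iface="ue0"):
    """Seconds between consecutive link-DOWN events on one interface."""
    downs = [ts for ts, i, s in events if i == iface and s == "DOWN"]
    return [int((b - a).total_seconds()) for a, b in zip(downs, downs[1:])]

def classify(intervals, tolerance=0.10, min_gap=60):
    """'regular' when every gap (ignoring sub-minute bounces, which belong to
    the same incident) lies within `tolerance` of the median gap."""
    gaps = [g for g in intervals if g >= min_gap]
    if len(gaps) < 2:
        return "insufficient"
    med = statistics.median(gaps)
    worst = max(abs(g - med) for g in gaps) / med
    return "regular" if worst <= tolerance else "irregular"

if __name__ == "__main__":
    gaps = down_intervals(parse_link_events(LOG))
    print("DOWN-to-DOWN gaps (s):", gaps, "->", classify(gaps))
```

Run it against a longer export from Status > System Logs to see whether the pattern holds over more than four events.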

                @deanfourie said in pfSense behind router without bridge mode:

                connection with a 4G router

                and

                @deanfourie said in pfSense behind router without bridge mode:

                Sep 14 23:11:29 kernel ue0: "UP DOWN UP DOWN UP DOWN UP DOWN ...."

                "ue0" means you 'forgot' to tell us you are using a USB Ethernet dongle ??
                Then remind me that we will not forget to tell you that Wifi support on FreeBSD is plain 'bad'.
                Same thing for Ethernet over USB.
                And even if you have something that actually works (I can't exclude that) you could have another issue:
                The Wifi (radio) connection comes up. A DHCP request is fired from pfSense to the 4G router. It obtains an IP (and mask, gateway, DNS etc etc) from the 4G router. Then the radio connection goes down. Comes up again, DHCP re-negotiation restarts, and so on.
                I advise you to use a cabled connection between pfSense and the 4G router. All your issues will be gone.

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                  deanfourie @Gertjan

                  @gertjan Thanks, so is this issue just between the 4G router and pfSense?

                  My setup.

                  Onboard LAN >> pfSense LAN (LAN)
                  USB Ethernet >> 4G Router LAN (WAN)

                  So do you suggest I use the onboard NIC for the WAN connection rather than the LAN?

                    Gertjan @deanfourie

                    @deanfourie

                    I suggest you use USB ports only and limited to a serial emulation for the console access. That's some 115200 bits per sec.
                    Using it for ethernet traffic: just don't.
                    Your pfSense device has typically two NICs (at least). This often boils down to: invest in a second NIC (a couple of $$$).
                    These might be 'electric' or even fibre. Nothing else.

                    And so you know it : If you see NICs that use the 're' driver, also known as 'Realtek' : just run away, fast.
                    ( or get your hands on them, send the NIC over to your worst enemy and observe the result )
                    ( send him your USB to Ethernet stick also )

                      elvisimprsntr @deanfourie

                      @deanfourie

                      If you are still having difficulty:

                      1. Inexpensive LTE modems that support bridge mode.

                      https://www.netgear.com/home/mobile-wifi/lte-modems/

                      2. Then configure your existing router as a dumb AP.

                      I use one for failover WAN connection.

                        stephenw10 Netgate Administrator

                        Yeah, you should not see the interface lose link like that.

                        The only time you might see it is if you're running Snort/Suricata in in-line mode?

                        It's much better not to use USB Ethernet at all but you could certainly try swapping the WAN and LAN as a test. It might be more stable on the LAN side.

                        Check the modem though. It could be losing link because that's rebooting for example. The 6hr intervals there seem very regular. If it was the USB NIC flapping I would expect something much more random.

                        You are able to reach the WAN gateway with no routing at all because it's in a locally connected subnet: WAN.
                        If you can reach that but nothing else you may have lost your default route or have a bad default route.
                        Go to System > Routing > Gateways and set the default v4 gateway to the WAN gateway.

                        If you have more than one gateway and it's set to automatic it might be switching to the wrong gateway. You probably shouldn't have more than one gateway there though, if you do you may have something misconfigured.

                        Steve

                          deanfourie @stephenw10
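An added example (not from the thread) modelling the routing point above: the upstream router at 172.16.0.1 is matched by the connected WAN route, not by any static route, so the way to keep LAN hosts off it is a LAN firewall rule rather than a route change. The LAN subnet 192.168.1.0/24 and the stock "LAN net to any" pass rule are assumptions; 172.16.0.0/24 and the WAN_DHCP default route are from the thread.

```python
from ipaddress import ip_address, ip_network

# pfSense's routing table in this setup: two connected subnets plus the
# default route via the 4G router (WAN_DHCP). LAN subnet is assumed.
ROUTES = [
    (ip_network("192.168.1.0/24"), "lan", None),                      # connected
    (ip_network("172.16.0.0/24"),  "wan", None),                      # connected
    (ip_network("0.0.0.0/0"),      "wan", ip_address("172.16.0.1")),  # default
]

def lookup(dst):
    """Longest-prefix match. Returns (interface, next_hop); next_hop is None
    when the destination sits on a directly connected subnet."""
    dst = ip_address(dst)
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], (str(best[2]) if best[2] else None)

# LAN rulesets as pfSense evaluates interface rules: top-down, first match
# wins, implicit deny at the end. Tuples are (action, source, destination).
LAN_RULES_DEFAULT = [
    ("pass", "192.168.1.0/24", "0.0.0.0/0"),        # stock "LAN net -> any" (assumed)
]
LAN_RULES_HARDENED = [
    ("block", "192.168.1.0/24", "172.16.0.1/32"),   # LAN net -> upstream router
    ("pass", "192.168.1.0/24", "0.0.0.0/0"),
]

def filter_decision(rules, src, dst):
    """Return the action of the first matching rule, or 'block' (default deny)."""
    src, dst = ip_address(src), ip_address(dst)
    for action, s, d in rules:
        if src in ip_network(s) and dst in ip_network(d):
            return action
    return "block"

if __name__ == "__main__":
    for dst in ("172.16.0.1", "8.8.8.8"):
        print(dst, "route:", lookup(dst),
              "LAN host ->", filter_decision(LAN_RULES_HARDENED, "192.168.1.50", dst))
```

On a real pfSense box the block rule goes above the default LAN rule under Firewall > Rules > LAN, and `netstat -rn` shows the connected 172.16.0.0/24 entry the lookup reproduces.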

                          @gertjan said in pfSense behind router without bridge mode:

                          Your pfSense device has typically two NIC's (at least). This often, boils down to : invest in a second NIC (a couple of $$$).

                          No can do sir, I'm running pfSense on a NUC. No room for upgrades there haha!

                          @stephenw10 Yes, they are very regular intervals. I will see how it goes and monitor it.
                          I am able to reach everything on my LAN including my upstream gateway. I was thinking, for "security" reasons, make the upstream gateway inaccessible even from the LAN.

                          As for the default gateway, my DHCP server is dishing out my pfSense LAN interface as the default gateway rather than the actual WAN router (upstream gateway?) to clients. Is this correct?

                          Thanks guys!

                            stephenw10 Netgate Administrator

                            Yes, that's correct. LAN side clients should be using the pfSense LAN IP as their gateway.

                            pfSense should only have one gateway itself though in a simple setup like that. If it has more than one (probably wrong) it might be choosing the wrong one. Setting the default gateway to WAN_DHCP does not hurt in any case.

                            Steve

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.