Problem - pfsense working with WAN private IP
-
I've just set up pfsense 2.5.2 as follows:
ISP's router/modem in modem mode > x1 cat7 cable > PC with pfsense 2.5.2 and dual port NIC > x1 cat7 cable > switch > cat 6 cables to wireless APs and everything else
All is working fine. Internet, APs, etc. all rock solid.
But the WAN setting in pfsense has a DHCP assigned private IP from the modem in the 192.168 range. I was expecting it to be getting the public IP assigned to me by my ISP (which I can see with any 'what's my IP' service).
I know the old adage is 'if it ain't broke...' And in fact I have left it alone for a couple of weeks so as not to break it during the holidays. But I do want to understand what's going on and why pfsense seems to be working without a public IP in the WAN field.
This is not a secondary router off my main one or anything clever like that.
There's an option under Interfaces/WAN > DHCP Client Configuration to "Reject leases from...cable modems that offer private IP addresses when they lose upstream sync." But I'm not sure if that relates to this as my 'upstream sync' appears to be fine.
Any help would be much appreciated!
-
@ezeerider They could be using Carrier-grade NAT, or else (more commonly) the ISP router isn't bridging and is in fact routing using NAT. If you go to a site like http://checkip.dyndns.org/ you should see some public IP. A traceroute from your PC or pfSense to something on the Internet like 8.8.4.4 should show where the translation to the public IP is happening.
-
@ezeerider what IP range are you getting is it the CGnat range 100.64-127.x.x 100.64/10
Or rfc1918? 192.168.x.x, 10.x.x.x, 127.16-31.x.x
As mentioned by @SteveITS it could very well be cgnat, or your isp device is not in bridge mode like you think.. If you're seeing 192.168.x on wan, then either your device is not in bridge like you thought, or your isp is using just plain rfc1918 vs what they should be using which is the cgnat range if they are not going to assign you a public IP.
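The two checks suggested above (which range the WAN address falls in, and where in a traceroute the path first reaches a public address) can be scripted. The block below is an added example, not code from the thread or from pfSense: it classifies an address against the RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and the RFC 6598 CGNAT block (100.64.0.0/10), then counts how many non-public hops a traceroute passes before leaving private space. The traceroute text and the WAN address 192.168.0.10 are constructed sample input; documentation addresses such as 203.0.113.1 are treated as public so the sample has a plausible ISP gateway.

```python
import ipaddress
import re

# RFC 1918 private blocks and the RFC 6598 shared address space used for CGNAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# Addresses that can never be a WAN or a transit hop. Documentation ranges
# (e.g. 203.0.113.0/24) are deliberately NOT listed so the constructed sample
# below can use them as a stand-in for the ISP's public gateway.
NOT_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def classify(addr):
    """Return 'rfc1918', 'cgnat', 'public' or 'other' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in NOT_ROUTABLE):
        return "other"  # loopback, link-local, multicast, reserved
    return "public"


HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_traceroute(text):
    """Return [(hop_number, address_or_None), ...] from traceroute-style output."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header such as 'traceroute to 8.8.4.4 ...'
        found = IPV4_RE.search(m.group(2))
        hops.append((int(m.group(1)), found.group(1) if found else None))
    return hops


def hops_before_public(hops):
    """Addresses of the responding hops seen before the first public hop.
    In a home setup each of these is normally a router doing NAT."""
    private = []
    for _, addr in hops:
        if addr is None:
            continue  # '* * *' timeout carries no information
        if classify(addr) == "public":
            break
        private.append(addr)
    return private


def assess(wan_ip, trace_text, trace_from_lan_host=True):
    """Combine the pfSense WAN address and a traceroute into a short verdict."""
    kind = classify(wan_ip)
    private_hops = hops_before_public(parse_traceroute(trace_text))
    # Traced from a LAN host, hop 1 is pfSense itself, which is expected and
    # not an extra NAT layer in front of it.
    upstream_nat = len(private_hops) - (1 if trace_from_lan_host else 0)
    if kind == "public":
        return "WAN has a public IP; no NAT in front of pfSense"
    if kind == "cgnat":
        return "WAN is in 100.64.0.0/10: ISP carrier-grade NAT, no public IP assigned"
    if kind == "rfc1918":
        return (f"WAN is RFC 1918 ({wan_ip}); {upstream_nat} NAT device(s) upstream of "
                "pfSense - ISP device is likely routing rather than bridged")
    return f"WAN address {wan_ip} is {kind}; check the upstream device"


# Constructed sample: traceroute from a LAN PC while the ISP device is still routing.
SAMPLE_TRACE = """\
traceroute to 8.8.4.4 (8.8.4.4), 30 hops max, 60 byte packets
 1  pfSense.localdomain (192.168.1.1)  0.412 ms  0.380 ms  0.355 ms
 2  192.168.0.1 (192.168.0.1)  1.873 ms  1.801 ms  1.790 ms
 3  * * *
 4  203.0.113.1 (203.0.113.1)  9.452 ms  9.301 ms  9.210 ms
 5  8.8.4.4 (8.8.4.4)  12.115 ms  12.003 ms  11.980 ms
"""

if __name__ == "__main__":
    print(assess("192.168.0.10", SAMPLE_TRACE))
```

With the sample input the verdict is one NAT device upstream of pfSense, which is the router-mode ISP device; once that device is bridged, pfSense's WAN address classifies as public and the private hops collapse to pfSense alone.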
-
@ezeerider, If you still need help let me know, I always have the solution.
-
SteveITS, johnpoz and Silence, thank you all for your responses. johnpoz, you were on the money: The ISP's device was still in router mode! I'd been swapping it back and forth during set up and thought I'd left it in modem mode. (doh!)
Put it in modem mode and pfsense picked up the public IP after 30 seconds or so. Sorted!
I did wonder about leaving it as it was since it was working. But then I read about double NAT being technically possible but potentially problematic with things like port forwarding.
Thanks again for your help!!
-
@ezeerider said in Problem - pfsense working with WAN private IP:
potentially problematic with things like port forwarding.
True - but it's not something that cannot be overcome for most everything. It's just that you have to control the port forwards at the device doing nat in front of your pfsense. So say you wanted to forward port xyz to your pfsense wan, to be forwarded to some service behind pfsense.
You would have to forward that traffic at the isp device first, then forward at pfsense. Quite often users stuck in a double nat config, will set their pfsense wan IP as what is called a dmz host in the device in front of pfsense.. This way the natting device in front of pfsense sends all traffic to pfsense wan IP, and you can just control the forwards there.
But generally speaking it's better to not be behind a double nat if you can avoid it. But it's not the end of the world or anything if you can not. As long as you also have control over the device in front of pfsense to forward the stuff you want to pfsense to forward.
Where it can be most problematic is actually outbound traffic from pfsense, say you need a static port
https://docs.netgate.com/pfsense/en/latest/nat/outbound.html#static-port
While you could set that in pfsense, so the source port of the traffic leaving pfsense is the same as the source port from traffic sent from behind pfsense - you have no control over what that natting device in front of pfsense will do, and most likely it will change the source port to something random when it nats it - since this is the common thing to do when doing napt.
So while yes double nat is not normally the most optimal setting. Many people run it and have no issues at all. As long as they have control of the device in front of their pfsense also doing nat. And can forward what they want pfsense to see on its wan from the internet.
-
@johnpoz Noted. I'm seeing so many options in pfsense. It'll be interesting to dig into them. Thanks again for your help!
-
@ezeerider said in Problem - pfsense working with WAN private IP:
I'm seeing so many options in pfsense. It'll be interesting to dig into them
Just keep in mind just because something can do something - doesn't mean you have to do it ;) There are many packages for example on pfsense. Doesn't mean you have to install them all - they are not Pokémon ;)
Two biggest examples off the top of my head are proxy and ips.. While they might be worth while for some users. Most users would have no uses for those packages, etc.
Nothing wrong with installing something to learn about it, but just don't think you need to install something if you have no actual need for it. Most users have no actual need for IPS, but lots of people think - oh install it and clickly clicky be running IPS... It's not that simple ;) and there is a huge learning curve to setting it up correctly, and getting any actual benefit out of it. And more likely than not your home network has no actual need of it. And even spend lots of time to set it up and monitor it and trim the rules, etc. In the big picture other than a learning experience there is little point to it.
I have been running IPS in the enterprise for many many years.. Lots of different products, and feel I have a pretty good handle on it, and would not be too much trouble to actually set it up, etc. But it just doesn't really have a valid use case in my home network.. While it is great that pfsense supports it, and has the expert maintaining the packages, and providing great advice and support on the forums @bmeeks just because pfsense can do it - doesn't mean you need to set it up ;)
Another example is the bind package available for pfsense - this is overall a great product, and great package for some users. The gui interface to bind makes it more accessible to those that are non conf file types.. But unless you have a specific need to run it, the built in unbound resolver is more than capable of handling pretty much anything you would need for dns services.
So yes pfsense is very feature rich, and packages just expand on that.. Don't think you need to click every button, install every package to get value out of running it. Pfsense out of the box is great stable setup.. And out of the box pretty much will work for many a network.