pfSense as Firewall only?

uxm

@NogBadTheBad said in pfSense as Firewall only?:

Have you added routes on your Asus router pointing to pfSense for the subnets on your pfSense router ?

I added this route on the Asus router :

Asus router : 172.16.117.1
pfsense WAN : 172.16.117.106 (DHCP from Asus Router)
pfSense LAN : 192.168.2.10
my PC : 192.168.2.110 (from DHCP)

I cant ping my PC from the Asus Router.. :(

my pfsense Firewall rule is this :

Do I miss something? I am sure.

Gertjan

Do I miss something? I am sure.

Yes, as you said yourself : your WAN on pfSense is

pfsense WAN : 172.16.117.106 (DHCP from Asus Router)

so why WAN is set to 172.16.17.1 ?

?

Set it to 'any' or WANnet or 192.168.117.106 (and if you want to keep DHCP activated on WAN, make it a static mac lease)

edit : btw : this firewall rule is part of a NAT rule, right ?

uxm

@Gertjan said in pfSense as Firewall only?:

Do I miss something? I am sure.

Yes, as you said yourself : your WAN on pfSense is

pfsense WAN : 172.16.117.106 (DHCP from Asus Router)

so why WAN is set to 172.16.17.1 ?

?

Set it to 'any' or WANnet or 192.168.117.106 (and if you want to keep DHCP activated on WAN, make it a static mac lease)

edit : btw : this firewall rule is part of a NAT rule, right ?

NAT is disabled (on pfSense) as we said earlier on this thread. (Outbound NAT)

This is my network so far.

Some questions :

1. Asus Router Firewall features are enabled. Should I disable them?
2. Should I make the WAN IP of pfsense static? Is it better?
3. Should I add one route to Asus and one static route to pfsense to get this working right? How am I gonna od that on pfsense? On Firewall NAT settings?
4. As I said earlier, I want pfsense to act as a Firewall only. Which is the best NAT configuration for pfsense in this scenario?

I am a little confused.. sorry.

Gertjan

@uxm said in pfSense as Firewall only?:

NAT is disabled (on pfSense)...

Ah, my bad.

So this is what you want / use / need https://docs.netgate.com/pfsense/en/latest/book/bridging/index.html ?

uxm

@Gertjan I just want pfsense to inspect the traffic passing inside of it, to be the firewall of the network.

And something else. If I want to port forward to a single port from outside to one of my internal PCs, how Im gonna do that? I must create a port forward on Asus Router and then, one more on the pfsense Firewall rules?

Update : I disabled the Asus Router's Firewall feature and internet speed increased very much.

Gertjan

I don't have any experiences with pfSense being put in bridged mode.
Why do you need this mode ?

From what I make of it - which ain't much, you should introduce routes to your devices.

uxm

Hi! Here again! :)

My new ISP (Vodafone) gave me a new crappy modem/router that I cant change with one of my own. So.. I try (again) to make pfsense to act as a firewall only. My network topology is the same but for some reason, when I switch pfsense's NAT to "Disable Outbound NAT rule generation.(No Outbound NAT rules)" I cant get internet from inside the 192.168.2.0/24 network! I dont have internet.

I try to set a static route on my ISP router for 192.168.2.0/24 via gateway 192.168.2.10 (pfsense internal NIC) and I cant make it work. The strange thing is that I CAN google! When I type something on google, it works! When I try to get into another website, nothing, zero.

I am a little bit confused here. I would really appreciate your help.

Thanks!

PS : Oh! Routing Table of pfsense is this :

uxm

someone?

johnpoz

@uxm if you setup a route on your asus on how to get to 192.168.2 network, your assume it would allow this network to go outbound, and you assume it would nat this network to your public IP.

I try to set a static route on my ISP router for 192.168.2.0/24 via gateway 192.168.2.10 (pfsense internal NIC)

This would never work anyway, is 192.168.2 directly attached to asus - how would it talk to that IP?

The route on your asus for any network behind pfsense would be pfsense wan IP that attached to your asus network 172.16.117.106 in your drawing.

But there is no saying that would work, because is the asus going to nat 192.168.2.x to your public IP on its wan? I doubt it to be honest.

I would look to see if you can put this asus into bridge mode so that pfsense gets public IP on its wan, if can not do that then just do a double nat.. While double nat is not optimal - it works, triple nat or even quadruple nat can work just fine most of the time..

uxm

@johnpoz As I said earlier on this thread, I changed the ISP so now I don't have the Asus Router but a Sercomm H300s (from Vodafone).

When I had the Asus, with this static route and no Outbound NAT from the pfSense, I could go out to the Internet.

the static route was this :

Now, on the Sercomm, I cant create a Static Route like this. It says that it cannot use an "internal IP address". (what?)

:(

johnpoz

@uxm well your going to have to double nat then.. Or put their device into bridge mode.

uxm

@johnpoz ok. I will try to find a way to bridge it. I want to have pfsense in front of my network. As you said in another post. I think that this is the right way.

Thank you very much!