Insert SG-1100 between existing cable modem and router
-
It can be configured as a transparent firewall like that but doing so requires bridging VLANs.
It's almost always better to avoid bridging if you can.
An Access Point would normally be a layer 2 device anyway, no need to bridge anything or already internally bridged.
I'm unclear where the USP router fits in here. Potentially you have 3 routers with 3 levels of NAT. Really you want 1.
Steve
-
@stephenw10
We have no option on the ISP Router That Must stay in place.
However, I have revised my thoughts.
ISP Router -> Netgate SG-1100 Firewall - ASUS RT N66U (WiFi AP) -> Home Network Switch
This requires me to reassign the SG-1100 LAN IP
Currently the SG-1100 Put me directly to the Dashboard this is not what the User Guide states.
At this point I am lost.
I may be Somewhat of a newbie but the SG-1100 is not following the Documentation.
Dave -
@courierdog said in Insert SG-1100 between existing cable modem and router:
Currently the SG-1100 Put me directly to the Dashboard this is not what the User Guide states.
At this point I am lost.Huh?? When you setup the sg1100, yeah would be able to access the web gui, on the default 192.168.1.1 IP - unless you changed it?
Directly to the dashboard of what - how or where does it say in the documentation anything different?
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.03 | Lab VMs 2.7.2, 24.03 -
I assume you mean you're not seeing the setup wizard?
That can happen if it was previously launched and then escaped but you can run it again at any time fro System > Setup Wizard.
Steve
-
@johnpoz
Problem is the ISP uses the 192.168.1.1 LAN IP address so I have to change it.
The guide says go to Advanced - Option 2When I login, I am sent directly to the dashboard
The setup wizard does not appear.
Even if I set up using and empty WAN port and connect my Mac directly to the LAN port, Login takes me directly to the Dashboard.
Very strange. -
@courierdog said in Insert SG-1100 between existing cable modem and router:
The guide says go to Advanced - Option 2
You can set the IP via here option 2
What is the page in the docs your looking at exactly - can you post the url your looking at?
Here for example
https://docs.netgate.com/pfsense/en/latest/config/index.html#connecting-to-the-gui
-
@johnpoz let me start over.
my ISP (Telus) provides my Internet/TV/Home Security
I want to leave all of that on one network and using the Netgate SG-1100 to provide my Home Internet Network.
The ISP uses the Standard 192.168.1.1 IP LAN Settings
First I have to change the LAN of the SG-1100 to something different
However the WAN side of the Netgate SG-1100 will come from the ISP Provided Router.
Currently I have managed to LAN configuration of the SG-1100 but the WAN side of the SG-1100 is not connecting to the ISP Router.
Where / How in the configurations settings do I enable the Netgate SG-1100 to accept the Internet connection as provided by the ISP Router.
I hope this makes sense.
I mentioned this to a friend who uses pfsense and he did say I have to enable something on the WAN side to accept the feed from the ISP Router. -
@courierdog said in Insert SG-1100 between existing cable modem and router:
I have to enable something on the WAN side to accept the feed from the ISP Router.
No you don't... You can for sure use 192.168.1/24 on your wan - many users do, just a double nat.
He might be thinking about the default block rfc1918 rule, but the dhcp hidden rules that allow pfsense to be a dhcp client would allow it to get a rfc1918 address.
Change your lan of pfsense to be say 192.168.2 and you would be fine.
-
@johnpoz my limited understanding is Double NAT is not a good thing.
changing the LAN side to a secondary LAN assignment minimizes the issue or so I have been told.
Assigning as an example the pfsense LAN to the 192.168.2.1 or anything except the ISP DHCP assignment minimizes the Double NAT issue.
My current issue is the WAN side will not connect to the ISP Router and thus the internet.
I can connect the to the pfsense Device from the LAN, fine but the device is not connecting on the WAN side.
Hence the question of a setting for the WAN Side to enable it to communicate with the ISP Router -
@courierdog said in Insert SG-1100 between existing cable modem and router:
anything except the ISP DHCP assignment minimizes the Double NAT issue.
What? Your still double natted..
Change the lan of pfsense to be something different than its wan.. And will be fine - double nat is not optimal no... But works just fine... Many Many people do it, seen triple even quad nat, etc.
It is not an optimal choice but shouldn't be a problem.
@courierdog said in Insert SG-1100 between existing cable modem and router:
but the device is not connecting on the WAN side
What is not connecting to what exactly? Does pfsense get an IP address from your isp device its connecting too or not?
If you want something on your pfsense "wan" to talk to something on pfsense lan. And want the wan device to start the conversation. Then yes you would have to turn off the block rfc1918 rule that is default on the wan. AND you would have to setup a port forward for whatever it is your wanting to do.
If something on pfsense lan wants to start a conversation to something on pfsense wan - that would not be an issue.
-
OK Now you are way over my head.
Like I was attempting to say, I can communicate with the SG-1100 via the LAN port.
The WAN is not seeing the internet at all.
Is there any means to return to factory settings and I can start over. Just in case I have done something inadvertently.
I followed the Quick Start Guide but when I connected the WAN port to the SG-1100 it failed to connect to the ISP Router and thus the internet.
The first strange thing that happened when I plugged in the power was when I logged in from the first time,
The login was per the Quick Start Guide.
From then on everything has been different than the Guide.
First, Login -> Directly to Dashboard.
The Quick Start Guide does not explain what to do when you arrive at the Dashboard.
I am sure if the guide covered this situation I would not be sitting here scratching my head and not knowing what I did or how to proceed. -
You can reset to defaults from Diag > Factory Defaults in the GUI or using menu option 4 at the console.
The setup wizard runs one time only automatically. If you escape it at any point it won't run again. But you can manually run it anytime from System > Setup Wizard.
Do you even see link LEDs on the ports when you connect the WAN?
Steve
-
@stephenw10 Thank You Ever So Much.
This was the Most Helpful Response I have received to date.I would suggest this NOTE be placed in the beginning of User Setup Guide.
It would explain what is happening, to many people especially those who become frustrated and give upEven My friend who uses pfsense did not explain this to me.
Before this note I was about to pack up the Netgate SG-1100 in the box and return it as defective.
I may have to run through this procedure a few times to verify for my self exactly what is happening and time each segment noting the LED Status with each step.
Please be patient with an old Man (80) who is still finding new things every day.
-
No worries. Keep asking questions, that's what I'm here for.
Steve
-
@stephenw10 Have No Worries, I have many more questions.
The SG-1100 has a significant lag time for the reboot process.
Even after using the System -> Diagnostics -> Factory Defaults
Login to the SG-1100 takes a considerable time.
So I am not convinced, at least at this point, that the device default setting are correct.
There is still no internet connection passing through the SG-1100
I would have thought this would be a Default Setting.
I have a Zoom Meeting starting at 0900 I will get back to this after the meeting.
Thanks for your patience, I am sure the device will work, however some how there is an incorrect setting preventing the (Automatic) connection to the internet.
Dave -
It should indeed provide internet to a LAN side client by default when WAN is connected to something providing DHCP.
Reasons it may not include:
Subnet conflict. The WAN is using the same subnet the LAN does by default.
No DHCO server on the WAN connection.
No link on WAN so it cannot connect.Yes, the boot time is significantly slower when there is no valid WAN connected. A number of things have to timeout during the process.
Steve
-
@stephenw10 I had an opportunity to sit down on a zoom call late this morning.
My friend and I each sat in front of our respective pfsense box
Here are the Unedited Results
NOTE:
The setup wizard runs One Time Only automatically.
If you escape it at any point it will not run again.
However you can manually run it anytime from System -> Setup Wizard.
You can reset to defaults from Diagnostics -> Factory Defaults in the GUI
or
using Menu Option 4 at the console.For My Particular Issues of Non Connect with the Netgate SG-1100
- Interfaces WAN
Enable Interfaces [ ] - Reserved Networks
UnBlock Private - Interfaces LAN
Static IP Address 192.168.2.1
General Enable DHCP
Subnet 192.168.2.0
Subnet Mask 255.255.255.0
Available Range 192.168.2.1 192.168.2.254
Range From 192.168.2.100 To 192.168.2.199 - Package Manager
Installed aws wizard
ipsec profile wizard
Add Bandwidthd
Reboot Full Reboot, - Settings Highlight LAN
- Bandwidthd Settings
Enable Bandwidth [ ]
Subnet(s) LAN Highlight
Enable Proniscuous [ ]
Enable Draw Graphs [ ]
Meta Refresh 20
6 SAVE
This is my first draft of what it required to place the SG-1100 down stream of my ISP Router and before my home network switch.
Please review and provide your input and comments.
Note one of the objectives is to be able to monitor all Home Network LAN Traffic with will also include a wireless Access Point for the iPhones and iPads ALL computers are hardwired to the LAN as are the NAS Servers - Interfaces WAN
-
Yes, that should work fine. As long as you have changed the LAN subnet so it doesn't conflict with the ISP router that will work.
You don't need to inblock 'Private Networks' on WAN unless you have incoming connections there from hosts on the ISP router dircetly. Which you might if, for example, you had IP TV boxes trying to access the NAS behind pfSense.
Steve
-
@stephenw10 Steve we are not sure why the Unblock of the private networks is required, however, Enabled and we have no connection. Unchecked and the connection from the ISP Router come through allowing the connection.
I spent another two hours last night revising the document so it flows better and does not skip any issue especially the (SAVE) functions.
It now seems very stable and has begun to collect the Bandwidth data.
My next challenge is to add the Access point to the system and as my friend suggested connected to the Home network Switch.
This allows future wireless extensions as required.
Now that the SG-1100 is running I can say I am quite pleased with the device.
Prior to your comment re the Setup Wizard I was totally convinced I had messed up a setting and bricked the device.
I really think your comment re the Setup Wizard needs to be in the User Setup Guide
The IP TV as provided by the ISP is on the ISP Network System, along with the Home Security and other Home monitoring equipment.
All Residential Internet activity is on the "Home" router as are all the NAS Servers, Computers, iPads, iPhones, Readers ETC.
In the short time I have had the SG-1100 I am beginning to see why my friends all insist, Set It, Forget It.
Again Thanks for your patient assistance. -
@courierdog said in Insert SG-1100 between existing cable modem and router:
we are not sure why the Unblock of the private networks is required, however, Enabled and we have no connection. Unchecked and the connection from the ISP Router come through allowing the connection.
Well not understanding that is going to come back and bite you.. There is no reason why that would be required.. The only reason that would be required is if you had something on that network or some other rfc1918 network that you wanted to allow unsolicited inbound traffic into pfsense wan, that you forward to pfsense lan.
That rule has zero to do with pfsense wan getting an rfc1918 IP via dhcp, or via pfsense creating outbound connects to the internet through your router.
