Insert SG-1100 between existing cable modem and router
-
@courierdog said in Insert SG-1100 between existing cable modem and router:
anything except the ISP DHCP assignment minimizes the Double NAT issue.
What? You're still double NATed..
Change the lan of pfsense to be something different than its wan.. And you will be fine - double nat is not optimal no... But works just fine... Many Many people do it, seen triple even quad nat, etc.
It is not an optimal choice but shouldn't be a problem.
@courierdog said in Insert SG-1100 between existing cable modem and router:
but the device is not connecting on the WAN side
What is not connecting to what exactly? Does pfsense get an IP address from your isp device it's connecting to or not?
If you want something on your pfsense "wan" to talk to something on pfsense lan. And want the wan device to start the conversation. Then yes you would have to turn off the block rfc1918 rule that is default on the wan. AND you would have to setup a port forward for whatever it is you're wanting to do.
If something on pfsense lan wants to start a conversation to something on pfsense wan - that would not be an issue.
-
OK Now you are way over my head.
Like I was attempting to say, I can communicate with the SG-1100 via the LAN port.
The WAN is not seeing the internet at all.
Is there any means to return to factory settings so I can start over? Just in case I have done something inadvertently.
I followed the Quick Start Guide but when I connected the WAN port to the SG-1100 it failed to connect to the ISP Router and thus the internet.
The first strange thing that happened when I plugged in the power was when I logged in for the first time,
The login was per the Quick Start Guide.
From then on everything has been different than the Guide.
First, Login -> Directly to Dashboard.
The Quick Start Guide does not explain what to do when you arrive at the Dashboard.
I am sure if the guide covered this situation I would not be sitting here scratching my head and not knowing what I did or how to proceed.
-
You can reset to defaults from Diag > Factory Defaults in the GUI or using menu option 4 at the console.
The setup wizard runs one time only automatically. If you escape it at any point it won't run again. But you can manually run it anytime from System > Setup Wizard.
Do you even see link LEDs on the ports when you connect the WAN?
Steve
-
@stephenw10 Thank You Ever So Much.
This was the Most Helpful Response I have received to date. I would suggest this NOTE be placed in the beginning of the User Setup Guide.
It would explain what is happening to many people, especially those who become frustrated and give up. Even my friend who uses pfsense did not explain this to me.
Before this note I was about to pack up the Netgate SG-1100 in the box and return it as defective.
I may have to run through this procedure a few times to verify for myself exactly what is happening and time each segment, noting the LED Status with each step.
Please be patient with an old Man (80) who is still finding new things every day.
-
No worries. Keep asking questions, that's what I'm here for.
Steve
-
@stephenw10 Have No Worries, I have many more questions.
The SG-1100 has a significant lag time for the reboot process.
Even after using the System -> Diagnostics -> Factory Defaults
Login to the SG-1100 takes a considerable time.
So I am not convinced, at least at this point, that the device default settings are correct.
There is still no internet connection passing through the SG-1100
I would have thought this would be a Default Setting.
I have a Zoom Meeting starting at 0900 I will get back to this after the meeting.
Thanks for your patience, I am sure the device will work, however somehow there is an incorrect setting preventing the (Automatic) connection to the internet.
Dave
-
It should indeed provide internet to a LAN side client by default when WAN is connected to something providing DHCP.
Reasons it may not include:
Subnet conflict. The WAN is using the same subnet the LAN does by default.
No DHCP server on the WAN connection.
No link on WAN so it cannot connect.
Yes, the boot time is significantly slower when there is no valid WAN connected. A number of things have to timeout during the process.
Steve
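The first of Steve's three reasons is easy to check mechanically. This is an added example, not code from the thread or from pfSense: a small Python checker that takes the WAN lease the ISP router hands out and the pfSense LAN address (plus, optionally, the LAN DHCP pool) and reports the conditions that would stop a LAN client getting out. The lease 192.168.1.20/24 and the LAN values are constructed to match the scenario in the thread, where the ISP router lives on 192.168.1.0/24 and the factory LAN is 192.168.1.1/24.

```python
import ipaddress

# Added example, not from the thread. The addresses are constructed to match
# the scenario discussed: the ISP router hands pfSense's WAN a 192.168.1.x lease,
# and pfSense's factory LAN is also 192.168.1.1/24.


def check_wan_lan(wan_lease, lan_cidr, dhcp_start=None, dhcp_end=None):
    """Return a list of reasons a LAN client would not get internet through pfSense.

    wan_lease: the address/prefix the ISP router gave the WAN, e.g. "192.168.1.20/24",
               or None when the WAN got no lease (no DHCP server, or no link).
    lan_cidr:  the pfSense LAN interface address/prefix, e.g. "192.168.2.1/24".
    dhcp_start/dhcp_end: optional LAN DHCP pool bounds to sanity-check as well.
    """
    problems = []
    lan = ipaddress.ip_interface(lan_cidr)

    if wan_lease is None:
        problems.append("no DHCP lease on WAN (no DHCP server, or no link)")
    else:
        wan = ipaddress.ip_interface(wan_lease)
        # Same (or overlapping) subnet on both sides: pfSense cannot route between them.
        if wan.network.overlaps(lan.network):
            problems.append(f"subnet conflict: WAN {wan.network} overlaps LAN {lan.network}")

    if dhcp_start is not None and dhcp_end is not None:
        start = ipaddress.ip_address(dhcp_start)
        end = ipaddress.ip_address(dhcp_end)
        if start not in lan.network or end not in lan.network:
            problems.append(f"DHCP range {start}-{end} is not inside LAN subnet {lan.network}")
        elif start > end:
            problems.append(f"DHCP range start {start} is after its end {end}")
        elif start <= lan.ip <= end:
            problems.append(f"DHCP range includes the LAN interface address {lan.ip}")

    return problems


def demo():
    """Run the situations from the thread and return their findings."""
    wan_lease = "192.168.1.20/24"  # constructed lease from the ISP router
    return {
        "factory_lan": check_wan_lan(wan_lease, "192.168.1.1/24"),
        "changed_lan": check_wan_lan(wan_lease, "192.168.2.1/24",
                                     "192.168.2.100", "192.168.2.199"),
        "no_wan_lease": check_wan_lan(None, "192.168.2.1/24"),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or 'OK'}")
```

The `changed_lan` case is the configuration Dave ends up with later in the thread (LAN 192.168.2.1/24, pool .100 to .199) and comes back clean; the factory LAN against a 192.168.1.x lease is the conflict Steve describes. Link state cannot be checked this way, so a missing lease is reported as either no DHCP server or no link.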
-
@stephenw10 I had an opportunity to sit down on a zoom call late this morning.
My friend and I each sat in front of our respective pfsense box
Here are the Unedited Results
NOTE:
The setup wizard runs One Time Only automatically.
If you escape it at any point it will not run again.
However you can manually run it anytime from System -> Setup Wizard.
You can reset to defaults from Diagnostics -> Factory Defaults in the GUI
or
using Menu Option 4 at the console.
For My Particular Issues of Non Connect with the Netgate SG-1100
- Interfaces WAN
Enable Interfaces [ ] - Reserved Networks
UnBlock Private - Interfaces LAN
Static IP Address 192.168.2.1
General Enable DHCP
Subnet 192.168.2.0
Subnet Mask 255.255.255.0
Available Range 192.168.2.1 192.168.2.254
Range From 192.168.2.100 To 192.168.2.199
- Package Manager
Installed aws wizard
ipsec profile wizard
Add Bandwidthd
Reboot Full Reboot,
- Settings Highlight LAN
- Bandwidthd Settings
Enable Bandwidth [ ]
Subnet(s) LAN Highlight
Enable Promiscuous [ ]
Enable Draw Graphs [ ]
Meta Refresh 20
6 SAVE
This is my first draft of what is required to place the SG-1100 downstream of my ISP Router and before my home network switch.
Please review and provide your input and comments.
Note one of the objectives is to be able to monitor all Home Network LAN Traffic, which will also include a wireless Access Point for the iPhones and iPads. ALL computers are hardwired to the LAN as are the NAS Servers.
- Interfaces WAN
-
Yes, that should work fine. As long as you have changed the LAN subnet so it doesn't conflict with the ISP router that will work.
You don't need to unblock 'Private Networks' on WAN unless you have incoming connections there from hosts on the ISP router directly. Which you might if, for example, you had IP TV boxes trying to access the NAS behind pfSense.
Steve
-
@stephenw10 Steve we are not sure why the Unblock of the private networks is required, however, Enabled and we have no connection. Unchecked and the connection from the ISP Router comes through allowing the connection.
I spent another two hours last night revising the document so it flows better and does not skip any issue especially the (SAVE) functions.
It now seems very stable and has begun to collect the Bandwidth data.
My next challenge is to add the Access point to the system and, as my friend suggested, connect it to the Home network Switch.
This allows future wireless extensions as required.
Now that the SG-1100 is running I can say I am quite pleased with the device.
Prior to your comment re the Setup Wizard I was totally convinced I had messed up a setting and bricked the device.
I really think your comment re the Setup Wizard needs to be in the User Setup Guide
The IP TV as provided by the ISP is on the ISP Network System, along with the Home Security and other Home monitoring equipment.
All Residential Internet activity is on the "Home" router as are all the NAS Servers, Computers, iPads, iPhones, Readers ETC.
In the short time I have had the SG-1100 I am beginning to see why my friends all insist, Set It, Forget It.
Again Thanks for your patient assistance.
-
@courierdog said in Insert SG-1100 between existing cable modem and router:
we are not sure why the Unblock of the private networks is required, however, Enabled and we have no connection. Unchecked and the connection from the ISP Router comes through allowing the connection.
Well not understanding that is going to come back and bite you.. There is no reason why that would be required.. The only reason that would be required is if you had something on that network or some other rfc1918 network that you wanted to allow unsolicited inbound traffic into pfsense wan, that you forward to pfsense lan.
That rule has zero to do with pfsense wan getting an rfc1918 IP via dhcp, or via pfsense creating outbound connections to the internet through your router.
-
@johnpoz John, when we were working through the settings with a friend on a ZOOM Call.
My setup was stripped bare.
ISP Router Actiontec TM3200 -> Netgate SG-1100 -> Computer (MacBook Pro)
My friend on the other end has
ISP Supplied by WiFi -> pfsense (64 bit PC computer) -> Computer (MacBook Pro)
He has been a Computer tech for over 40 years.
He has had several clients who have had similar problems to mine where excessive Data Charges were an issue.
In my case it was 7 TB in one month. Turned out to be a gamer using an unknown WiFi port on my Home System.
In the most recent case my friend was involved with, a Lawyer client had a son who was using the excess Data Bandwidth for gaming.
In all cases the User must use the supplied ISP Router.
We do not understand why but the Unblocking of the Private Networks is common to the working in all our situations.
The use of the Bandwidth Monitoring is also a common setup requirement.
These settings are common to all installations.
Mine is the only one using the Netgate SG-1100; all other installations utilize a PC loaded with pfsense.
I have only begun the first page of the pfsense journey. The Manual is 2053 pages. I have a long way to go. ha ha
I appreciate all the suggestions, recommendations and above all the patience displayed to an Old Man. Dave
-
@courierdog Not sure why you're bringing up all that for the simple point that there is no reason you need to uncheck the block rfc1918 default rule to work behind a nat..
If your guy has so much experience he would know that.. Or be able to explain why in your setup it breaks your internet access.
Simple firewall rules
[22.01-RELEASE][admin@sg4860.local.lan]/root: pfctl -sa | grep "Block private networks"
block drop in quick on igb1 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8" ridentifier 12001
block drop in quick on igb1 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8" ridentifier 12002
block drop in quick on igb1 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12" ridentifier 12003
block drop in quick on igb1 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16" ridentifier 12004
Which have nothing to do with internet connections that pfsense or devices behind pfsense create..
In what scenario would those cause you issue, unless you were creating inbound unsolicited to your wan that you needed to allow. They have nothing to do with outbound traffic created by pfsense, or by devices behind pfsense.
There is no need to go into the life story of why you want to use pfsense, or some issue you have with your ISP bill, etc. etc.. It's just simple understanding on why you think you need to uncheck that rule when you don't .. So if you're saying you need to uncheck that for internet to work, or your IT guy is - I would suggest you understand why that is, or in the future something is going to not work and you're not going to understand why. Since clearly you don't actually understand how it's working now - because that rule wouldn't prevent it, and you're saying it does.
I don't care if you have that rule on or off, block bogon either.. They are questionable how much good they do anyway rules.. But many a thread here where users say you need to uncheck that rule, when clearly they don't.. The rules are for inbound traffic with a source of rfc1918.. They have nothing to do with return traffic in answer to traffic pfsense or its clients have created. Since that traffic even if from rfc1918 would be allowed by the state the outbound traffic created.
So again if you're saying internet doesn't work for clients behind pfsense unless you turn that rule off - I would suggest you actually understand why that is.. Because that should not be the case.
-
I would suggest disabling that again and seeing if anything actually fails because, I agree, it should not.
It only affects inbound connections and only sources from private IPs. So even if you have port forwards setup they would only appear to be from a private IP if the ISP router is NATing inbound connections, which I have never seen. But I guess there's a first time for everything.
Steve
-
@stephenw10 Only possible thing I can think of is maybe the router is pinging pfsense IP.. and they also have some other rule allowing ping?
Or they are saying "internet" is broken when they mean something on the wan of pfsense can not talk to something on lan?
What I'm trying to prevent is continued FUD about that rule, and turning it off when there is no reason to do so, etc. Or if there is some specific scenario where some ISP or some sort of configuration requires that rule to be off.. That would be great info as well.
But with the information provided I sure do not see how turning that rule on or off has anything to do with anything about internet access from pfsense, or its clients behind pfsense, etc.
-
@johnpoz John the only response I can think of in reference to our ISP(s) here in Alberta, Canada.
Myself and other friends are finding similar difficulties with our ISP(s)
Perhaps they have a different network architecture I am not sure.
-
@courierdog well why don't you have your IT guy figure it out and explain it..
I have some 30 years in the biz myself.. And have run, and currently running pfsense behind nat connections where pfsense has a rfc1918 address on its wan.. Guess what they work just fine with that rule enabled.
For the life of me I am hard pressed to even come up with a scenario where that rule would prevent internet access.. It's just not how pfsense works or for that matter any firewall. The only thing that rule does is prevent unsolicited inbound traffic from a rfc1918 address. Which has nothing to do with pfsense talking to a rfc1918 address, nor allowing return traffic from a rfc1918 address, etc. etc..
If there is some sort of setup - like your isp router having to be able to ping pfsense IP to allow access, and this comes from rfc1918, etc. Then it would be great to know this info, so we could help the next user that might run into that, etc.
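The point johnpoz makes here, and in his earlier post that quotes the four "Block private networks" rules from pfctl, is about evaluation order: pf checks the state table before it reads any rule, so replies to connections that pfSense or a NATed LAN client opened pass even when they come from an RFC1918 address, while the block rules only ever see unsolicited inbound packets. The following is an added illustration of that order in Python; it is not pfSense or pf code. The four rule lines are re-typed from the pfctl output quoted in the thread (igb1 is the WAN there); the WAN lease 192.168.1.20, the ISP router at 192.168.1.1 and the remote hosts are constructed for the scenario, and the simplified state key (protocol and the two address/port pairs) stands in for pf's real state entries.

```python
import ipaddress
import re

# Added example, not pfSense code. PFCTL_OUTPUT re-types the four rules johnpoz's
# pfctl command printed (igb1 is the WAN in that output); everything else is constructed.
PFCTL_OUTPUT = """\
block drop in quick on igb1 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8" ridentifier 12001
block drop in quick on igb1 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8" ridentifier 12002
block drop in quick on igb1 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12" ridentifier 12003
block drop in quick on igb1 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16" ridentifier 12004
"""

RULE_RE = re.compile(
    r'^block drop (?P<dir>in|out) quick on (?P<iface>\S+) inet '
    r'from (?P<src>\S+) to (?P<dst>\S+) label "(?P<label>[^"]*)"'
)


def parse_rules(text):
    """Turn pfctl -sa lines of the above shape into rule dicts (other lines are skipped)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({
                "direction": m.group("dir"),
                "iface": m.group("iface"),
                "src": None if m.group("src") == "any" else ipaddress.ip_network(m.group("src")),
                "label": m.group("label"),
            })
    return rules


def open_outbound(states, proto, wan_ip, sport, dst_ip, dport):
    """Record the state pf creates when pfSense (or a NATed LAN client) starts a connection."""
    states.add((proto, wan_ip, sport, dst_ip, dport))


def inbound_verdict(rules, states, iface, proto, src_ip, sport, dst_ip, dport):
    """Decide what happens to a packet arriving on `iface`, in pf's order."""
    # 1. State table first: a reply to a connection we opened matches the existing
    #    state and passes, whatever its source address is, before any rule is read.
    if (proto, dst_ip, dport, src_ip, sport) in states:
        return "pass (state match)"
    # 2. No state: walk the ruleset; these are "quick" rules, so the first match decides.
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["direction"] == "in" and rule["iface"] == iface:
            if rule["src"] is None or src in rule["src"]:
                return f'block ({rule["label"]})'
    # 3. Nothing matched: with no pass rule or port forward on WAN, pfSense's default
    #    deny drops it anyway, so turning the rule off does not let this traffic in.
    return "no match (default deny on WAN)"


def demo():
    """Constructed scenario: WAN lease 192.168.1.20 from an ISP router at 192.168.1.1."""
    rules = parse_rules(PFCTL_OUTPUT)
    states = set()
    wan, wan_ip = "igb1", "192.168.1.20"
    # A LAN client (NATed to the WAN address) opens HTTPS to an internet host...
    open_outbound(states, "tcp", wan_ip, 45000, "203.0.113.10", 443)
    # ...and another opens the ISP router's own web UI, an RFC1918 address.
    open_outbound(states, "tcp", wan_ip, 45001, "192.168.1.1", 80)
    return {
        "internet_reply": inbound_verdict(rules, states, wan, "tcp", "203.0.113.10", 443, wan_ip, 45000),
        "router_ui_reply": inbound_verdict(rules, states, wan, "tcp", "192.168.1.1", 80, wan_ip, 45001),
        "router_unsolicited": inbound_verdict(rules, states, wan, "tcp", "192.168.1.1", 51000, wan_ip, 22),
        "internet_unsolicited": inbound_verdict(rules, states, wan, "tcp", "198.51.100.7", 51000, wan_ip, 22),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running `demo()` shows both replies passing on state (the one from the ISP router's 192.168.1.1 included), and only the unsolicited packet from 192.168.1.1 hitting the 192.168.0.0/16 block rule. Passing an empty rule list instead of the parsed rules models the checkbox being unticked: the unsolicited packet then simply falls through to the default deny, which is why unblocking private networks on its own changes nothing for outbound internet access from LAN clients.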
-
@johnpoz I do know Telus (ISP) does have access down to their equipment level for customer support.
They are required to ask permission to go any further.
I have worked with some of their customer support personnel who had difficulty speaking the same language.
The only thing I know is at this point if I return to default
Interfaces WAN -> Reserved Networks -> Private (Block enabled) then the SG-1100 will not pass traffic through the device. It is baffling as the default settings are only enabled after considerable research.
I would like to find a better answer on this.