Netgate Discussion Forum
    Pfsense as lan router and port forwarding problems?

    General pfSense Questions
    27 Posts 8 Posters 2.9k Views
    SteveITS Galactic Empire @josephchrzempiec

      @josephchrzempiec If there is no bridge mode then another way to do this is to set a DMZ in the Comcast router so it forwards everything to your pfSense. So if the pfSense is 10.1.10.5, the Comcast router sets 10.1.10.5 as its DMZ. Then on your pfSense you also create NAT rules to forward port 443 to your web server.

      Alternately you can forward Comcast port 443 to 10.1.10.5:443 and then create another NAT rule on the pfSense to forward port 443 to your web server.

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote ๐Ÿ‘ helpful posts!

      josephchrzempiec

        Hello, I got my new modem/router in today. Wow that was fast. Found out they have a small office 5 minutes from me and I never known it, So I picked it up there. I was able to get it up and running. I also found out I not only got one Static ip address but I have block of 5. I totally forgot I paid for it.

        So I assigned a static ip to the pfsense router and it works. I'm noticing one thing. Sense My Pfsense router is a 192.168 address and my comcast fiber is on another static ip I'm able to ping between both and see both no matter which network it's on. Is there a way to stop that?

        Joseph

        stephenw10 Netgate Administrator

          Prevent pfSense and Comcast pinging each other?

          I'm not sure why you would want to do that. You can add firewall rules in pfSense to block that if you really want to though.

          Steve

          SteveITS Galactic Empire @josephchrzempiec

            @josephchrzempiec If you're talking about pinging the Comcast 10.1.10.1 address that IP works, even when "bridged" and using a static IP on your router. It allows one to browse to the Comcast router to manage it. Also allows one to plug a laptop into their router to test, bypassing the customer router. But yes in some cases we block access to 10.1.10.1 from certain networks, allow from a management IP, etc.

            josephchrzempiec @SteveITS

              @steveits this modem/router haves a 10.0.0.1 address. How can I apply those rules? I know nothing about firewalls.

              Joseph

              SteveITS Galactic Empire @josephchrzempiec

                @josephchrzempiec OK around here Comcast's default is a 10.1.10.x subnet.

                re: rules, first I would take some time to learn more about firewalls so you don't lock yourself out. Second, write down what you're trying to accomplish, in words. Rules on an interface are processed in order. By default LAN is allowed to connect anywhere.

                https://docs.netgate.com/pfsense/en/latest/firewall/fundamentals.html
                for example rules (not that you need any of these): https://docs.netgate.com/pfsense/en/latest/recipes/example-basic-configuration.html

                To restrict access to the Comcast router from LAN, something like this:

                allow from my_ip to 10.0.0.1
                block from LAN Net to 10.0.0.1

                So you can see no one else on LAN except my_ip can connect to 10.0.0.1.

                josephchrzempiec

                  @steveits said in Pfsense as lan router and port forwarding problems?:

                  https://docs.netgate.com/pfsense/en/latest/recipes/example-basic-configuration.html

                  Here are the following steps I tried from what I can see online and videos to block the address.

                  I went to firewall/rules/lan. I hit the add button.
                  Action: block
                  Interface: lan
                  address family: IPv4
                  Protocol: TCP/UDP
                  Source: Single host or alias Address 10.0.0.1
                  Destination: Any
                  Description: Block 10.0.01.

                  Is there anything I got wrong or need to change?

                  Joseph

                  P.S. Applying these rules and saving the change did not stop me from pinging the 10.0.0.1 address.

                  SteveITS Galactic Empire @josephchrzempiec

                    @josephchrzempiec
                    Pinging is ICMP not TCP or UDP. TCP would block, say, an HTTP connection.
                    Source is the source of the packet so would be the IP you want to block. So probably LAN Net.
                    Destination is where the packet is going, so 10.0.0.1.

                    stephenw10 Netgate Administrator @josephchrzempiec

                      @josephchrzempiec said in Pfsense as lan router and port forwarding problems?:

                      Protocol: TCP/UDP

                      That does not include ICMP which ping uses.

                      josephchrzempiec

                        Hello, thank you. I put LAN net in the source and kept the destination at single host or alias with the address 10.0.0.1. I have tried that and I'm still able to ping that address. Now I cannot go to it, but I can see it is there still.

                        I'm so confused, but trying.

                        Joseph

                          SteveITS Galactic Empire @josephchrzempiec

                          @josephchrzempiec Did you change the Protocol to ICMP?

                            josephchrzempiec @SteveITS

                              @steveits I'm so dumb right now. I'm sorry, you said protocol ICMP. That is my fault there. I'm changing it now. Thank you

                              Joseph

                                josephchrzempiec

                                Just an update. Thank you all for the information and help. This is a great community. I got it all blocked now. However, I need to figure out how to block not only 10.0.0.1 but all the addresses. I just tried to ping 10.0.0.34, which my laptop is on, and I was able to ping that as well. Is there a way to stop all the addresses in that range?

                                Edit: I did manage to figure that out. I changed Destination to network and the address 10.0.0.1 and it blocked everything on that.

                                Joseph

                                  stephenw10 Netgate Administrator

                                  The destination should really be 10.0.0.0/24 there, like:
                                  [Screenshot from 2022-07-09 02-21-53.png]

                                    JKnott @josephchrzempiec
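                                  As an added illustration (constructed here, not code from the thread or from pfSense itself), a small Python model of first-match interface rule evaluation: it shows why the first attempt (Source 10.0.0.1, Protocol TCP/UDP) never blocked ping, and how SteveITS's allow-then-block ordering with stephenw10's 10.0.0.0/24 destination behaves. The LAN subnet 192.168.1.0/24 and the management host 192.168.1.10 are assumed values.

```python
from ipaddress import ip_address, ip_network

# Constructed model of pfSense-style interface rules, not pfSense's own code.
# Rules on an interface are evaluated top to bottom and the first match wins;
# traffic matching no rule is blocked by the implicit default deny.
LAN_NET = "192.168.1.0/24"      # assumed pfSense LAN subnet
MGMT_HOST = "192.168.1.10/32"   # assumed management host ("my_ip" in the thread)
ISP_ROUTER = "10.0.0.1/32"      # ISP router address from the thread

def rule(action, proto, src, dst):
    """proto is 'any' or a '/'-joined list such as 'TCP/UDP'."""
    protos = None if proto == "any" else set(proto.upper().split("/"))
    # strict=False mirrors entering address + mask: 10.0.0.1/24 -> 10.0.0.0/24
    return {"action": action, "protos": protos,
            "src": ip_network(src, strict=False),
            "dst": ip_network(dst, strict=False)}

def evaluate(rules, proto, src, dst):
    """Return 'pass' or 'block' for one packet entering the LAN interface."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        if r["protos"] is not None and proto.upper() not in r["protos"]:
            continue
        if src in r["src"] and dst in r["dst"]:
            return r["action"]
    return "block"

ANY = "0.0.0.0/0"

# The thread's first attempt: block with Source 10.0.0.1 and Protocol TCP/UDP,
# placed above the default "LAN net to any" allow rule.
first_attempt = [
    rule("block", "TCP/UDP", ISP_ROUTER, ANY),
    rule("pass", "any", LAN_NET, ANY),
]

# SteveITS's ordering (allow the management host, then block LAN net),
# with stephenw10's /24 destination so 10.0.0.34 is covered as well.
corrected = [
    rule("pass", "any", MGMT_HOST, "10.0.0.0/24"),
    rule("block", "any", LAN_NET, "10.0.0.0/24"),
    rule("pass", "any", LAN_NET, ANY),
]

def ping_from_lan(rules, dst="10.0.0.1", src="192.168.1.50"):
    return evaluate(rules, "ICMP", src, dst)

if __name__ == "__main__":
    print("first attempt, ping 10.0.0.1:", ping_from_lan(first_attempt))              # pass
    print("corrected, ping 10.0.0.1:   ", ping_from_lan(corrected))                   # block
    print("corrected, ping 10.0.0.34:  ", ping_from_lan(corrected, "10.0.0.34"))      # block
    print("corrected, mgmt host:       ", ping_from_lan(corrected, src="192.168.1.10"))  # pass
```

Swapping the first two corrected rules blocks the management host too, which is the ordering point made above about rules being processed in order.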

                                    @josephchrzempiec said in Pfsense as lan router and port forwarding problems?:

                                    The support lady said Well I don't see a way to put it in bridge mode. and the option is not in the modem/router.

                                    You can't always believe them. Post the model and maybe someone here can help you.

                                    PfSense running on Qotom mini PC
                                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                    UniFi AC-Lite access point

                                    I haven't lost my mind. It's around here...somewhere...

                                      johnpoz LAYER 8 Global Moderator @JKnott

                                      @jknott they already got a new isp device, and they have a block of 5 public IPs

                                      @josephchrzempiec said in Pfsense as lan router and port forwarding problems?:

                                      Hello, I got my new modem/router in today. Wow that was fast. Found out they have a small office 5 minutes from me and I never known it, So I picked it up there. I was able to get it up and running. I also found out I not only got one Static ip address but I have block of 5. I totally forgot I paid for it.
                                      So I assigned a static ip to the pfsense router and it works.

                                      But yeah I agree with your overall advice - quite possible that the 1st level support person when you call just doesn't have a clue ;) Never hurts to post exact model, etc. as there might well be a way to put in bridge mode that the support was just not aware of.

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                                        josephchrzempiec @johnpoz

                                        Hello everyone, I'm very sorry for the late reply. My depression kicked in and for a long time I was useless at everything. I needed to get my head back in check, even on this problem. I don't have any new news to report, but soon I need to figure this out. My ISP router is still the same and my pfSense router is still the same. My problem is that I need to port forward through the pfSense router to my ISP router. I haven't found a way to do that yet. I need to contact my ISP to figure out their side of their modem/router and how I can bridge things.

                                        They did offer to do static IP addresses so I can run it as my own, and the cost is $24 a month. I'm not sure that is a cost I can really afford. However, it might be the only way to fix this problem and still let me run the pfSense router as a full standalone router without having to deal with my ISP router part. I need to think about whether I should go that way or have more to deal with trying to bridge these two together. Thank you all for the help and information. I have tried everything everyone said to try and I still couldn't get it to port forward. I will update this post in a day or two after the weekend is over.

                                          johnpoz LAYER 8 Global Moderator @josephchrzempiec

                                          @josephchrzempiec said in Pfsense as lan router and port forwarding problems?:

                                          My ISP router is still the same

                                          Which is what exactly - you never stated this.

                                          My problem is that I need to port forward through the pfSense router to my ISP router.

                                          No, your ISP router would be in front of pfSense - and you would need to forward the port to the pfSense WAN, so it can forward to your clients behind pfSense.

                                            skogs

                                            Yes, the manufacturers sometimes label these things differently. It might be pass through, might be bridge mode, or might be 'DMZ'.
                                            Do not, under any circumstances, let the ISP charge you extra for this. ...unless...
                                            Now, they may block incoming (from the www... to a personal/home level service account) ports 80, 443, 25, etc. The only way around that is to use a commercial account, which they will charge you more for, and cut your speed in half... because they can.

                                            So back to the trouble at hand.
                                            ISP > pfsense > webserver
                                            This isn't rocket science. Push all the traffic through to pfsense somehow...bridge/passthrough/dmz.
                                            Firewall rule into pfsense to forward correct traffic to the webserver.
                                            Probably dynamic dns...or just memorize your public IP each time it changes.

                                            I have troubleshot the hell out of something already working before... so the part ~some~ people forget: YOU... from INSIDE your network... will probably have issues getting to the public IP website because of routing/firewall rules. That needs a separate set of rules. Quick sanity check after you get the above set up correctly: turn off the wifi on your phone and try to get to the page. If it loads, you're golden. Chances are that on the first try your desktop/laptop etc. on the internal wifi will not work... you need a few extra rules for that put in.

                                            *also... make sure you're not making an internal webpage at home that functions as an unintentional honeypot... just saying... people will get in. It isn't pfSense's fault... 99.99% of home webservers shouldn't be connected to the interwebs.
