Netgate Discussion Forum

    2 boxes - ISP device and pfSense

      andrej

      I must use a device that is imposed by my ISP provider: Sinope ADSL2+ Home Gateway Sinope568+ R2 (http://www.iskratel.com/en/access/Documents/Sinope568plus_R2_datasheet_en.pdf).
      This device establishes PPPoE connection as I have a fixed IP. Since I have a "triple play" service (TV+VoIP+HDTV IP stream) I don't see any other chance but to use this device (Box1) as a WAN connection.

      I just bought (Box2) a pfSense appliance (http://www.applianceshop.eu/index.php/firewalls/opnsense/opnsense-hd-pfsense.html) as a replacement for Smoothwall installed on a PC. I also bought and read the book (pfSense The Definitive Guide). But I'm lost as I cannot get an Internet connection.

      If I connect through Box1 everything works just fine. When I defined that WAN IP as well as Gateway and DNS server on Box 2 as the IP of Box1 I couldn't get through. The advice in the book (Section 4.8 and especially 4.8.2.2) didn't help me. I can ping Box1, but that's all. I tried to change configuration in Box1 (Static + DHCP off, DHCP on, UPnP on/off), no success.

      Thanks, Andrej

        scoop

        Maybe you can elaborate on what IP addresses and default gateway you have configured on the WAN interface and LAN interface on pfSense (Box1)? Next to that, also tell us what IP addresses are configured on the Sinope ADSL2+ device (Box2) so we can figure out what's wrong with your setup. Things that come to mind for example are IP subnet overlaps or missing/wrong default gateway on the pfSense side. Things we need to know before we can assess your setup are:

        • IP address range used on the LAN side of pfSense

        • Configured default gateway on the systems that reside on LAN (if not using DHCP)

        • Configured IP on the LAN interface of pfSense (if you changed that)

        • Configuration of the WAN interface of pfSense (and IP address and default gateway if configured as static)

        • IP address range used on the LAN side of your ADSL router (and thus the WAN interface of pfSense)

          andrej

          Thank you for your quick response. Answers:
          IP address range used on the LAN side of pfSense: 172.17.148.0/24

          Configured default gateway on the systems that reside on LAN (if not using DHCP):
          I turned DHCP off. Default gateway: 172.30.208.65

          Configured IP on the LAN interface of pfSense (if you changed that): 172.17.148.1

          Configuration of the WAN interface of pfSense (and IP address and default gateway if configured as static)
          Configured as static, WAN IP and default gateway: 172.30.208.65

          IP address range used on the LAN side of your ADSL router (and thus the WAN interface of pfSense):
          I tried to configure just one IP: 172.30.208.65, mask: 255.255.255.255, but ADSL router wouldn't allow it. Therefore I was forced to configure the range between 172.30.208.65 - 172.30.208.65, mask: 255.255.255.252.

            scoop

            Hi,

            AFAIK there are two misconfigurations in your setup. The first thing is to configure the systems that reside on the LAN interface of pfSense to have 172.17.148.1 as default gateway. This means traffic that does not fall into the 172.17.148.0/24 range should be forwarded to 172.17.148.1 (your pfSense). Next, you need to configure both pfSense and your DSL gateway to have a unique IP address in the 172.30.208.xxx range. I take it you also use a subnet mask of 255.255.255.0 (i.e. /24) for this segment. So configure pfSense's WAN interface to have 172.30.208.65/24 and your DSL gateway to 172.30.208.1/24 for example. Next, make sure pfSense's default gateway on the WAN interface is configured to have 172.30.208.1 as your default gateway and things should work.

            There's only one ugly thing / downside to this setup, and that's that it uses NAT twice. But since your DSL router provides other IP related services there's not an easy way around this I think.

            I hope this helps.

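The two misconfigurations named in the reply above can be checked mechanically. This is an added example, not part of the original posts: `check_plan` and its messages are hypothetical, and the /30 mask on the pfSense WAN side in `ORIGINAL` is an assumption taken from the mask quoted for the ADSL router.

```python
import ipaddress

def check_plan(lan_if, wan_if, wan_gw, client_gw):
    """Return the problems found in a pfSense-behind-ISP-router address plan."""
    lan = ipaddress.ip_interface(lan_if)    # pfSense LAN address and mask
    wan = ipaddress.ip_interface(wan_if)    # pfSense WAN address and mask
    gw = ipaddress.ip_address(wan_gw)       # ISP router address used as WAN gateway
    cgw = ipaddress.ip_address(client_gw)   # default gateway set on the LAN hosts
    edges = (wan.network.network_address, wan.network.broadcast_address)
    problems = []
    if gw == wan.ip:
        # pfSense and the ISP router would share one address on the same segment
        problems.append("WAN gateway is pfSense's own WAN address")
    elif gw not in wan.network:
        problems.append("WAN gateway is outside the WAN subnet")
    elif gw in edges:
        problems.append("WAN gateway is the network or broadcast address")
    if wan.ip in edges:
        problems.append("WAN address is the network or broadcast address")
    if lan.network.overlaps(wan.network):
        problems.append("LAN and WAN subnets overlap")
    if cgw != lan.ip:
        problems.append("LAN hosts do not use pfSense's LAN address as gateway")
    return problems

# Constructed from the values quoted in the thread (WAN mask is an assumption).
ORIGINAL = ("172.17.148.1/255.255.255.0", "172.30.208.65/255.255.255.252",
            "172.30.208.65", "172.30.208.65")
# The plan proposed in the reply above.
PROPOSED = ("172.17.148.1/255.255.255.0", "172.30.208.65/255.255.255.0",
            "172.30.208.1", "172.17.148.1")

if __name__ == "__main__":
    for name, plan in (("original", ORIGINAL), ("proposed", PROPOSED)):
        issues = check_plan(*plan)
        print(name, "->", issues if issues else "no problems found")
```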
              andrej

              Hi,

              I'm not sure if I understood everything. Let me repeat in order to make sure I get it right:

              1. Settings for LAN interface of pfSense:
                IP Address: 172.17.148.1
                Default Gateway: 172.17.148.1
                Subnet Mask: 255.255.255.0
                Start Host Address: 172.17.148.1
                End Host Address: 172.17.148.254

              2. Settings for WAN interface of pfSense:
                IP Address: 172.30.208.65
                Default Gateway: 172.30.208.1
                Subnet Mask: 255.255.255.0
                Start Host Address: 172.30.208.1
                End Host Address: 172.130.208.254

              3. Settings for DSL gateway (you mean ADSL router?):
                IP: 172.30.208.1
                Subnet Mask: 255.255.255.0
                Start Host Address: 172.30.208.1
                End Host Address: 172.130.208.254

              Is that correct?

              And I have an additional question. Since my ADSL router is on an RFC1918 private range I cannot use the option "Block RFC1918 Private Networks" (figure 4.10, page 55 in the book). How should I fix this trouble and enable "Ingress Filtering"?

              Thank you, Andrej

                Cry Havok

                LAN - no default gateway (each device can only have a single default gateway and it's normally on the WAN facing interface).

                Otherwise the network settings look ok.

                  scoop

                  With "The first thing is to configure the systems that reside on the LAN interface of pfSense to have 172.17.148.1 as default gateway" I don't mean that pfSense should have it configured as default gateway, but i.e. your computer that is behind pfSense. As for unblocking private networks on the WAN interface, this is not a problem. If you really want to keep blocking private networks except your WAN subnet, then you should just create a firewall rule on the WAN interface to allow traffic from that particular subnet and then just below that rule block all private networks (10.0.0.0/8, 172.16.0.0/20 and 192.168.0.0/16).

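The rule order suggested in the reply above matters because pfSense evaluates interface rules top-down and the first match decides. This is an added example, not part of the original posts: it models that first-match behaviour for source addresses arriving on WAN, using the RFC 1918 blocks 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16; the function names and the "no-match" result are hypothetical.

```python
import ipaddress

# Private address blocks as defined in RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_wan_rules(wan_subnet):
    """Ordered WAN rule list: pass the WAN subnet first, then block RFC 1918."""
    rules = [("pass", ipaddress.ip_network(wan_subnet))]
    rules += [("block", net) for net in RFC1918]
    return rules

def evaluate(rules, src):
    """Return the action of the first rule whose network contains src."""
    addr = ipaddress.ip_address(src)
    for action, net in rules:
        if addr in net:
            return action
    return "no-match"  # falls through to whatever rules follow

def decisions(rules, sources):
    """Map each source address to the action the rule list gives it."""
    return {src: evaluate(rules, src) for src in sources}

# WAN subnet from the thread; the other source addresses are constructed samples.
WAN_RULES = build_wan_rules("172.30.208.0/24")
SAMPLES = ["172.30.208.1", "172.17.5.5", "10.1.2.3", "192.168.1.1", "8.8.8.8"]

if __name__ == "__main__":
    print("pass first :", decisions(WAN_RULES, SAMPLES))
    # With the block rules above the pass rule, the ISP router's own
    # subnet is caught by the 172.16.0.0/12 block before the pass is reached.
    print("block first:", decisions(list(reversed(WAN_RULES)), SAMPLES))
```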
                    andrej

                    It works!
                    Many thanks, you saved me a lot of time and trouble. :)
