Netgate Discussion Forum

How can I achieve this with my current setup?

Problems Installing or Upgrading pfSense Software
83 Posts 6 Posters 24.0k Views
  • K
    kejianshi
    last edited by Aug 2, 2013, 12:20 AM

    Confirm or override what?

    • O
      orientalsniper
      last edited by Aug 2, 2013, 12:22 AM

      The safety feature.

      • S
        stephenw10 Netgate Administrator
        last edited by Aug 2, 2013, 1:04 AM

        Whilst having a publicly addressable printer is perhaps… unwise, it should work.
        If you are doing 1:1 NAT, and have it set up exactly as the other LAN clients which are working, I can't see why it wouldn't work. Even if it had some code to prevent it using a public IP (which seems very unlikely) it doesn't know because it's behind NAT.
        The fact that it can't ping out seems like a clue, NAT not working correctly perhaps. Can it ping the pfSense VM? When it fails to ping is there any error message?

        Steve

        • K
          kejianshi
          last edited by Aug 2, 2013, 1:08 AM

          With my samba server stuff, it always needs to know its subnet and workgroup in the samba config. That and telling it to accept anonymous clients etc.
          Check your setup to see if it's set up thinking it should be looking at this or that subnet that has changed.

          • O
            orientalsniper
            last edited by Aug 2, 2013, 1:14 AM

            Take a break guys, I'm at home, will report tomorrow. Have a good night.

            • O
              orientalsniper
              last edited by Aug 2, 2013, 3:15 PM Aug 2, 2013, 3:12 PM

              Let the fun begin. ;D

              Printer can ping pfSense's public IP (xxx.xxx.xxx.98) and can ping any LAN clients (10.0.0.100 - 10.0.0.120)
              Again, printer can't ping anything outside LAN. (Err: Ping has failed)

              It gets subnet automatically (255.255.255.0), has SAMBA Workname and Name set up. But printer only uses SAMBA for saving scans.

              • D
                doktornotor Banned
                last edited by Aug 2, 2013, 3:19 PM

                I frankly cannot see why printer should ping anything, in or outside LAN. Maybe you should make clear what is the issue here.

                • O
                  orientalsniper
                  last edited by Aug 2, 2013, 3:24 PM

                  @doktornotor:

                  I frankly cannot see why printer should ping anything, in or outside LAN. Maybe you should make clear what is the issue here.

                  I cannot print over the internet or access its web interface over the internet, I think I've stated that multiple times.

                  • O
                    orientalsniper
                    last edited by Aug 2, 2013, 3:43 PM Aug 2, 2013, 3:39 PM

                    I got it!  ;D It's working now. I removed it from pfSense DHCP mappings, assigned it manually in printer. Don't know why it works now though.

                    • B
                      bruor
                      last edited by Aug 2, 2013, 6:10 PM

                      I'm a little late to the game on this thread but it looks like you've gone ahead with a 1:1 NAT setup for this. Alternatively you could have configured pfSense as a "transparent firewall" by setting up a bridge interface, disabling NAT, and configuring the public IPs directly on the "X amount of Computers".

                      This would have made pfSense work essentially like a QoS 'cable' linking the WAN connection into your switch.  You also retain packet filtering functionality, and you don't have to configure any virtual IPs in the process.

                      For 1:1 NAT you don't need VIPs either if you're mapping them to devices behind the FW.  This is also the best way to go if you want to have a private internal IP range that you route through pfSense for sharing an external IP with multiple internal devices.

                      I only chimed in because it appears that you want to use a pfSense VM on an existing server to run QoS for a bunch of stuff that is dedicated to WAN2 while leaving the orange and purple stuff set up as is using the other wifi router and WAN1.

                      • K
                        kejianshi
                        last edited by Aug 2, 2013, 6:53 PM Aug 2, 2013, 6:51 PM

                        I never was clear on your clients where. Assigning the IP statically often fixes things when you would think DHCP should have worked but didn't. I'm glad it worked.

                        • O
                          orientalsniper
                          last edited by Aug 2, 2013, 8:04 PM

                          @bruor:

                          I'm a little late to the game on this thread but it looks like you've gone ahead with a 1:1 NAT setup for this. Alternatively you could have configured pfSense as a "transparent firewall" by setting up a bridge interface, disabling NAT, and configuring the public IPs directly on the "X amount of Computers".

                          This would have made pfSense work essentially like a QoS 'cable' linking the WAN connection into your switch.   You also retain packet filtering functionality, and you don't have to configure any virtual IPs in the process.

                          For 1:1 NAT you don't need VIPs either if you're mapping them to devices behind the FW.  This is also the best way to go if you want to have a private internal IP range that you route through pfSense for sharing an external IP with multiple internal devices.

                          I only chimed in because it appears that you want to use a pfSense VM on an existing server to run QoS for a bunch of stuff that is dedicated to WAN2 while leaving the orange and purple stuff set up as is using the other wifi router and WAN1.

                          I just deleted all the Virtual IPs and you were right! I was going for your setup in the beginning, setting up each IP at every computer, but it turns out it's much easier for me with DHCP mappings and NAT 1:1.

                          Yes, for the moment I solved purple and red part, I'll have to read on about how Radius and Captive Portal work in pfSense for a DD-WRT router authentication.

                          • S
                            stephenw10 Netgate Administrator
                            last edited by Aug 3, 2013, 12:41 AM

                            Hmm, interesting.
                            What are you mapping the internal machines to if you have removed the virtual IPs?
                            I am failing to see how this could work, I welcome a further explanation.

                            Steve

                            • O
                              orientalsniper
                              last edited by Aug 3, 2013, 1:00 AM

                              @stephenw10:

                              Hmm, interesting.
                              What are you mapping the internal machines to if you have removed the virtual IPs?
                              I am failing to see how this could work, I welcome a further explanation.

                              Steve

                              I'm not sure, I just removed the VIP's and tested for a few minutes and they worked, but I got a huge problem right now  :'(

                              My ISP took out my service by error (have to wait about 1-3 days), and I plugged my old ISP (the one I was using before without pfSense), it was a new setup of pfSense, I set it up with NAT 1:1 and VIP's just like how it was working before, but with different public IP's, everything worked fine for ~4 hours, then a few computers got disconnected (some playing League of Legends) some were fine, until every computer got disconnected.

                              I can ping any site or IP in pfSense console, but nothing in the LAN clients.

                              • K
                                kejianshi
                                last edited by Aug 3, 2013, 4:56 AM

                                For me, I use VIPs if I get my IPs by bridging and I use additional Virtual WAN ports if I'm getting IPs by DHCP. 
                                But the transparent firewall thing just screwed me when I tried it with zero NAT.

                                • S
                                  stephenw10 Netgate Administrator
                                  last edited by Aug 3, 2013, 9:11 AM

                                  Ah yes! I was forgetting it was virtual. Yes adding extra WAN interfaces makes sense. Probably easier to set up too. However I'm not sure that's what Orientalsniper did, it seemed like he just deleted the VIPs.  :-\

                                  This new problem sounds like it could be a DHCP issue. As the leases expire the machines are not renewing correctly?

                                  Steve

                                  • O
                                    orientalsniper
                                    last edited by Aug 3, 2013, 3:05 PM

                                    What's your suggestion to fix this DHCP lease issue?

                                    • D
                                      doktornotor Banned
                                      last edited by Aug 3, 2013, 3:08 PM

                                      @orientalsniper:

                                      What's your suggestion to fix this DHCP lease issue?

                                      I am afraid it's extremely difficult to work with constantly moving target. By this time, probably almost everyone lost the picture about what is the current problem yet again. You already posted multiple times that it works and all of a sudden it does not again.

                                      • O
                                        orientalsniper
                                        last edited by Aug 3, 2013, 3:11 PM

                                        @doktornotor:

                                        @orientalsniper:

                                        What's your suggestion to fix this DHCP lease issue?

                                        I am afraid it's extremely difficult to work with constantly moving target. By this time, probably almost everyone lost the picture about what is the current problem yet again. You already posted multiple times that it works and all of a sudden it does not again.

                                        Nooo, this is a different setup, I'm gonna create new thread to make it less confusing.

                                        • D
                                          doktornotor Banned
                                          last edited by Aug 3, 2013, 3:12 PM

                                          @orientalsniper:

                                          Nooo, this is a different setup, I'm gonna create new thread to make it less confusing.

                                          Yes, please…
