No internet access through pfSense
-
@Pagger: are we talking about CGNAT here ? What is it with private addressing like 10.14../ ?
When you had No pfSense in between, what was then the public IP number from ISP on Netgear-WAN and what was the private IP on Netgear-LAN ?
-
Did you reboot your device "modem" when you switched devices on it? If the device is in bridge mode then pfsense should get a public IP. If pfsense can ping that 10 address.. Where did it get that, can pfsense ping to the internet, say 4.2.2.2 or 8.8.8.8? I doubt it.
I would reboot your isp device, then once it is up and running all its lights showing it has internet connection. Then connect pfsense. Does it get public IP then? If so you should be golden. If not should still work just with double nat. You don't have a switch between your isp "modem" and pfsense do you - this isp device does it have more than 1 lan port? Are other devices connected that could be handing out dhcp?
If you have only 1 segment, no you wouldn't be natting. I am fairly sure whatever you are running pfsense on now can handle your network.. If your netgear could handle it before anything that pfsense could boot on would be fine. I see no use of the netgear at all, not sure what you think it's going to be saving the pfsense from doing exactly even if on the oldest of hardware??
If you want your netgear AP great, if you want to leverage it just for switch ports fine. But either of those scenarios normally mean you turn off the netgear dhcp server, give its lan IP on your network lan segment and connect it to your lan via one of its lan ports. Now you can setup its wifi and or plug in a device on one of the other lan ports and be on our 1 lan segment via dhcp from pfsense and pfsense would be the gateway off the network.
Your setup is no different than any other typical home setup. Pfsense has wan (internet) and connection into lan = done. To be honest setting up pfsense should take all of 5 minutes.. Depending on how fast you can install it or even boot live mode, etc.
I've already tried rebooting the modem several times with no difference.
And no, I can't ping out from the pfSense box, and I don't have a switch between my modem.
The alix2d.13 barely meets the minimum requirements for pfSense and I do have some servers with some traffic going sometimes and might wanna use vpn or something at the same time, so that's why I was thinking to use the D-link. But you're right it probably won't make much of a difference, and it's probably an unusual setup, but I don't see how it would be a negative thing to use the D-link as gateway on the lan side, if I have missed something, please do enlighten me :)
I'm gonna try and turn off the modem for 48 hours and hopefully it will get a public ip afterwards, but if it does not, do you have any idea what else could be wrong, since it doesn't get a public ip address?
@hda:@Pagger: are we talking about CGNAT here ? What is it with private addressing like 10.14../ ?
When you had No pfSense in between, what was then the public IP number from ISP on Netgear-WAN and what was the private IP on Netgear-LAN ?
No it isn't CGNAT, and what addresses are you talking about, you mean my D-link ? because the Netgear is only used as modem, so I don't know what private ip lan it should have?
-
…
No it isn't CGNAT, and what addresses are you talking about, you mean my D-link ? because the Netgear is only used as modem, so I don't know what private ip lan it should have?
OK. Netgear MoDem only (bridge/pass-thru). So what was the D-Link-WAN public IP and the D-link private LAN IP then at that point ?
-
"because the Netgear is only used as modem"
Oh my bad, I said netgear when I mean your D-link DIR-868L..
Again what do you think your dlink would be doing that would save pfsense any cpu cycles? Yes by all means use it as a switch. But it's not going to save any cycles on pfsense using it as a downstream router. You do understand pfsense doesn't require much.. I run mine in a VM on older N40L HP microserver with only 512MB of ram and have no issues with it at all.
All traffic that would be going to the internet would be going through pfsense, be it coming from what looks like 1 IP since your dlink is natting or its from different IPs doesn't matter. Traffic between machines on the same segment don't even talk to pfsense. They go through switch ports.
There is NO use of that dlink other than switch/wifi - using it in route mode or nat mode only complicates your setup for no reason at all.
Does not matter what you put behind pfsense, if pfsense can not talk to the internet - then nothing behind it would be able to get to the internet. So a quick google on the cg3000 and bridge mode points to turn off wifi on it, then going to 192.168.0.1/RgNatControl.asp and turning off NAT. Then rebooting it and plugging a device in to PORT1 of the lan ports.
What port is pfsense plugged into on it? How did you turn it into bridge?
I would plug a computer in to port 1, does it get public IP or some rfc1918 address? If you're getting rfc1918 then it's not in bridge mode that is for sure.
-
@hda:
…
No it isn't CGNAT, and what addresses are you talking about, you mean my D-link ? because the Netgear is only used as modem, so I don't know what private ip lan it should have?
OK. Netgear MoDem only (bridge/pass-thru). So what was the D-Link-WAN public IP and the D-link private LAN IP then at that point ?
I didn't really note them down as I expected them to work, but if I don't find a solution I will set it up as it was before, and then I will return with them.
"because the Netgear is only used as modem"
Oh my bad, I said netgear when I mean your D-link DIR-868L..
Again what do you think your dlink would be doing that would save pfsense any cpu cycles? Yes by all means use it as a switch. But it's not going to save any cycles on pfsense using it as a downstream router. You do understand pfsense doesn't require much.. I run mine in a VM on older N40L HP microserver with only 512MB of ram and have no issues with it at all.
All traffic that would be going to the internet would be going through pfsense, be it coming from what looks like 1 IP since your dlink is natting or its from different IPs doesn't matter. Traffic between machines on the same segment don't even talk to pfsense. They go through switch ports.
There is NO use of that dlink other than switch/wifi - using it in route mode or nat mode only complicates your setup for no reason at all.
Does not matter what you put behind pfsense, if pfsense can not talk to the internet - then nothing behind it would be able to get to the internet. So a quick google on the cg3000 and bridge mode points to turn off wifi on it, then going to 192.168.0.1/RgNatControl.asp and turning off NAT. Then rebooting it and plugging a device in to PORT1 of the lan ports.
What port is pfsense plugged into on it? How did you turn it into bridge?
I would plug a computer in to port 1, does it get public IP or some rfc1918 address? If you're getting rfc1918 then it's not in bridge mode that is for sure.
Well, I'm pretty sure that it doesn't nat just because I use it as the default gateway on the lan side.
Also the Alix2d.13 has 128 MB of ram minus what the system uses to run the embedded image.
I was thinking that when I create more network segments it might offload it a little bit, as I said, probably a strange use, but I can't really see where the harm is.
And yes that's exactly how I did, and I plugged it into the right port (which my D-link used before and worked fine), when I plug in a client into the modem in bridge mode it gets 10.14.255.61 and no internet access
-
…
It's a Docsis 3.0 modem(Netgear CG3000) so yeah it's a router as well, but it's in bridge mode with NAT turned off.
Modem ip is: 10.14.24.6
pfSense ip is: 10.14.255.45
...Explain to us why this Netgear MoDem in bridge/pass-thru has & gives a private address… What's the point ?
Who has given the pfSense (-WAN ?) a 10.14.255.45 ? Why this choice?
-
…
and I plugged it into the right port (which my D-link used before and worked fine), when I plug in a client into the modem in bridge mode it gets 10.14.255.61 and no internet access
Not MoDem only then… So, what is your public IP on the WAN side of the Netgear ? That public IP should go, MoDem transparent, onto the pfSense-WAN in case of MoDem-only bridge/pass-thru.
But...
If your Netgear is needed as MoDem-router and connected with pfSense-WAN, then give the pfSense-LAN f.i. 192.168.1.1/24
Next a client can get a number like 192.168.1.101
-
"when I plug in a client into the modem in bridge mode it gets 10.14.255.61 and no internet access"
And that is NOT bridge mode.. 10.x.x.x is a rfc1918 address and is not routable on the internet. Plain and simple it just is not going to work with such an address if you have nat turned off on the device because you want it to be in bridge mode.. You sure you have internet access at all?
So you're saying you plug in a device and you get internet with that 10.x address? Or it works? Sounds like you have no internet unless you do what? How are you posting this if you have no internet?
If so then post up a ipconfig /all from that machine plugged into your modem that is in bridge mode and do a trace route to say 8.8.8.8
example in the attached I have a private address 192.168, when I try and go to internet I hit my pfsense private lan address at 192.168.1.253, it nats that connection and sends it to my ISP on public IP, in my case 24.13.x.x, that 24.13.x.1 is my ISP gateway, next hops are in the internet be it the isp network or others, etc.
You having 10.x address on something plugged into your modem tells me you have to be doing NAT, either at that device you're plugged into or your ISP is doing it on global scale for all their customers. 10.x is not a public address.. If you were bridging you would see public, unless your isp is doing NAT in their network or your modem is not in bridge, etc.
So let's see your internet connection work with a client plugged in to your modem. Also if pfsense is on private network on its wan, you prob want to turn off block rfc1918 address in the interface setting for your wan interface.
As to using another router down stream.. Dude again you can use it as a switch or AP, etc.. But if you're going to have it NAT you're just going to cause yourself even more grief..
-
@hda:
…
It's a Docsis 3.0 modem(Netgear CG3000) so yeah it's a router as well, but it's in bridge mode with NAT turned off.
Modem ip is: 10.14.24.6
pfSense ip is: 10.14.255.45
...Explain to us why this Netgear MoDem in bridge/pass-thru has & gives a private address… What's the point ?
Who has given the pfSense (-WAN ?) a 10.14.255.45 ? Why this choice?
I get my Internet from my ISP by DHCP and not static, when I plug in the D-link instead of pfSense it is working, and the modem is definitely set to nat turned off aka bridge mode, so I can't really explain why, that's what I'm trying to find out.
@hda:…
and I plugged it into the right port (which my D-link used before and worked fine), when I plug in a client into the modem in bridge mode it gets 10.14.255.61 and no internet access
Not MoDem only then… So, what is your public IP on the WAN side of the Netgear ? That public IP should go, MoDem transparent, onto the pfSense-WAN in case of MoDem-only bridge/pass-thru.
But...
If your Netgear is needed as MoDem-router and connected with pfSense-WAN, then give the pfSense-LAN f.i. 192.168.1.1/24
Next a client can get a number like 192.168.1.101
The only IP I can see in the web interface when it's in bridge mode, is cable modem IP address which is 10.14.24.6
And the physical setup is like you mention, modem port 1 goes to pfSense wan, and the lan side is setup like that.
The thing is, when I plug in the D-link instead of pfSense, the D-link's wan port gets my public IP address as it should, pfSense just doesn't
@johnpoz: "when I plug in a client into the modem in bridge mode it gets 10.14.255.61 and no internet access"
And that is NOT bridge mode.. 10.x.x.x is a rfc1918 address and is not routable on the internet. Plain and simple it just is not going to work with such an address if you have nat turned off on the device because you want it to be in bridge mode.. You sure you have internet access at all?
So you're saying you plug in a device and you get internet with that 10.x address? Or it works? Sounds like you have no internet unless you do what? How are you posting this if you have no internet?
If so then post up a ipconfig /all from that machine plugged into your modem that is in bridge mode and do a trace route to say 8.8.8.8
example in the attached I have a private address 192.168, when I try and go to internet I hit my pfsense private lan address at 192.168.1.253, it nats that connection and sends it to my ISP on public IP, in my case 24.13.x.x, that 24.13.x.1 is my ISP gateway, next hops are in the internet be it the isp network or others, etc.
You having 10.x address on something plugged into your modem tells me you have to be doing NAT, either at that device you're plugged into or your ISP is doing it on global scale for all their customers. 10.x is not a public address.. If you were bridging you would see public, unless your isp is doing NAT in their network or your modem is not in bridge, etc.
So let's see your internet connection work with a client plugged in to your modem. Also if pfsense is on private network on its wan, you prob want to turn off block rfc1918 address in the interface setting for your wan interface.
As to using another router down stream.. Dude again you can use it as a switch or AP, etc.. But if you're going to have it NAT you're just going to cause yourself even more grief..
No I never said that I've got internet with a 10.x address, I'm using 4G to post this, I don't get internet with modem in bridge mode and clients connected directly (they get that 10.x address as I posted), or through pfSense (pfSense gets that 10.x address), through the D-link yes I do get internet, but I see that the WAN interface on the D-link gets my public IP, If I turn bridge mode off and connect clients directly to the modem it works as well (again, not with a 10.x address)
The problem is when I connect the pfSense, it keeps getting that 10.x address, whereas with the D-link it works just fine, and it gets my public IP.
Also I don't believe the ISP is doing NAT, in the 2 scenarios I do have internet access, either my Netgear or my D-link is doing NAT.
You wanna see a tracert for a working connection? or is it because you thought I said I had internet access with a 10.x address directly connected to the modem?
And I'm already blocking RFC1818 on WAN interface, and as I tried to explain, the D-link isn't doing nat, I'm just using it as a lan router and then trying to setup pfSense as a perimeter firewall.
-
…
I get my Internet from my ISP by DHCP and not static, when I plug in the D-link instead of pfSense it is working, and the modem is definitely set to nat turned off aka bridge mode, so I can't really explain why, that's what I'm trying to find out.
...Well, if you cannot find out or understand your Netgear & D-Link stuff, forget about the pfSense. It is a brainer. :D
-
Just a wild guess, but try spoofing the MAC address of your D-Link on the WAN interface of pfsense…
-
@hda:
…
I get my Internet from my ISP by DHCP and not static, when I plug in the D-link instead of pfSense it is working, and the modem is definitely set to nat turned off aka bridge mode, so I can't really explain why, that's what I'm trying to find out.
...Well, if you cannot find out or understand your Netgear & D-Link stuff, forget about the pfSense. It is a brainer. :D
But I do understand my "Netgear & D-Link stuff" :P and I have setup Linux distros like ClearOS before which worked like a charm, from what I can tell pfSense should be able to do the same, and it should be setup correctly, so what I can't understand is why it ain't working as it should:P
Just a wild guess, but try spoofing the MAC address of your D-Link on the WAN interface of pfsense…
Thanks, I'm gonna try that, if that doesn't work I'm gonna try and turn off the modem for 48 hours which should give me a new public ip, and then hope that it helps
Edit: Better late than never, but I figured I would update this, spoofing the mac address worked, the second I changed it back (since I want my D-link on the network as well) it stopped working though, but after a call to the ISP, I got them to reset it so it wasn't locked to the mac address of my D-link.
I thank all of you for the help
-
So when you connect your dlink and it gets public IP. Disconnect it and reboot your modem (if it has battery backup on modem pull the battery) then connect pfsense or a client. Does it work then?
Quite often when you change a device connected to a modem you have to reboot it to clear the mac cache on the modem. And I do believe from what I read on that device you have to be connected to port 1 to get the public.
You can use pfsense in double nat, if you can not get bridge mode to work. But if it works with dlink then it should work with anything. Unless for some reason your isp has it locked to that mac of the dlink - if that is the case you can try cloning the mac of the dlink
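
Added example, not part of any post in the thread: a small Python check that classifies the address a WAN interface or test client leased from the modem and maps it to the checks discussed above (RFC 1918 lease means not bridged or a lease tied to another MAC; a private WAN conflicts with the "block rfc1918" WAN setting). The function names and the 100.64.0.10 sample are assumptions made for illustration.

```python
import ipaddress

# Ranges the thread's diagnosis turns on: RFC 1918 private space and the
# RFC 6598 shared range ISPs use for carrier-grade NAT (CGNAT).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def classify(addr):
    """Return 'rfc1918', 'cgnat', 'link-local', 'public' or 'reserved'."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    if ip in LINK_LOCAL:
        return "link-local"
    return "public" if ip.is_global else "reserved"


def diagnose_wan(lease, block_private=True):
    """Hypothetical helper: map a WAN DHCP lease to the thread's checks."""
    kind = classify(lease)
    notes = []
    if kind == "public":
        notes.append("modem is passing the ISP address through (bridged)")
    elif kind == "rfc1918":
        notes.append("not a bridged lease: modem still routing, ISP NAT, "
                     "or lease tied to another device's MAC")
        if block_private:
            notes.append("WAN is on a private network: turn off "
                         "'block rfc1918' on the WAN interface")
    elif kind == "cgnat":
        notes.append("ISP is doing carrier-grade NAT upstream")
    elif kind == "link-local":
        notes.append("no DHCP answer at all: check cabling and modem port")
    else:
        notes.append("reserved address: check where the lease came from")
    return kind, notes


if __name__ == "__main__":
    # Addresses quoted in the thread, plus 100.64.0.10 constructed for CGNAT.
    for lease in ("10.14.255.45", "10.14.255.61", "8.8.8.8", "100.64.0.10"):
        print(lease, *diagnose_wan(lease), sep=" | ")
```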