Attempting to Install pfSense on P6T Deluxe V2
-
Keep at it, from what you've described you ARE close to a basic working setup.
It just gets better after that ;)
Welcome to pfSense!
-
Close, yet so far away…
Something is still not right. Instead of using the same subnet of 192.168.1.3 for the LAN IP I changed it to 192.168.10.3 but I was never able to connect to the pfSense web configuration again. WAN is set to DHCP6 and my router/modem is set to bridged mode.
I also tried enabling the DHCP server function in pfSense but I don't think it was configured right. I ended up just getting a message on the dashboard that said the IP pool was invalid or something. I wanted the same range of 192.168.1.100 to 192.168.1.250 for my local devices but I don't think any of the computers on the network were actually getting IPs from pfSense.
The good news is that the motherboard and NICs I am using haven't died yet, so that's something.
-
If you changed the LAN IP to 192.168.10.3 then that implies your LAN subnet for all your local devices will be 192.168.10.0/24.
That means your DHCP pool (you want DHCP on LAN) must be in that subnet, eg 192.168.10.100-192.168.250.63 to give you a similar dynamic range to what you have now.
That does mean your home devices are going to change from 192.168.1.100 to 192.168.10.100 for example.
In the end this will be a good thing for your network although it can be disconcerting at first.
I'll bet if you make that change and renew your IP address on the PC that's trying to connect, you'll find you have access again with a new local IP address.
-
I think my whole problem is my modem/service… when I switch from normal mode to bridged mode it resets and then I can't seem to connect to it, even when I attach a workstation directly, bypassing everything. If I eventually am able to log into it I notice that my WAN IP is IPv4 and not IPv6. But when I look up my public IP via browser it's clearly IPv6.
That's what it looks like when pfSense is not implemented. Pretty normal, devices getting IP from modem/router etc. Once I install the pfSense unit I can see that the DHCP server changes but I am never able to connect.
Which IP do I enter for WAN? or do I set it to DHCP6? Or am I just confusing myself? :P
-
Unless you're actively set up for IPv6, I would leave that disabled for now to simplify things.
If you're getting an IP address of 192.168.1.x in Bridge mode - er, then you're not in Bridge mode or your modem switches out IPv4 when you ask for IPv6.
You should get a valid external IPv4 address not a 192.168.x.x variant.
Your WAN should normally be set up to DHCP IPv4.
Woops, just noticed you have DHCP enabled on the Xfinity, that shouldn't be the case in bridge mode.
Where/how did you think you've changed modes in the modem/router?
Does your ISP give you any helpful tips in this area?
-
I found a thread on the ComCast forums that may be helpful, it has explicit instructions for changing over to Bridge mode:
http://forums.xfinity.com/t5/Home-Networking-Router-WiFi/Gateways-and-Bridge-Mode/td-p/2419143
-
Thanks, I wasn't aware that enabling bridge mode made it so only one port worked… that might explain why I couldn't access the modem afterward.
I will keep trying to figure this out; I will probably opt to use a mini itx board with dual LAN ports for pfSense, since they use a lot less power. That may actually make it a little easier to figure out as well, since the NIC I am currently using probably isn't compatible.
-
Yah, the general idea around Bridge mode is to bypass all the "router" functions of the dual mode device so you get a modem only setting.
That means all the nice router features are gone, but on the plus side pfSense can easily do those functions - and many more.
One last caveat, you're going to end up needing some other means of providing WiFi as that feature will be turned off in the Xfinity as well.
Most people simply attach a WiFi Access Point on their pfSense LAN (a WiFi router with DHCP turned off works well).
-
Yes I have a pair of access points on the network, we never connected directly to the wifi on the router/modem anyway.
I kind of gave up on the setup I was using, but I have a mini ITX board with an NVIDIA network controller and a Realtek PCIe card installed. Again, both interfaces are detected and I can assign the IP addresses no problem but I was never able to connect and see the web configuration.
Is it possible to leave the modem as the DHCP server for the LAN and have pfSense act as a forwarder? Reason being my modem seems to become inaccessible once bridged mode is enabled. On one occasion it set its own IP to 10.0.0.1 and I had to figure that out simply by bringing up the IP configuration via command prompt.
Having pfSense not be the router seems anti-productive but I just can't seem to get it to work :-\
-
You can try starting with a dual-nat setup to prove that pfSense will work for you.
The cabling is generally set up like:
Internet<->[ISP modem/router]{LAN}<->{WAN}[pfSense]{LAN}<->[NetworkSwitch]<->PC's
                                                                          |->WiFi AP's
                                                                          |->Everything else
The modem/router is left in "Normal" mode and provides DHCP on its LAN port.
pfSense is set up for DHCP on WAN (default) and should get an internal IP address from your modem/router.
You'll want DHCP configured on the pfSense LAN interface as well so your various devices can get an address on your LAN network.
Make sure your pfSense LAN subnet is different from the subnet given by your modem/router to the pfSense WAN interface.
If all is well, devices connected to your switch should be able to get an IP address.
You should be able to reach the Web GUI at the LAN interface address you set up and you can make sure you have a LAN Firewall rule allowing "Any - Any" to give you outgoing internet access for your devices.
Once this works, you can:
1) Mess with double port forwards from your modem/router to pfSense and then on to internal devices that need them.
2) Take another stab at changing the modem/router back to bridge mode and figure out what you need to do to get internet access in bridge mode.
3) Give up for a while and relax with a cold one or two until you're ready to attack 1) or 2) again (always my favorite) ;)
Don't give up, this stuff is all doable, you just need your "Aha!" moment…
-
Alright, I think I know what to do. Since the pfSense device isn't the DHCP server it needs an internal IP from my modem/router. Enabling DHCP on the LAN interface makes it so the rest of my devices can get their IP's from the modem/router and through the firewall (pfSense)? I do have a question about the upstream gateway… is that asking for the local IP of my modem/router? I entered that figuring that's what it meant but it didn't really seem to do much. Is that something that only gets configured for the WAN interface?
-
Alright, I think I know what to do. Since the pfSense device isn't the DHCP server it needs an internal IP from my modem/router.
Not exactly, on pfSense you set up the WAN interface to use DHCP to automatically get a WAN IP address from the modem.
Because your modem is also a router, the address pfSense gets will be an "internal" RFC1918 address that cannot be routed on the Internet (192.168.x.x for eg.)
You need to make sure the pfSense WAN interface is set up for DHCP on IPv4, None on IPv6 and uncheck the box that says "Block private networks and loopback addresses".
Enabling DHCP on the LAN interface makes it so the rest of my devices can get their IP's from the modem/router and through the firewall (pfSense)? I do have a question about the upstream gateway… is that asking for the local IP of my modem/router? I entered that figuring that's what it meant but it didn't really seem to do much. Is that something that only gets configured for the WAN interface?
pfSense does provide DHCP on its LAN interface (make sure to set it up that way).
DHCP on the pfSense LAN interface is provided to all your attached devices so that they get an "internal" (RFC1918) address that matches the subnet defined for the LAN interface.
They will ask pfSense to tell them how to get "out to the internet" (or anywhere other than their LAN subnet).
The neat thing is they have no idea (nor do they need any) how pfSense does that, they don't know about the modem/router or the WAN IP.
They know the address/subnet pfSense gave them and that the pfSense LAN address is where they can go to get "outside".
This is why you DO NOT WANT to enter a gateway address anywhere, leave it at default and pfSense can make things work.
Another subtle gotcha in this setup is that the pfSense LAN subnet CANNOT be the same as the subnet handed out by the modem/router.
This goes back to my earlier advice to move off of the "default" RFC1918 addresses (192.168.0.x,192.168.1.x, etc)
As always, the description of these setups is always WAAAAAY longer than actually doing them.
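The addressing rules discussed in this thread (DHCP pool inside the LAN subnet, LAN subnet different from the WAN subnet, private WAN address behind a modem/router) can be checked before touching the firewall. This is an added example, not part of any post in the thread; `check_plan` is a hypothetical helper and the sample addresses are constructed.

```python
import ipaddress as ip

def check_plan(wan_if, lan_if, pool_start, pool_end, block_private_on_wan):
    """Return a list of problems with a pfSense dual-NAT addressing plan.

    wan_if / lan_if are interface addresses in CIDR form, e.g. "10.0.0.23/24".
    """
    wan = ip.ip_interface(wan_if)
    lan = ip.ip_interface(lan_if)
    start, end = ip.ip_address(pool_start), ip.ip_address(pool_end)
    problems = []

    # The LAN subnet must differ from the subnet the modem/router hands to WAN.
    if lan.network.overlaps(wan.network):
        problems.append("LAN subnet overlaps WAN subnet")

    # The DHCP pool has to sit inside the LAN subnet, in ascending order,
    # and must not include the LAN interface's own address.
    if start not in lan.network or end not in lan.network:
        problems.append("DHCP pool is outside the LAN subnet")
    elif start > end:
        problems.append("DHCP pool start is above pool end")
    elif start <= lan.ip <= end:
        problems.append("LAN interface address is inside the DHCP pool")

    # Behind a modem/router the WAN address is RFC1918, so the WAN option
    # "Block private networks and loopback addresses" must be unchecked.
    if wan.ip.is_private and block_private_on_wan:
        problems.append("WAN is private but private networks are blocked on WAN")
    return problems

# Constructed sample plans: (WAN, LAN, pool start, pool end, block-private flag)
SAMPLES = {
    "LAN moved, pool left on old subnet":
        ("192.168.1.50/24", "192.168.10.3/24", "192.168.1.100", "192.168.1.250", False),
    "LAN and WAN on the same subnet":
        ("192.168.1.50/24", "192.168.1.3/24", "192.168.1.100", "192.168.1.250", True),
    "dual-NAT plan with distinct subnets":
        ("192.168.1.50/24", "192.168.10.3/24", "192.168.10.100", "192.168.10.250", False),
}

if __name__ == "__main__":
    for name, plan in SAMPLES.items():
        print(f"{name}: {check_plan(*plan) or 'OK'}")
```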