PfSense firewall BEHIND router
-
Phil,
Thank you for the reply. The last time I tried to set up pfSense it would not let me set the LAN to DHCP. It kept telling me it had to be static. I don't know if this had to do with my WAN settings being on the same subnet. I will try it again this weekend.
~Magoo
-
I think what Phil is suggesting here is to enable the "Services->DHCP Server" for the static LAN interface.
That way pfSense will have a fixed LAN address (192.168.2.1 within a /24 subnet) and can supply other 192.168.2.??? addresses to everything else you have on that LAN network.
Your PCs and other devices may need to reboot/reconnect to get a new address at first, but it should be pretty seamless.
As Phil mentioned, you definitely can't have LAN and WAN on the same subnet.
-
This is a new DSL modem that my ISP just installed.
A router is doing SPI/NAT and a modem is not! This is your real problem here as I see it.
You could try setting your ISP router into the so-called "bridge mode", so that the router then acts like a pure modem. This would also be my personal first choice to try out.

Internet --- modem --- pfSense --- small switch --- LAN clients
                          |
                          | opened & forwarded ports
                          | DMZ
                          |
                      Game Server

This might be the most common option to handle and solve your "problem" in my eyes.
The second choice would be to create a router cascade or also called "double NAT" situation.
You set up on your ISP router the following things:
Network: 192.168.1.0/24 (255.255.255.0)
IP Address: 192.168.1.1/24 static or fix
DHCP: off

pfSense WAN:
Network: 192.168.1.0/24 (255.255.255.0)
IP Address: 192.168.1.2/24 static or fix
DHCP: off
DNS: 192.168.1.1/24

pfSense LAN:
Network: 192.168.5.0/24 (255.255.255.0)
IP Address: 192.168.5.1/24
DHCP: on IP range from 192.168.5.2 - 192.168.5.254/24
DNS: 192.168.1.2/24
-
It worked!!!!
Thank you both so much. I still have to port forward the game but at least now the Win7 Client is able to access the internet from behind the firewall.
I set WAN to 192.168.1.4 and LAN to 192.168.2.1 and let LAN act as DHCP server. It took a reboot, but after that everything seems fine.
Now I have to figure out how to ban certain IPs (cheaters) that Steam/Valve/Gearbox won't do anything about.
Thanks again.
~Magoo
-
Okay,
Now I have the game server up and going. Firewall question …
I have made aliases with all the IPs that I would like to ban. I have called them:
A_cheaters
B_cheaters
C_cheaters
etc.
In order to ban these IPs from communicating with my server I will place a firewall rule for each one of them. For this to work I will put the rule on?...
Rule on LAN source - A_cheaters, destination?
I am not sure if the destination should be LAN address or LAN net. If I only ban the UDP protocol, will this speed up the throughput for less lag, or should I leave it to ban any protocol?
Or is the above totally off base, and the ban should go on the WAN?
~Magoo
-
If you do not want those IPs in your aliases to get to your server through your forwards, then you want to put them in rules on your WAN BEFORE you allow the traffic in on your forward.
Or they need to be included in your NAT where your source is a NOT, and then an alias listing the IPs you don't want in. That is difficult with multiple aliases.
When you put a rule on the LAN, that would be traffic outgoing from your LAN. So if your server was going to create the connection to those IPs then you would want them on the LAN side of it. But if you allow them in, this will create a state. And then your server would be allowed to answer no matter what rule you had on the LAN side saying not to talk to those IPs.
Rules are looked at INBOUND to an interface... Top down, first rule wins.
So you have to look at where pfSense would first see the SYN, i.e. the start/request for a conversation. For stuff inbound into your network starting conversations this is on your WAN. For your devices on your LAN starting conversations outside of LAN, this would be the LAN interface.
-
Thank you for the reply.
To see if I understand, if I want to ban "A_cheaters" alias list I would put:
Firewall --> Rules --> WAN --> Add new rule --> Block, WAN, IPv4, any protocol, source = single host or alias - A_cheaters, destination = any?
If I wanted to further ensure that my server doesn't make an outgoing connection to these I would put the same rule on the LAN where source = ?, destination = A_cheaters.
If my computer does connect to any of these IPs from my end, then it will negate the incoming firewall blocking rule.
Correct?
-
If you don't want your servers connecting to those IPs, i.e. creating the connection to them (not answering), then yes, the rule would go on your LAN. Not sure where your server would ever make a connection to them??
As for your WAN rule, yeah, putting those blocks at the top of your rules list would prevent them from hitting any allow rules for your forwards.
-
Ok thanks, I think I have it. I'm still not sure what the destination for the WAN rule should be, so I set it to any.
Steam has been allowing cheaters to still join my server by routing them through a Valve server. That is why I am interested in the outbound blocks as well. The game I am hosting is peer-to-peer. I have noticed that banned IPs still connect via Valve. If needed, I will ban the Valve servers to keep them from allowing the cheaters in.
~Magoo
-
Your destination would normally be your WAN IP. Since, to be honest, that is the ONLY IP it could ever be the dest for.
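The rule evaluation described in the thread (rules checked inbound on the interface where pfSense first sees the conversation, top down, first match wins, and a passed connection creating a state that lets the reply through regardless of LAN rules) plus the "destination = WAN address" point, modelled as an added Python example; this is not pfSense code and not from any poster. The alias name and the 192.168.1.4 WAN address are taken from the posts; the cheater IPs (RFC 5737 test space) and the 192.168.2.50 game server host are constructed.

```python
from dataclasses import dataclass, field

# Constructed example: WAN address and alias name follow the thread, the
# "cheater" IPs are RFC 5737 test addresses, the game server host is invented.
WAN_IP = "192.168.1.4"
ALIASES = {"A_cheaters": {"203.0.113.10", "203.0.113.11"}}

@dataclass
class Rule:
    action: str          # "block" or "pass"
    src: str = "any"     # "any", an alias name, or an IP
    dst: str = "any"     # "any", "WAN address", an alias name, or an IP
    proto: str = "any"   # "any", "udp", "tcp"

def _addr_match(spec, addr):
    if spec == "WAN address":
        return addr == WAN_IP
    return spec == "any" or addr in ALIASES.get(spec, {spec})

@dataclass
class Firewall:
    rules: dict                               # interface -> ordered Rule list
    states: set = field(default_factory=set)  # (remote_ip, proto) already allowed

    def packet(self, iface, src, dst, proto):
        # Reply traffic of an existing state bypasses the rule set entirely.
        remote = src if iface == "wan" else dst
        if (remote, proto) in self.states:
            return "pass (state)"
        for r in self.rules.get(iface, []):   # top down, first match wins
            if _addr_match(r.src, src) and _addr_match(r.dst, dst) and r.proto in ("any", proto):
                if r.action == "pass":
                    self.states.add((remote, proto))
                return r.action
        return "block (default deny)"

FORWARD = Rule("pass", "any", "WAN address", "udp")   # the game port forward's allow rule
BAN_IN = Rule("block", "A_cheaters", "WAN address")   # WAN block rule discussed in the thread
BAN_OUT = Rule("block", "any", "A_cheaters")          # LAN block rule discussed in the thread

def ban_above_forward():
    fw = Firewall({"wan": [BAN_IN, FORWARD], "lan": [BAN_OUT, Rule("pass")]})
    return fw.packet("wan", "203.0.113.10", WAN_IP, "udp")   # cheater never reaches the forward

def ban_below_forward():
    fw = Firewall({"wan": [FORWARD, BAN_IN], "lan": [BAN_OUT, Rule("pass")]})
    joined = fw.packet("wan", "203.0.113.10", WAN_IP, "udp")         # forward wins, state created
    reply = fw.packet("lan", "192.168.2.50", "203.0.113.10", "udp")  # LAN block rule never consulted
    return joined, reply
```

Swapping the order of the two WAN rules is the whole difference between the cheater being dropped and the server happily answering him through the state.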