Netgate Discussion Forum
    Can not get the simplest FW to work :-(

    Firewalling
    fw_bob

      I am just starting out with my new pfSense and I am sure I have something very simple wrong. Ideas welcome.
      Here is the setup:

      router to internet
      192.168.1.1/25
        |
        |
      192.168.1.3/25
      pfSense
      192.168.1.129/25
        |
        |
      192.168.1.154/25 (from DHCP)

      FW rule on WAN: Any Any Any (allow everything)
      FW rule on LAN: Any Any Any (allow everything)
      NAT: Turned off
      Default Gateway on WAN only: 192.168.1.1

      From the pfSense all is good. From a shell I can get DNS and IP no issue.
      When I move to the Macbook on the LAN I get nothing.

      I have run pcap on the pfSense and I can see a ping being sent on the WAN and the reply being received on the WAN, but nothing on the LAN.

      Something very simple is wrong I am sure. Any ideas??
      Thanks

      kpa

        That's an odd set up for sure with the /25s, why can't you just use /24s like the rest of us do ;D

        Does the internet router know how to reach 192.168.1.128/25? It should have a static route in its routing table with 192.168.1.3 as the target (next hop) for the 192.168.1.128/25 subnet.

        Also, make sure you turn off the "Block private networks and loopback addresses" option in the WAN interface setup.

        fw_bob

          That is all working ok as I see the packets arrive at the pfSense in the packet capture.

          I have noticed this in the logs:

          @5(1000000103) block drop in log inet all label "Default deny rule IPv4"

          That makes sense but why isn't my permit any any overriding that deny?

          fw_bob

            @kpa:

            That's an odd set up for sure with the /25s, why can't you just use /24s like the rest of us do ;D

            You got me thinking, I could change it all to a /24 and use bridging?
            Would that make it any easier?

            I have used /25 to split the 192.168.1.0 into 2 networks for routing and to avoid NAT. The internet router is using NAT already.

            cmb

              Using the /25s is fine, though potentially confusing for some future admin (unless it's just your own network).

              You could bridge, but that won't necessarily make anything any easier (other than you won't need routing back on "router to Internet" as labeled in original post).

              @fw_bob:

              I have noticed this in the logs:

              @5(1000000103) block drop in log inet all label "Default deny rule IPv4"

              That makes sense but why isn't my permit any any overriding that deny?

              Depends. Maybe your allow any any isn't on an interface where it will do what you think it will, or maybe it's just out of state traffic. You'd have to post exactly what the traffic log looks like to know.

              fw_bob

                @cmb:

                Depends. Maybe your allow any any isn't on an interface where it will do what you think it will, or maybe it's just out of state traffic. You'd have to post exactly what the traffic log looks like to know.

                I have only applied any rules to the LAN interface; I have applied nothing to the WAN interface. Can I dump the rules from the CLI and then post them here? I have ssh access.

                Thanks

                kpa

                  You didn't answer my question about the static route on the internet router. It must be there if you choose not to do NAT on the pfSense. Without that route it won't be possible to connect to the hosts that are on pfSense's LAN (192.168.1.128/25) from the network that is between the internet router and pfSense (192.168.1.0/25) because the internet router won't have a clue what to do with traffic destined for the 192.168.1.128/25 network.

                  W4RH34D

                    It took me longer than I'm willing to admit to understand the perspective of incoming and outgoing on the router.

                    Can you just go to the log and find a block and auto add the rule? Then you will know what pfsense likes in the firewall rules.

                    Did you really check your cables?

                    fw_bob

                      @kpa:

                      You didn't answer my question about the static route on the internet router. It must be there if you choose not to do NAT on the pfSense. Without that route it won't be possible to connect to the hosts that are on pfSense's LAN (192.168.1.128/25) from the network that is between the internet router and pfSense (192.168.1.0/25) because the internet router won't have a clue what to do with traffic destined for the 192.168.1.128/25 network.

                      Hi, thanks for the reminder. I did note the point you made and I am trying to find out if I can add a static route, but I don't think I can. I was trying to use the "DMZ" feature but that doesn't seem to work as expected either.

                      The 'router' is a Genexis Titanium-24 and there are not a lot of options on it I'm afraid. I was hoping to use DMZ as other simple routers seem to do this, but it still doesn't work.

                      Maybe I will have to go bridge mode? It seems a common scenario to me, using pfSense behind an ISP supplied router running NAT?

                      e.g.:
                      INTERNET
                      |
                      88.88.88.88/24 <- ISP public IP
                      Genexis            <- ISP NAT router
                      192.168.1.1/25 <- ISP Internal address pool
                      |
                      |
                      192.168.1.3/25
                      FireWall            <- pfSense Router
                      192.168.1.129/25
                      |
                      |
                      192.168.1.154/25
                      Macbook

                      What would be the ideal way to use the firewall in this instance?

                      kpa

                        Ideally you would replace the ISP router with your pfSense system, that is the preferred way to use pfSense in all use cases. If that's not possible your choices are to use bridging, routing on pfSense without NAT (as you have already tried) or do NAT on the pfsense (so called double-NATing).

                        johnpoz LAYER 8 Global Moderator

                          If your internet router does not allow routes, then why do you not just double nat? This is like 30 seconds of setup and you're done.

                          pfsense wan on network your internet router is in.  Lan on a different network than pfsense wan = done.. This really is 30 seconds of setup..

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                          fw_bob

                            Thanks everyone for all of your help.

                            I am going to try these suggestions at the weekend:

                            • Using DMZ
                            • Double-NAT
                            • Transparent mode

                            Will play with all 3 options and see how it goes.

                            I contacted my ISP (I have FTTP) and they can change my 'router' to a bridge (which would be ideal) but it would cost an extra USD 20+ per month!

                            johnpoz LAYER 8 Global Moderator

                              Well either pay the 20+ or just double nat.. Not sure where you come up with using dmz? And transparent or bridge mode is just stupid to do if you can not even get a simple plug and play double nat setup working.. This really should have been 2 minutes tops working.. There are a bijallian sort of setups where users just plug pfsense in behind their existing isp nat router and up and running in minutes.

                              fw_bob

                                @johnpoz:

                                And transparent or bridge mode is just stupid to do if you can not even get a simple plug and play double nat setup working..

                                Don't know why you think transparent firewall is "just stupid" and I have never tried double NAT because I want to avoid it if I can.

                                Anyway, found time for another play and setup the bridge mode (transparent) and it is all working beautifully.
                                Thanks everyone for your hints and tips. It's very reassuring to see such an active community even with this simple stuff.

                                For the record, it now looks like this:

                                INTERNET
                                |
                                88.88.88.88/24 <- ISP public IP
                                Genexis            <- ISP NAT router running DHCP
                                192.168.1.1/24 <- ISP Internal address pool
                                |
                                |
                                BRIDGE (WAN)
                                FireWall            <- pfSense Router
                                BRIDGE (OPT1, LAN reserved for local admin access)
                                |
                                |
                                192.168.1.0/24
                                Home network

                                johnpoz LAYER 8 Global Moderator

                                  It's stupid because it serves no purpose and just complicates the setup.. ie stupid! You could have had this up and running like really I am serious 3 freaking minutes tops if you had a slow box you were installing this on 2.5 of those minutes would have been the install. 30 seconds is setup time.. Click click done up and running.

                                  Put pfsense wan IP in the DMZ host of your isp nat router and there you go up and running all forwards controlled on pfsense. You will never notice that you're behind a double nat unless you're doing something really odd ball.

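The two remedies argued over in this thread, kpa's static route on the Genexis for 192.168.1.128/25 via 192.168.1.3 and johnpoz's double NAT with the pfSense LAN on a different network, can be checked against a small routing model. The following is an added example, not code from the thread or from pfSense. It uses the addresses from fw_bob's diagrams and assumes, as constructed values, 88.88.88.1 for the ISP's upstream gateway, 8.8.8.8 as an external ping target, and a pfSense LAN of 192.168.2.0/24 with host 192.168.2.10 for the double-NAT case. It traces the outbound ping and then the echo reply as the Genexis sees it after undoing its own NAT: without the static route the reply to 192.168.1.154 matches only the default route and is sent back upstream, so it never reaches the LAN; with the route it is forwarded to pfSense; with NAT on pfSense the reply is addressed to 192.168.1.3, which the Genexis already knows, so no route is needed.

```python
"""Constructed model of the topology in this thread (not pfSense's own code):
why return traffic for the pfSense LAN dies at the ISP router unless that
router has a static route for the LAN subnet, and why double NAT avoids
the need for one."""
from ipaddress import ip_address, ip_network


class Router:
    """Node with a longest-prefix-match table; next_hop None = directly connected."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ip_network(net), ip_address(hop) if hop else None)
                       for net, hop in routes]

    def lookup(self, dst):
        best = None
        for net, hop in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best


def trace(start, dst, nodes):
    """Follow next hops from `start` until dst is on a connected network, the
    packet leaves through a hop no modelled node owns (the ISP uplink), or a
    router has no matching route. Returns (path, verdict)."""
    dst = ip_address(dst)
    path, node = [start.name], start
    for _ in range(16):  # hop limit, in case a table loops
        match = node.lookup(dst)
        if match is None:
            return path, "no route"
        _net, hop = match
        if hop is None:  # directly connected: hand off to the owner of dst, if modelled
            if dst in nodes:
                path.append(nodes[dst].name)
            return path, "delivered"
        if hop not in nodes:  # next hop is outside the model, i.e. the ISP uplink
            path.append("upstream")
            return path, "sent upstream"
        node = nodes[hop]
        path.append(node.name)
    return path, "loop"


def build(lan_net, host, isp_static_route):
    """Thread topology: Genexis 192.168.1.1/25 NATing to the internet, pfSense
    WAN 192.168.1.3/25, pfSense LAN = first address of lan_net, one LAN host.
    88.88.88.1 is a constructed stand-in for the ISP's upstream gateway."""
    lan_gw = str(ip_network(lan_net)[1])
    isp_routes = [("192.168.1.0/25", None), ("0.0.0.0/0", "88.88.88.1")]
    if isp_static_route:
        isp_routes.append((lan_net, "192.168.1.3"))  # the route kpa asked about
    isp = Router("genexis", isp_routes)
    pfsense = Router("pfsense", [("192.168.1.0/25", None), (lan_net, None),
                                 ("0.0.0.0/0", "192.168.1.1")])
    macbook = Router("macbook", [(lan_net, None), ("0.0.0.0/0", lan_gw)])
    nodes = {ip_address("192.168.1.1"): isp, ip_address("192.168.1.3"): pfsense,
             ip_address(lan_gw): pfsense, ip_address(host): macbook}
    return isp, pfsense, macbook, nodes


def outbound_path(lan_net, host, isp_static_route=False):
    """Ping from the LAN host towards 8.8.8.8 (constructed external address)."""
    _, _, macbook, nodes = build(lan_net, host, isp_static_route)
    return trace(macbook, "8.8.8.8", nodes)


def reply_path(lan_net, host, isp_static_route, nat_on_pfsense=False):
    """The echo reply after the Genexis has undone its own NAT. Its destination
    is whatever source it forwarded out: the LAN host itself when pfSense only
    routes, or pfSense's WAN address when pfSense NATs too (double NAT)."""
    isp, pfsense, _, nodes = build(lan_net, host, isp_static_route)
    path, verdict = trace(isp, "192.168.1.3" if nat_on_pfsense else host, nodes)
    if nat_on_pfsense and verdict == "delivered":
        # pfSense's state table maps the reply back to the LAN host and forwards it
        lan_path, verdict = trace(pfsense, host, nodes)
        path += lan_path[1:]
    return path, verdict


if __name__ == "__main__":
    print("outbound, routed /25:  ", outbound_path("192.168.1.128/25", "192.168.1.154"))
    print("reply, no static route:", reply_path("192.168.1.128/25", "192.168.1.154", False))
    print("reply, static route:   ", reply_path("192.168.1.128/25", "192.168.1.154", True))
    print("reply, double NAT:     ", reply_path("192.168.2.0/24", "192.168.2.10", False, True))
```

The outbound trace succeeds in every variant, which is why a capture on the pfSense WAN can look healthy while the LAN stays silent: the failure is on the return path at a device pfSense does not control. The model deliberately treats the Genexis as a plain longest-prefix-match router; the thread's other finding, that its DMZ feature does not supply the missing route, is exactly why the double-NAT variant needs nothing from it beyond a connected address.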
                                    fw_bob

                                    @johnpoz:

                                    It's stupid because it serves no purpose and just complicates the setup.. ie stupid! You could have had this up and running like really I am serious 3 freaking minutes tops if you had a slow box you were installing this on 2.5 of those minutes would have been the install. 30 seconds is setup time.. Click click done up and running.

                                    Put pfsense wan IP in the DMZ host of your isp nat router and there you go up and running all forwards controlled on pfsense. You will never notice that you're behind a double nat unless you're doing something really odd ball.

                                    Now you're just spoiling things.

                                    How do I VPN into my server behind the double-NAT? How does that work? How good is IPSEC via double NAT?
                                    You have very strong opinions, but maybe listen more? Most of my work is inbound, not outbound.

                                    Anyway thanks for the help.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.