Netgate Discussion Forum

    Can not get the simplest FW to work :-(

    Scheduled Pinned Locked Moved Firewalling
    16 Posts 5 Posters 2.3k Views
      fw_bob

      @cmb:

      Depends. Maybe your allow any any isn't on an interface where it will do what you think it will, or maybe it's just out of state traffic. You'd have to post exactly what the traffic log looks like to know.

      I have only applied any rules to the LAN interface, I have applied nothing to the WAN interface. Can I dump the rules from the CLI and then post them here? I have ssh access.

      Thanks

        kpa

        You didn't answer my question about the static route on the internet router. It must be there if you choose not to do NAT on the pfSense. Without that route it won't be possible to connect to the hosts that are on pfSense's LAN (192.168.1.128/25) from the network that is between the internet router and pfSense (192.168.1.0/25) because the internet router won't have a clue what to do with traffic destined for the 192.168.1.128/25 network.

          W4RH34D
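To see why the static route kpa asks about matters, here is an added example (not from the thread and not pfSense code) that simulates the ISP router's longest-prefix-match lookup for a reply packet to the MacBook. The routing tables are constructed from the addresses in the thread, the upstream gateway 88.88.88.1 is an assumption, and the /24 variant is a hypothetical misconfiguration added to show the other common failure.

```python
import ipaddress

# Constructed routing tables for the ISP router in the thread's scenario.
# Each entry is (prefix, next_hop); next_hop None means directly connected.
# 88.88.88.1 as the ISP-side gateway is an assumption for illustration.
ISP_ROUTER_NO_STATIC = [
    ("0.0.0.0/0", "88.88.88.1"),          # default route towards the internet
    ("192.168.1.0/25", None),             # the router's own LAN (192.168.1.1/25)
]
# Same router after adding the static route kpa describes, pointing the
# pfSense LAN subnet at pfSense's WAN address 192.168.1.3.
ISP_ROUTER_WITH_STATIC = ISP_ROUTER_NO_STATIC + [
    ("192.168.1.128/25", "192.168.1.3"),
]
# Hypothetical variant: router LAN left as a full /24, so it believes every
# 192.168.1.x host is directly attached and never forwards to pfSense.
ISP_ROUTER_LAN_SLASH24 = [
    ("0.0.0.0/0", "88.88.88.1"),
    ("192.168.1.0/24", None),
]

def longest_prefix_match(table, dst):
    """Return the (network, next_hop) entry with the longest matching prefix."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best

def forwarding_decision(table, dst):
    """Describe what the ISP router does with a packet for dst:
    'internet' - falls through to the default route (the reply never comes back),
    'on-link'  - ARPs for dst on its own LAN (no answer if dst sits behind pfSense),
    or the gateway IP it hands the packet to."""
    net, next_hop = longest_prefix_match(table, dst)
    if net.prefixlen == 0:
        return "internet"
    if next_hop is None:
        return "on-link"
    return next_hop

if __name__ == "__main__":
    macbook = "192.168.1.154"  # host on the pfSense LAN from fw_bob's diagram
    for name, table in [("no static route", ISP_ROUTER_NO_STATIC),
                        ("with static route", ISP_ROUTER_WITH_STATIC),
                        ("LAN as /24", ISP_ROUTER_LAN_SLASH24)]:
        print(f"{name:18s}: reply to {macbook} -> {forwarding_decision(table, macbook)}")
```

Only the table with the static route hands the reply to 192.168.1.3; the other two either send it to the internet or ARP for a host that is not on that segment, which is exactly the symptom of a routed, non-NAT pfSense behind a router that cannot take routes.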

          It took me longer than I'm willing to admit to understand the perspective of incoming and outgoing on the router.

          Can you just go to the log and find a block and auto add the rule?  Then you will know what pfsense likes in the firewall rules.

          Did you really check your cables?

            fw_bob

            @kpa:

            You didn't answer my question about the static route on the internet router. It must be there if you choose not to do NAT on the pfSense. Without that route it won't be possible to connect to the hosts that are on pfSense's LAN (192.168.1.128/25) from the network that is between the internet router and pfSense (192.168.1.0/25) because the internet router won't have a clue what to do with traffic destined for the 192.168.1.128/25 network.

            Hi, thanks for the reminder. I did note the point you made and I am trying to find out if I can add a static route, but I don't think I can. I was trying to use the "DMZ" feature but that doesn't seem to work as expected either.

            The 'router' is a Genexis Titanium-24 and there are not a lot of options on it, I'm afraid. I was hoping to use DMZ as other simple routers seem to do this, but it still doesn't work.

            Maybe I will have to go bridge mode? It seems a common scenario to me, using pfSense behind an ISP supplied router running NAT?

            e.g.:
            INTERNET
            |
            88.88.88.88/24 <- ISP public IP
            Genexis            <- ISP NAT router
            192.168.1.1/25 <- ISP Internal address pool
            |
            |
            192.168.1.3/25
            FireWall            <- pfSense Router
            192.168.1.129/25
            |
            |
            192.168.1.154/25
            Macbook

            What would be the ideal way to use the firewall in this instance?

              kpa

              Ideally you would replace the ISP router with your pfSense system, that is the preferred way to use pfSense in all use cases. If that's not possible your choices are to use bridging, routing on pfSense without NAT (as you have already tried) or do NAT on the pfsense (so called double-NATing).

                johnpoz (LAYER 8 Global Moderator)

                If your internet router does not allow routes, then why do you not just double NAT?  This is like 30 seconds of setup and you're done.

                pfsense wan on network your internet router is in.  Lan on a different network than pfsense wan = done.. This really is 30 seconds of setup..

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                  fw_bob

                  Thanks everyone for all of your help.

                  I am going to try these suggestions at the weekend:

                  • Using DMZ
                  • Double-NAT
                  • Transparent mode

                  Will play with all 3 options and see how it goes.

                  I contacted my ISP (I have FTTP) and they can change my 'router' to a bridge (which would be ideal) but it would cost an extra USD 20+ per month!

                    johnpoz (LAYER 8 Global Moderator)

                    Well either pay the 20+ or just double NAT..  Not sure where you come up with using DMZ? And transparent or bridge mode is just stupid to do if you can not even get a simple plug and play double NAT setup working.. This really should have been 2 minutes tops working..  There are a bajillion sorts of setups where users just plug pfSense in behind their existing ISP NAT router and are up and running in minutes.


                      fw_bob

                      @johnpoz:

                      And transparent or bridge mode is just stupid to do if you can not even get a simple plug and play double nat setup working..

                      Don't know why you think transparent firewall is "just stupid" and I have never tried double NAT because I want to avoid it if I can.

                      Anyway, found time for another play and set up the bridge mode (transparent) and it is all working beautifully.
                      Thanks everyone for your hints and tips. It's very reassuring to see such an active community even with this simple stuff.

                      For the record, it now looks like this:

                      INTERNET
                      |
                      88.88.88.88/24 <- ISP public IP
                      Genexis            <- ISP NAT router running DHCP
                      192.168.1.1/24 <- ISP Internal address pool
                      |
                      |
                      BRIDGE (WAN)
                      FireWall            <- pfSense Router
                      BRIDGE (OPT1, LAN reserved for local admin access)
                      |
                      |
                      192.168.1.0/24
                      Home network

                        johnpoz (LAYER 8 Global Moderator)

                        It's stupid because it serves no purpose and just complicates the setup.. ie stupid!  You could have had this up and running in, really I am serious, 3 freaking minutes tops; if you had a slow box you were installing this on, 2.5 of those minutes would have been the install. 30 seconds is setup time..  Click click done, up and running.

                        Put the pfSense WAN IP in the DMZ host of your ISP NAT router and there you go, up and running, all forwards controlled on pfSense.  You will never notice that you're behind a double NAT unless you're doing something really odd ball.


                          fw_bob

                          @johnpoz:

                          It's stupid because it serves no purpose and just complicates the setup.. ie stupid!  You could have had this up and running in, really I am serious, 3 freaking minutes tops; if you had a slow box you were installing this on, 2.5 of those minutes would have been the install. 30 seconds is setup time..  Click click done, up and running.

                          Put the pfSense WAN IP in the DMZ host of your ISP NAT router and there you go, up and running, all forwards controlled on pfSense.  You will never notice that you're behind a double NAT unless you're doing something really odd ball.

                          Now you're just spoiling things.

                          How do I VPN into my server behind the double NAT? How does that work? How good is IPsec via double NAT?
                          You have very strong opinions, but maybe listen more? Most of my work is inbound, not outbound.

                          Anyway thanks for the help.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.