Netgate Discussion Forum

    Can not get the simplest FW to work :-(

    Firewalling | 16 Posts | 5 Posters | 2.3k Views
• kpa

  You didn't answer my question about the static route on the internet router. It must be there if you choose not to do NAT on the pfSense. Without that route it won't be possible to connect to the hosts that are on pfSense's LAN (192.168.1.128/25) from the network that is between the internet router and pfSense (192.168.1.0/25), because the internet router won't have a clue what to do with traffic destined for the 192.168.1.128/25 network.
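As an added illustration of the routing point in kpa's post (example code, not from the thread and not pfSense's own code): a longest-prefix-match router model built from the addresses in the first diagram, run with and without the static route on the ISP router. The upstream gateway address 88.88.88.1 is a constructed placeholder; the thread does not state it.

```python
import ipaddress


class Router:
    """Minimal IP router model: a name, the addresses it owns, and a route list."""

    def __init__(self, name, addresses, routes):
        self.name = name
        self.addresses = {ipaddress.ip_address(a) for a in addresses}
        # Each route is (prefix, next_hop); next_hop None means directly connected.
        self.routes = [
            (ipaddress.ip_network(prefix), ipaddress.ip_address(nh) if nh else None)
            for prefix, nh in routes
        ]

    def lookup(self, dst):
        """Longest-prefix match: the most specific route containing dst wins."""
        candidates = [r for r in self.routes if dst in r[0]]
        return max(candidates, key=lambda r: r[0].prefixlen, default=None)


def forward(dst, first_hop, routers):
    """Trace a packet hop by hop from first_hop towards dst. Returns (delivered, hops)."""
    dst = ipaddress.ip_address(dst)
    by_addr = {a: r for r in routers for a in r.addresses}
    hops = []
    router = first_hop
    for _ in range(8):  # loop guard
        route = router.lookup(dst)
        if route is None:
            hops.append(f"{router.name}: no route to {dst}")
            return False, hops
        prefix, next_hop = route
        if next_hop is None:
            hops.append(f"{router.name}: {dst} is on-link in {prefix}, delivered")
            return True, hops
        hops.append(f"{router.name}: {dst} matches {prefix} via {next_hop}")
        if next_hop not in by_addr:
            # The next hop is outside the model, i.e. the ISP upstream. RFC 1918
            # space is not routed on the public internet, so the packet is lost.
            hops.append(f"{next_hop} is upstream; private destination {dst} is discarded")
            return False, hops
        router = by_addr[next_hop]
    hops.append("loop guard hit")
    return False, hops


# Addresses from the thread's first diagram; the upstream gateway is a constructed
# placeholder, not something the thread states.
UPSTREAM_GATEWAY = "88.88.88.1"


def build(static_route_on_isp_router):
    """Genexis (ISP router) and pfSense, with or without the static route kpa asks about."""
    genexis_routes = [
        ("192.168.1.0/25", None),          # its LAN, where pfSense WAN (.3) lives
        ("88.88.88.0/24", None),           # public side
        ("0.0.0.0/0", UPSTREAM_GATEWAY),   # default route to the ISP
    ]
    if static_route_on_isp_router:
        genexis_routes.append(("192.168.1.128/25", "192.168.1.3"))  # pfSense LAN via pfSense WAN
    genexis = Router("Genexis", ["192.168.1.1", "88.88.88.88"], genexis_routes)
    pfsense = Router("pfSense", ["192.168.1.3", "192.168.1.129"], [
        ("192.168.1.0/25", None),
        ("192.168.1.128/25", None),
        ("0.0.0.0/0", "192.168.1.1"),
    ])
    return genexis, pfsense


def reach_macbook(static_route_on_isp_router):
    """A host on the ISP LAN sends to the Macbook (192.168.1.154); its first hop is Genexis."""
    genexis, pfsense = build(static_route_on_isp_router)
    return forward("192.168.1.154", genexis, [genexis, pfsense])


if __name__ == "__main__":
    for flag in (False, True):
        delivered, hops = reach_macbook(flag)
        print(f"static route on Genexis = {flag}: delivered = {delivered}")
        for h in hops:
            print("  " + h)
```

Without the static route the only matching entry on the Genexis is its default route, so the packet for 192.168.1.154 leaves towards the ISP and is discarded there; with the /25 route pointing at pfSense's WAN address the more specific prefix wins and pfSense delivers it on its LAN.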
• W4RH34D

  It took me longer than I'm willing to admit to understand the perspective of incoming and outgoing on the router.

  Can you just go to the log and find a block and auto-add the rule? Then you will know what pfSense likes in the firewall rules.

  Did you really check your cables?
• fw_bob

  @kpa:

    You didn't answer my question about the static route on the internet router. It must be there if you choose not to do NAT on the pfSense. Without that route it won't be possible to connect to the hosts that are on pfSense's LAN (192.168.1.128/25) from the network that is between the internet router and pfSense (192.168.1.0/25), because the internet router won't have a clue what to do with traffic destined for the 192.168.1.128/25 network.

  Hi, thanks for the reminder. I did note the point you made and I am trying to find out if I can add a static route, but I don't think I can. I was trying to use the "DMZ" feature but that doesn't seem to work as expected either.

  The 'router' is a Genexis Titanium-24 and there are not a lot of options on it, I'm afraid. I was hoping to use DMZ as other simple routers seem to do this, but it still doesn't work.

  Maybe I will have to go bridge mode? It seems a common scenario to me, using pfSense behind an ISP-supplied router running NAT?

  e.g.:

  INTERNET
  |
  88.88.88.88/24     <- ISP public IP
  Genexis            <- ISP NAT router
  192.168.1.1/25     <- ISP internal address pool
  |
  |
  192.168.1.3/25
  FireWall           <- pfSense router
  192.168.1.129/25
  |
  |
  192.168.1.154/25
  Macbook

  What would be the ideal way to use the firewall in this instance?
• kpa

  Ideally you would replace the ISP router with your pfSense system; that is the preferred way to use pfSense in all use cases. If that's not possible, your choices are to use bridging, routing on pfSense without NAT (as you have already tried), or do NAT on the pfSense (so-called double NATing).
• johnpoz (LAYER 8, Global Moderator)

  If your internet router does not allow routes, then why do you not just double NAT? This is like 30 seconds of setup and you're done.

  pfSense WAN on the network your internet router is in. LAN on a different network than pfSense WAN = done. This really is 30 seconds of setup.

  An intelligent man is sometimes forced to be drunk to spend time with his fools
  If you get confused: Listen to the Music Play
  Please don't Chat/PM me for help, unless mod related
  SG-4860 24.11 | Lab VMs 2.8, 24.11
• fw_bob

  Thanks everyone for all of your help.

  I am going to try these suggestions at the weekend:

  • Using DMZ
  • Double-NAT
  • Transparent mode

  Will play with all 3 options and see how it goes.

  I contacted my ISP (I have FTTP) and they can change my 'router' to a bridge (which would be ideal) but it would cost an extra USD 20+ per month!
• johnpoz (LAYER 8, Global Moderator)

  Well, either pay the 20+ or just double NAT. Not sure where you come up with using DMZ? And transparent or bridge mode is just stupid to do if you cannot even get a simple plug-and-play double NAT setup working. This really should have been 2 minutes tops to get working. There are a bajillion setups where users just plug pfSense in behind their existing ISP NAT router and are up and running in minutes.
• fw_bob

  @johnpoz:

    And transparent or bridge mode is just stupid to do if you cannot even get a simple plug-and-play double NAT setup working.

  Don't know why you think a transparent firewall is "just stupid", and I have never tried double NAT because I want to avoid it if I can.

  Anyway, found time for another play and set up the bridge mode (transparent) and it is all working beautifully.
  Thanks everyone for your hints and tips. It's very reassuring to see such an active community even with this simple stuff.

  For the record, it now looks like this:

  INTERNET
  |
  88.88.88.88/24     <- ISP public IP
  Genexis            <- ISP NAT router running DHCP
  192.168.1.1/24     <- ISP internal address pool
  |
  |
  BRIDGE (WAN)
  FireWall           <- pfSense router
  BRIDGE (OPT1, LAN reserved for local admin access)
  |
  |
  192.168.1.0/24
  Home network
• johnpoz (LAYER 8, Global Moderator)

  It's stupid because it serves no purpose and just complicates the setup, i.e. stupid! You could have had this up and running in, I am serious, 3 freaking minutes tops; if you had a slow box you were installing this on, 2.5 of those minutes would have been the install. 30 seconds is setup time. Click click done, up and running.

  Put the pfSense WAN IP in the DMZ host of your ISP NAT router and there you go, up and running, all forwards controlled on pfSense. You will never notice that you're behind a double NAT unless you're doing something really oddball.
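An added illustration of the DMZ-host arrangement johnpoz describes (example code, not from the thread, pfSense, or the Genexis firmware): a two-stage destination-NAT model in which the Genexis hands every unmatched inbound port to its DMZ host (the pfSense WAN address 192.168.1.3 from the diagram) and pfSense then decides which ports reach the inside. The inside network, the server address 192.168.2.10, the single TCP/443 forward and the source address 203.0.113.7 (documentation space) are constructed for this example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Inbound half of a NAT router: destination NAT from explicit port forwards or a
    DMZ host, then default deny. Outbound (source) NAT is not modelled here."""

    def __init__(self, name, public_ip, forwards=None, dmz_host=None):
        self.name = name
        self.public_ip = public_ip
        self.forwards = dict(forwards or {})  # (proto, dport) -> (inside_ip, inside_port)
        self.dmz_host = dmz_host              # inside IP that receives anything unmatched

    def inbound(self, pkt):
        """Return the packet as rewritten for the inside, or None if dropped here."""
        if pkt.dst != self.public_ip:
            return None  # not addressed to this router's outside address
        rule = self.forwards.get((pkt.proto, pkt.dport))
        if rule is not None:
            inside_ip, inside_port = rule
            return replace(pkt, dst=inside_ip, dport=inside_port)
        if self.dmz_host is not None:
            return replace(pkt, dst=self.dmz_host)  # DMZ host: every other port goes here
        return None  # default deny: no forward, no DMZ host


def traverse(pkt, chain):
    """Push an internet-side packet through each NAT router in turn; return (packet or None, log)."""
    log = []
    for router in chain:
        out = router.inbound(pkt)
        if out is None:
            log.append(f"{router.name}: dropped {pkt.proto}/{pkt.dport} to {pkt.dst}")
            return None, log
        log.append(f"{router.name}: {pkt.dst}:{pkt.dport} -> {out.dst}:{out.dport}")
        pkt = out
    return pkt, log


# Outside addresses follow the thread's diagram (88.88.88.88 public, 192.168.1.3 pfSense WAN).
# The inside server 192.168.2.10 and the single TCP/443 forward are constructed for this example.
SERVER = "192.168.2.10"


def build(dmz_host_set):
    """ISP router with or without pfSense as its DMZ host, then pfSense with one forward."""
    genexis = NatRouter("Genexis", public_ip="88.88.88.88",
                        dmz_host="192.168.1.3" if dmz_host_set else None)
    pfsense = NatRouter("pfSense", public_ip="192.168.1.3",
                        forwards={("tcp", 443): (SERVER, 443)})
    return [genexis, pfsense]


def inbound_result(proto, dport, dmz_host_set=True):
    """Inbound packet from a constructed internet host to the ISP's public address."""
    pkt = Packet(proto, "203.0.113.7", 40000, "88.88.88.88", dport)
    return traverse(pkt, build(dmz_host_set))


if __name__ == "__main__":
    for proto, dport, dmz in (("tcp", 443, True), ("tcp", 22, True), ("tcp", 443, False)):
        final, log = inbound_result(proto, dport, dmz)
        outcome = "delivered to " + final.dst if final else "dropped"
        print(f"{proto}/{dport}, DMZ host set={dmz}: {outcome}")
        for line in log:
            print("  " + line)
```

The model makes the defender's point behind "all forwards controlled on pfSense": once the pfSense WAN address is the DMZ host, the ISP router presents every inbound port to pfSense unfiltered, so pfSense's rule set is the entire inbound policy; TCP/443 reaches the constructed server because pfSense forwards it, TCP/22 dies at pfSense's default deny, and with no DMZ host set nothing gets past the Genexis at all.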
• fw_bob

  @johnpoz:

    It's stupid because it serves no purpose and just complicates the setup, i.e. stupid! You could have had this up and running in, I am serious, 3 freaking minutes tops; if you had a slow box you were installing this on, 2.5 of those minutes would have been the install. 30 seconds is setup time. Click click done, up and running.

    Put the pfSense WAN IP in the DMZ host of your ISP NAT router and there you go, up and running, all forwards controlled on pfSense. You will never notice that you're behind a double NAT unless you're doing something really oddball.

  Now you're just spoiling things.

  How do I VPN into my server behind the double NAT? How does that work? How good is IPsec via double NAT?
  You have very strong opinions, but maybe listen more? Most of my work is inbound, not outbound.

  Anyway, thanks for the help.
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.