How to configure pfSense using a Hitron router?
-
Thanks for the heads up guys. Yes, as you may have guessed, I am new to this whole thing of pfSense and creating my own router/firewall. I am technically sound with my main job role (when in work) being a computer engineer / programmer but more from a PC standpoint rather than infrastructure.
From what I'm reading I'm taking it that you don't advise using a dual DHCP; one pre and one post pfSense as the WiFi would not be protected by pfSense at all.
I do have an old (Netgear VM Residential) router, which to be honest I preferred to the Hitron. I'm thinking about possibly using this post pfSense as an AP and using the Hitron as the front end / gateway only. It's all experimental to me at this stage but I understand why you suggest using a new AP.
The main reason I haven't looked at the Netgear right now is that I'm not sure about its functionality when not connected to the Virgin cable infrastructure or even if it will function at all. I'll give it a go and will post back on whether that has been successful or not.
In the meantime, if I have incorrectly understood what you are suggesting then please feel free to comment back, or if you think of anything else, I'd always be grateful.
Thanks again in advance.
-
You will want to use the Netgear VM Residential router as just a basic WiFi access point (AP). For that you need to:
- Do not connect its WAN side to anything
- Connect its LAN side to your local LAN (e.g. to the switch on the LAN side of pfSense)
- Disable any DHCP on the Netgear VM Residential router
- Set up its WiFi SSID/password…
The idea is that WiFi users will get an IP address from DHCP on pfSense LAN, and will use pfSense LAN as their gateway. The Netgear VM Residential "router" will just be bridging packets between WiFi and pfSense LAN.
-
Hi Phil and thanks for the reply. My initial concern was that, because there was no physical network connection from Virgin, the unit would not boot and enable configuration of the unit, but it does; it just shows a blinking light to show there's no connection to the Virgin network. I have managed to configure it how I would like and I have set up the WiFi section as it would have been on the Hitron (using 2G and 5G). I have disabled the DHCP and made sure there are no ports being forwarded and will be using a single Cat-5 cable to connect in line to the pfSense PC. I may even use the other 3 ports as an additional switch if I go over capacity with the current one I have.
I am now going to reinstall the server on my spare PC and start from scratch with the following IP settings.
Hitron (Gateway): 192.168.0.1
pfSense WAN: 192.168.0.2 (Gateway: 192.168.0.1)
pfSense LAN: 192.168.1.1
pfSense WiFi (Netgear): 192.168.1.2 (Front of building)
pfSense WiFi #2: 192.168.1.3 (Rear of building) <- This is a sticking point as I would rather make this a repeater rather than a separate WiFi but not sure if I can do this as it's Wireless N but only 2G. In addition I have never really understood how repeaters work; is it a simple case of making sure they have the same SSID and passphrase or is it more in depth than that?
LAN range: 192.168.1.150 to 192.168.1.200
Static IP: [DHCP Reserved] (< 192.168.1.150) for servers, PCs, VoIP phones, printers
I was thinking possibly of changing the LAN to use the 10.0.0.0 or 172.16.0.0 private addressing just to make sure there's some distinction between WAN and LAN but I'm not sure if that would really be necessary.
Any further tips greatly received.
-
That will work. And I would change the LAN to be in one of those other parts of private IPv4 address space. Choose something like 10.42.42.0/24 (pick your own "random" numbers in place of "42").
In future you might setup some VPN to/from somewhere or road warrior. If the other end of the VPN happens to be in some coffee shop or friend's home that uses 192.168.1.0/24 for its local LAN, then it will be a hassle. Moving your LAN range elsewhere reduces the chance of having a future conflict.
-
Never thought about it in that way before. I won't want to connect whilst out and about too often anyway so I wasn't really thinking of adding a VPN just yet. It is something I'm thinking of for the future though. For now I'm just going to get the server/router/WiFi setup and running correctly and then make a backup so when I do decide to add other features I have something to go back to when I mess up ;)
-
OK, everything is up and running, well, almost!
I have no clue why but I am unable to access any of my web hosts or mail servers externally.
I have created the required rules (I think) as shown in the attachments. I would have included them in the message but I can't as I can't access my sites externally (hence the reason for this post).
I can go anywhere and browse anything, I just can't get anything to come in. What have I missed?
As always, thanks in advance…
-
Is the Hitron device in some bridging mode so that pfSense WAN gets the public IP address?
If not, are the needed ports forwarded from the Hitron public internet side through to the pfSense WAN IP?
Something of the above needs to happen for packets arriving at the public IP to find their way into pfSense.
-
You just wanted to get rid of the Hitron router functions, but instead of doing it you have built a double NAT, using private addresses. This was NOT a good idea. You need to get a public IP on your pfSense WAN address.
http://www.rogers.com/web/support/internet/home-networking/247?setLanguage=en DO that and put your pfSense WAN interface to DHCP.
-
Even if you forward on your Hitron to the pfSense WAN, since you're double NATting, that forward is going to be RFC1918, and you still have the block RFC1918 addresses option enabled.
-
@w0w:
You just wanted to get rid of the Hitron router functions, but instead of doing it you have built a double NAT, using private addresses. This was NOT a good idea. You need to get a public IP on your pfSense WAN address.
http://www.rogers.com/web/support/internet/home-networking/247?setLanguage=en DO that and put your pfSense WAN interface to DHCP.
As I explained in my original post, this is not possible as the Hitron from VB, as it currently stands, will only allow a DYNAMIC and not a STATIC IP to work when this mode is activated. However, I will try again, but I will need to reconfigure my router system as the IP address changes (on the Hitron) from 192.168.0.1 to 192.168.100.1, which is not changeable.
As for the private addressing I did this on suggestion from phil.davis.
Are you saying it's the WAN that needs to have the DHCP? I thought this was supposed to be on the LAN which is how it's currently configured.
Is the Hitron device in some bridging mode so that pfSense WAN gets the public IP address?
If not, are the needed ports forwarded from the Hitron public internet side through to the pfSense WAN IP?
Something of the above needs to happen for packets arriving at the public IP to find their way into pfSense.
I even tried turning on DMZ on the Hitron to the WAN IP but this didn't resolve the issue either.
Even if you forward on your Hitron to the pfSense WAN, since you're double NATting, that forward is going to be RFC1918, and you still have the block RFC1918 addresses option enabled.
So should this "block" be disabled? Sorry, I'm still new to all this and I don't really understand what RFC1918 is all about. All I know after reading a few snippets about it is that it was implemented to get ready for IPv6 and to prevent IPv4 from running out. Source: http://whatis.techtarget.com/definition/RFC-1918
-
What???
Yeah, you're reading that wrong ;) Yes, with the use of NAT and RFC1918 space not everyone needs a public IP for all their devices. And sure, it allows for fewer public IPv4 IPs.. But that is not what RFC1918 space is..
RFC1918 are IPs that do not route on the internet - they are meant for private use only..
10.x.x.x
172.16-31.x.x
192.168.x.x
Your WAN is that: 192.168.0.2
So on your ISP router.. you need to forward what you want to forward, 80 443 to 192.168.0.2, or put 192.168.0.2 (pfSense WAN IP) into the DMZ of your ISP router..
Since your ISP router is sending traffic to 192.168.0.2 that hit your public IP on 80/443, pfSense says hey wait - that is RFC1918.. I block that shit!!! So you need to turn off that rule!!! Normally pfSense would have a public IP on its WAN, and then that rule is fine..
-
So if I set my WAN IP as my PUBLIC IP but still use the 192.168.0.1 from the Hitron as the gateway this would prevent these issues? Am I understanding that correctly now?
Excuse my ignorance, but we all have to learn from somewhere.
I have tried the DMZ route but that fails too. Going to set WAN IP to PUBLIC IP now and see if that fixes things…
Well, that didn't work. Taking a break to watch the rugby and then I'll get back to it! Thanks for all the help everyone in trying to get my head to understand how this all works.
-
The best thing to do, if it is possible, is to configure the Hitron in "pass-through" "bridging" mode (I am not sure the exact term that Hitron would use - if it does it at all). If you can get it to just act as a "dumb modem" and pass all the external traffic directly through to pfSense WAN, then:
Set pfSense WAN interface to DHCP (it will be a DHCP client, and will ask for an IP address from its upstream, which will be your ISP) and it should receive the "static" IP that your ISP has given you; or
If the ISP has told you the static IP to use and does not give it by DHCP, then put that static IP as the pfSense WAN IP.
If the Hitron will not go into "pass-through" mode, then:
Make the Hitron forward the ports that you want to be public through to your pfSense WAN IP 192.168.0.2
Keep the pfSense WAN IP 192.168.0.2 with gateway 192.168.0.1
On the Interfaces->WAN page, do not tick the Block RFC1918 box (you want to receive traffic from the Hitron 192.168.0.1)
The difficulty with helping you is that we do not know exactly what control you have over what the Hitron can do, so we are giving lots of "if this then do that" advice.
-
I think this whole issue I'm having is with the Hitron and the VB service itself.
When I set the Hitron into modem only mode (disable the router function) I can assign an IP using DHCP to the WAN address which in turn gives me a DYNAMIC address (86.x.x.x). However, when the Hitron is set as VB expect it to be in order to get the STATIC IP, I get the STATIC IP (62.x.x.x) but then I can't forward anything through to pfSense WAN, even using DMZ OR by disabling the default blocking rules.
I really think I'm going to have to revert to a DYNAMIC IP and, if I do, VB can come take this bit of garbage out from my house and I'll revert back to VM.
I won't give up trying to get this sorted and I do really appreciate everyone trying to help. If you need specific information from me, screenshots or whatever, I'll gladly provide them.
-
At least we need to know the exact model of this Hitron-shmitron router to confirm that it does or does not support bridge/dumb modem mode.
From what I found it looks like it can be enabled but I may be wrong. That FAQ URL I've posted stated that you can't connect to the Hitron interface when this mode is enabled and you must reset it to get back router functionality; this looks like a dumb modem in my eyes.
"will only allow a DYNAMIC and not STATIC IP to work when this mode is activated."
In bridge mode it acts like a bridge, just a dumb interface that brings the ISP network to your pfSense WAN; you should not receive or set any IP on the Hitron side. But we don't know whether it is real bridge mode or something else you have tried.
Sometimes static IP means that you don't touch anything on your own side but your modem/router just gets a static IP by DHCP static lease; you don't need to configure anything. If it's not that way on your ISP then you should try to disable Residential Gateway in the Hitron and connect pfSense to that "one active port" as stated in the Rogers FAQ — if it applies to your model, then you should change the pfSense WAN IP to that external static IP you've got from the ISP manually.
-
Hmm… Maybe your ISP assigns the static IP by the MAC address of your Hitron and you need to do a spoof of the MAC… I am not sure.
-
@w0w:
Hmm… Maybe your ISP assigns the static IP by the MAC address of your Hitron and you need to do a spoof of the MAC… I am not sure.
No, VB (Virgin Business in case you hadn't figured that yet) have a stupid section in the Hitron where you have to set up a tunnel to connect to the STATIC IP. Unlike other providers who assign a static IP direct to the router, VB assign a Dynamic and then you're required to log in to this tunnel in order to get the static.
Anyway, I think I have good news. Having tinkered with NAT and Firewall rules, I think I may have sorted it even with the BLOCK rules in place. All I changed was the "Filter Rule Association" on the "Firewall->NAT->Port Forward" page to "Pass" instead of "Create new associated filter rule" and it all appears to be working. I can access my sites and I can connect to my mail server and SSH.
I'm not sure if this will create any security issues or not (I'm hoping not) but at least it's working.
If this is likely to cause security loopholes or issues, please let me know and I will have to speak direct with VB in order to try and get this resolved.
Thanks again to everyone for your help. Not sure if there is any "kudos" or "rep" on this forum, but I'd certainly like to give some if it's possible.
-
http://community.virginmedia.com/t5/Networking-and-wireless/Business-Hitron-Router/td-p/3045782/page/2
Looks like your static IP is received by GRE. I am pretty sure it can be configured on the pfSense side. Since I am not so familiar with GRE I can't comment on whether it would be best to use it on the pfSense side or leave it on the Hitron. Maybe somebody more competent can comment on it.
-
So on your isp router.. you need to forward what you want to forward, 80 443 to 192.168.0.2, or put 192.168.0.2 (pfsense wan IP) into the DMZ of your isp router..
I have one client location where his ISP uses a Zyxel modem/router combo. I used the DMZ option johnpoz mentioned here and as soon as the pfSense router was placed into the DMZ all the port scanning and door knockers on ports 22, 23 and others started showing up on the pfSense firewall log that were not there before. I knew then that pfSense router was then exposed to the world and not behind the Zyxel's firewall anymore. This is certainly one way to pass that traffic (and see all the door knockers on your ports from CN, RS, IN, etc).
-
@w0w:
http://community.virginmedia.com/t5/Networking-and-wireless/Business-Hitron-Router/td-p/3045782/page/2
Looks like your static IP is received by GRE. I am pretty sure it can be configured on the pfSense side. Since I am not so familiar with GRE I can't comment on whether it would be best to use it on the pfSense side or leave it on the Hitron. Maybe somebody more competent can comment on it.
Thanks for the heads up. I'll take a look at this tomorrow although believe it or not I searched high and low (or at least thought I did) on the VM site for info on this. Perhaps I was searching the VB rather than VM site.
GRRR - modified this post then added kudos (or Karma as it's called here) to a couple of people and lost my edit because I forgot to save! Anyway, as I was saying…
I reviewed a lot of the 13 pages of posts on the above site but most of it was about people ranting and raving about flaky speeds and not being able to use the fixed IP on anything but the Hitron itself. Needless to say I posted my $0.01 (or more like $2.00) worth on the forum to let them know of my recent experience.