Setup Test PFSense
-
Jailer,
Sorry if I'm being dense but let me clarify. Your recommending I place the PFSense router directly connected to my ISP WAN cable (plugging in the WAN cable from the DDWRT and inserting into PFSense WAN) and turn off DHCP on the DDWRT and give it a static LAN IP outside of the PFSense DHCP range?I currently have a complicated setup for my FIOS utilizing 3 routers https://www.dslreports.com/faq/16858 to trick the real FIOS router into thinking it's plugged into the ONT via a Cat6 cable when it's my DDWRT that is the primary router. I'm trying to follow https://nguvu.org/pfsense/verizon/pfsense-verizon/ blog which is alot to setup so I can get rid of the secondary router and have PFSense be both primary and secondary. So I would prefer not to disturb the current setup until the PFSense box is ready to go (minimize down time/family upset).
-
Crazy stuff happens when I enable the lan on a different subnet. Either the GUI breaks and I can't connect with SSH or it goes into a continuous loop rebooting. I think I found the fix from the manual as I'm running an AMD Athlon X64 and Intel 4 port em0-3 NIC
Intel igb(4) and em(4) Cards
Certain Intel igb cards, especially multi-port cards, can very easily exhaust mbufs and cause kernel panics, especially on amd64. The following tweak will prevent this from being an issue: In /boot/loader.conf.local - Add the following (or create the file if it does not exist):
kern.ipc.nmbclusters="1000000"
That will increase the amount of network memory buffers, allowing the driver enough headroom for its optimal operation. Is it normal not to be able to login to the GUI from the WAN port after setting up a LAN?
-
"Is it normal not to be able to login to the GUI from the WAN port after setting up a LAN?"
From which direction? If you're on the lan, then sure hitting the wan IP would not be blocked unless you blocked it on the lan rules. But if coming from the outside hitting your wan IP then yes out of the box that would be blocked. Since there are no allowed ports into the WAN out of the box.
Why would you be hitting the wan IP to access the gui? You sure you're not overlapping networks?
When you create a new OPT interface on pfsense there are NO rules like there are on the lan out of the box. So until you create allow rules on your new interface everything would be blocked.. Other than you could get a dhcp address if you enable dhcpd on that interface since when you do that hidden rules are created to allow for dhcp to function.
-
My current setup is the PFSense WAN em3 is connected to my current network and getting an IP of 192.168.1.111 WAN. I can access the GUI from the WAN IP 192.168.1.111. When I enable the LAN port on em1 (4 port NIC) 192.168.60.0/24 I can't access the GUI interface from the WAN on another computer on this network 192.168.1.0/24.
So you're saying that PFSense will block access to the WAN when the LAN is enabled and I could access the GUI only from the LAN IP if I hook up a laptop to the LAN port of the PFSense? (will try when I get home).
-
"So you're saying that PFSense will block access to the WAN when the LAN is enabled and I could access the GUI only from the LAN IP if I hook up a laptop to the LAN port of the PFSense? (will try when I get home). "
Huh??? When pfsense only has 1 interface.. Your wan as you're calling it.. Then yes the gui would be available on this IP.. If you then turn on a lan interface then you would no longer be able to access the web gui from the wan unless you create a rule for that to happen.
When there is only 1 interface, the wan - the antilockout rules would be on that interface.. Once you enable the lan - the anti lockout rules would be on that interface..
If you want to be able to access the gui on the wan once you enable a lan interface then you would need to put in a firewall rule to allow for that on the wan.
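As an added illustration (not from the thread or from pfSense itself), here is the WAN rule described above written in pf.conf syntax, using the interface names from this thread: WAN on em3 (192.168.1.111) and the upstream network 192.168.1.0/24 as the only allowed management source. The permissive variant is shown commented out beside the restricted one; the interface address macro `($wan_if)` and the port are assumptions for this example.

```pf
# Added example, not the thread's or pfSense's own ruleset.
# Assumes em3 is the WAN interface and 192.168.1.0/24 is the network
# the admin's workstation sits on. pfSense builds its own rules from
# Firewall > Rules > WAN; this is the equivalent logic in pf.conf form.

wan_if   = "em3"
mgmt_net = "192.168.1.0/24"     # only this network may reach the GUI
gui_port = "443"                # WebGUI over HTTPS (assumed default port)

# Too broad: opens the GUI to anything that arrives on the WAN side.
# pass in quick on $wan_if inet proto tcp from any to ($wan_if) port $gui_port keep state

# Restricted: one source network, one port, logged so access attempts are visible.
pass in log quick on $wan_if inet proto tcp from $mgmt_net to ($wan_if) port $gui_port flags S/SA keep state

# Everything else arriving on WAN keeps pfSense's default deny; no rule needed.
```

Once pfSense moves to the real edge with a public WAN address, this rule should be removed rather than widened, since the anti-lockout rule on LAN already covers local management.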
-
Thanks johpoz that was the perfect explanation.
-
Glad it was helpful.. Still trying to understand your ultimate goal. Are you wanting to use pfsense as downstream router? Normally pfsense is at the edge, and it actually has a real wan that is either a transit to the public internet or actual public IP on that interface.
So you are not looking to put pfsense at the edge? There will be rfc1918 on its wan - will any devices be on this network, or will it just be your transit to your edge router? Using pfsense downstream requires some extra settings.
-
Long term goal: replace DDWRT with PFSense and have 2 LANs. One on a VPN for all the computers/servers in my home. Second for my FIOS router and Netflix not thru the VPN and allow traffic from one of my servers on the VPN side to talk to the TVs.
Short term goal: Create all the settings on PFSense without messing with current setup. So I will move it to the edge after setup to minimize down time.
My current setup is with 3 routers: Main DDWRT -> static IP to WAN of secondary router. LAN of secondary router same subnet as outside FIOS ISP connected to Actiontec router WAN. It connects to the STBs with coax cable.
Initially I connected the PFSense to the DDWRT LAN so I could access the GUI from another computer on the network, but as soon as I turned the LAN on it disconnected the WAN access and I didn't have any access to the LAN on the PFSense as it was in a different room. Now I connected it to the LAN of the secondary to simulate my ISP and can adjust the settings from a laptop connected to the LAN port of the PFSense.
Let me know if my long term goals are not achievable. Thanks for your help and sorry about the long explanation.
-
"My current setup is with 3 routers"
Why? Do you mean you're using 2 of the routers as just wifi APs? It would be overly complex and pita to run 3 nat routers actually doing nat, etc. Pfsense for sure can be your edge device to the internet be it behind a nat from your fios router or actually getting a public IP. You can then put how ever many vlans/networks behind pfsense as you want. You can then setup vpn on pfsense and route whatever devices you want through the vpn. And other devices out your normal isp connection, etc.
-
Need the 3 router setup to replace my fios router with a router with more features and better wifi and keep Caller ID and Remote DVR access on my FIOS system. The PFSense would be primary and directly connected to the internet. http://www.dslreports.com/faq/16858 if you want to see more about it. Hopefully I replace the secondary router with one of the Ethernet ports on the PFSense and have control of what uses the VPN and what doesn't.