Setting up my SG-3100 questions about network layout
-
So I have my network set up like this: https://i.imgur.com/lcobYBf.png
I am trying to figure out how to best configure it. Initially I had it set up where the router did DHCP (192.x) and pfSense did as well (10.x). It worked briefly, but then stopped to the point where anything on the 10.x could not access the internet after I rebooted the firewall. I have no idea why that would have been, so I had to remove the firewall so I could get some work done.
So I am thinking about just letting the router hand out IP addresses and just having pfSense be a firewall (and also using it for VPN and Snort/Suricata).
Any feedback regarding pros/cons of each setup would be helpful. Note that I cannot put my Xfinity router in bridge mode, but I do have DMZ set up to forward everything to the port where pfSense is.
Thanks in advance for the potentially noobish questions.
-
As you already heard somewhere, it's best to put the Xfinity in bridge mode, but if you can't, you can't. Are you renting this modem from Comcast? I don't see why they would refuse to furnish you with a plain modem, but I digress.
You are doing double NAT, but that's OK. It "should" work; I don't know why it doesn't. The modem's DHCP affects only the PF's WAN port; it doesn't go beyond that, and the PF's DHCP services your LAN.
Very simple:
PF --> Diagnostics --> Ping 8.8.8.8; if you get a successful response, then PF is able to "get out."
From any client, do IPCONFIG /ALL (I assume Windows), and GATEWAY === (should) === PF LAN IP. If this is blank or something else, you have configured PF DHCP wrong.
-
Comcast: just buy your own modem and screw renting from them. I would look at your drawing, but it's not attached. And work blocks that URL.
-
> As you already heard somewhere, it's best to put the Xfinity in bridge mode, but if you can't, you can't. Are you renting this modem from Comcast? I don't see why they would refuse to furnish you with a plain modem, but I digress.
> You are doing double NAT, but that's OK. It "should" work; I don't know why it doesn't. The modem's DHCP affects only the PF's WAN port; it doesn't go beyond that, and the PF's DHCP services your LAN.
> Very simple:
> PF --> Diagnostics --> Ping 8.8.8.8; if you get a successful response, then PF is able to "get out."
> From any client, do IPCONFIG /ALL (I assume Windows), and GATEWAY === (should) === PF LAN IP. If this is blank or something else, you have configured PF DHCP wrong.
Thanks. Let me check this. Let me ask this: I was playing with the LAN interface. Should the IP be /24 or /32? Whatever I changed, it was working, and then upon a reboot DHCP worked but there was no internet connection. If it persists I'll provide the errors.
ETA: I can't use bridge mode because I use their security system, which doesn't work in bridge mode. Yeah, it's annoying and I am ditching it soon, but I can't yet.
-
> Comcast: just buy your own modem and screw renting from them. I would look at your drawing, but it's not attached. And work blocks that URL.
Attachment added. See above, but bridge mode isn't an option as of right now.
-
> I was playing with the LAN interface. Should the IP be /24 or /32?
There is no such thing as /32. /24 at the PF's LAN interface would be standard, allowing 255 clients.
-
OK. So I ended up going into the console and reverting the configuration basically to the out-of-the-box config.
Let's say my router is 192.168.1.1/24
pfSense is 192.168.1.234
pfSense LAN network is 10.0.1.1/24
What should I configure as the default gateway on the WAN/LAN interfaces? This is what threw me off last time and rendered my GUI useless.
Also, should I consider not doing double NAT and just disabling DHCP on pfSense and just using it as a firewall/VPN?
Thanks.
-
> I was playing with the LAN interface. Should the IP be /24 or /32?
> There is no such thing as /32. /24 at the PF's LAN interface would be standard, allowing 255 clients.
/32 is a single address. Mask of 255.255.255.255.
-
If you let both DHCP servers handle it, things should be automatic.
The gateway is the "upstream" device's IP. So Router --> FW --> Client. The FW's gateway is the Router; the Client's gateway is the FW.
I'm not aware you can use PF as a FW without it doing NAT; maybe somebody here will jump in and correct me.
-
You don't need to do NAT. But in the described case it is probably necessary.
But in most cases you would want to do a 1:1 NAT (usually erroneously called a "DMZ host" or something, which is maddeningly stupid, but that's the industry today) in the upstream router to the pfSense WAN, so all inbound traffic is sent to the WAN port with no further rules required. Then you would port forward as normal on the pfSense WAN.
You probably need to do outbound NAT as well, because the upstream router won't know about routing to the LAN behind the pfSense WAN.
-
> If you let both DHCP servers handle it, things should be automatic.
> The gateway is the "upstream" device's IP. So Router --> FW --> Client. The FW's gateway is the Router; the Client's gateway is the FW.
> I'm not aware you can use PF as a FW without it doing NAT; maybe somebody here will jump in and correct me.
Thanks. When I tried this I was getting a message saying that the gateway was not on the same subnet. In this example, the LAN interface had, say, a 10.0.1.1 IP and the router had a 192.168.1.1 IP. Am I doing it wrong?
-
> You don't need to do NAT. But in the described case it is probably necessary.
> But in most cases you would want to do a 1:1 NAT (usually erroneously called a "DMZ host" or something, which is maddeningly stupid, but that's the industry today) in the upstream router to the pfSense WAN, so all inbound traffic is sent to the WAN port with no further rules required. Then you would port forward as normal on the pfSense WAN.
> You probably need to do outbound NAT as well, because the upstream router won't know about routing to the LAN behind the pfSense WAN.
Hmm, thanks. I was wondering what the 1:1 NAT setting was. So basically, that setting just forwards all traffic to the LAN or WAN ports. I think my router has a similar DMZ setting that I was planning to use on the port where the FW is plugged in.
Maybe this was the reason in my first config that I lost internet access, even though the networks were properly NAT'd and DHCP was working?
-
That setting takes all unsolicited traffic coming into its WAN and forwards it to a specific IP address on the inside. That would be pfSense's WAN address.
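Putting the thread's numbers into a small model makes the points above concrete: the "gateway not on the same subnet" error from entering the router's address on the 10.0.1.1/24 LAN interface, the IPCONFIG /ALL check (client gateway must be the pfSense LAN IP), the /24-versus-/32 question, and why outbound NAT is needed when the Xfinity router only knows about 192.168.1.0/24. This is an added example written for this page, not code from the thread or from pfSense. The router, pfSense WAN and LAN addresses are the ones the poster gave; the client address 10.0.1.50 and the router's ISP-side hop 100.64.0.1 are assumptions made for the demo.

```python
"""Added example, not from the thread: a model of the layout discussed above.

    Xfinity router 192.168.1.1/24 --> pfSense WAN 192.168.1.234/24
                                      pfSense LAN 10.0.1.1/24    --> client

Addresses are the ones the poster gave; the client address 10.0.1.50 and the
router's ISP-side hop 100.64.0.1 are assumptions made for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Iface:
    name: str
    addr: str                      # "a.b.c.d/prefix"
    gateway: Optional[str] = None  # next hop for traffic leaving via this iface

    @property
    def ip(self) -> ipaddress.IPv4Address:
        return ipaddress.ip_interface(self.addr).ip

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(self.addr).network


def check_gateway(iface: Iface) -> Optional[str]:
    """Return an error string if pfSense would reject this gateway, else None.
    A gateway must sit inside the interface's own subnet, which is what the
    'gateway not on the same subnet' message in the thread is complaining about
    (192.168.1.1 was entered on the 10.0.1.1/24 LAN interface). The LAN side
    of a firewall normally has no gateway at all; only WAN does.
    """
    if iface.gateway is None:
        return None
    gw = ipaddress.ip_address(iface.gateway)
    if gw == iface.ip:
        return f"{iface.name}: gateway must not be the interface's own address"
    if gw not in iface.network:
        return f"{iface.name}: gateway {gw} is not on the same subnet as {iface.addr}"
    return None


def client_capacity(addr: str) -> int:
    """Usable client addresses on an interface's subnet, excluding the
    interface's own address: /24 leaves room for clients, /32 leaves none."""
    itf = ipaddress.ip_interface(addr)
    return sum(1 for h in itf.network.hosts() if h != itf.ip)


@dataclass
class Box:
    """A router: its interfaces plus a default next hop for unknown destinations."""
    name: str
    ifaces: List[Iface]
    default_gw: Optional[str] = None

    def next_hop(self, dst: str) -> Optional[str]:
        """A directly connected subnet wins; otherwise the default gateway or None."""
        d = ipaddress.ip_address(dst)
        for i in self.ifaces:
            if d in i.network:
                return f"{self.name}:{i.name}"   # delivered on that interface
        return self.default_gw


ISP_HOP = "100.64.0.1"   # assumed upstream of the Xfinity router
ROUTER = Box("xfinity", [Iface("lan", "192.168.1.1/24")], default_gw=ISP_HOP)
PFSENSE = Box("pfsense",
              [Iface("wan", "192.168.1.234/24", gateway="192.168.1.1"),
               Iface("lan", "10.0.1.1/24")],                  # no gateway on LAN
              default_gw="192.168.1.1")
CLIENT = Iface("client", "10.0.1.50/24", gateway="10.0.1.1")  # assumed client
# The misconfiguration from the thread: upstream router entered as LAN gateway.
MISTAKE = Iface("lan", "10.0.1.1/24", gateway="192.168.1.1")


def client_gateway_ok(client: Iface, fw: Box) -> bool:
    """The 'IPCONFIG /ALL' check from the thread: the client's default gateway
    must be the pfSense LAN address."""
    lan = next(i for i in fw.ifaces if i.name == "lan")
    return client.gateway is not None and ipaddress.ip_address(client.gateway) == lan.ip


def reply_reaches_client(outbound_nat: bool) -> bool:
    """Trace the return leg of client -> 8.8.8.8 back through the Xfinity router.
    With outbound NAT on pfSense the router saw source 192.168.1.234 and can
    deliver the reply on its own LAN; without it the router saw 10.0.1.50, has
    no route for 10.0.1.0/24 and hands the reply to its ISP hop, where it dies.
    """
    src_seen_by_router = "192.168.1.234" if outbound_nat else str(CLIENT.ip)
    if ROUTER.next_hop(src_seen_by_router) != "xfinity:lan":
        return False   # sent toward ISP_HOP instead of back to pfSense WAN
    # Router hands it to pfSense WAN; pfSense un-NATs (if needed) and routes to LAN.
    return PFSENSE.next_hop(str(CLIENT.ip)) == "pfsense:lan"


if __name__ == "__main__":
    for i in PFSENSE.ifaces + [MISTAKE]:
        print(f"{i.name} {i.addr} gw={i.gateway}: {check_gateway(i) or 'ok'}")
    print("clients on /24:", client_capacity("10.0.1.1/24"),
          " on /32:", client_capacity("10.0.1.1/32"))
    print("client gateway ok:", client_gateway_ok(CLIENT, PFSENSE))
    for nat in (True, False):
        print(f"outbound NAT={nat}: reply reaches client ->", reply_reaches_client(nat))
```

The DMZ-host (1:1 NAT) setting on the Xfinity router only covers the inbound direction; the model's `reply_reaches_client(False)` shows why pfSense's default outbound NAT must stay enabled in this double-NAT layout, and `check_gateway(MISTAKE)` reproduces the error the poster hit when the router's address went on the LAN interface instead of WAN.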