Netgate Discussion Forum

    What am i doing wrong ?

      lean-on-he

      Just bridge the 2; it will still "firewall" the traffic.

        heper

        @pigy

        you have a broken system/setup. your wan & lan subnets are the same with NAT & routing enabled. this cannot work correctly.

        so you either change your subnet or you set up bridging instead of routing on your pfsense.

        define 'protect' ...

        @pigy said in What am i doing wrong ?:

        Can you please elaborate why i should remove pfsense or the wireless router ?

        Doesn't Pfsense still protect the computers on the network ? The computers are connected after PF

        I can't remove the wireless router because it is connected to voip system.

          pigy

          When you say WAN, do you mean the public IP? The public IP is static.
          Or are you referring to the ISP router?

          Sorry if I sound silly, but I'm new to all this.

          If I understood correctly you are probably saying the following; correct me if I am wrong.

          ISP Router - Change the default gateway IP address & subnet to something like 192.168.0.1 with a subnet of 255.255.255.128

          Another stupid question: must I change the IP address as well instead of just changing the subnet, or must both be changed?

          And for pfSense - maintain 192.168.1.1 / 255.255.255.0

            EveningStarNM

            You are correct that the problem is having your wireless router in front of the firewall. There are two options:

            1. Create a port forwarding rule in Firewall > NAT through the port your printer uses and direct it to the printer.

            2. Install a protected wireless router behind the firewall, and use the ISP's wireless router for your guest network.

              heper

              @pigy
              i'm referring to your wan & lan interface on pfsense, having ip-addresses in the same subnet. this does not work

              you can find information about subnets on google. or https://www.techrepublic.com/blog/data-center/ip-subnetting-made-easy-125343/

              basically you want for example 192.168.1.0/24 on wan | 192.168.2.0/24 on lan

              But still:
              remove one of your routers. Either dump your ISP wifi router or remove pfsense.

              It's pointless to have both & makes the network more complicated than it has to be.

                pigy

                @heper

                The reason why I can't dump the ISP router is that it has PPPoE configured. I couldn't get pfSense to work as first router (tried PPPoE but it just didn't work).

                Second reason is the phone lines are connected to the ISP router.
                Third reason is there is a built-in SIM card in the ISP router.

                // basically you want for example 192.168.1.0/24 on wan | 192.168.2.0/24 on lan
                So /24 on WAN/LAN is the same subnet, correct?

                Thank you for your advice, much appreciated.

                  stephenw10 Netgate Administrator

                  @pigy said in What am i doing wrong ?:

                  So /24 on WAN/LAN is the same subnet correct ?

                  That's the same subnet size but not the same subnet. You cannot have both as 192.168.1.X as you have now.

                  I would recommend using something more obscure to avoid the possibility of conflicts should you ever set up a VPN in the future. Say for example LAN set to 172.20.1.1/24, but you could use any private subnet there.
                  https://en.wikipedia.org/wiki/Private_network

                  Steve

                    pigy

                    How do I allow access to the printer/server for people using the ISP router?

                    The printer/server is connected to a switch which is behind pfSense.

                      stephenw10 Netgate Administrator

                      You can set up a port forward to it, if you know what ports are required.
                      https://docs.netgate.com/pfsense/en/latest/book/nat/port-forwards.html#adding-port-forwards

                      But really you would be better off moving the PPPoE connection onto pfSense and using the ISP router as a wifi access point IMO.

                      Steve

                        pigy

                        @stephenw10
                        I actually did try to move the PPPoE connection onto pfSense but it failed. Also, at that point I didn't think much about the VoIP, which is connected to the ISP router.

                        (The ISP provides a static IP.)
                        I'm not exactly sure why the PPPoE connection failed; is there a way to find out? Also, contacting the ISP and figuring this out has been difficult because the person on the other end is not well versed with this.

                        How do I find out the ports for the printer if the documentation of the printer does not state them?

                          stephenw10 Netgate Administrator

                          Ah, yes if the ISP is providing VoIP from their router it probably needs to stay there.

                          Printer ports are usually pretty standard. It could get complex pretty quickly though. You should think about re-arranging the network so that is not necessary. Can the printer go on the WAN side? Why are there clients on the WAN side?

                          Steve

                            pigy

                            @stephenw10

                            Can the printer go on the WAN side?
                            Do you mean move the printer from the switch to the ISP router ?

                            Why are there clients on the WAN side?
                            The ISP router is also a wireless router, some clients connect to wireless because they use a laptop.
                            And because of this they can't access the printer.

                            Moving the printer to the ISP router is one thing, but the other issue is the server. If I put the server on the ISP router it is no longer behind pfSense. I'm not sure what to do here. Will port forwarding work in this scenario?

                              johnpoz LAYER 8 Global Moderator

                              You can do it this way, is it optimal setup - not really.

                              Step 1, make sure your networks are different. 192.168.1/24 and say pfsense lan 192.168.2/24

                              Now if you want stuff to access stuff behind pfsense from the isp network 192.168.1/24 you would do port forwards, and those devices would access the pfsense wan IP 192.168.1.X and be forwarded in to whatever.. Common printer port is 9100.. But you need to understand what printing protocol(s) you're using... Airprint for example is not going to work in such a setup. And it sounds like maybe you have a printer server running?

                              A better solution might be to just turn off wireless on this isp device, and bridge it if possible - and then put everything behind pfsense (get an AP if you want wireless)... And then isolate stuff via different vlans you want to isolate from each other..

                              No matter what you do, step one in making sure you're not using the same networks on wan and lan of pfsense is required. If your issue is accessing the printer.. Putting it on the wan side network of pfsense would prob be easier, since default lan rules are any any on pfsense, so no port forwarding.. And devices on your pfsense wan network would be able to access your printer as well.. Airprint for example would then work for all devices on your wifi network.

                              How best to set up what you're trying to do without a full redesign would require more information. What printer, what printing protocols, are you using a printer server - that you really want behind pfsense, etc. etc.

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1
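
The WAN/LAN subnet point made by heper, stephenw10 and johnpoz above, as an added example that is not part of any post in the thread: a small Python check that separates "same subnet size" from "same subnet" and flags a LAN range likely to clash over a future VPN. The host addresses (`.50`, `.2`) and the `COMMON_DEFAULTS` list are assumptions made for illustration; the subnets are the ones quoted in the thread.

```python
import ipaddress

# RFC 1918 private ranges (see the Private_network link in the thread).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: ranges many consumer routers ship with, so the likeliest
# to clash with a remote site once a VPN is added.
COMMON_DEFAULTS = [ipaddress.ip_network(n) for n in
                   ("192.168.0.0/24", "192.168.1.0/24")]


def check_plan(wan: str, lan: str) -> dict:
    """wan/lan are 'address/mask' (prefix length or dotted netmask)."""
    wan_net = ipaddress.ip_interface(wan).network
    lan_net = ipaddress.ip_interface(lan).network
    return {
        "wan_net": str(wan_net),
        "lan_net": str(lan_net),
        "same_size": wan_net.prefixlen == lan_net.prefixlen,
        "overlap": wan_net.overlaps(lan_net),
        "lan_private": any(lan_net.subnet_of(p) for p in RFC1918),
        "lan_common": any(lan_net.overlaps(c) for c in COMMON_DEFAULTS),
    }


def verdict(wan: str, lan: str) -> str:
    r = check_plan(wan, lan)
    if r["overlap"]:
        return "FAIL: WAN and LAN are the same/overlapping subnet"
    if not r["lan_private"]:
        return "WARN: LAN is not RFC 1918 private space"
    if r["lan_common"]:
        return "OK, but LAN is a common default and may clash over a VPN"
    return "OK"


# Constructed inputs: host addresses are made up, subnets are the thread's.
PLANS = {
    "both 192.168.1.X": ("192.168.1.50/24", "192.168.1.1/24"),
    "pigy's /25 idea": ("192.168.0.2/255.255.255.128", "192.168.1.1/255.255.255.0"),
    "heper's example": ("192.168.1.50/24", "192.168.2.1/24"),
    "stephenw10's LAN": ("192.168.1.50/24", "172.20.1.1/24"),
}

if __name__ == "__main__":
    for name, (wan, lan) in PLANS.items():
        r = check_plan(wan, lan)
        print(f"{name:18} WAN {r['wan_net']:16} LAN {r['lan_net']:16} "
              f"{verdict(wan, lan)}")
```
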

                                rtoledo2002

                                @pigy All the posts so far are spot on, BUT if this is going over your head allow me to suggest a simple way. Get a second wireless router (they are cheap on Amazon and eBay), set it up BEHIND the pfsense and turn OFF the wireless on your ISP's router. Turn on the wireless on the SECOND router you bought. It might also help to figure out how to BRIDGE the ISP router you now have as your edge device; by doing this the pfsense becomes your edge device.

                                I get a bit paranoid about ISPs' use of TR-069 (CPE WMP) (Verizon FIOS as an example) for management of their Actiontec router and STBs via port TCP/4567, and you can't disable that.

                                BTW look up WIFI 6 like for example the RAX20 by Netgear . look for 802.11ax Dual Band WiFi 6 and WPA 3.

                                take my advice with a grain of salt as I'm not a network expert , just play one at home and work ;)

                                  yaminb

                                  Yep, I second @rtoledo2002 advice as another non network expert.

                                  Keep it simple.

                                  1. Turn off wireless on your ISP gateway. I have a cable modem from my ISP with wireless and do the same thing.
                                  2. Buy a wireless access point. Many wireless routers can be put into AP mode as well.
                                  3. Plug the wireless AP into the pfSense LAN. In my case, I plug it straight into the LAN-side switch of my SG-3100.

                                  Everything works nice.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.