Deploying pfsense behind ISP router with double nat
-
Hi,
Just been trying to set up a pfSense router today and not made much progress with my attempts, hence it's time for a forum post.
For background I've deployed my own custom Debian based routers before, but I am new to pfSense.
My ISP router does not support static routes, hence I require a double-nat'ted configuration.
I had my Debian based router setup at another address. I recently moved to a new address with a new ISP. The Debian based equipment all works fine here. But I can't get the pfSense box to work. I've probably overlooked something simple, but I can't figure it out.
The setup is quite simple. I have an ISP router which does NAT from the ISP assigned WAN IP address to the internal network address space of 192.168.0.X.
I assigned a static IP to the pfSense router of 192.168.0.200. Although this shouldn't be necessary. I also tried without. Neither config worked. This is for interface "WAN".
The pfSense box has another interface "LAN". It has static IP 192.168.100.254. It is connected to an unmanaged switch, and this is connected to another linux PC. This machine has the IP 192.168.100.1. This was assigned by pfSense DHCP.
If I try to ping 192.168.0.1 (ISP router) from the linux PC (other side of pfSense router) I get 100 % packet loss.
I'm not familiar with FreeBSD, so I don't know how to start going about diagnosing what is wrong. I've watched a couple of hours of YouTube videos on how to set this up for "lab / home networks" and read some forum posts but not made any further progress. Perhaps the information is wrong, so I will not re-post it here.
To summarize, we have
[ISP] (192.168.0.1) <-> (192.168.0.200) [pfSense] (192.168.100.254) <-> (192.168.100.1)
And I cannot ping across the pfSense device.
What are the first steps I should take to debug this? Thanks.
Currently Firewall->NAT->Outbound is set to "Automatic" and there are 4 rules...
2 for LAN, 2 for WAN. The source IPs are 127.0.0.0/8 ::1/128, the source ports are *, the destination IPs are *, and the dst ports are either * or 500. Description says "Auto Created Rule"
Unfortunately I can't paste what I can see easily because I can't access the pfSense device and the internet at the same time. If this information is important I can perhaps take a photo of it.
-
@hypernova said in Deploying pfsense behind ISP router with double nat:
My ISP router does not support static routes, hence I require a double-nat'ted configuration.
What does one have to do with the other?
-
Without NAT it doesn't work.
-
Again, what does double NAT have to do with static routes. They are completely unrelated. If the first router works with a static route, then you should be able to replace it with a similarly configured pfSense.
-
Ok I've been trying to figure this out, but mostly just got myself confused. I was pretty convinced double NAT was required, as nothing worked on my previous setup without it.
Now I am currently not so sure about it.
-
@JKnott I'm sorry I don't understand your point about static route.
My ISP router does not support static routes. I thought this was why double NATting was required - but having written some stuff down on paper I'm now not so sure.
-
Perhaps it is helpful to start from a simpler point.
I disabled NAT on the pfSense box.
I am trying to ping 192.168.0.1 from my PC. I cannot get a response. However I can ping the pfSense box.
So I cannot ping something on the other side of the pfSense box. Why is this so, or what should I do to diagnose this issue?
-
As another test, if I use a laptop connected to the 192.168.0.X network to ping 192.168.0.1, it works. However I also cannot ping 192.168.100.254.
This is because my ISP router does not know where 192.168.100.X is.
NAT does not help in this case of course, but this is why I concluded NAT was required on the pfSense box. So that the network address range 192.168.100.X would be translated via NAT into a 192.168.0.200:<port> address, which my ISP router does understand, because 192.168.0.200 is on the 192.168.0.X network...
-
@hypernova said in Deploying pfsense behind ISP router with double nat:
I'm sorry I don't understand your point about static route.
You were the one that first mentioned static routes. Those are not normally used for consumer level connections. I have absolutely no idea why you even mentioned that in the first place.
-
@JKnott I mentioned it, as I explained above, because I thought NAT was required due to the fact that my ISP does not support static routes.
I am not sure if I am mistaken about that. I've spent hours trying to get the pfsense box to work - or at least do something.
So far I've not had any success with it. I have no idea what diagnostics should be done.
If you have any suggestions about what I should do next I will be glad to hear them.
Essentially allow me to ask the most basic question.
I have an ISP router. I attach a pfsense box to it. How should I configure the pfsense box to get internet access to devices on the other side of the pfsense box?
-
Do you even know there's something with that 192.168.100.254 address? While any address within the local address block, other than .0 or .255, can be used for the router, typically .1 is used.
Since you want to use pfSense as a router, you should set your modem to be in bridge mode, not gateway. This will get rid of double NAT. pfSense will then receive the needed connection info via DHCP, so you have nothing to configure on the WAN side. Also, by using bridge mode, you may also get IPv6, assuming your ISP is providing it.
-
@JKnott said in Deploying pfsense behind ISP router with double nat:
Do you even know there's something with that 192.168.100.254 address? While any address within the local address block, other than .0 or .255, can be used for the router, typically .1 is used.
The pfSense box has the address 192.168.100.254. The attached desktop on the LAN side has address 192.168.100.1.
Did you actually read what I posted?
Since you want to use pfSense as a router, you should set your modem to be in bridge mode, not gateway. This will get rid of double NAT. pfSense will then receive the needed connection info via DHCP, so you have nothing to configure on the WAN side. Also, by using bridge mode, you may also get IPv6, assuming your ISP is providing it.
My ISP router does not have a bridge mode. It can receive an IP via DHCP. I have now set a reserved address. I don't know why you bring this up, I can't see the relevance of it.
-
I tried starting again with a fresh install of pfsense, keeping all the default settings.
I can now ping the ISP router, but I cannot ping anything further, such as 8.8.8.8.
Any suggestions?
-
@hypernova said in Deploying pfsense behind ISP router with double nat:
Any suggestions?
No, that really should work out of the box on LAN.
-
@Bob-Dig said in Deploying pfsense behind ISP router with double nat:
@hypernova said in Deploying pfsense behind ISP router with double nat:
Any suggestions?
No, that really should work out of the box on LAN.
I would have thought so too... Here's some traceroute info. I don't know if this is helpful?
Through pfsense router:
traceroute 192.168.0.1
traceroute to 192.168.0.1 (192.168.0.1), 30 hops max, 60 byte packets
1 pfSense.localdomain (192.168.1.1) 0.268 ms 0.266 ms 0.273 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
(end of output)
Through my debian based router:
traceroute 192.168.0.1
traceroute to 192.168.0.1 (192.168.0.1), 30 hops max, 60 byte packets
1 pigrey (192.168.2.254) 0.214 ms 0.242 ms 0.283 ms
2 192.168.0.1 (192.168.0.1) 3.293 ms 4.517 ms 5.505 ms
The second output looks sensible. The first does not look at all sensible.
After a reboot I was able to ping 8.8.8.8, but the response was slow.
I was not able to ping www.google.com. So this suggests perhaps there is something wrong in the configuration which is interfering with the ability for DNS to resolve.
In the logs I am seeing a lot of instances of a particular error:
"wan dhcp sendto error (error 65)"
This might be related?
-
@hypernova I hope you don't Block private networks on WAN?
-
@Bob-Dig said in Deploying pfsense behind ISP router with double nat:
@hypernova I hope you don't Block private networks on WAN?
Interfaces->WAN/LAN->Reserved Networks
both checkboxes unchecked - is this what you refer to?
-
Well this is strange... I managed to get something working, and I think I'm now connected via the pfsense router...
I added a new USB interface - a gigabit one, connected via USB 2.0 (so it won't actually be gigabit.)
I was using a USB 2.0 to 100Mbs interface. That is still attached as WAN, and the other one is now attached at OPT.
Why is this other USB interface working when the other one did not? Is this a known issue, some form of compatibility problem with certain USB interfaces?
-
Having thought about this for a while, I believe I remember what got me down the path of implementing double nat some months ago.
I think I am correct in stating that this is required for external access, such as to ssh ports.
The reason being that with most ISP routers (at least all the ones I have come across) there is no way to open a port to anything other than the immediate local network.
For me this is 192.168.0.X.
However I wish to direct ssh traffic to another machine, on another network.
Hence why double nat is required?
-
1:
Without the pfSense box doing NAT on the WAN, your ISP router needs a static route (for the Linux LAN), in order to send the ping reply packets back to (via) the pfSense box.
You might be "bitten" by RFC1918 default blocking of inbound WAN packets too.
2:
If you let pfSense NAT on the WAN port, you won't need any routes in the ISP router, as all appears to come from the pfSense, that is on a known LAN (the ISP inside LAN).
3:
You might want to look at your ISP routers "Portforwarding possibilities".
I had such an ISP setup, where the ISP router did NAT, and I needed to run a Linux FTP/WEB server behind it.
I had an option to portforward "everything" to one specific inside IP address (easy setup).
Just portforward everything on your ISP router to the pfSense , and then portforward the interesting ports in the pfSense to the correct pfSense inside ip's.
/Bingo
PS:
If you let pfSense NAT, and do not block RFC1918 on WAN (your ISP router uses RFC1918 on the inside LAN), then your ping/access of your ISP router from the Linux PC should work flawlessly.
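The following is a constructed simulation, added here and not posted by anyone in the thread, of the topology hypernova described (Linux PC 192.168.100.1, pfSense LAN 192.168.100.254 / WAN 192.168.0.200, ISP router 192.168.0.1). It walks a ping hop by hop through each box's routing table and shows the point made in hypernova's "why I concluded NAT was required" post and in Bingo's points 1 to 3: the ISP router's reply to 192.168.100.1 leaves via its default route and is lost unless pfSense NATs outbound on WAN or the ISP router has a static route for 192.168.100.0/24, and chained port forwards (ISP router to pfSense WAN, pfSense to the PC) reach an inside host. The public address 198.51.100.7 and the remote client 203.0.113.5 are made-up documentation-range values; pf's stateful filter and the "Block private networks" rule are not modelled.

```python
"""Toy hop-by-hop model of the thread's double-NAT topology (constructed example).

    [PC 192.168.100.1] -- LAN .100.254 [pfSense] WAN .0.200 -- [ISP router 192.168.0.1] -- internet

pf's stateful filter and the "Block private networks on WAN" rule are not modelled.
"""
import ipaddress

INTERNET = "internet"   # sentinel: packet left via the ISP router's default route


class Node:
    """A host or router: its addresses, routing table and optional NAT tables."""

    def __init__(self, name, addrs, routes, default=None):
        self.name = name
        self.addrs = set(addrs)
        # routes: [(network, next_hop)]; next_hop None means directly connected
        self.routes = [(ipaddress.ip_network(n), nh) for n, nh in routes]
        self.default = default   # default gateway IP, or INTERNET
        self.snat = []           # [(inside_net, translated_src)]: outbound NAT
        self.dnat = {}           # (dst, dport) -> (inside_dst, dport): port forwards
        self.states = {}         # (translated_src, dst) -> original src

    def next_hop(self, dst):
        """Longest-prefix match; a directly connected destination is its own next hop."""
        addr = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if addr in net]
        if not matches:
            return self.default
        net, nh = max(matches, key=lambda m: m[0].prefixlen)
        return nh or dst


def deliver(nodes, node, pkt, max_hops=8):
    """Forward pkt starting at `node`. Returns (outcome, packet as it arrived):
    outcome is the delivering node's name, INTERNET (went upstream, i.e. lost
    for a private destination) or 'no-route'."""
    by_addr = {a: n for n in nodes.values() for a in n.addrs}
    for _ in range(max_hops):
        pkt = dict(pkt)
        fwd = node.dnat.get((pkt["dst"], pkt["dport"]))
        if (pkt["dst"], pkt["src"]) in node.states:       # reply to a flow we NATed: undo it
            pkt["dst"] = node.states[(pkt["dst"], pkt["src"])]
        elif fwd:                                           # port forward toward an inside host
            pkt["dst"], pkt["dport"] = fwd
        elif pkt["dst"] in node.addrs:                      # addressed to this box
            return node.name, pkt
        for net, translated in node.snat:                   # outbound NAT on the way out
            if ipaddress.ip_address(pkt["src"]) in net:
                node.states[(translated, pkt["dst"])] = pkt["src"]
                pkt["src"] = translated
                break
        nh = node.next_hop(pkt["dst"])
        if nh == INTERNET:
            return INTERNET, pkt
        node = by_addr.get(nh)
        if node is None:
            return "no-route", pkt
    return "loop", pkt


def build(pfsense_nat=False, isp_static_route=False):
    """The three boxes from the thread, with the two possible fixes as switches.
    198.51.100.7 stands in for the ISP router's public address (made up)."""
    pc = Node("pc", ["192.168.100.1"], [("192.168.100.0/24", None)], default="192.168.100.254")
    pf = Node("pfsense", ["192.168.100.254", "192.168.0.200"],
              [("192.168.100.0/24", None), ("192.168.0.0/24", None)], default="192.168.0.1")
    isp = Node("isp", ["192.168.0.1", "198.51.100.7"], [("192.168.0.0/24", None)], default=INTERNET)
    if pfsense_nat:        # what Firewall -> NAT -> Outbound "Automatic" does for LAN
        pf.snat.append((ipaddress.ip_network("192.168.100.0/24"), "192.168.0.200"))
    if isp_static_route:   # what the ISP router would need if pfSense did not NAT
        isp.routes.append((ipaddress.ip_network("192.168.100.0/24"), "192.168.0.200"))
    return {"pc": pc, "pfsense": pf, "isp": isp}


def ping(nodes, src_name, dst):
    """Echo request from src_name to dst, then the echo reply back.
    Returns (where the request was delivered, where the reply ended up)."""
    src = nodes[src_name]
    where, arrived = deliver(nodes, src, {"src": min(src.addrs), "dst": dst, "dport": None})
    if where not in nodes:
        return where, None
    reply = {"src": arrived["dst"], "dst": arrived["src"], "dport": None}
    return where, deliver(nodes, nodes[where], reply)[0]


def inbound_ssh(nodes):
    """SYN from the internet (203.0.113.5, made up) to public port 22 with the
    port forwards chained: ISP router -> pfSense WAN -> Linux PC."""
    nodes["isp"].dnat[("198.51.100.7", 22)] = ("192.168.0.200", 22)
    nodes["pfsense"].dnat[("192.168.0.200", 22)] = ("192.168.100.1", 22)
    return deliver(nodes, nodes["isp"], {"src": "203.0.113.5", "dst": "198.51.100.7", "dport": 22})


if __name__ == "__main__":
    for nat, route in [(False, False), (True, False), (False, True)]:
        print(f"NAT={nat} static_route={route}: ping 192.168.0.1 ->", ping(build(nat, route), "pc", "192.168.0.1"))
    print("inbound ssh ->", inbound_ssh(build(True)))
```

Running it prints the request reaching the ISP router in all three cases but the reply ending at "internet" with neither NAT nor a static route, and at "pc" with either one; pinging 192.168.100.254 works in every case because pfSense itself answers, which matches the symptom of reaching the pfSense box but nothing beyond it.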