Changing from Asus router to pfsense prevents access to hosts on internal network
-
I have recently changed my router from an Asus DSL-AC88U to pfsense on a Protectli FW6B
The reason for doing this is because I changed from a standard rate ISP (10 mbs) to an ISP providing fibre (300 mbs)- and the NordVPN that I have been using could only manage around 20 mbs on the Asus router.
I installed pfsense based on the following two links
https://protectli.com/kb/how-to-install-pfsense-ce-2-4-on-the-vault-2/
https://www.tecmint.com/installation-and-configuration-of-pfsense-firewall-router/I then set up a LAN bridge based on the following link:
https://protectli.com/kb/how-to-enable-lan-bridge-with-pfsense/After completion of the above, most functionality that I had before is now working, but there are a couple of exceptions
The diagram below looked Ok in Notepad++, but may not appear correctly when posted--------|
pfsense | -> |--------|
| | 8 port | -> |------|
| | switch | | R Pi |
| | | |------|
| | |
| | | -> |------|
| | | | Enec |
| | | | sys |
| |--------| |------|
|
| --------------------------------> |---------|
| | Linksys | -> |--------|
| | Velop | | 5 port | -> |---------|
| -> PC | --------| | switch | | Freesat |
| -> | | |---------|
| -> | | -----------------> |----------|
--------| | | -> |---------| | IPTV |
|--------| | Nvidia | | streamer |
| Shield | |----------|
|--------- I have a Raspberry Pi set up to:
a) act as a server to an Enecsys solar panal Zigbee interface
b) send solar panel readings to a logging site - https://www.pvoutput.org/
Both of these items have a static IP address and are attached to an unmanaged switch, which itself is connected to one of the network interfaces on the Protectli
The Enecsys interface can 'see' the Rapsberry Pi, and the Raspberry Pi sends readings to the logging site
BUT
I can no longer ssh pi@<pi static ip>, whereas with the Asus router I could, now I get port 22: Connection timed out
I can no longer navigate in a browser to http://<enecsys static ip>, whereas with the Asus router I could, and I get
ERR_CONNECTION_TIMED_OUT- I have enabled
AND if I connect the Raspberry Pi and Enecsys interface directly to the spare pfsense router LAN ports, the Enecsys can no longer 'see' the Pi, and the Pi stops sending solar panel readings to the logging site
- I have a Freesat recorder connected to a 5 port switch (in a different room to the 8 port switch)
I can no longer navigate in a browser to http://<Freesat static IP>, whereas with the Asus router I could
Also ping returns 'request timed out'
After a bit of 'Googling' I came across the following link:
https://www.cyberciti.biz/faq/how-to-pfsense-configure-network-interface-as-a-bridge-network-switch/
which suggests adding a firewall rule on the Opt interfaces
I added the rule on the Opt interfaces and also on the Bridge0 interface, but neither case made a differenceI've posted in the General section, but please advise if it should go elswhere
I'm new to pfsense, so would appreciate any help
Thanks for reading and any advice -
@geoffdh said in Changing from Asus router to pfsense prevents access to hosts on internal network:
I then set up a LAN bridge based on the following link:
Why? What are your trying to achieve?
@geoffdh said in Changing from Asus router to pfsense prevents access to hosts on internal network:
The diagram below looked Ok in Notepad++, but may not appear correctly when posted
Hard to see anything there. You should provide a useful network diagram.
Seems to me, everything is connected to switches on only one subnet, but cannot be not sure on base of that.@geoffdh said in Changing from Asus router to pfsense prevents access to hosts on internal network:
BUT
I can no longer ssh pi@<pi static ip>, whereas with the Asus router I could, now I get port 22: Connection timed out
I can no longer navigate in a browser to http://<enecsys static ip>, whereas with the Asus router I could, and I get
ERR_CONNECTION_TIMED_OUTDid you also change your network when replace the ASUS router by pfSense?
-
viragomann - thanks for your quick reply
I don't have a drawing package, so sorry for the original effort at a network diagram
The quickest way was to do a hand drawn sketch and take a photo, which I hope is now attached
login-to-viewI will try and expand a bit more by answering your questions
-
Why? What are your trying to achieve?
The Protectli FW6B has 6 network ports
One is used for the WAN, so I wanted to try and use the other 5 in the same way as the ports on my previous Asus router
That way I could eliminate the 8 port switch and connect the Raspberry Pi and Enecsys interface directly to the Protectli FW6B, as the Asus router did not have enough ports -
Did you also change your network when replace the ASUS router by pfSense?
I did not change any of the existing network
The network to the right of the vertical dashed line is as it was when the Asus router was in place of the Protectli / pfsense
Above and below the horizontal line represents different physical locations
The Linksys Velop provides a wireless access point, centrally located within the house; it only has two network ports: one in and one out
I hope that makes sense and thanks for reading
-
-
@geoffdh said in Changing from Asus router to pfsense prevents access to hosts on internal network:
so I wanted to try and use the other 5 in the same way as the ports on my previous Asus router
Not a good idea at all - if you want switch ports, use a switch.. Also I assume that velop is doing nat.. So doesn't matter really what its wan IP is, its still going to nat.
You should use your wifi router as just AP if you want your stuff to all be on the same network.. You sure that is not doing nat - and is just an AP?
Nice hand drawing btw! ;)
For future reference - in a pinch you want to do some ascii network drawings ;)
https://textik.com
http://asciiflow.com/online drawing for network
https://creately.com
https://online.visual-paradigm.com/drive/#diagramlist:proj=0&new=NetworkDiagramThere are many many more options.. But your hand drawing is very nice!