Phone not accessing the internet after rule to avoid the router VPN

dma_pf

@dicmo I really think this is a Double NAT issue. pfSense is NATing traffic that is then being NATed again by the router. Somewhere in that process the routing is getting lost. Unfortunately, I have no experience working on that issue so my help is limited here.

I think the easiest thing to do is set the router to bridge mode....probably just the flick a switch. This will put all of the routing on pfsense which is certain to be more robust than on a commercial router. At that point your NAT rules should work.

If that's not an option you might want to check the pfSense docs here. There's also a pfSense Hangout that might be useful here. Then of course there's always searching around these forums and google for "Double NAT".

I'm sorry I can't shed more light on fixing the issue but please let me know how you resolve it. I'm really curious to know what fixes the issue.

Dicmo

@dma_pf hey, thanks for taking the time to look into this. At least, it gives me confidence that my rules make some sense. Since I am new to pfSense I was not so sure.

I will set the IPS Router in bridge mode in the next days, as I am busy right now trying to fix a couple other issues in the new system, as setting it in bridge mode was in the TODO list anyways. When I do I will report back. Hopefully it solves the issue, but what makes me not very hopeful is that accessing the ISP router was not working either and that is only one NAT. We will see. Again, thanks for your time.

dma_pf

@dicmo said in Phone not accessing the internet after rule to avoid the router VPN:

Hopefully it solves the issue, but what makes me not very hopeful is that accessing the ISP router was not working either and that is only one NAT.

Double NAT to the web is a different issue than the router issue. Here's how to access the router correctly:

https://docs.netgate.com/pfsense/en/latest/recipes/modem-access.html

Dicmo

@dma_pf ok, so I am ready to set access to the router and set the router in bridge mode, but I have some doubts that I was hoping you could resolve before I do.

First, I have read the instructions of the last link you have posted, but the issue is that I do not have a PPPOE interface. The interface talking with the ISP router is defined as a normal WAN. So I can not create another interface to do the NAT to the ISP router like the link says.

Also, I am wondering if I need to set up a PPPOE interfacce to put the router in bridge mode. I have been reading quite a bit on the internet and I can not fully undestand how the bridge mode works. For what I understand the ISP modem will keep having the 192.168.1.1 address (some people say there is a need to change it, others do not), and the pfsense interface facing the ISP router has to be listening for the DHCP server of the ISP (not from the ISP router in my house, from the ISP server) to assign an internet IP just like it would assign to the ISP router when not in bridge mode. Set up this way, the ISP router will just pass all the traffic with the internet IP's from the ISP server to the pfSense router, and only will react when he sees a packet for 192.168.1.1.

Can you please correct the misunderstandings that I might have and clarify the process? Thank you.

dma_pf

@dicmo said in Phone not accessing the internet after rule to avoid the router VPN:

The interface talking with the ISP router is defined as a normal WAN. So I can not create another interface to do the NAT to the ISP router like the link says.

Sorry about that. You'll have to create a vLAN first, then assign that vLAN to the same interface as the WAN. Then you can set the NAT Rules. Like this:

That should let you access the router's GUI.

@dicmo said in Phone not accessing the internet after rule to avoid the router VPN:

For what I understand the ISP modem will keep having the 192.168.1.1 address (some people say there is a need to change it, others do not), and the pfsense interface facing the ISP router has to be listening for the DHCP server of the ISP (not from the ISP router in my house, from the ISP server) to assign an internet IP just like it would assign to the ISP router when not in bridge mode. Set up this way, the ISP router will just pass all the traffic with the internet IP's from the ISP server to the pfSense router, and only will react when he sees a packet for

The way the router is working now is like this:

ISP -> assigns WAN IP Address To Router - > Router uses DCHP to assign IP addresses to clients - Pfsense (acting as a client to the router) receives an IP (not the WAN IP) from the router 's DHCP server and binds it to the WAN Interface. Pfsense then uses it's DHCP to assign a different IP addresses to it's clients.

In bridge mode the router works like this:

ISP -> assigns WAN IP Address To Router - > Router passes along the WAN IP Address to pfsense who then binds it to the WAN Interface. Pfsense then uses it's DHCP to assign a different IP address to it's clients.

As you can see above, in bridge mode the router is passive. It's just letting the ISP forward the WAN IP address to pfsense which then does all of the DHCP assignments and routing for the internal works. The internal networks then get routed out the pfsense WAN to the the router which passively (No NAT) sends it out to the ISP.

Depending on the protocol used by the ISP, routers can connect to the ISP in different ways. In bridge mode you will have to match that protocol in the WAN interface settings in pfsense by selecting the correct "IPv4 Configuration Type":

Dicmo

@dma_pf Ok, great. Thanks again.

One thing that is confusing me is, in bridge mode, if the ISP Router does not have its own IP, how can you access its web configuration page?

dma_pf

@dicmo said in Phone not accessing the internet after rule to avoid the router VPN:

One thing that is confusing me is, in bridge mode, if the ISP Router does not have its own IP, how can you access its web configuration page?

The router should have a default IP Address for the GUI from the manufacturer. If the ISP provides the router you should be able to find that info on the ISP's website. If not try googling for it. If it's not provided by the ISP google the make and model of the router.

If you want to take a wild stab at it try 192.168.1.1 ... it's handing out 192.168.1.0/24 addresses so it most likely in that network (192.168.1.1 to 192.168.1.254)

Dicmo

@dma_pf No, that is not the question. I can access the ISP router webconfigurator at 192.168.1.1 right now (if I am on its network obviously) and if I remember correctly the configuration allows to select the ISP router IP.

My doubt comes from this: when you put the router in bridge mode, you explain that the ISP gives an Internet IP to the ISP router and the router then passes that IP to the pfSense router. So the WAN interface of the pfSense has that IP. In that situation, which IP will I be able to use to access the webconfigurator of the ISP router?

dma_pf

@dicmo said in Phone not accessing the internet after rule to avoid the router VPN:

My doubt comes from this: when you put the router in bridge mode, you explain that the ISP gives an Internet IP to the ISP router and the router then passes that IP to the pfSense router. So the WAN interface of the pfSense has that IP. In that situation, which IP will I be able to use to access the webconfigurator of the ISP router?

As I mentioned in my previous post, you'll access the router's GUI by the default IP address of the router provided by the manufacturer. Now, that assumes that the router is in it's default state. If you've changed that IP network yourself and have selected to use the 192.168.1.0/24 network (and it is not the default network) then I'm not quite sure. At that point it would be a matter of whether or not the router will revert back to the default GUI IP address, or if the one you have selected (192.168.1.1) will "stick", when you select bridge mode.

In either case, you'll need to go through the steps I posted above to add another interface to have access to the GUI. The only difference being which network you'll be using for the static IP address in the Interface's settings in pfsense. (see bottom of picture)
The static IPv4 IP address has to be in the same network as the GUI network, but not the same IP address as the GUI. So for example, if the GUI is 192.168.1.1, the static needs to be between 192.168.1.2 to 168.168.1.254 (your pick!).

brians

Is this standard on cablemodems to use VLAN 1 for their management interface when in bridge mode?

On my Telus modem, I can set bridge mode on port 1 and the remaining three LAN ports are normal. I just connect one of those to my managed switch on an untagged port separate VLAN to access.

Previous Shaw modems I had when I enabled Bridge mode I think I had to access the default subnet somehow during bootup, reset the modem using pin, or contact Shaw to take it out.

Dicmo

@dma_pf Now that the problem with the connection going down is solved, I have come back to this. I have managed to put the ISProuter in bridge mode and now the pfSense router is connecting to the ISP directly.

It is expected, but I feel the connection is more snapy, there is less lag between asking for a webpage and it opening. Not having a second NAT from a underpower router will do that I guess.

Also, you were completely right and now the phone is connecting fine, the firewall rule to have the static IP of my phone routed through the WAN instead of the VPN_WAN is working. It was indeed the double NAT that was giving trouble as you suggested.

Now that the ISP Router firewall is down I am getting a lot of activity blocked by the pfSense firewall in the WAN interface, but that was to be expected too. Most of it from China from what I have sampled, also to be expected.

In case there is another "noobie" that it is reading, what I had to do after I had set up the ISPRouter in bridge mode is in pfSense go to Status->Interfaces, then in WAN release the DHCP lease (this is the one that I had with the ISPRouter, usually address 192.168.X.X) and then adquire the lease again (now with the ISP directly, the IP is completely different, not 192.X.X.X). This worked, but pfSense was confused about the routing, it was giving me error 65, which websearching told me it was lack of routing. So I went to System -> Routing, I changed the "Default gateway IPv4" from Automatic to WAN_DHCP, Save and Apply. Apparently that made pfSense get a sense of the routing again and everything was working fine. I switched it back to automatic, save and apply, and everything was working well still. So apparently pfSense needed a trigger to reshape the routing or something.

Now, the only issue is that I can still not access the ISPRouter from behind the pfSense Router. It is not the biggest deal, since I do not need to touch it anymore and I can access it by connecting a ethernet cable to it directly from the laptop, but I would like to have access from the pfSense LAN network. I think I followed @dma_pf advice but still not connecting. Here is the relevant configuration (feel free to ask for anything):

I created the VLAN interface and gave it a static address in the range of the ISPRouter address:

Then I created the rule in the NAT:

The problem with this is that the firewall was blocking access to 192.168.1.1 (as it should by the rules I had), so I created a new rule to allow access (the last rule before the default reject rules):

With all of this the connection is still not going through. It times out. For the record, the IP of the ISP Router is included in the Local_Network alias, so the two previous rules that deny it do not affect it. More evidence to this is that when the last pass rule was not present, the traffic to the ISPRouterHost was being catch by the Default reject rule, so the other rules were not being triggered (as expected). Plus, I added the rule to the logs and it is getting triggered when trying to access the ISPRouter IP.

Do I need to create a gateway and set it up in the firewall rule or with the NAT rule should be enough? I have not been able to find anything relevant in the logs, what can I do to debug and see what is happening?

dma_pf

@dicmo said in Phone not accessing the internet after rule to avoid the router VPN:

Do I need to create a gateway and set it up in the firewall rule or with the NAT rule should be enough? I have not been able to find anything relevant in the logs, what can I do to debug and see what is happening?

You don't have to set up a new gateway. But you do need to let the new ISPROUTERACCESS interface route out of pfsense to get to the router. Move this rule to the ISPROUTERACCESS tab in Firewall/Rules and change "LAN net" to "ANY" :

Dicmo

@dma_pf Still not working. This is what I did.

I moved the rule to ISPROUTERACCESS in the firewall and set destination to Any. The rule is logged. The problem here is that the origin is LAN and the Default reject rule of the LAN gets triggered, blocking the request from my LAN computer to the ISPRouter IP. The firewall rule at ISPROUTERACCESS never gets triggered.

I tried to duplicate the rule and have it both in LAN and ISPROUTERACCESS and still does not work. Only the rule in LAN gets triggered and the connection times out.

Maybe I misunderstood what you were suggesting.

dma_pf

@dicmo I looked over our discussion here, and also the configuration on the off-site pfsense where we have this working, more carefully. I do note that we have a rule set up in both the LAN and the router access interfaces.

The differences that I noted between our set up and yours are:

1. In the Routing/Gateways "Default Gateway IPv4" setting we have it set as WAN_DHCP and you have it as Automatic.

2. The LAN firewall rule on our pfsense looks like this:
   

3. The router access interface firewall rule looks like this:
   

In looking back at it more carefully, I'm not sure that the router access interface firewall rule is needed. I can't confirm that because have not tested without the rule and am not in a position to do so currently. But I do see that there isn't any traffic hitting the router access interface rule (0/0), whereas there is on the LAN rule (0/1.03).

4. I also noticed that in our NAT rules (which are in Hybrid Mode) there are 2 NAT rules that mention our modem's GUI network (192.168.100.0/24). The first one is a manual rule that looks like this:

The second one is automatic rule like this:

One last thought. Is the Web GUI on the router secured with a self-signed certificate? If so you may need to access it with https://192.168.0.1 if your browser does not automatically redirect to https in typing the IP address in the browser.

Good luck....I hope that helps!

dma_pf

@brians said in Phone not accessing the internet after rule to avoid the router VPN:

Is this standard on cablemodems to use VLAN 1 for their management interface when in bridge mode?

In my experience, when the router/modem is in bridge mode, this is the only way to access the GUI when you are trying to access the GUI from a network behind pfsense.

Dicmo

@dma_pf I tried all the same configuration you have and I can not connect. I even tried setting a gateway associated to the VLAN interface and route the traffic there. Rebooting. Nothing seems to work and I do not have the knowledge to really understand what is going on and fix it, so I think I will leave it, at least for now. I do not need to access the ISP router for anything now that it is in bridge mode and if I need to at some point I can access it by just connecting it to my laptop with an ethernet cable, so I do not think I will dedicate more time to this when I have a bunch of other stuff to set up. If anyone knows what is happening or has any suggestion, I will gladly try, but other than that, it is good how it is.

Once more, thanks a lot for the help, here and in the other post. I am not sure I would have succeeded setting everything up without your help and the help of this forum in general.

dma_pf

@dicmo I'm sorry we didn't get that last bit working. At this point I'm out of ideas but am fairly certain that this is not a pfsense issue. My gut sense says it's some setting in the router itself that is denying access to the GUI on the bridged port. But I'm glad you have a workaround if you need it. If you do figure it out some day please post the solution. I's love to know what it was.

I appreciate your thanks. It was a lot of fun getting you to where you are now. Seven years ago or so when I started using pfsense I really had no idea of networking. I've pretty much learned all of what I know through this forum. It's really a great community and I take pleasure in giving back to it when I can.