Netgate Discussion Forum

    Some questions please

    General pfSense Questions
    40 Posts 5 Posters 4.7k Views
    • I
      iammike @johnpoz
      last edited by iammike

      @johnpoz said in Some questions please:

      What I suggest you do is look on your isp device - what is its WAN IP??

      Currently, "what's my ip" is saying I am on: 223.205.xxx.xx; the WAN info my (ISP) router gives: 100.72.xx.xx

      Edit: Ps: The ISP provides a DDNS service and also in the ISP router I can setup No-IP (DDNS)

      Edit2: Added the word ISP to the router.

      • johnpozJ
        johnpoz LAYER 8 Global Moderator @iammike
        last edited by

        Ok well yes 100.72.x.x is CGNAT.. Does your isp allow forwarding traffic to this IP? If not you're never going to get inbound traffic - ie to your nas or anything else.

        The 223.205.x.x address is the actual public address they are natting your 100.72 address to.. For you to be able to see inbound traffic from the public internet they would have to forward ports from that 223 address to your 100.72 address.

        Do they do that? If they do, seems odd that they would be using cgnat in the first place. Unless they have some portal or something where you could request ports to forward to your cgnat IP..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

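The check described in the post above (compare the ISP router's WAN address with the address the internet sees), as an added example that is not part of the original thread. The function names are hypothetical and the sample addresses are constructed; `203.0.113.7` is a documentation address standing in for the real public IP.

```python
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr):
    """Return 'cgnat', 'rfc1918', 'special' or 'routable' for an IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return "special"
    # "routable" here only means: outside every range checked above.
    return "routable"


def inbound_path(router_wan, observed):
    """Compare the ISP router's WAN address with the externally observed one."""
    kind = classify(router_wan)
    same = ipaddress.ip_address(router_wan) == ipaddress.ip_address(observed)
    if kind in ("cgnat", "rfc1918"):
        # Another NAT sits upstream of the ISP router, so inbound traffic
        # only arrives if the ISP forwards it down to this address.
        return {"nat_upstream": True, "wan_kind": kind,
                "action": f"ISP must forward ports from {observed} to {router_wan}"}
    if kind == "routable" and same:
        return {"nat_upstream": False, "wan_kind": kind,
                "action": "a port forward or DMZ on the ISP router is enough"}
    return {"nat_upstream": None, "wan_kind": kind,
            "action": "addresses do not line up; recheck both readings"}


if __name__ == "__main__":
    # Constructed sample readings: (ISP router WAN, "what's my ip" result).
    for wan, seen in [("100.72.0.1", "203.0.113.7"),
                      ("203.0.113.7", "203.0.113.7")]:
        print(wan, seen, inbound_path(wan, seen))
```
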
        • I
          iammike @johnpoz
          last edited by iammike

          @johnpoz

          Yes they do!!

          They have that portal in place (link here: https://fiber.3bb.co.th/en/%E0%B8%8A%E0%B9%88%E0%B8%A7%E0%B8%A2%E0%B9%80%E0%B8%AB%E0%B8%A5%E0%B8%B7%E0%B8%AD/3bb-ddns/ ) in which you can forward 10 ports (for me in the range 34xxx)

          I can post you a screenshot to the actual portal but I doubt you can understand much as it's in Thai

          As I am just investigating (nothing bought yet) I just wanna do it the right way from the start that is why I am looking for advice on this!

          Thx

          • johnpozJ
            johnpoz LAYER 8 Global Moderator @iammike
            last edited by johnpoz

            Well - if you can get traffic to your isp router, and you can either forward it there. Or you can put your future pfsense in the "dmz" of the isp router then sure you can do what you want. No matter what the IPs are.. example

            public IP -- isp (100.64/10) cgnat - isp router - 192.168.1/24 - pfsense - 10.0.0/24 -nas

            Then sure you can get traffic that hits this public IP to get to your nas on port X..

            edit: I personally would not suggest you open your nas to the public.. If you want to access your nas while remote it's better to vpn into your network.. This is much more secure setup.

            • I
              iammike @johnpoz
              last edited by iammike

              @johnpoz

              Thx. Yes Port forwarding I can do on the ISP Router no problem, I already tested that. Port forwarded on the ISP router which got handled by the ASUS and got sent to a Sample Webserver on a PI! Works great.

              That VPN setup I will get back to in the future as that's my ideal goal! But better take it step by step!

              Another question if I may.

              Are there any caveats (read: precautions) I have to look out for when putting the pfsense in the DMZ? (edit 2: Any reading material ???)

              Thx, really appreciated!

              Edit: First step for me is to incorporate the pfsense in the network and let it handle DHCP / Firewall etc before going to the step of opening up the network to the outside world)

              • johnpozJ
                johnpoz LAYER 8 Global Moderator @iammike
                last edited by johnpoz

                @iammike said in Some questions please:

                I have to look out for when putting the pfsense in the DMZ?

                No.. It's no different than if it was exposed to the public internet.. All the isp router dmz is, is really a big port forward of all traffic that hits its wan.

                Out of the box pfsense blocks all unsolicited inbound traffic to its wan..

                edit: The point of the dmz thing on the isp router, is so you don't have to setup port forwards on it.. Because you will be controlling what gets to your actual devices via port forwards on pfsense.

                  • I
                    iammike
                    last edited by iammike

                    Update:

                    Pfsense ordered coming in the next week or so.

                    I went again to my provider and asked about the DDNS, and they made me a better offer.

                    I now (in the next couple of days) have 1 (Public) IP Address and thus get rid of CG-NAT. And because of a promotion they are having I am getting an increase in speed from 100/100 -> 300/300, 1 Static Ip address all for the same monthly fee as before. 😀

                    • JKnottJ
                      JKnott @iammike
                      last edited by

                      @iammike

                      Yep, you can often get a better deal if you call your provider occasionally and see what they have to offer. I have done that several times with both my cable services and cell phone.

                      PfSense running on Qotom mini PC
                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                      UniFi AC-Lite access point

                      I haven't lost my mind. It's around here...somewhere...

                      • I
                        iammike @JKnott
                        last edited by

                        @jknott

                        Thx yes indeed, but we only live less than 1 year at this address, and normally they don't change promotions here until that year has passed. But now the contract for the "new" one is 2 years.

                        OK, now for something completely different

                        I am thinking of setting the Netgate 1100 (which I ordered) like this.

                        ISP Modem network
                        192.168.1.1

                        ISP Modem DMZ
                        192.168.1.2

                        Pfsense wan
                        192.168.1.2

                        Pfsense lan
                        10.0.0.1

                        Would this work in my case?

                        TiA

                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator @iammike
                          last edited by johnpoz

                          Makes no difference what rfc1918 space you use.. As long as your wan and lan do not overlap.

                          I sure hope you don't plan on using 10.0.0.0/8 as your mask for your lan ;) I would assume /24 is more than enough for your devices.

                          Also just clarification on terminology.. The isp "network" would not be 192.168.1.1, that is a host address. 192.168.1.0/mask would be a network.

                          With your new deal with your isp - is there a way to get rid of the double nat, and just put your isp device in bridge mode, so you get your shiny new public IP directly on pfsense wan?

                          • I
                            iammike @johnpoz
                            last edited by

                            @johnpoz said in Some questions please:
                            Thanks for the clarification. Yes will use 10.0.0.0/24 for my LAN

                            With your new deal with your isp - is there a way to get rid of the double nat, and just put your isp device in bridge mode, so you get your shiny new public IP directly on pfsense wan?

                            Unfortunately NO, I asked but it was a BIG NO-NO (why, no idea they wouldn't give me an explanation), but I will try and ask again in a couple of weeks, also will "pester" their Phone Support

                            • JKnottJ
                              JKnott @iammike
                              last edited by

                              @iammike

                              I thought you said you were getting a public IP.

                              "I went again to my provider and asked about the DDNS, and they made me a better offer."

                              • I
                                iammike @JKnott
                                last edited by iammike

                                @jknott said in Some questions please:

                                I thought you said you were getting a public IP.

                                @iammike

                                "I went again to my provider and asked about the DDNS, and they made me a better offer."

                                Yes I am getting (already have) a Public IP address (1.4.x which shows both in the Wan Section of the ISP Router and in What's my IP), but the question from @johnpoz was about them putting the ISP modem in Bridge Mode so that the Pfsense can handle everything and that they refused to do that.

                                Edit: Or do you mean something else? 🤔

                                • I
                                  iammike @iammike
                                  last edited by

                                  Sorry if this is off topic, remove if it is.

                                  Question, about connecting to a remote server through a VPN when the local network subnet address is the same as the remote network.

                                  My friend started to get enthusiastic what I am trying to do with the pfsense. His network is identical as mine (so 10.0.0.0/24 for the lan same as mine)

                                  When setting up the VPN server in his ASUS when connecting with an iPhone via 4G it works great, but when connecting with the PC in my House I can't connect.

                                  VPN is connected and it also shows in the Asus that I am connected.

                                  My guess is it has something to do with the local network subnet address being the same as the remote network. (Both 10.0.0.0/24)

                                  Correct or am I missing something here?

                                  • johnpozJ
                                    johnpoz LAYER 8 Global Moderator @iammike
                                    last edited by

                                    @iammike said in Some questions please:

                                    Correct or am I missing something here?

                                    You're not... Why would traffic go down a vpn tunnel to get to 10.0.0.X if 10.0.0 is the local network..

                                    Use something different than 10.0.0, its COMMON! Just like 192.168.0 or 192.168.1 are.. Use 10.42.0/24 for example for your network.

                                    Then you don't have a problem except for the idiots using 10/8 for their local network ;)

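An overlap check for the addressing discussed in the thread (WAN versus LAN behind a double NAT, and the two ends of a VPN), as an added example that is not part of the original posts. The function names and site labels are hypothetical and the plans are constructed from the subnets mentioned above.

```python
import ipaddress
from itertools import combinations


def to_network(cidr):
    """Accept a host-with-mask such as 192.168.1.2/24 and return its network."""
    return ipaddress.ip_network(cidr, strict=False)


def find_overlaps(segments):
    """segments: {name: cidr}. Return sorted (name_a, name_b) pairs that overlap."""
    nets = {name: to_network(cidr) for name, cidr in segments.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def is_on_link(local_cidr, dest):
    """True when dest falls inside the local subnet, so a host treats it as local."""
    return ipaddress.ip_address(dest) in to_network(local_cidr)


# Constructed plans. "site-a" is the pfSense site behind the ISP router,
# "site-b" is the remote end of the VPN.
BEFORE = {
    "site-a-wan": "192.168.1.2/24",  # pfSense WAN inside the ISP router's LAN
    "site-a-lan": "10.0.0.1/24",
    "site-b-lan": "10.0.0.1/24",     # same subnet at the far end of the tunnel
}
AFTER = {
    "site-a-wan": "192.168.1.2/24",
    "site-a-lan": "10.42.0.1/24",    # renumbered to a less common range
    "site-b-lan": "10.0.0.1/24",
}
# A third network configured with a /8 mask collides with every 10.x.x.x LAN.
WIDE = {**AFTER, "remote-wide": "10.0.0.0/8"}

if __name__ == "__main__":
    for label, plan in (("before", BEFORE), ("after", AFTER), ("wide", WIDE)):
        print(label, find_overlaps(plan))
    # A 10.0.0.x destination is on-link for a 10.0.0.0/24 host but not
    # for a host in 10.42.0.0/24.
    print(is_on_link("10.0.0.1/24", "10.0.0.50"),
          is_on_link("10.42.0.1/24", "10.0.0.50"))
```
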
                                    • I
                                      iammike @johnpoz
                                      last edited by

                                      @johnpoz

                                      Thx for the confirmation.

                                      Now I have to start arguing with my friend on who is going to change their network

                                      Thx again, really appreciated.

                                      • johnpozJ
                                        johnpoz LAYER 8 Global Moderator @iammike
                                        last edited by

                                        There are ways around it with nat.. But why, when you both should change to something not so "common"

                                        • I
                                          iammike @johnpoz
                                          last edited by

                                          @johnpoz said in Some questions please:

                                          There are ways around it with nat.. But why, when you both should change to something not so "common"

                                          Thx, but no I don't want that (read: ways around it). I am just experimenting with this (on the ASUS) till the pfsense arrives, and this exercise was a good learning experience.

                                          And using the pfsense for this will be the goal (and I think my friend is going to order one as well) and the ASUS will end up being only a Wifi AP.

                                          So any range in the 10.0.0.0 would do?

                                          For example

                                          Me 10.124.0.0/24 and him 10.95.0.0/24 ?

                                          Ps: Why these numbers? They are our house numbers

                                          • Cool_CoronaC
                                            Cool_Corona
                                            last edited by

                                            ASUS routers get regular updates as well as pfsense.

                                            They have WIFI built in and can do MESH which is important if you have a multistory house.

                                            Pfsense is a homelab/small business firewall and nothing else.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.