Netgate Discussion Forum
    PfSense behind ISP modem/router combo

    johnpoz LAYER 8 Global Moderator @viragomann

      @viragomann said in PfSense behind ISP modem/router combo:

      The double NAT is not an obstacle for running OpenVPN behind

      Very true - but users have issues with configuring their isp device doing nat in front of pfsense, and with the export of config where it gives the wan rfc1918 address vs the actual public IP.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      stephenw10 Netgate Administrator

        @cmos_battery said in PfSense behind ISP modem/router combo:

        I'm getting the packets like expected

        What packets are you getting exactly?

        What I would do here is run a packet capture on the pfSense WAN for the port you have OpenVPN running on (1194 by default). Then try to connect to it via some external network, using your phone as a hotspot for example. Make sure you see that traffic arriving on WAN from the expected external IP.
        If you don't then the ISP device is not correctly setup.

        Switching to L2TP over IPSec is not going to help here IMO.

        Double NAT will work fine for almost everything. One thing that will fail is UPnP and many games are unfortunately (and inexplicably!) completely reliant on it. It's a significant security risk anyway which is why UPnP is disabled by default.

        Steve

        CMOS_BATTERY @viragomann

          @viragomann

          I’ve set in the OpenVPN wizard the two checked boxes at the end to enable it for the firewall and WAN. In addition, I did go ahead and removed the checked boxes for Bogon networks and private networks. My virtual network is 10.2.0.0/24. I’ll have to get off work and provide some more details and look through all the info and get pictures.

          stephenw10 Netgate Administrator

            Block bogon or private networks should not normally make any difference. It would only change anything if the ISP device was source NATing forwarded traffic which is unlikely.

            If the ISP device has ever forwarded any OpenVPN traffic you should see state creation on the firewall rule on WAN. That gets cleared if you rebooted though.

            johnpoz LAYER 8 Global Moderator @CMOS_BATTERY

              @cmos_battery said in PfSense behind ISP modem/router combo:

              I did go ahead and removed the checked boxes for Bogon networks and private networks

              With @stephenw10 - why? That amounts to randomly clicking shit, in the hope of getting something to work ;)

              In what scenario would you be hitting your WAN for VPN access via a bogon or RFC1918 address?

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

                CMOS_BATTERY @johnpoz

                @johnpoz

                I’ll probably just have to drop attempting the VPN. I’m stuck in a bit of a loop of being able to access it from the ISP router, but nothing seems to be able to ever get outside when I’m on the public networks.

                I’ve created a port forward on the ISP device but lately it seems I can never get ports to open or get my port checkers to see them. Probably just a shit should we of a network I.

                  johnpoz LAYER 8 Global Moderator @CMOS_BATTERY

                  This isn't rocket science... You have a public IP on your ISP router, 1.2.3.4 let's say, and you forward UDP 1194 to your pfSense WAN IP, 192.168.1.50 for example.

                  Now you hit 1.2.3.4 from your client on 1194...

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                    CMOS_BATTERY @johnpoz

                    @johnpoz

                    Well if that was the case I wouldn’t be in said position. I’ve used the wizard to create the OpenVPN, I’ve allowed bogon and private networks. I’ve used the pre done firewall and NAT rules, port forwarded the OpenVPN port to the WAN.

                    The main issue is that neither the ISP device nor the pfSense will open ports.

                      stephenw10 Netgate Administrator

                      If you can hit the OpenVPN server and connect when your client is in the 192.168.1.X subnet then pfSense is configured correctly.

                      Either the ISP device is not setup to forward the traffic to pfSense or the client is using the pfSense WAN IP to try to connect, 192.168.1.94. Obviously that won't work externally.

                      If you used the OpenVPN client export package what did you set 'Host Name Resolution' as?
                      By default it will use the WAN IP directly which would fail in your case.
                      Check the client connection logs. Be sure it's connecting to the real public IP.

                      It should definitely be possible to get this to work with a little troubleshooting.

                      Steve

                        CMOS_BATTERY @stephenw10

                        @stephenw10
                        Currently it's using the interface IP address, which would probably be the WAN. There are 3 other options: Multi-WAN IPs, Multi-WAN DDNS, and then installation hostname. Which should be used? Is there a way to specify my public IP address instead?

                          johnpoz LAYER 8 Global Moderator @CMOS_BATTERY

                          @cmos_battery said in PfSense behind ISP modem/router combo:

                          Currently it's using the interface IP address which would probably be the WAN.

                          Which would be RFC1918, since you're behind a NAT - how would you get to that from the public internet?

                          Think about it for 2 seconds..

                          I really don't mean to sound rude or anything.. But you put up a drawing showing your pfsense interface as being rfc1918.. How would you get to that from the public internet? So how would you think the interface IP would work?

                          hint:

                          [image: ip.png]

                          Your actual PUBLIC IP! Or an FQDN that resolves to your public IP.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11
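Added example, not from the thread or from Netgate: a small Python check for the two failure points covered in this post and in Steve's packet-capture advice above, a client profile whose remote is the pfSense WAN RFC1918 address, and a WAN capture that should show UDP/1194 arriving from the tester's real external IP. The profile, the capture lines and every address in them are constructed.

```python
# Added example (not from the thread): checks for the two failure points discussed
# above: a client profile whose "remote" is the pfSense WAN RFC1918 address, and a
# WAN capture that should show UDP/1194 arriving from the tester's real external IP.
import ipaddress
import re

# RFC1918 plus CGNAT (RFC6598) space: unreachable from the public internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def is_non_routable(host):
    """True if host is an IP in private/CGNAT space. Hostnames return False
    (an FQDN is fine as long as it resolves to the public IP)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in NON_ROUTABLE)

def check_remotes(ovpn_text):
    """Return [(host, port, ok)] for every 'remote' line of a client profile."""
    results = []
    for line in ovpn_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "remote":
            port = parts[2] if len(parts) > 2 else "1194"
            results.append((parts[1], port, not is_non_routable(parts[1])))
    return results

# tcpdump -n style line: "HH:MM:SS.frac IP src.sport > dst.dport: UDP, length N"
PKT = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP")

def external_sources(capture_lines, port=1194):
    """Source IPs of inbound UDP packets to `port` that came from outside
    private space, i.e. proof the ISP device actually forwarded them."""
    seen = set()
    for line in capture_lines:
        m = PKT.search(line)
        if m and int(m.group(4)) == port and not is_non_routable(m.group(1)):
            seen.add(m.group(1))
    return seen

if __name__ == "__main__":
    # Constructed profile: first remote is the WAN RFC1918 address the export
    # package picks by default, the second the public IP it should use instead.
    profile = "client\nremote 192.168.1.94 1194 udp\nremote 203.0.113.10 1194 udp\n"
    print(check_remotes(profile))
    cap = ["12:00:01.000000 IP 198.51.100.23.40000 > 192.168.1.94.1194: UDP, length 54",
           "12:00:02.000000 IP 192.168.1.20.40001 > 192.168.1.94.1194: UDP, length 54"]
    print(external_sources(cap))
```

An empty set from `external_sources` while the phone-hotspot client is connecting means the ISP device never forwarded the port, which is exactly the case Steve describes.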

                            CMOS_BATTERY @johnpoz

                            @johnpoz

                            Ok, well, thanks for not being rude. My professors haven’t taught me too much on VPNs, seeing as I’m only a sophomore.

                            And I’m just seeing your hint. Thank you, I had seen other. Again, I’m just a sophomore in a CIS program. Thank you for giving me a learning moment, I haven’t been able to get much lab time with Covid and the professors eased up on our work. We haven’t been getting all the info we really need.

                            It is working so far within my home network; I have the server's address posted as the public IP. I'll just need to go out to a close-by store and test it.

                              johnpoz LAYER 8 Global Moderator @CMOS_BATTERY

                              So you have not gone over what a public IP is vs rfc1918 yet? I would think that would be like day 1 or 2 ;) When learning about IPs..

                              This would be top of the list sort of stuff to understand when working with natting and routing and the internet. ;) Would clearly be a prerequisite for setting up a vpn server that does nat and is connected to the public..

                              Since pretty much every single home router does NAT, well really NAPT, and uses RFC1918 space as their local network, understanding the difference between a public IP and a private IP would be pretty early in the lesson plan ;) Were you sick the first week and missed class? I kid you - but this is basic stuff here..

                              I have to blame the teacher I guess ;)

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                                stephenw10 Netgate Administrator

                                Unfortunately it's all too easy to come across as either incredibly patronizing or incomprehensible depending on the experience of the questioner. 😉

                                You said you were seeing packets as expected on the WAN, which led me down the wrong path.

                                Anyway, I think that is your issue. As a test I would just set the client to use the external public IP manually and retest. If you can do that at the same time as having a packet capture running on the pfSense WAN (using a phone hotspot for example) you should see that traffic coming in even if the connection fails for some other reason.

                                Steve

                                  CMOS_BATTERY @johnpoz

                                  @johnpoz
                                  Most of my classes that teach me that information won't come until the end of my sophomore year, next spring and fall. My entire freshman year and this upcoming fall semester is nothing but stats, business calculus, and low-level intro classes like your basic high school classes all over again, and for a ton of money.
                                  I don't understand, even in my networking associates, why we avoided VPNs so much. I remember briefly doing Public vs. Private and that we should assume all 10.X.X.X addresses are private, and a few others. For the most part we got told "you'll just learn it through the companies you work for." or the even better "If the company is good, you just need to maintain what they have." That's a great fantasy scenario from my professors, I mean really. What would I do if a branch popped up and my boss asked for them to get remote connection to the servers? I can't just say I don't know. At the same time, yeah, I feel like a dumbass having to ask some questions here that I feel like my $30K degree should have taught me.

                                    JKnott @CMOS_BATTERY

                                    @cmos_battery

                                    One thing to bear in mind is there's nothing magic about VPNs. They're just one way to establish an IP connection between sites. Once they're set up, you use them as you would any other connection. Years ago, things like frame relay and fractional T1s were used. These days, out in the real world, you might come across MPLS or QinQ VLANs. As for setting up VPNs, you have to know which one, and the specifics depend on the brand. For example pfSense supports OpenVPN, IPsec and WireGuard VPNs. But the details of configuring IPsec, for example, on Cisco would differ from pfSense. I don't know that a class such as yours is the place to learn more than general principles, though you may get into setting up one. But when you get out into the real world, you could easily find yourself working with another. The principles will remain the same, but the details may differ and you'd be expected to work those out on your own. One thing I complained about years ago was the schools teaching Windows and Microsoft Office, rather than operating systems and office apps, so that a person would have portable skills. It's sort of like an auto mechanic class teaching only one make of vehicle, as though the others didn't exist.

                                    PfSense running on Qotom mini PC
                                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                    UniFi AC-Lite access point

                                    I haven't lost my mind. It's around here...somewhere...

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.