Netgate Discussion Forum

    pfSense behind ISP Router

networkingpeasant

Hello everyone. I just finished installing pfSense on a PC I built with scraps lying around because I wanted to try it out. Basically I have my ISP-provided Bell HomeHub3000 (192.168.2.1) connected via fiber --> Then my pfSense WAN (192.168.2.43) interface is connected to the HomeHub's LAN port. The pfSense's LAN (192.168.38.1) interface is connected to my switch which has only a laptop connected. Then I have a PC connected to the HomeHub's other LAN port.

      I am having an issue where the laptop behind the firewall cannot ping/communicate with the PC or any other devices outside of the firewall. The PC outside the firewall also cannot ping/communicate with the devices inside behind the firewall. I would love to get this working because I want to be able to access the devices inside the firewall from my other computer in the house that is not behind the firewall.

      I have attached an image with my setup so someone can understand what I am talking about better.

Any help is much appreciated, thanks!!!
[attachment: Capture.PNG]

KOM @networkingpeasant

@networkingpeasant By default, WAN blocks all RFC1918 addresses so you won't be able to access your LAN from the Internet without editing that setting, and you're stuck with a double-NAT config so you're screwed anyway. You should check with your ISP to see if your modem can be switched to bridged mode.

        As for your LAN clients, "can't communicate" is pretty vague. Can they ping 8.8.8.8? Can they resolve www.netgate.com via nslookup? Default LAN rules allow all LAN clients anywhere.

networkingpeasant @KOM

          @kom Thanks for the reply, I will give them a call and see if I can switch the modem to bridged mode. As for the LAN clients, they can ping 8.8.8.8 and resolve www.netgate.com.

Is there no workaround for the double-NAT config? Say I can't switch the modem to bridged mode, does that mean I'm screwed?

KOM @networkingpeasant

            @networkingpeasant OK so LAN clients seem to be working. I'm confused by what you meant when you said LAN clients had Internet but couldn't communicate with devices outside the firewall. What devices? The machine at .2.68? How is .2.68 connected here, direct from an ethernet port on the modem?

            Unless you are able to configure port forwards on the modem (very unlikely) then unsolicited inbound traffic from the Internet won't be forwarded to your LAN. Not much you can do without bridge mode.

networkingpeasant @KOM

@kom So I have my laptop behind the firewall. It can access the internet with no problem. When I ping my PC (192.168.2.62) from my laptop (192.168.38.10) or vice versa, there is no reply. The PC (192.168.2.62) is connected to a LAN port on the modem. I am able to configure port forwarding; if I were to port forward, what would I do?

I want to be able to access the pfSense web GUI from my .2.62 PC.

KOM @networkingpeasant

                @networkingpeasant You don't need a port forward. You need to go to Interfaces - WAN and uncheck the Block private networks and loopback addresses box.

Next, go to Firewall - Rules. Select the WAN tab. Add a Pass rule for Source 192.168.2.68, Destination This Firewall, Dest Port 80 or 443 depending on what you configured WebGUI to use.

mr.rosh

Go to Interfaces, WAN, right at the bottom,
[attachment: 6bd627d2-c69e-44b8-8c45-456363b2c708-image.png]

Untick those two options.

Save and apply.

Then in Firewall | Rules, LAN tab, create rules where source is your LAN network and destination is your WAN IP addresses, and allow ports/protocols as required.

Save | apply and test.

networkingpeasant @mr.rosh

@mr-rosh No luck.

networkingpeasant @KOM

@kom No luck either.

Bob.Dig @networkingpeasant

@networkingpeasant Don't connect anything other than the pfSense to the ISP router.

networkingpeasant @Bob.Dig

@bob-dig I will unplug the PC from the modem and plug it into my switch (which is behind the firewall).
There are still 2 clients connected to the modem but I do not need access to them; will it affect them in any way?

mr.rosh @networkingpeasant

@networkingpeasant Technically, to avoid further issues, move all devices off the modem [except pfSense], plug them into the switch and ensure they are on the 192.168.31.x IP range. Reset should be painless.

Gertjan @mr.rosh

                                @networkingpeasant

                                pfSense behind ISP Router

                                That kind of setup is not rare, I guess it's even the most common.

My ISP router uses 192.168.10.1/24 - pfSense obtains on its WAN interface 192.168.10.3, because it's using the default DHCP client on WAN.

I can visit the GUI of my ISP router just fine: 192.168.10.1:

[attachment: 790ea68b-dc41-4406-a225-15d1b7291454-image.png]

                                If I was connecting some other device like a PC to my ISP router (it has a 4 port LAN switch), it would obtain an IP like 192.168.10.x/24 and I would be able to ping this device from behind pfSense.

My pfSense WAN firewall rules:

[attachment: 3c4b45f3-cdfe-4a3f-ad1a-3fba9fe97b5c-image.png]

The first rule: my pfSense WAN IP (192.168.10.3) replies to ping. This is purely optional.
The second rule is my OpenVPN access from the outside world. My ISP router has the same NAT rule (entering UDP port 1194 to the IP of pfSense).
The third rule is used for my "Munin" setup. Purely optional.
The last (4th) rule is an explicit "block everything".

As said above: you should place all your local devices behind pfSense.
                                You shouldn't even use the Wifi capabilities of your ISP router, place an AP behind pfSense and use that one.

There are exceptions: I have a TV box that has to be connected directly to the ISP box.
Some of us have a VoIP phone box; this should also be connected to the ISP router directly.

Edit: and where are the logs??

networkingpeasant @Gertjan
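KOM's fix (clear "Block private networks", then add a WAN pass rule to "This Firewall") and Gertjan's four-rule WAN ruleset both come down to pfSense's first-match evaluation on WAN. The following is an added example, not code from the thread or from pfSense: a small model of that evaluation, assuming the automatic RFC1918 block rules sit ahead of the user's WAN rules and that an implicit default deny closes every ruleset (which is also why Gertjan's explicit "block everything" changes nothing but logging). The thread names the household PC as both .2.62 and .2.68; the model shows the pass rule only admits the address it actually names.

```python
# Added example, not code from the thread or from pfSense itself: a small
# first-match model of a pfSense WAN ruleset. It assumes (as pfSense does) that
# the automatic "Block private networks" rules precede the user's WAN rules.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WAN_IP = "192.168.2.43"  # the pfSense WAN address given in the first post


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    src: str                  # CIDR or "any"
    dst: str                  # CIDR, "any", or "self" (pfSense's "This Firewall")
    proto: str = "any"        # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None


def _addr_match(spec: str, addr) -> bool:
    if spec == "any":
        return True
    if spec == "self":        # modelled as the WAN address only (simplification)
        return addr == ip_address(WAN_IP)
    return addr in ip_network(spec)


def matches(rule: Rule, src: str, dst: str, proto: str, dport=None) -> bool:
    return (_addr_match(rule.src, ip_address(src))
            and _addr_match(rule.dst, ip_address(dst))
            and rule.proto in ("any", proto)
            and (rule.dport is None or rule.dport == dport))


def wan_ruleset(block_private: bool, user_rules) -> list:
    """Automatic RFC1918 block rules (if the checkbox is set) come first."""
    auto = [Rule("block", str(n), "any") for n in RFC1918] if block_private else []
    return auto + list(user_rules)


def verdict(ruleset, src: str, dst: str, proto: str, dport=None) -> str:
    """First matching rule wins; with no match the implicit default deny applies."""
    for rule in ruleset:
        if matches(rule, src, dst, proto, dport):
            return rule.action
    return "block"


# KOM's suggested WAN rule: the household PC to the firewall's HTTPS web GUI.
KOM_RULE = Rule("pass", "192.168.2.68/32", "self", "tcp", 443)

if __name__ == "__main__":
    for checkbox in (True, False):
        print(checkbox, verdict(wan_ruleset(checkbox, [KOM_RULE]), "192.168.2.68", WAN_IP, "tcp", 443))
```

With the checkbox set the RFC1918 block matches first and the pass rule is never reached; with it cleared only 192.168.2.68 to TCP/443 on the WAN address passes, and everything else, including a ping from .2.62, falls through to the default deny.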

                                  @gertjan said in pfSense behind ISP Router:

                                  If I was connecting some other device like a PC to my ISP router (it has a 4 port LAN switch), it would obtain an IP like 192.168.10.x/24 and I would be able to ping this device from behind pfSense.

In this scenario, your pfSense is behind the ISP router which a PC is connected to, and you would be able to ping that PC from the pfSense LAN devices? For me my LAN is 192.168.38.x, and I can't ping any devices outside the firewall, which use 192.168.2.x.

Bob.Dig @Gertjan

                                    @gertjan said in pfSense behind ISP Router:

                                    The last (4) rule is an explicit "block everything"

                                    Since when is this needed? 😨

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.