How to configure pfSense with ISP router (no bridge mode)



  • I am trying to set up a new pfsense box but can't find any info and I am not sure how to proceed. Here is my current setup:

    Crappy ISP ADSL modem / router (MUST USE and no bridge mode option :( )
    8-port switch (unmanaged)
    Single ethernet cable connects router to switch
    Some devices use ISP router's wifi (not essential)

    What I thought would work was to simply connect pfsense WAN port to ISP router and pfsense LAN port to the switch. This however resulted in failed pings, either local or remote, no web GUI or internet anywhere on the network. I tried resetting to factory default settings and manual config but still nothing. Connecting an extra ethernet cable from ISP router to switch (Obviously this is not a useful setup) allowed me to ping and access web GUI but oddly if I unplug pfsense WAN cable I lose all connection to pfsense as before so it seems I am connecting to WEB GUI via WAN port and can't connect via LAN port. Why is that?

    What is the proper way to configure my ISP router and pfsense? I don't need any ISP router features but there is no way to disable them and there is no bridge mode option. I also assume PPPoE is not an option here since it's an ADSL router and so would still need a modem?


  • LAYER 8 Global Moderator

    "What I thought would work was to simply connect pfsense WAN port to ISP router and pfsense LAN port to the switch. "

    That really is all that is required.. Where you could have a problem is if the network your ISP router is using overlaps with the LAN network of pfsense.

    While double nat is not normally the desired mode of operation.. It will work just fine.. It really is just click and go..



  • @johnpoz:

    "What I thought would work was to simply connect pfsense WAN port to ISP router and pfsense LAN port to the switch. "

    That really is all that is required.. Where you could have a problem is if the network your ISP router is using overlaps with the LAN network of pfsense.

    While double nat is not normally the desired mode of operation.. It will work just fine.. It really is just click and go..

    Ok so at least I know it should be as simple as I thought. Regarding overlapping IPs, I did see that error when trying to set static IP for WAN in Web GUI but it was and is now DHCP so I am not sure how I can avoid overlaps in this case. Is DHCP the correct option for WAN port in the first place? DHCP is enabled on the ISP router too, should it be disabled/enabled on the ISP router and/or pfsense?



  • @dominicm:

    Ok so at least I know it should be as simple as I thought. Regarding overlapping IPs, I did see that error when trying to set static IP for WAN in Web GUI but it was and is now DHCP so I am not sure how I can avoid overlaps in this case. Is DHCP the correct option for WAN port in the first place? DHCP is enabled on the ISP router too, should it be disabled/enabled on the ISP router and/or pfsense?

    You can set the IPv4 network on the LAN page.  Just choose a block that's different from where the WAN address is.  Then make sure DHCP is set up for that network.



  • @JKnott:

    You can set the IPv4 network on the LAN page.  Just choose a block that's different from where the WAN address is.  Then make sure DHCP is set up for that network.

    I actually had static IP config in the LAN interface which I guess explains why I couldn't connect. For it to work with static LAN IP I would have had to configure clients manually, right? I tried changing it to DHCP but I get this error:

    The DHCP Server is active on this interface and it can be used only with a static IP configuration. Please disable the DHCP Server service on this interface first, then change the interface configuration.
    

    This makes no sense since DHCP is not used on LAN interface.



  • If you use static config on the LAN, instead of DHCP, you have to configure everything, including default gateway and DNS on every device.  Is there some reason you don't use DHCP?  It saves a lot of configuration.  Regardless, your LAN network cannot overlap your WAN IP.  I'm not sure why you're getting that error, as I can't see your config.

    What is the WAN address and what are you configuring your network for?



  • @JKnott:

    If you use static config on the LAN, instead of DHCP, you have to configure everything, including default gateway and DNS on every device.  Is there some reason you don't use DHCP?  It saves a lot of configuration.  Regardless, your LAN network cannot overlap your WAN IP.  I'm not sure why you're getting that error, as I can't see your config.

    What is the WAN address and what are you configuring your network for?

    That was just a mistake, I do want to use DHCP. I did a factory reset just now, lost web GUI access on 192.168.1.1

    Connected a monitor, assigned WAN and LAN interfaces, no other changes. With WAN cable disconnected there is no IP shown on the screen as opposed to with WAN cable connected. LAN IP shows up as 192.168.1.1 but no WEB GUI access on that IP, http or https. In ISP router web interface pfsense shows up as 192.168.0.18 but that IP doesn't work for web GUI either. No clue why default settings are failing. Now even with both LAN and WAN cables connected I have no web GUI.



  • I did a factory reset just now, lost web GUI access on 192.168.1.1

    Is your computer configured for DHCP?  That's the default configuration for pfSense.

    Once you get back in, verify your WAN address and then choose a network address for your LAN that does not overlap the WAN address.



  • Yes, I tried on a DHCP laptop and static IP linux desktop - no access to webgui. Internet works ofc as cable is connected from ISP router to switch.

    I have no idea how to get back in to webui, I can config some things from shell though.

    Once you get back in, verify your WAN address and then choose a network address for your LAN that does not overlap the WAN address.

    There is no WAN address when ISP router to switch connection is disconnected. How can I choose address for LAN, didn't you say LAN should be configured as DHCP?



  • It's really hard to tell where you are in this.  What happens when you connect your laptop to the ISP's router?  What address and subnet mask do you get?

    I thought you said you reset to factory default.  Was this pfSense or the router?



  • @JKnott:

    It's really hard to tell where you are in this.  What happens when you connect your laptop to the ISP's router?  What address and subnet mask do you get?

    I thought you said you reset to factory default.  Was this pfSense or the router?

    The laptop is connected via wifi to the ISP router. Laptop IP is 192.168.0.13 Subnet is 255.255.255.0

    Factory reset was on the pfSense box. I did also reboot it after interfaces were assigned, no change.



  • OK, so now you know to avoid 192.168.0.0 /24 for your local LAN.  However, when you get pfSense going again, you should check the WAN address to verify.

    After rebooting pfSense, connect your notebook to the LAN side and see what address you get.  The default gateway will tell you what the pfSense address is.  Try connecting to it with a browser.



  • @JKnott:

    OK, so now you know to avoid 192.168.0.0 /24 for your local LAN.  However, when you get pfSense going again, you should check the WAN address to verify.

    After rebooting pfSense, connect your notebook to the LAN side and see what address you get.  The default gateway will tell you what the pfSense address is.  Try connecting to it with a browser.

    By  192.168.0.0 /24 do you mean this one specific address ( 192.168.0.0 /24) or is it a range with 0 being 0 to 255?

    When you say connect the notebook to the lan port do you mean directly or via switch? If directly don't you need a crossover cable? I assume WAN port makes no difference in this scenario at all right?



  • An address such as 192.168.0.0 /24 specifies the network address and how large it is.  So, any device connected to the network will have an address between 192.168.0.1 and 192.168.0.254.  192.168.0.0 /28 would allow for 192.168.0.1 - 192.168.0.14.  The lowest and highest addresses are not available for devices.

    As for connecting, I meant directly, to keep things simple.  Also, crossover cables are not needed with gigabit equipment.  You only need a crossover with 10 or 100 Mb connections.  Even then, some 100 Mb equipment is capable of auto crossover.

    So, connect your computer directly to the LAN side of the pfSense system and see what happens.



  • Ok I connected just 1 cable at a time to windows laptop with wifi off and tried both ports just in case port labels are reversed here are the results:

    WAN - 192.168.1.100 - 255.255.255.0
    LAN - 169.254.12.210 - 255.255.0.0

    WAN port was the one that could reach WEB GUI on 192.168.1.1. After connecting the other port to ISP ROUTER I got internet on the laptop too so it seems port labels do not match interface names.

    That being said after I swapped the cables and connected the real LAN port to the switch I lost access to the interface again even though I have it on the laptop when connected directly.

    I used the default values and changed nothing in the interfaces setup. The default value for WAN was DHCP. LAN interface defaulted to static ipv4 192.168.1.1. Attempting to change that leads to the same error as before so it's not my config that's the issue as it was the default values. It also seems correct as otherwise the webGUI ip would change if it was dhcp no? Laptop connected automatically too with no manual config. I am at a loss what's going on here…


  • LAYER 8 Global Moderator

    OH MY GAWD…

    LAN - 169.254

    That is an APIPA address..  why would you set that?  Did you try and dhcp lan as dhcp again?

    Plug it in and it works... It's not freaking rocket science here... Connect your laptop to the lan port..  It will get dhcp.. from pfsense.  When you're setting up pfsense change the IP of lan to say 192.168.2/24... Now your device connected to lan will get a dhcp address of 192.168.2.x -- hit the gui and finish the setup... If this takes you more than a few minutes then you're doing it wrong...  It really is plug it in and it works..  If not then you're doing something wrong..  Trying to setup 1 interface at a time is not a good idea unless you know what you're doing - clearly that is not the case here. ;)

    Since pfsense will setup rules on wan interface to allow access into gui, then when you add another interface for lan those rules will be removed, etc. etc..

    Here is an idea... Change your current router's lan network to be something other than the pfsense default.  So now changing the network of pfsense lan never has to happen and it can use 192.168.1/24 which is its default.


  • Banned

    @dominicm:

    The default value for WAN was DHCP. LAN interface defaulted to static ipv4 192.168.1.1.

    That is correct. If you want your LAN in a different network just change the static IP of the LAN interface from 192.168.1.1 to for example 192.168.2.1 and that's it.

    @dominicm:

    Attempting to change that leads to the same error as before so it's not my config that's the issue as it was the default values. It also seems correct as otherwise the webGUI ip would change if it was dhcp no? Laptop connected automatically too with no manual config. I am at a loss what's going on here…

    You do not change the LAN interface to DHCP, that means the LAN interface would require a dedicated DHCP server (not pfSense) in your network to get its IP. If you want your LAN clients to use DHCP you have to activate/configure the DHCP server on pfSense, you can find it in the WebUI at Services -> DHCP Server.



  • @johnpoz:

    OH MY GAWD…

    LAN - 169.254

    That is an APIPA address..  why would you set that?  Did you try and dhcp lan as dhcp again?

    169.254.0.0 /16 is the link local range.  It's what computers assign themselves when there's no DHCP server.

    I think he's getting to the point where he may have to reinstall pfSense and start from scratch, as we have no idea what he's done.  Or at least run the Wizard again, if he can get that far.


  • LAYER 8 Global Moderator

    I know what it is.. ;) As I stated it's an APIPA address.  My guess is he set his lan as dhcp without a dhcp server available.



  • @johnpoz:

    I know what it is.. ;) As I stated it's an APIPA address.  My guess is he set his lan as dhcp without a dhcp server available.

    I figured you knew, but the OP didn't.  Still, I think he should start from scratch, as we have no idea what he's done.


  • LAYER 8 Global Moderator

    Agreed..

    If changing the pfsense lan IP seems to be a challenge for him… I would suggest he first change his current router's network to something else 192.168.2/24 for example.  Get that working for him..

    Then plug in pfsense so he doesn't have to change its local network and should just work right out of the box with only a couple of clicks.



  • Guy, like I already said I did a factory reset and used almost all default options except for a few (seemingly) inconsequential options like timezone etc…

    I also said that there was an issue with port labels on the device and interface numbering not matching which meant I was using the wrong ports (LAN and WAN reversed) at first but now I swapped them to the correct position but still had some issues.

    I don't find it a challenge to change LAN address or many other options, but blindly changing options when you don't know how they work is a bad idea. I was confused with how some of the options worked, like DHCP on LAN. I didn't see a separate DHCP option, that makes sense to me now. Thanks @Grimson for the DHCP explanation.

    The reason it did work with the laptop connected directly but not over the network was a bit silly: the laptop was connecting to wifi from the ISP router before the firewall and the desktop I tried had a static IP (192.168.0.50) when pfsense used 192.168.1.1, so no wonder it didn't work.

    Will try changing the ISP router IP next so my static IPs don't have to change when used with pfsense.
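
The addressing points made in this thread (keep the pfSense LAN off the ISP router's 192.168.0.0/24, the /24 versus /28 host ranges, and the final diagnosis of the static desktop) can be checked mechanically. The Python below is an added example, not part of the thread or of pfSense; the function names are hypothetical, the desktop's 255.255.255.0 mask is an assumption, and 192.168.0.0/25 is a constructed overlapping plan.

```python
import ipaddress

def network_of(addr, netmask):
    """Network a host sits in, from the address and mask it reports."""
    return ipaddress.ip_interface(f"{addr}/{netmask}").network

def usable_range(cidr):
    """(first, last, count) of assignable hosts; assumes a prefix of /30 or shorter."""
    net = ipaddress.ip_network(cidr)
    return (str(net.network_address + 1),
            str(net.broadcast_address - 1),
            net.num_addresses - 2)

def lan_plan_ok(wan_net, lan_cidr):
    """Double NAT works only if the pfSense LAN does not overlap the WAN-side network."""
    return not ipaddress.ip_network(lan_cidr).overlaps(wan_net)

def diagnose_client(addr, netmask, gateway):
    """Why a client on the LAN switch can or cannot reach the pfSense LAN address."""
    iface = ipaddress.ip_interface(f"{addr}/{netmask}")
    if iface.ip.is_link_local:
        return "link-local (APIPA): no DHCP server answered on this segment"
    if ipaddress.ip_address(gateway) not in iface.network:
        return f"client is in {iface.network}, gateway {gateway} is not on-link"
    return "ok"

# Values reported in the thread.
ISP_SIDE = network_of("192.168.0.13", "255.255.255.0")  # laptop on the ISP router's wifi
PFSENSE_LAN_IP = "192.168.1.1"                           # pfSense default LAN address

if __name__ == "__main__":
    print("WAN-side network:", ISP_SIDE)
    print("/24 hosts:", usable_range("192.168.0.0/24"))
    print("/28 hosts:", usable_range("192.168.0.0/28"))
    print("LAN 192.168.1.0/24 ok:", lan_plan_ok(ISP_SIDE, "192.168.1.0/24"))
    print("LAN 192.168.0.0/25 ok:", lan_plan_ok(ISP_SIDE, "192.168.0.0/25"))  # constructed
    clients = [
        ("169.254.12.210", "255.255.0.0"),   # laptop on a port with no DHCP server
        ("192.168.0.50", "255.255.255.0"),   # static desktop (mask assumed)
        ("192.168.1.100", "255.255.255.0"),  # laptop leased by pfSense
    ]
    for addr, mask in clients:
        print(addr, "->", diagnose_client(addr, mask, PFSENSE_LAN_IP))
```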

