Help a noob out for simple setup

  • Hi,

    I hope it can get some assistance here, as the past numerous hours have left me in the dark..

    I'm in the process of replacing my old Asus RT-AC68U with my brand new Netgate sg-3100.

    The ASUS device was configured to automatically get DHCP config from the device provided by my ISP. This worked like a charm. I've attached a screenshot of the DHCP config it automatically received. The screenshot shows the gateway detected and the WAN ip (right side of the image).


    However! Setting up my brand new SG-3100 has been a pain so far.

    The first issue occurred as I could not reach the SG-3100 at for setting it up initially. It only showed up once I had unplugged the WAN ethernet cable. Only then I could reach the device and give it another IP.

    After the initial setup was complete, and I assigned my LAN to, I plugged the WAN ethernet cable back in. However, I'm still unable reach the internet with a simple ping request.

    I've attached a few screenshots of my settings, but is generally lost on what is the cause, since the ASUS device played so nicely. Note the ASUS device was acting as a router/firewall, not just an access point.

    With my current settings in pfsense, whenever I do a traceroute of, I end up at with the message that the destination net is unreachable. Interestingly, entering in a browser gives me the login page of a zyxel device that is not mine. The twist to all of this is, that I live at a dorm, which has its own IT equipment responsible for distributing the internet to all the residents that I cannot control/modify

    Any advice on what is wrong with my settings or how to move forward?



  • Please provide a simple network diagram showing how you have this connected.

    Edit: Seems like you have a double NAT issue with your ISP modem.
    Your WAN is and gateway
    You should put the ISP modem into bridge mode and allow pfSense to handle routing.

    How are you connected when trying to access the pfSense (with WAN cable plugged in and NOT plugged in)?
    Are you connected to ISP modem/router?

  • Thanks for your reply bartkowski!

    It's actually a super simple setup for now.

    Blank Diagram.png

    Yes, I was afraid it is a double NAT issue. Just keep wondering why my Asus router did not have an issue with it...

    Sadly, I cannot put the ISP modem into bridge mode as I do not have access to it, since it is the landlord's property.

  • @mkkl Can you get to pfSense using

    Haha, I didn't read far enough to see you couldn't modify the upstream equipment.

  • Interestingly, this more complicated setup works..

  • @bartkowski yes i can reach pfSense using :)

  • and it gives me this traceroute:

  • @mkkl Hmm, does the ISP/dorm use some ACL, allowing the ASUS but not SG-3100. Try copying the ASUS' mac.
    To recap, the issue is that you cannot get to the internet and NOT the fact that Zyxel responds to

  • @bartkowski You're the best!!!

    Entering a mac address in the mac address field of the WAN interface fixed it!!

    That's 6 hours of my life I'll never get back. But once again, thanks!

  • Also, I noticed that Asus shows a 10.x IP on WAN, but SG gets a 192.x on WAN - all while connected to the same cable coming from ISP[?] - why?

  • @mkkl Glad that helped! Perhaps you should reach out to the dorm IT with the SG-3100's MAC.

  • @bartkowski That is a very good observation and something that I've also pondered on. I have no clue why that is, but now my sg-3100 also gets 10.x WAN ip as the asus did when it worked.

    As a matter of fact, it turned out that entering any MAC address would fixed the problem, not just the mac of the asus device.

  • @mkkl said in Help a noob out for simple setup:

    any MAC address

    Your WAN interface has - or had - it's own MAC : that was the only one being refused ?
    And if it was refused, you wouldn't even get an IP (and gateway, and DNS) using DHCP from the upstream router, the Zyxel device used by the tenant, or, you did.

  • Netgate Administrator

    Yeah I would put money on one of your neighbours having connected their router incorrectly and it's handing out 192.168.1.X IPs. Whoever is admin on that network should be looking for them with a big stick but... 😉


Log in to reply