Help a noob out for simple setup

mkkl

Hi,

I hope it can get some assistance here, as the past numerous hours have left me in the dark..

I'm in the process of replacing my old Asus RT-AC68U with my brand new Netgate sg-3100.

The ASUS device was configured to automatically get DHCP config from the device provided by my ISP. This worked like a charm. I've attached a screenshot of the DHCP config it automatically received. The screenshot shows the gateway detected and the WAN ip (right side of the image).

However! Setting up my brand new SG-3100 has been a pain so far.

The first issue occurred as I could not reach the SG-3100 at 192.168.1.1 for setting it up initially. It only showed up once I had unplugged the WAN ethernet cable. Only then I could reach the device and give it another IP.

After the initial setup was complete, and I assigned my LAN to 172.16.10.0/24, I plugged the WAN ethernet cable back in. However, I'm still unable reach the internet with a simple ping request.

I've attached a few screenshots of my settings, but is generally lost on what is the cause, since the ASUS device played so nicely. Note the ASUS device was acting as a router/firewall, not just an access point.

With my current settings in pfsense, whenever I do a traceroute of 8.8.8.8, I end up at 192.168.1.1 with the message that the destination net is unreachable. Interestingly, entering 192.168.1.1 in a browser gives me the login page of a zyxel device that is not mine. The twist to all of this is, that I live at a dorm, which has its own IT equipment responsible for distributing the internet to all the residents that I cannot control/modify

Any advice on what is wrong with my settings or how to move forward?

THANKS!!
Mathias

bartkowski

Please provide a simple network diagram showing how you have this connected.

Edit: Seems like you have a double NAT issue with your ISP modem.
Your WAN is 192.168.1.199 and gateway 192.168.1.1
You should put the ISP modem into bridge mode and allow pfSense to handle routing.

How are you connected when trying to access the pfSense (with WAN cable plugged in and NOT plugged in)?
Are you connected to ISP modem/router?

mkkl

Thanks for your reply bartkowski!

It's actually a super simple setup for now.

Yes, I was afraid it is a double NAT issue. Just keep wondering why my Asus router did not have an issue with it...

Sadly, I cannot put the ISP modem into bridge mode as I do not have access to it, since it is the landlord's property.

bartkowski

@mkkl Can you get to pfSense using 172.16.10.1?

Haha, I didn't read far enough to see you couldn't modify the upstream equipment.

mkkl

Interestingly, this more complicated setup works..

mkkl

@bartkowski yes i can reach pfSense using 172.16.10.1 :)

mkkl

and it gives me this traceroute:

bartkowski

@mkkl Hmm, does the ISP/dorm use some ACL, allowing the ASUS but not SG-3100. Try copying the ASUS' mac.
To recap, the issue is that you cannot get to the internet and NOT the fact that Zyxel responds to 192.168.1.1?

mkkl

@bartkowski You're the best!!!

Entering a mac address in the mac address field of the WAN interface fixed it!!

That's 6 hours of my life I'll never get back. But once again, thanks!

bartkowski

Also, I noticed that Asus shows a 10.x IP on WAN, but SG gets a 192.x on WAN - all while connected to the same cable coming from ISP[?] - why?

bartkowski

@mkkl Glad that helped! Perhaps you should reach out to the dorm IT with the SG-3100's MAC.

mkkl

@bartkowski That is a very good observation and something that I've also pondered on. I have no clue why that is, but now my sg-3100 also gets 10.x WAN ip as the asus did when it worked.

As a matter of fact, it turned out that entering any MAC address would fixed the problem, not just the mac of the asus device.

Gertjan

@mkkl said in Help a noob out for simple setup:

any MAC address

Your WAN interface has - or had - it's own MAC : that was the only one being refused ?
And if it was refused, you wouldn't even get an IP (and gateway, and DNS) using DHCP from the upstream router, the Zyxel device used by the tenant, or, you did.

stephenw10

Yeah I would put money on one of your neighbours having connected their router incorrectly and it's handing out 192.168.1.X IPs. Whoever is admin on that network should be looking for them with a big stick but...

Steve