What am i doing wrong ?



  • Currently if i use wireless i am not able to access my printer. I assume this is probably because the wireless router is not behind the firewall. ( correct me if i am wrong )

    Also a few other concerns i have.

    The ISP router gateway is 192.168.1.254
    The PFsense router is 192.168.1.1
    I believe both have DHCP enabled, is this an issue ?

    How do i fix the wireless problem ?
    This is my current network setup.

    alt text



  • what is the point of pfsense in your diagram? remove either the wireless router or remove pfsense or bridge either of the two



  • Can you please elaborate why i should remove pfsense or the wireless router ?

    Doesn't Pfsense still protect the computers on the network ? The computers are connected after PF

    I can't remove the wireless router because it is connected to voip system.



  • Just bridge the 2 it will still "firewall" the traffic



  • @pigy

    your have a broken system/setup. your wan & lan subnet are the same with NAT&routing enabled. this can not work correctly.

    so you either change your subnet or you setup bridging instead of routing on your pfsense.

    define 'protect' ...

    @pigy said in What am i doing wrong ?:

    Can you please elaborate why i should remove pfsense or the wireless router ?

    Doesn't Pfsense still protect the computers on the network ? The computers are connected after PF

    I can't remove the wireless router because it is connected to voip system.



  • When you say WAN do you mean the public IP ? - The Public IP is static
    Or are you referring to the ISP router?

    Sorry if i sound silly but im new to all this.

    If i understood correctly you are probably saying the following , correct me if i am wrong.

    ISP Router - Change the default gateway IP address & subnet to something l ike 192.168.0.1 with a Subnet of 255.255.255.128

    Another stupid question . Must i change the IP address also instead of just changing the subnet or must both be changed?

    and for Pfsense - Maintain 192.168.1.1 / 255.255.255.0



  • You are correct that the problem is having your wireless router in front of the firewall. There are two options:

    1. Create a port forwarding rule in Firewall > NAT through the port your printer uses and direct it to the printer.

    2. Install a protected wireless router behind the firewall, and use the ISP's wireless router for your guest network.



  • @pigy
    i'm referring to your wan & lan interface on pfsense, having ip-addresses in the same subnet. this does not work

    you can find information about subnets on google. or https://www.techrepublic.com/blog/data-center/ip-subnetting-made-easy-125343/

    basically you want for example 192.168.1.0/24 on wan | 192.168.2.0/24 on lan

    But still:
    remove one of your routers. Either dump your ISP wifi router or remove pfsense.

    It's pointless to have both & makes the network more complicated then it has to be.



  • @heper

    The reason why i cant dump the ISP router it has PPOE configured, I couldn't get PFsense to work as first router ( tried ppoe but it just didnt work ).

    Second reason is the phone lines are connected the the ISP router
    Third reason is there is a built in SIM card to the ISP router

    // basically you want for example 192.168.1.0/24 on wan | 192.168.2.0/24 on lan
    So /24 on WAN/LAN is the same subnet correct ?

    Thank you for your advise much appreciated


  • Netgate Administrator

    @pigy said in What am i doing wrong ?:

    So /24 on WAN/LAN is the same subnet correct ?

    That's the same subnet size but not the same subnet. You cannot have both as 192.168.1.X as you have now.

    I would recommend using something more obscure to avoid the possibility of conflicts should you ever setup a VPN in the future. Say for example LAN set to 172.20.1.1/24, but you could use any private subnet there.
    https://en.wikipedia.org/wiki/Private_network

    Steve



  • How do i allow access to the printer/server for people using the ISP router ?

    Printer/server is connected to switch which is behind PFsense


  • Netgate Administrator

    You can setup a port forward to it, if you know what ports are required.
    https://docs.netgate.com/pfsense/en/latest/book/nat/port-forwards.html#adding-port-forwards

    But really you would be better off moving the PPPoE connection onto pfSense and using the ISP router as a wifi access point IMO.

    Steve



  • @stephenw10
    I actually did try to move the PPoE connection on to the pfsense but it failed. Also at that point i didnt think much about the VOIP.. which is connected to the ISP router.

    ( isp provides static IP )
    Im not exactly sure why the PPoE connection failed, is there a way to find out ? Also contacting the ISP and figuring this out has been difficult because the person on the other end is not well versed with this..

    How do i find out the ports for the printer if the documentation of the printer does not state ?


  • Netgate Administrator

    Ah, yes if the ISP is providing VoIP from their router it probably needs to stay there.

    Printer ports are usually pretty standard. It could get complex pretty quickly though. You should think about re-arranging the network so that is not necessary. Can the printer go on the WAN side? Why are there clients on the WAN side?

    Steve



  • @stephenw10

    Can the printer go on the WAN side?
    Do you mean move the printer from the switch to the ISP router ?

    Why are there clients on the WAN side?
    The ISP router is also a wireless router, some clients connect to wireless because they use a laptop.
    And because of this they can't access the printer.

    Moving the printer to the ISP router is one thing, but the other issue is the server... If i put the server on the ISP router it is no longer behind Pfsense. Im not sure what to do here. Will port forwarding work in this scenario ?


  • LAYER 8 Global Moderator

    You can do it this way, is it optimal setup - not really.

    Step 1, make sure your networks are different. 192.168.1/24 and say pfsense lan 192.168.2/24

    Now if you want stuff to access stuff behind pfsense from the isp network 192.168.1/24 you would do port forwards and those devices would access pfsense wan IP 192.168.1.X and be forwarded in to whatever.. Common printer port is 9100.. But need to understand what printing protocol(s) your using... Airprint for example is not going to work in such a setup. And sounds like maybe you have a printer server running?

    A better solution might be to just turn off wireless on this isp device, and bridge it if possible - and then put everything behind pfsense (get an AP if you want wireless)... And then isolate stuff via different vlans you want to isolate from each other..

    No matter what you do, step one in making sure your not using the same networks on wan and lan of pfsense is required. If your issue is accessing the printer.. Putting it on the wan side network of pfsense would prob be easier, since default lan rules are any any on pfsense, so no port forwarding.. And devices on your pfsense wan network would be able to access your printer as well.. Airprint for example would then work for all devices on your wifi network.

    How best to setup what your trying to do without full redesign would require more information. What printer, what printing protocols, are you using printer server - that you really want behind pfsense, etc. etc.



  • @pigy All the posts so far are spot on , BUT if this is going over your head allow me to suggest a simple way. get a second wireless router they are cheap on Amazon and ebay set it up BEHIND the pfsense and turn OFF the wireless on you ISP's router. turn on the wireless on the SECOND router you bought . It might also help to figure out how to BRIDGE the ISP router you now have as your edge device, by doing this the pfsense becomes your edge device .

    I get a bit paranoid about ISP's use of TR-069 (CPE WMP) (Verizon FIOS as a example); for management of their Actiontec router and STBs via port TCP/4567." and you can't disable that.

    BTW look up WIFI 6 like for example the RAX20 by Netgear . look for 802.11ax Dual Band WiFi 6 and WPA 3.

    take my advice with a grain of salt as I'm not a network expert , just play one at home and work ;)



  • Yep, I second @rtoledo2002 advice as another non network expert.

    Keep it simple.

    1. Turn off wireless on your ISP gateway. I have a cable modem from my ISP with wireless and do the same thing.
    2. Buy a wireless access point. Many wireless routers can be put into AP mode as well.
    3. Plug the wireless AP into the Pf sense Lan. In my case, I plug it straight into the lan side switch of my sg-3100.

    Everything works nice.


Log in to reply