Netgate Discussion Forum
    Getting PFSense to See Internal Network

    General pfSense Questions (20 posts, 5 posters)
    greg.dreelin:

      I have done a lot of searching for this answer and I see a lot that have asked similar questions but it did not answer it. Now I'm not going to beat a dead horse about Google Wifi and PFSense since there is only one solution and that is to put the PFSense in front of the main Google Wifi, since they cannot be put in AP mode or full bridge mode with several Wifi pucks. The part I am trying to solve is an issue with internal IPs behind the main Wifi puck. I need to get PFSense to see some of the devices behind the Google Wifi. I set up port forwarding for those on the Google Wifi, added a port forward on the ISP's modem too from it to the PFSense, and lastly one on PFSense so that when it gets a request for that port it goes back into the LAN. I can see the requests on the WAN side come in but then they are blocked by the Default Rule. I put in a rule to allow those requests from any port to the internal port of the device. Still no joy getting it through. Is there any way to get PFSense to see the backside of the Google Wifis with some type of gateway or static route?

      [attachment: Home Network Layout.jpg]

      stephenw10 (Netgate Administrator):

        You can try routing to 192.168.30.0/24 via 10.2 but it probably won't work unless you can add rules to pass that in Google wifi. And it doesn't have some hidden rule you can remove.
        If that was a second pfSense box there it would route the inbound traffic same as any other interface.

        If you are seeing port forwarded traffic blocked by the default rule on WAN your port forward / firewall rules are wrong. Port forwards add their own linked firewall rules by default so unless you changed that it must be the port forward. Show us a screenshot.

        What are you actually trying to access on the wifi subnet? Can it open a tunnel of some sort outbound?

        Steve

        greg.dreelin:

          Yeah the only thing that Google will let you do is put in Port Forwards from each device but no way to put in a rule from the 32.0 to the 10.0 network.

          stephenw10 (Netgate Administrator):

            It would have to be the 10.X to the 192.168.30.X subnet.

            So can whatever you're trying to connect to create an outbound tunnel instead?

            Steve

            bingo600:

              How far away is the switch?
              Could you "sneak" a pfSense interface into the switch, and make the connection that way?

              /Bingo

              If you find my answer useful - Please give the post a 👍 - "thumbs up"

              pfSense+ 23.05.1 (ZFS)

              QOTOM-Q355G4 Quad Lan.
              CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
              LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

              stephenw10 (Netgate Administrator):

                I assumed that was just depicting the wifi mesh there, not a real switch?

                bingo600 @stephenw10:

                  @stephenw10 said in Getting PFSense to See Internal Network:

                  I assumed that was just depicting the wifi mesh there, not a real switch?

                  Ahh could be 👍

                  greg.dreelin @stephenw10:

                    @stephenw10 Google Wifis allow you to directly connect them via Ethernet to improve performance of the mesh. You get way better speeds if they are meshed by Ethernet too. So yes, they are all interconnected through a switch. The pucks just see it as a faster path to devices versus using wireless if they are near one of the other pucks. It is sort of like they are mini routers using RIP or OSPF to get to a part of the network.

                    greg.dreelin @bingo600:

                      @bingo600 Yeah I thought of that too but it would bypass the security needs and defeat the purpose of having the firewall. The limitation is that you can't static route through the Google Wifi pucks.

                      bingo600 @greg.dreelin:

                        @greg-dreelin
                        This link does not have to be insecure.
                        You can add rules to that interface that deny anything you don't want to transport.

                        In fact it could be as secure as the link you suggest (going to the top google wifi).
                        Assumption :
                        1:
                        192.168.32.0/24 has def-gw on the google inside (32.1?)

                        2:
                        All packets going to the internet will have (be natted to) the google device outside IF.

                        That would mean that you see all internet bound traffic (on the pfSense) via the google outside ip (192.168.10.2)

                        TLDR Brainstorming in public - See Summary
                        On the top (10.1) interface , you could :
                        Block src any dest 192.168.32.0/24 ports any (I'd set dest to RFC1918)
                        Permit src any dest any ports any

                        Or (I suppose the Google thingy NATs all to 10.2):
                        Instead of src any you could use src 192.168.10.2 (Google Wifi outside)

                        That would effectively block anything coming in from that IF to the "inside".

                        But you should never see any packets destined for 192.168.32.0/24 on the Google outside, as it should be kept on the inside IF.

                        You could manage the pfSense via the "new switch pfSense IF".
                        Then you wouldn't even have to open pfSense management from the google device.

                        The only thing (I see right now) to watch out for would be asymmetric routing when going (outbound) to the internet.
                        But if you keep (use) def-gw as the Google inside IP, all internet traffic would go that way, and be seen in the pfSense as coming from 192.168.10.2
                        And pfSense will route return packets that way.

                        Summary
                        Basically i think you don't need to do anything wrt. rules on the pfSense-Google IF, the routing would handle that (keep 192.168.32.0/24 packets inside).

                        Since you say that the requests to the 192.168.32.0/24 devices will be initiated from the pfSense.
                        The new pfSense-Switch IF could be made even with "no rules" on it, so that it effectively blocks anything (inbound to pfSense) initiated from the 192.168.32.0/24 net, aka. the pfSense can initiate to "inside devices", and "inside devices can answer", but no "inside devices" can initiate via that IF.

                        I might allow pfSense mgmt via the "new IF"

                        Well brainstorming is a bit messy , so many possibilities.
                        I hope you get the idea.

                        Edit:
                        Since your def-gw is on the google , you might have to add a specific return route on the devices that must be reached from (via) the pfSense (if packets originate from another pfsense network) than the .32.0 network

                        /Bingo

                        PS:
                        Are the devices you need to reach behind wifi or in the switch ?
                        Can you create multi lans on the google inside interface ?

                        PPS: Idea
                        Can you disable DHCP on the Google ??
                        That would open up for (DHCP) using the pfSense DHCP / DNS / NTP etc ....
                        And maybe prevent a bit of "Big brother..."

                        PPPS: Idea (hack)
                        Can you do static routes on the google ?
                        If yes , you might be able to set the google def-gw to the new pfSense IF.
                        And if you're lucky , disconnect the google outside IF , and it'll keep using the static def-gw.
                        And effectively make it an AP.
                        But knowing google , they prob want to "own/track" all your outbound traffic, and prevent that "hack"

                          stephenw10 (Netgate Administrator):

                          Again, what are you actually trying to connect to on the inside subnet?

                          You could have a separate interface in pfSense that connects to the switch directly and only carries inbound traffic. You would have to outbound NAT it in pfSense to prevent asymmetry.

                          Steve

                            greg.dreelin @stephenw10:
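Steve's remark that a second pfSense interface into the switch would need outbound NAT, and bingo600's earlier warning about asymmetric routing, can be checked with a small routing model. The following Python is an added example and is not code from the thread, from pfSense or from Netgate. It assumes the thread's layout (pfSense LAN 192.168.10.1/24 facing the Google Wifi WAN side 192.168.10.2, Google Wifi LAN 192.168.32.0/24 with the Google node at 192.168.32.1 as the hosts' default gateway, as bingo600 supposed); the switch-side pfSense address 192.168.32.254, the Plex host 192.168.32.50 and the remote client 198.51.100.7 are constructed values.

```python
"""Why a second pfSense interface into the switch needs outbound NAT.

Added example, not code from the thread, pfSense or Netgate. Addresses marked
'constructed' are assumptions; the rest follow the thread's layout.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PFSENSE_SWITCH_IF_IP = "192.168.32.254"   # constructed: new pfSense interface on the switch
GOOGLE_INSIDE_IP = "192.168.32.1"         # Google Wifi LAN side (thread: "32.1?")
GOOGLE_OUTSIDE_IP = "192.168.10.2"        # Google Wifi WAN side, as in the thread
PLEX_IP = "192.168.32.50"                 # constructed
REMOTE_CLIENT = "198.51.100.7"            # constructed public client


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Host:
    """Minimal host: directly connected networks plus a default gateway."""

    def __init__(self, name: str, connected: dict, default_gw: str):
        self.name = name
        self.connected = connected      # interface name -> "addr/prefix"
        self.default_gw = default_gw

    def next_hop(self, dst: str) -> tuple:
        """Return (interface, next-hop address) for a destination."""
        for ifname, cidr in self.connected.items():
            if ip_address(dst) in ip_network(cidr, strict=False):
                return ifname, dst          # on-link: deliver directly
        return "default", self.default_gw


def simulate(outbound_nat: bool) -> tuple:
    """Send one inbound packet to Plex via the switch interface and check whether
    the reply arrives where pfSense's state table expects it.

    Returns (reply_matches_state, log)."""
    log = []
    plex = Host("plex", {"eth0": f"{PLEX_IP}/24"}, default_gw=GOOGLE_INSIDE_IP)

    # pfSense forwards the client's packet out the switch interface. With
    # outbound NAT the source becomes the interface's own address.
    src = PFSENSE_SWITCH_IF_IP if outbound_nat else REMOTE_CLIENT
    outbound = Packet(src, PLEX_IP)
    # pf state entry: the reply must be dst->src and arrive on the same interface
    state = (outbound.src, outbound.dst, "switch_if")
    log.append(f"pfSense -> plex on switch_if: {outbound.src} -> {outbound.dst}")

    # Plex answers; its own routing decision picks the return path.
    reply = Packet(PLEX_IP, outbound.src)
    ifname, nexthop = plex.next_hop(reply.dst)
    if nexthop == GOOGLE_INSIDE_IP:
        # Reply leaves via the Google node, which source-NATs it and hands it to
        # pfSense's LAN interface: different source, different interface.
        reply = Packet(GOOGLE_OUTSIDE_IP, reply.dst)
        arrives_on = "lan_if"
        log.append(f"plex routes reply via default gw {nexthop}; Google NATs it to {reply.src}")
    else:
        arrives_on = "switch_if"
        log.append(f"plex delivers reply on-link via {ifname} to {reply.dst}")

    matches = (reply.dst, reply.src, arrives_on) == state
    log.append("reply matches pfSense state" if matches
               else f"reply {reply.src} -> {reply.dst} on {arrives_on} matches no state: dropped")
    return matches, log


if __name__ == "__main__":
    for nat in (False, True):
        ok, lines = simulate(outbound_nat=nat)
        print(f"outbound NAT on switch_if = {nat}: {'works' if ok else 'asymmetric, fails'}")
        for line in lines:
            print("  " + line)
```

Without outbound NAT the reply leaves Plex via its default gateway, gets source-NATed by the Google node and shows up on the pfSense LAN interface with no matching state, so pf drops it; with outbound NAT on the switch interface the reply is addressed to an on-link address and comes straight back on the interface that holds the state.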

                            @stephenw10 said in Getting PFSense to See Internal Network:

                            Again, what are you actually trying to connect to on the inside subnet?

                            You could have a separate interface in pfSense that connects to the switch directly and only carries inbound traffic. You would have to outbound NAT it in pfSense to prevent asymmetry.

                            Steve

                            Well I have a Plex Server I want to allow access to someone in my family. I have put in port forwarding from the device through the Google Wifi, through the PFSense, and the ISP's gateway. When the person tries to access it I can see the request come in on the PFSense but for the internal IP and it denies it. I am assuming since it cannot see the 192.168.32.0 net it dumps it. I have tried a rule to allow but it keeps denying it. I am at a loss right now on getting it through.

                              stephenw10 (Netgate Administrator):

                              If you are seeing traffic with a destination in the 192.168.32.x subnet hitting something on a pfSense interface then you have one of those port forwards setup wrong. Probably the one in pfSense since it's actually arriving there.
                              Adding a port forward will normally automatically add a firewall rule on WAN to pass that so I assume you either changed that or chose not to have it added.
                              Port forwards happen before the firewall so if your port forward is configured to use the 192.168.30.x destination and you have removed (or just added) the rule you will see that blocked on WAN.
                              However that's wrong anyway because the pfSense forward should be to the Google WIFI node IP, 10.2. The forward in Google WIFI should be to the 192.168.32.X IP.

                              Can we see a screenshot of the forward and WAN rules?

                              What are you running Plex on? You can probably tunnel to pfSense from there and get past the WIFI as I initially suggested.

                              Steve

                                greg.dreelin @stephenw10:
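Steve's diagnosis above rests on two facts about pfSense: a port forward rewrites the destination before the WAN rules are evaluated, and the pfSense forward must point at the next NAT device (the Google node at 10.2), not at a 192.168.32.x host pfSense has no interface on. The following Python models the three-hop forward (ISP modem, pfSense, Google Wifi) and reproduces both failure modes. It is an added example, not code from the thread, from pfSense or from Netgate; the pfSense LAN 192.168.10.0/24, the Google Wifi WAN address 192.168.10.2 and its LAN 192.168.32.0/24 follow the thread, while the modem LAN 192.168.0.0/24, the public address 203.0.113.10, the Plex host 192.168.32.50, the client 198.51.100.7 and Plex's default port 32400 are constructed or assumed.

```python
"""Tracing a triple port forward: ISP modem -> pfSense -> Google Wifi -> Plex.

Added example, not code from the thread, pfSense or Netgate. Each device applies
its port forward (DNAT) first and its WAN filter to the translated packet
afterwards, which is the order pfSense uses.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

PLEX_PORT = 32400   # Plex's default listening port (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class NatHop:
    name: str
    wan_ip: str
    lan_net: str
    forwards: dict = field(default_factory=dict)      # dport -> (target ip, target port)
    pass_rules: list = field(default_factory=list)    # manual WAN rules: (dst host/net, port)
    auto_linked_rule: bool = True   # pfSense default: each forward gets a linked pass rule

    def passes_filter(self, translated: Packet) -> bool:
        """The WAN filter runs after DNAT, so rules match the translated destination."""
        rules = list(self.pass_rules)
        if self.auto_linked_rule:
            rules += list(self.forwards.values())
        return any(ip_address(translated.dst) in ip_network(net, strict=False)
                   and port == translated.dport for net, port in rules)


def trace(pkt: Packet, hops: list) -> tuple:
    """Walk a packet through each NAT device in order; returns (delivered, final dst, log)."""
    log = []
    for hop in hops:
        if pkt.dst != hop.wan_ip:
            log.append(f"{hop.name}: packet for {pkt.dst} is not addressed to this WAN "
                       f"({hop.wan_ip}); the previous forward points at the wrong host")
            return False, pkt.dst, log
        if pkt.dport not in hop.forwards:
            log.append(f"{hop.name}: no forward for port {pkt.dport}; default deny")
            return False, pkt.dst, log
        t_ip, t_port = hop.forwards[pkt.dport]
        translated = Packet(pkt.src, t_ip, t_port)
        if not hop.passes_filter(translated):
            log.append(f"{hop.name}: forward rewrote dst to {t_ip}:{t_port} but no WAN rule "
                       f"matches the translated packet; blocked by default deny")
            return False, t_ip, log
        if ip_address(t_ip) not in ip_network(hop.lan_net):
            log.append(f"{hop.name}: forward target {t_ip} is not on this device's LAN "
                       f"{hop.lan_net}; it must point at the next NAT device's WAN address")
            return False, t_ip, log
        log.append(f"{hop.name}: {pkt.dst}:{pkt.dport} -> {t_ip}:{t_port}")
        pkt = translated
    log.append(f"delivered to {pkt.dst}:{pkt.dport}")
    return True, pkt.dst, log


def build_chain(pfsense_target: str, auto_rule: bool = True, manual_rules=()) -> list:
    """The three NAT devices from the thread; only the pfSense forward varies."""
    modem = NatHop("ISP modem", "203.0.113.10", "192.168.0.0/24",
                   forwards={PLEX_PORT: ("192.168.0.2", PLEX_PORT)})
    pfsense = NatHop("pfSense", "192.168.0.2", "192.168.10.0/24",
                     forwards={PLEX_PORT: (pfsense_target, PLEX_PORT)},
                     pass_rules=list(manual_rules), auto_linked_rule=auto_rule)
    google = NatHop("Google Wifi", "192.168.10.2", "192.168.32.0/24",
                    forwards={PLEX_PORT: ("192.168.32.50", PLEX_PORT)})
    return [modem, pfsense, google]


INBOUND = Packet("198.51.100.7", "203.0.113.10", PLEX_PORT)   # constructed client request


def correct_chain():
    """pfSense forwards to the Google node's WAN address; Google forwards on to Plex."""
    return trace(INBOUND, build_chain("192.168.10.2"))


def forward_to_inner_subnet():
    """pfSense forwards straight to 192.168.32.50, a network it has no interface on."""
    return trace(INBOUND, build_chain("192.168.32.50"))


def rule_written_for_pre_nat_destination():
    """Linked rule disabled and a manual rule matching the WAN address rather than
    the translated destination: the 'blocked by the default rule' symptom."""
    return trace(INBOUND, build_chain("192.168.10.2", auto_rule=False,
                                      manual_rules=[("192.168.0.2", PLEX_PORT)]))


if __name__ == "__main__":
    for scenario in (correct_chain, forward_to_inner_subnet, rule_written_for_pre_nat_destination):
        ok, final, log = scenario()
        print(f"{scenario.__name__}: {'delivered' if ok else 'failed'} ({final})")
        for line in log:
            print("  " + line)
```

The two failing scenarios are the ones Steve describes: a manual WAN rule written against the pre-NAT destination never matches and the default deny logs the block, and a forward aimed at the inner 192.168.32.x subnet can never be delivered by pfSense because that subnet sits behind the Google node's own NAT.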

                                 @stephenw10 I am running Plex on a 14Tb UnRAID rack mount system. It is a docker on the UnRAID platform. The issue is getting a connection to it from the outside. Dynamic DNS is a bit hokey at best.

                                  bingo600 @greg.dreelin:

                                  @greg-dreelin

                                  Why don't you split the WiFi Lan and "Switch Lan" into two lans, each with a pfSense interface.

                                  Make (keep) a Lan/Vlan just having the WiFi stuff (192.168.32.0/24)

                                  Make a new one 192.168.33.0/24 , where you put all your non wifi attached stuff.

                                  You could be quite permissive on the pfSense wifi interface , as it is also a trusted zone.
                                  Allow ip src 192.168.10.2 dest 192.168.33.0/24

                                  Traffic from Wifi to "Switch" should not be an issue (well it would be natted to the google outside) , prob. but not a problem.

                                  Traffic initiated from "Switch" to Wifi would be troublesome (portforward needed) , but do you really have any need for that ?

                                  If done like that , then you'll get kind of two separate segments in your house.
                                  But at least one of them will be "normal".

                                  /Bingo

                                    stephenw10 (Netgate Administrator):

                                    Well I'm pretty sure you could setup a tunnel from Unraid to pfSense. Even if that's a, probably unnecessary, VPN tunnel. Then have Plex listen on the tunnel subnet too. You could then port forward to it in pfSense as though it's directly connected.

                                     But if you can port forward in Google WIFI you just need to get all three port forwards set up correctly.

                                     Or, yes, move the Unraid box to a different interface on pfSense directly.

                                    Steve

                                      greg.dreelin:

                                       Thank you all for some great ideas. Unfortunately I can't VLAN with Google Wifi networks (yep, it blows); the switch can but the wifis can't figure it out. In theory it should work with port forwarding and punching through the PFSense but I am missing something that is not allowing the push from the firewall to the local network behind the first Google Wifi. I am interested in the second line idea and may try that. I appreciate all the advice and help.

                                        johnpoz (LAYER 8 Global Moderator):

                                        Your google wifi is also doing nat.. If you want something from outside to get to something on the google network, you would have to do 2 port forwards.

                                        1 at edge, and then again at your downstream nat router.

                                         Here is the thing - if you want to run a big boy network.. You're not going to do it with soho stuff designed for home users.

                                         Get APs that support vlans. Get switch(es) that do vlans if you want.. You're only going to cause yourself grief trying to do enterprise grade networking with home user stuff..

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                                          stephenw10 (Netgate Administrator):

                                          It's ugly (triple NAT!) but you can port-forward in Google WIFI: https://support.google.com/wifi/answer/6274503?hl=en-GB

                                          This will work if you have all three port forwards setup correctly.

                                          The fact you were seeing blocked traffic in pfSense shows at least one port forward is wrong. See my comments above.

                                          Steve
