New to pfSense and trying to make sense of it.
-
My current configuration is Comcast Business 50mb with their Netgear CS3000 modem feeding our Sonicwall TZ215, which is end of life, and I'm tired of paying subscriptions. I did a bit of research and had a few recommendations which led me to pfSense, so I picked up a Protectli device, got it loaded and configured per the YouTube channel Lawrence Systems "2020 Getting started with pfSense", and all went well. I can log in from my laptop and make the minimal configuration changes I thought were necessary to get things working, like setting the LAN static IP.

However, this is where things went sideways: when I took the device and put it inline with our modem and switch, it had issues picking up a WAN side link. I futzed with the WAN options and took some time to get used to the interface, but I was scratching my head. So this all led me to googling whether there is any sort of recommended setup specific to Comcast and pfSense, where I see some recommendations to put the Comcast modem into Bridged Mode; however, this comes with big drawbacks in my opinion. The modem is no longer a device I can see on the network, log into, or even reconfigure if needed. So I'm not overly thrilled with this idea. If this happens to be best practice then I will have to consider it, but this is my reason for posting: to see if there is an alternative, better way of using the modem, pfSense firewall, and my current network configuration without having to re-engineer everything.

Can someone explain the reasoning of why pfSense isn't able to work out of the box with a Comcast modem or other modems without bridge mode? I think it has to do with NAT but I'm not clear on why. I've since pulled the unit back out of the network and back onto my laptop for further testing, but now I can't even seem to ping it. The Protectli boots so I'm sure it's running, but I guess I need to hook up a monitor to see what's going on with it since I can't get into the web GUI.
So a little more detail: my network is a 20 node IPv4 network, DNS and DHCP are handled by my servers, not much more complexity than that. All traffic is routed through a gigabit switch which the firewall is connected to, and all clients get the firewall IP as their gateway.
I'm looking for some helpful expertise that can lead me in the right direction. Thanks and Happy Holidays.
-
@usaevo7 said in New to pfSense and trying to make sense of it.:
CS3000 modem
Not really a modem - it's a gateway. It does NAT.. There is no reason why you can not do double NAT.. But why would anyone want to.. Who cares what that device does for NAT or the basic firewall features it has when pfSense would be doing that. So yes, best practice is to use that device as just a modem and let pfSense do the NAT and firewall.
Any wifi of that OLD device is N300 anyway.. So that is pretty useless as well.
But if you want to run it as a NAT router - then do so.. pfSense will work just fine. But you can not use the same network on the WAN as you use on your LAN.
If pfSense WAN is 192.168.1/24 then its LAN needs to be something else, 192.168.2/24 for example.
This is plug it in and it works - there really is nothing to do.. Other than make sure your WAN and LAN are not the same network.
Doesn't matter if pfSense has a WAN connection or not - if you can not get into the webgui from the LAN side of the network.. Then it's not even set up to do anything.. It would work out of the box no matter what your ISP or device is.. Out of the box this is clickity clickity up and running.
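The rule in the reply above (WAN and LAN must be different networks, or the default gateway is no longer reachable on exactly one interface) can be checked before touching the box. This is an added example, not code from the thread or from pfSense; the addresses and the upstream gateway address are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Set

# Constructed sample plans (not from the thread): the Comcast gateway hands
# pfSense a private WAN address; the first plan keeps the same /24 on LAN.
BAD_PLAN = {"WAN": "192.168.1.10/24", "LAN": "192.168.1.254/24"}
GOOD_PLAN = {"WAN": "192.168.1.10/24", "LAN": "192.168.2.1/24"}
UPSTREAM_GATEWAY = "192.168.1.1"  # assumed LAN address of the Netgear gateway


def connected_matches(ifaces: Dict[str, str], dst: str) -> Set[str]:
    """Interfaces whose on-link subnet contains dst, keeping only the longest
    prefix. More than one survivor means two equally good connected routes,
    which is exactly the same-subnet failure described in the thread."""
    target = ipaddress.ip_address(dst)
    best, winners = -1, set()
    for name, cidr in ifaces.items():
        net = ipaddress.ip_interface(cidr).network
        if target not in net:
            continue
        if net.prefixlen > best:
            best, winners = net.prefixlen, {name}
        elif net.prefixlen == best:
            winners.add(name)
    return winners


def check_plan(ifaces: Dict[str, str], upstream_gw: str) -> List[str]:
    """Return the reasons a WAN/LAN plan cannot forward traffic (empty = ok)."""
    problems = []
    wan = ipaddress.ip_interface(ifaces["WAN"]).network
    lan = ipaddress.ip_interface(ifaces["LAN"]).network
    if wan.overlaps(lan):
        problems.append(f"WAN {wan} and LAN {lan} overlap")
    via = connected_matches(ifaces, upstream_gw)
    if via != {"WAN"}:
        problems.append(f"gateway {upstream_gw} resolves to {sorted(via)}, not WAN only")
    return problems


def egress_for(ifaces: Dict[str, str], upstream_gw: str, dst: str) -> str:
    """How pfSense would send a packet to dst: on-link, or via the default
    gateway. Raises when the kernel's choice would be ambiguous."""
    direct = connected_matches(ifaces, dst)
    if len(direct) == 1:
        return f"on-link via {direct.pop()}"
    if direct:
        raise ValueError(f"{dst} is on-link on {sorted(direct)}; ambiguous")
    via = connected_matches(ifaces, upstream_gw)
    if len(via) != 1:
        raise ValueError(f"gateway {upstream_gw} on {sorted(via)}; ambiguous")
    return f"via {upstream_gw} on {via.pop()}"
```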
-
Daggonit johnpoz! An easy question to this forum I haven't been on in several months. It's only been posted for 11 minutes and I start crafting my response. And then, the Jedi Master has to crush this Padawan's dreams of contributing.
All kidding aside, johnpoz stole my thunder. He is absolutely on point with his response.
Additional things I can contribute:
I'm making the assumption that you don't have a static IP from Comcast, right? I have noticed with several "Cable" ISPs that when you switch out routing appliances you need to power off the modem for at least 15 minutes. If that modem has a battery, unplug it too. The ISP needs to forget the MAC address in their routing tables and taking the modem off the network for a few minutes will allow that to happen. You could spoof your WAN MAC on the Protectli device to get it working more quickly but I'd recommend against that for other reasons.
With that said, if you are an actual "business" there is no good reason that I can think of why you would not want your modem in bridge mode. Some really crappy ISPs won't let you set your modem into bridge mode. At that point I'd have to place the pfSense's WAN IP into the DMZ of the modem. That sucks! Whenever setting up a business I ALWAYS get that modem into bridge mode if I can. I don't want it doing anything except providing that business with their public facing IP to pfSense. There is no way I'd trust that Netgear device to be a better firewall than pfSense, so I'm not screwing with it. So if you are asking if "Bridge Mode" is "Best Practice", the answer is an astounding Yes.
-
@thatguy said in New to pfSense and trying to make sense of it.:
I have noticed with several "Cable" ISPs that when you switch out routing appliances you need to power off the modem
That would be with a modem, not the gateway device he has doing NAT.. Unless you're on to something and it's doing passthru of a public IP.. But I doubt it..
His problem right now is his device running pfSense is not working - if it was he would be able to get to the webgui. Whether it has a WAN connection or not - the only thing that might happen is if there is no WAN, it could be slow due to DNS timeouts.. But it would still respond even if sluggish.
It's never going to do anything if he can not even access the web GUI from the LAN side connection.. When you plug your laptop into the LAN interface of this pfSense device - does it get an IP from DHCP? I would console into this device and validate that it's actually even booting.. If you had removed power from it without a proper shutdown - it could be borked.. And might need to have pfSense reinstalled..
-
Yeah johnpoz, you're probably right. I went back and read the initial post and missed the part about "I can't ping pfSense". Sounds like you're also on to something with a NAT issue with the WAN and LAN IPs being the same. Now get this, I've seen other appliances that I have replaced where the WAN and LAN are on the same freaking network. First thought: how the hell is this working? Maybe the SonicWall has got some kind of workaround for that. They are known to be the "Lego Bricks of Routing Appliances".
A question for usaevo7. If you currently don’t have the Netgear modem in Bridge mode and the SonicWall isn’t handling DNS or DHCP what the heck is the purpose of the SonicWall? Is it doing anything other than acting as an additional firewall?
-
Thank you for the replies. I resolved the webui issue; it was an oversight on my part. The last thing I did before pulling it back off the network was change the LAN side static IP to put both firewalls inline for further testing, but because I was in a rush and it was late, I forgot this big detail now that it's a couple of days later.
I think I'm going to reconfigure the modem to alleviate the identical IP on LAN/WAN side issue (this is how the Sonicwall was set up) and test static IPs between modem and pfSense. Once I get more familiar with things and get up the courage I can implement the bridge mode on the modem.
-
@thatguy Content filtering and some other odds and ends. The Comcast modem/gateway is extremely simplistic.
-
OK, here is what I would do before you jump off the cliff's ledge and put the pfSense device into production.
- Back up your Netgear modem's config. Why? If you put the thing in bridge mode and can't get things working, you're gonna want that config to get back on that cliff.
- Back up your SonicWall config. Why? You may need it.
- Put your Netgear modem into Bridge mode. Reboot the modem. It may tell you that you need to do that anyway.
- Reboot your SonicWall?
- Does your network still work? If it does, great. If it doesn't, depending on how much time you have to tinker to get this working you may need to consider restoring that modem config to get back on that cliff.
- Let's say it works, great. Now, match your pfSense's LAN IP to the same as your old SonicWall's LAN IP. Since you're running DHCP from another server, obviously, make sure it ain't running on pfSense.
- Find out what your SonicWall's WAN NIC's MAC address is.
- Put that MAC address into pfSense's WAN MAC. You're gonna make your ISP think you never changed your appliance. You do this by going to pfSense WebGUI-->Interfaces-->WAN and entering it in the MAC Address field. The reason why you are doing this is so you can make a quick switch between the SonicWall and pfSense appliances and see if it still works. As I stated earlier, a lot of cable ISPs look at that MAC address.
- Does your network still work? If it does, great. If not, depending on your time it may be best to put that SonicWall back in. Your call on this one.
- Remove all power from your modem (including the battery if it has one). Wait at least 15 minutes.
- While you are waiting, go back into pfSense's WAN and remove that MAC address you spoofed earlier. I don't like keeping spoofed MAC addresses, as when you are looking at certain network traffic or information you may not realize that what you see is not what it really is. Using NTOP is a good example of this.
- After you have waited at least 15 minutes, power the modem back up. Patiently wait till it comes back online. I know, it's hard.
- Once it is back up and the modem shows it's online, does your network still work? Did pfSense pull an IP address from the modem?
Most importantly, even if things work, plan on getting some feedback from end users on problems they may be having, as you may need to do some tweaking with your pfSense appliance due to the switch out.
-
Up and running now, thanks guys. It seems the complications were specific to my configuration, so once a few settings were changed it all clicked into place and started working. Happy Holidays!