pfSense Behind Another Router
-
How can I set up my pfSense behind another router with the WAN port connected to my LAN?
Currently, I have it set so that a LAN port is connected to my LAN. This has limited some functionality. I use my pfSense XG-1541 for an OpenVPN server to connect to my home network.
Can I connect the WAN port to my LAN and use it as an OpenVPN server? How would that connect to my internal network devices though?
Is there a way to bridge things (i.e., connect the WAN port to my cable modem's second port and connect a LAN port on the XG-1541 for my internal LAN)?
Looking for recommendations on how to best set this up. It was working perfectly for IPv4, but now that I'm trying to implement IPv6 it's gotten a little tricky.
Thanks!
-
???
What exactly is it you're trying to do? You can't have both the WAN and LAN sides connected to the LAN? If you connect only the WAN side, then you'll have another LAN.
-
I'm trying to connect remotely to the XG-1541 as an OpenVPN server and access my home network. I'm also wanting IPv6 connectivity tunneling all connections through the VPN.
-
The best solution here is to put the cable modem (router?) in bridge mode so the XG-1541 gets a public IP on its WAN directly. Then connect your internal network to its LAN.
If you can't do that, then double NATing is next best. All your internal devices on the XG-1541 LAN and only the XG-1541 WAN connected to the cable router's LAN.
It is possible to use the XG-1541 as purely a VPN server. It only needs one interface in that situation. But you will easily hit asymmetric routing if you're not careful.
The 'correct' way to avoid that is to put the VPN server in a separate subnet on your router so traffic in and out of it goes through the router, but that may not be possible on a basic ISP-supplied device. The common workaround is to outbound NAT all the VPN client traffic to the pfSense WAN so replies go directly. That limits you to only inbound connections though.
Can we see a diagram of what you have? What you need?
Steve
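
The asymmetric routing described above for a single-interface VPN server, modelled as an added example that is not part of the original posts. All addresses, the 10.8.0.0/24 tunnel network and the static route on the ISP router are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing (assumptions, not values from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")
TUNNEL = ipaddress.ip_network("10.8.0.0/24")      # OpenVPN tunnel network
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
ADDR = {"router": "192.168.1.1", "pfsense": "192.168.1.2", "host": "192.168.1.50"}

# Routes per node as (prefix, next hop); None means the prefix is on-link/local.
ROUTES = {
    "host": [(LAN, None), (DEFAULT, "router")],
    "router": [(LAN, None), (TUNNEL, "pfsense")],  # assumed static route on the ISP router
    "pfsense": [(LAN, None), (TUNNEL, None)],
}

def owner(dst):
    """Node where traffic for dst terminates (VPN clients sit behind pfSense)."""
    if ipaddress.ip_address(dst) in TUNNEL:
        return "pfsense"
    return next((n for n, a in ADDR.items() if a == dst), None)

def trace(start, dst, max_hops=8):
    """Hop-by-hop path from start to dst using longest-prefix match."""
    target = owner(dst)
    if target is None:
        return [start, "unroutable"]
    path, node = [start], start
    while node != target and len(path) < max_hops:
        matches = [r for r in ROUTES[node] if ipaddress.ip_address(dst) in r[0]]
        if not matches:
            path.append("unroutable")
            break
        _, via = max(matches, key=lambda r: r[0].prefixlen)
        node = via or target
        path.append(node)
    return path

def check(client_ip, outbound_nat):
    """Compare the forward path with the path the LAN host's reply takes."""
    # With outbound NAT the LAN host sees pfSense's own address as the source.
    seen_src = ADDR["pfsense"] if outbound_nat else client_ip
    forward = trace("pfsense", ADDR["host"])
    reply = trace("host", seen_src)
    return {"forward": forward, "reply": reply, "asymmetric": reply[::-1] != forward}

if __name__ == "__main__":
    for nat in (False, True):
        print("outbound NAT" if nat else "no NAT", check("10.8.0.6", nat))
```

Without NAT the reply detours through the ISP router, which never saw the forward packet; with outbound NAT the reply returns directly to pfSense on the same subnet.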
-
@stephenw10 Some home routers provided by ISPs have a 'DMZ' option that can be used to connect a downstream pfSense firewall WAN interface.
You can continue to use the home router's LAN for the connections in the home that you don't want protected by pfSense. E.g. guests that just want to use your home router's WiFi without you monitoring their traffic.
Your real LAN sits behind pfSense and is only connected to the pfSense LAN interface. It is not directly connected to the home router. The pfSense WAN interface is connected to the home router by Ethernet cable and the home router's DHCP should be configured to serve a static/reserved IP address to the pfSense WAN interface so it has the same 192.168.1.x IP address every time.
When the reserved IP address has been configured as a DMZ in your home router, all incoming traffic to the home router will be presented to the DMZ IP address. I have seen this implemented differently on different devices. Some will bridge the DMZ port so that pfSense will show an external IP on the WAN interface. Some will just NAT the traffic so pfSense sees the 192.168.1.x address on the WAN interface.