pfSense behind router without bridge mode
-
Hey guys! Having some issues setting up my upstream gateway.
Basically, I am on a rural connection with a 4G router, which to no surprise does not support bridged mode.
I have tried to set up the router as an upstream gateway, but for some reason I've had no luck. My setup is as follows.
LAN >> 172.16.0.0/24
WAN >> 192.168.1.2/30
Router >> 192.168.1.1/30
WAN interface connected directly to the router LAN interface.
I've tried it on DHCP and static. No matter what happens I am unable to ping the router at 192.168.1.1 from pfSense.
I would imagine I need to have the "block private networks" and possibly "block bogon networks" tick boxes disabled.
Is there something I'm missing or a nice step by step guide for this setup?
Thanks in advance.
-
The subnets look good, not conflicting, but the LAN interface IP needs to be an actual address, not a network. So you could use 172.16.0.1/24 there, for example.
I would leave the WAN set as DHCP so it pulls all the details from the upstream router.
Steve
-
Thanks for the reply Steve,
Sorry for the misunderstanding, but the interface itself is set to 172.16.0.1 on network 172.16.0.0/24.
I did also try DHCP, as well as static, but on both occasions I could not ping my upstream gateway. I did however log in to the router by plugging into the back of it, and I could see that there was an active ARP entry and DHCP lease for the hostname of my pfSense.
Still not sure why I'm unable to ping.
Cheers
-
You were able to connect to the router only on the serial console?
The default firewall rules on LAN will allow pings but only from the LAN subnet.
The upstream device may not allow pings. If that's the case you should set the gateway monitoring IP to something further upstream.
Steve
-
@stephenw10 thanks for the reply.
I got it going. It's really difficult to operate behind the router when not in bridge mode. I am now double NATing and things are a bit of a pain. Certain packets are getting dropped, like VPN traffic, etc.
Is there any tips you can give me to make this whole setup a little more clean?
-
Most traffic will work fine behind double NAT as long as all the subnets involved are unique.
Mostly it's port forwarding that is problematic or anything that relies on UPnP.
VPN traffic getting dropped is not something I'd associate with double NAT directly. If the upstream router is doing something with the traffic, it will affect it. Some devices try to be too clever with things like IPsec 'helpers'. Generally breaks more things than it ever helps, IMO!
Steve
-
@stephenw10 Thanks again for your help!
I think, after checking the logs, it appears the WAN interface link keeps dropping. I put this down to possibly being because the interface was set to DHCP, so every time the lease expired the interface would drop when a new lease was obtained?
Sep 14 23:11:29 kernel ue0: link state changed to DOWN
Sep 14 23:11:29 kernel ue0: link state changed to UP
Sep 14 23:11:29 check_reload_status 378 Linkup starting ue0
Sep 14 23:11:29 check_reload_status 378 Linkup starting ue0
Sep 14 22:17:35 check_reload_status 378 Linkup starting ue0
Sep 14 22:17:35 kernel ue0: link state changed to DOWN
Sep 14 22:17:35 kernel ue0: link state changed to UP
Sep 14 22:17:35 check_reload_status 378 Linkup starting ue0
Sep 14 21:23:39 check_reload_status 378 Linkup starting ue0
Sep 14 21:23:39 kernel ue0: link state changed to DOWN
Sep 14 21:23:39 kernel ue0: link state changed to UP
Sep 14 21:23:39 check_reload_status 378 Linkup starting ue0
Sep 14 21:23:36 check_reload_status 378 Linkup starting ue0
Sep 14 21:23:36 kernel ue0: link state changed to DOWN
Sep 14 21:23:36 kernel ue0: link state changed to UP
Sep 14 21:23:36 check_reload_status 378 Linkup starting ue0
Not sure why this would be? Any ideas? It does seem to be good now.
Also, I can reach my upstream gateway from my LAN. I'm guessing it has just added a static route to the subnet from my LAN subnet.
Is there any way to remove the route and only allow pfSense to access the upstream gateway? I'm guessing this would be a specific static route that I need to add. I must admit I have not had a huge amount of experience with static routing. I always get the SOURCE and DESTINATIONS wrong, haha.
Thanks again!
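The log excerpt above is enough to tell a periodic drop from random flapping, which is the distinction the replies below turn on. The script here is an added example (not code from the thread or from pfSense): it parses the quoted "link state changed" lines, copied in as sample input, and reports the gaps between DOWN events on ue0. The year in the timestamps is assumed, since the syslog format carries none; the 60-second noise threshold and 5% tolerance are my own choices.

```python
"""Spot periodic link flaps in pfSense/FreeBSD kernel log lines."""
import re
from datetime import datetime

# Sample input: the lines posted in the thread, newest first as the
# pfSense status log shows them. A year is assumed because syslog
# timestamps do not include one.
SAMPLE_LOG = """\
Sep 14 23:11:29 kernel ue0: link state changed to DOWN
Sep 14 23:11:29 kernel ue0: link state changed to UP
Sep 14 23:11:29 check_reload_status 378 Linkup starting ue0
Sep 14 22:17:35 kernel ue0: link state changed to DOWN
Sep 14 22:17:35 kernel ue0: link state changed to UP
Sep 14 21:23:39 kernel ue0: link state changed to DOWN
Sep 14 21:23:39 kernel ue0: link state changed to UP
Sep 14 21:23:36 kernel ue0: link state changed to DOWN
Sep 14 21:23:36 kernel ue0: link state changed to UP
"""

# Only the kernel link-state lines matter; check_reload_status lines are skipped.
LINK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) kernel (?P<ifname>\w+): "
    r"link state changed to (?P<state>UP|DOWN)$"
)


def parse_link_events(log_text, year=2023):
    """Return [(datetime, ifname, state)] sorted oldest-first."""
    events = []
    for line in log_text.splitlines():
        m = LINK_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ifname"], m["state"]))
    events.sort(key=lambda e: e[0])
    return events


def down_intervals(events, ifname):
    """Whole seconds between successive DOWN events on one interface."""
    downs = [ts for ts, name, state in events if name == ifname and state == "DOWN"]
    return [int((b - a).total_seconds()) for a, b in zip(downs, downs[1:])]


def looks_periodic(intervals, min_gap=60, tolerance=0.05):
    """True if all gaps of at least min_gap seconds agree within `tolerance`.

    A DOWN that repeats a few seconds later is a bounce of the same event,
    so such short gaps are ignored. Two or more near-equal long gaps point
    at a timer (modem reboot, lease renewal); scattered gaps point at a
    flaky link or NIC.
    """
    gaps = [g for g in intervals if g >= min_gap]
    if len(gaps) < 2:
        return False
    mean = sum(gaps) / len(gaps)
    return all(abs(g - mean) <= tolerance * mean for g in gaps)


if __name__ == "__main__":
    ev = parse_link_events(SAMPLE_LOG)
    gaps = down_intervals(ev, "ue0")
    print("DOWN-to-DOWN gaps on ue0 (s):", gaps)
    print("periodic:", looks_periodic(gaps))
```

Run it against a longer capture (`clog /var/log/system.log` on the pfSense shell, or the exported status log) to see whether the cadence survives a reboot of the 4G router or a change of DHCP lease time; a gap that tracks the lease time implicates DHCP, one that ignores it implicates the modem or the USB NIC.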
-
@deanfourie said in pfSense behind router without bridge mode:
connection with a 4G router
and
@deanfourie said in pfSense behind router without bridge mode:
Sep 14 23:11:29 kernel ue0: "UP DOWN UP DOWN UP DOWN UP DOWN ...."
"ue0" means you 'forgot' to tell us you are using a USB Ethernet dongle??
Then remind me that we will not forget to tell you that Wifi support on FreeBSD is plain 'bad'.
Same thing for Ethernet over USB.
And even if you have something that actually works (I can't exclude that), you could have another issue:
The Wifi (radio) connection comes up. A DHCP request is fired from pfSense to the 4G router. It obtains an IP (and mask, gateway, DNS etc etc) from the 4G router. Then the radio connection goes down. Comes up again, DHCP re negotiations restarts, and so on.
I advise you to use a cabled connection between pfSense and the 4G router. All your issues will be gone.
-
@gertjan Thanks, so is this issue just between the 4G router and pfSense.
My setup.
Onboard LAN >> pfSense LAN (LAN)
USB Ethernet >> 4G Router LAN (WAN)
So do you suggest I use the onboard NIC for the WAN connection rather than the LAN?
-
I suggest you use USB ports only, and limited to serial emulation for the console access. That's some 115200 bits per sec.
Using it for Ethernet traffic: just don't.
Your pfSense device typically has two NICs (at least). This often boils down to: invest in a second NIC (a couple of $$$).
These might be 'electric' or even fibre. Nothing else.
And so you know it: if you see NICs that use the 're' driver, also known as 'Realtek': just run away, fast.
( or get your hands on them, send the NIC over to your worst enemy and observe the result )
( send him your USB to Ethernet stick also )
-
If you are still having difficulty:
- Inexpensive LTE modems that support bridge mode.
https://www.netgear.com/home/mobile-wifi/lte-modems/
- Then configure your existing router as a dumb AP.
I use one for failover WAN connection.
-
Yeah, you should not see the interface lose link like that.
The only time you might see it is if you're running Snort/Suricata in in-line mode?
It's much better not to use USB Ethernet at all but you could certainly try swapping the WAN and LAN as a test. It might be more stable on the LAN side.
Check the modem though. It could be losing link because that's rebooting for example. The 6hr intervals there seem very regular. If it was the USB NIC flapping I would expect something much more random.
You are able to reach the WAN gateway with no routing at all because it's in a locally connected subnet; WAN.
If you can reach that but nothing else you may have lost your default route or have a bad default route.
Go to System > Routing > Gateways and set the default v4 gateway to the WAN gateway.
If you have more than one gateway and it's set to automatic, it might be switching to the wrong gateway. You probably shouldn't have more than one gateway there though; if you do, you may have something misconfigured.
Steve
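The reply above rests on three facts about the routing table: the WAN gateway is reachable without any route because it is in a directly connected subnet, there should be exactly one default route and it should point at that gateway, and the subnets on either side of the double NAT must not overlap. The script below is an added example, not code from the thread or from pfSense; it parses FreeBSD `netstat -rn` output and checks those three conditions. The embedded routing table is constructed with the addresses from the thread (LAN 172.16.0.1/24, WAN 192.168.1.2/30 with gateway 192.168.1.1); the interface names em0 and ue0 are assumptions.

```python
"""Sanity-check a pfSense (FreeBSD) routing table for a single-WAN,
double-NAT layout: connected WAN subnet, one default route, no overlap."""
import ipaddress

# Constructed sample of `netstat -rn -f inet` on pfSense using the
# thread's addresses. em0 (LAN) and ue0 (WAN) are assumed interface names.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         ue0
127.0.0.1          link#2             UH          lo0
172.16.0.0/24      link#1             U           em0
172.16.0.1         link#1             UHS         lo0
192.168.1.0/30     link#3             U           ue0
192.168.1.2        link#3             UHS         lo0
"""


def parse_routes(text):
    """Return [(destination, gateway, flags, netif)] from netstat -rn output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the banner, the blank line, the 'Internet:' label and the header row.
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        routes.append(tuple(parts[:4]))
    return routes


def connected_subnet_for(routes, ip):
    """Network of the directly connected route (flag U, no G) containing ip, or None.

    A route with a prefix and no G flag is an on-link subnet: hosts in it are
    reached by ARP, not via a gateway, which is why pfSense can ping 192.168.1.1
    with no static route at all.
    """
    addr = ipaddress.ip_address(ip)
    for dest, _gw, flags, _netif in routes:
        if "/" not in dest or "G" in flags:
            continue
        net = ipaddress.ip_network(dest, strict=False)
        if addr in net:
            return net
    return None


def default_routes(routes):
    """All (gateway, netif) pairs for 'default' entries; a sane box has one."""
    return [(gw, netif) for dest, gw, _flags, netif in routes if dest == "default"]


def check_upstream(routes, wan_gw, wan_if, lan_net):
    """Return a list of problems; an empty list means the layout looks right."""
    problems = []
    wan_net = connected_subnet_for(routes, wan_gw)
    if wan_net is None:
        problems.append(f"{wan_gw} is not in any directly connected subnet")
    elif ipaddress.ip_network(lan_net).overlaps(wan_net):
        problems.append(f"LAN {lan_net} overlaps WAN subnet {wan_net}")
    defaults = default_routes(routes)
    if len(defaults) != 1:
        problems.append(f"expected exactly one default route, found {len(defaults)}")
    elif defaults[0] != (wan_gw, wan_if):
        problems.append(f"default route is via {defaults[0]}, expected ({wan_gw}, {wan_if})")
    return problems


if __name__ == "__main__":
    table = parse_routes(SAMPLE_NETSTAT)
    print(check_upstream(table, "192.168.1.1", "ue0", "172.16.0.0/24") or "routing looks sane")
```

On a live box, feed it the real table with `netstat -rn -f inet` from Diagnostics > Command Prompt or the shell; a second `default` line, or a gateway that lands outside every connected prefix, is exactly the misconfiguration the reply warns about.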
-
@gertjan said in pfSense behind router without bridge mode:
Your pfSense device has typically two NIC's (at least). This often, boils down to : invest in a second NIC (a couple of $$$).
No can do sir, I'm running pfSense on a NUC. No room for upgrades there haha!
@stephenw10 Yes, they are very regular intervals. I will see how it goes and monitor it.
I am able to reach everything on my LAN including my upstream gateway. I was thinking, for "security" reasons, make the upstream gateway inaccessible even from the LAN.
As for the default gateway, my DHCP server is dishing out my pfSense LAN interface as the default gateway rather than the actual WAN router (upstream gateway?) to clients. Is this correct?
Thanks guys!
-
Yes, that's correct. LAN side clients should be using the pfSense LAN IP as their gateway.
pfSense should only have one gateway itself though in a simple setup like that. If it has more than one (probably wrong) it might be choosing the wrong one. Setting the default gateway to WAN_DHCP does not hurt in any case.
Steve