Newbie question, just want to use VPN function not as router.
-
Hello all...
My first post here, so be gentle...
:) I purchased a 2100 MAX for a nonprofit company my wife works for. They wanted VPN connectivity, but not replacing the router at this time.
I have never used pfSense, only ClearOS, which is now horrible.
So the internet provider (Videotron) told me to connect the WAN of the Netgate to port 2 on their router, which they put into DMZ mode. They told me to make the WAN DHCP. The LAN from the Netgate simply plugs into the network switch.
I am able to get to the GUI via LAN. I logged in and modified what I needed to with respect to the IP subnet. The WAN received 192.168.0.153, and the LAN is 192.168.0.3.
However, for now I want to get to the GUI via the WAN side, so I went into the firewall and opened port 80 and port 443 so I can get to it from outside until I get the VPN working.
However I cannot get to the GUI from outside?
What am I missing or forgot to do?
Sorry if I did not supply enough info; please let me know if I need to supply more info to get help... Thanks and have a great day!
-
@robmontreal said in Newbie question, just want to use VPN function not as router.:
The WAN received 192.168.0.153, and the LAN is 192.168.0.3
You cannot have WAN and LAN on the same network.
However I cannot get to the GUI from outside?
And what IP did you go to? 192.168.0.153 is not going to work... You would need to put in the public IP on the ISP router's WAN. When they say DMZ mode, it means they forward traffic that hits their router's public IP to the device plugged into that port.
-
@johnpoz I thought their router would take care of that routing, sorry, I am new at this.
So the WAN port on the Netgate, which is connected to port 2 on the ISP router which is a DMZ, should be the public IP.
OK so let's say the public IP is 24.201.102.116, found out by going to whatsmyip.org. I put that as the WAN static IP, OK I get that, however I have no idea how to find out what the gateway is, which the WAN needs to know in the config. I did a tracert yahoo.com and saw that 24.201.102.1 was there. I tried that as the upstream gateway but received the below when trying to save:
The gateway address 24.201.102.1 does not lie within one of the chosen interfaces's subnets
So not sure what I messed up there?
Thanks.
-
@robmontreal if your ISP device is doing NAT and they placed whatever is on port 2 of their device in the "dmz", that means they just forward traffic to that IP. There is no routing you need to do on pfSense for this to work via DHCP, since the ISP would hand out its IP as the gateway, say 192.168.0.1 or 192.168.0.254.
You can look on pfSense to see what it got for its gateway. pfSense WAN should be DHCP.
You need to look on the ISP device for what its WAN IP is. Sure, whatsmyip could tell you, but if some ISP NATting is also going on, say CGNAT or something, that might not be the case. It's best to look on the ISP device for what the public IP on its WAN is.
But you cannot on pfSense have 192.168.0.x on its WAN and 192.168.0.y on its LAN; pfSense is not going to be able to route anything with such a setup.
In a double NAT setup it works like this.
internet --- 1.2.3.4 (public IP) isp device -- 192.168.0.x ---- 192.168.0.y (pfsense) lan 192.168.1.1 --- 192.168.1.x (client behind pfsense)
Where the ISP device sends all traffic that hits it on 1.2.3.4 to 192.168.0.y.
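The two rules this post and the earlier error message turn on (WAN and LAN must not share a subnet; a gateway must sit inside the interface's own subnet) can be checked with the standard library. This is an added example, not code from the thread or from pfSense; the /24 and /32 masks below are assumptions, since the posts never state them.

```python
import ipaddress


def subnets_overlap(wan_cidr: str, lan_cidr: str) -> bool:
    """True if the WAN and LAN interface networks overlap (pfSense cannot route then)."""
    wan = ipaddress.ip_interface(wan_cidr).network
    lan = ipaddress.ip_interface(lan_cidr).network
    return wan.overlaps(lan)


def gateway_in_subnet(iface_cidr: str, gateway: str) -> bool:
    """True if the gateway lies inside the interface's subnet; this is the condition
    behind the "does not lie within one of the chosen interfaces's subnets" error."""
    iface = ipaddress.ip_interface(iface_cidr)
    return ipaddress.ip_address(gateway) in iface.network


def check_layout(wan_cidr: str, wan_gateway: str, lan_cidr: str) -> list:
    """Return a list of problems for a WAN/LAN layout; an empty list means it is sane."""
    problems = []
    if subnets_overlap(wan_cidr, lan_cidr):
        problems.append(f"WAN {wan_cidr} and LAN {lan_cidr} overlap")
    if not gateway_in_subnet(wan_cidr, wan_gateway):
        problems.append(f"gateway {wan_gateway} is not inside WAN subnet {wan_cidr}")
    return problems


if __name__ == "__main__":
    # Constructed values mirroring the thread (masks assumed):
    # the original poster's layout, WAN and LAN both in 192.168.0.0/24
    print(check_layout("192.168.0.153/24", "192.168.0.1", "192.168.0.3/24"))
    # the static public IP attempt with a /32 mask, which rejects the traceroute gateway
    print(check_layout("24.201.102.116/32", "24.201.102.1", "192.168.0.3/24"))
    # the double NAT layout from the diagram above, LAN moved to 192.168.1.0/24
    print(check_layout("192.168.0.153/24", "192.168.0.1", "192.168.1.1/24"))
```

With a /25 mask the two 192.168.0.x addresses land in different halves of the range and no longer overlap, which is the subnet mask point raised later in the thread.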
-
@johnpoz I do not have access to the ISP router, it's managed by the ISP (Videotron).
They told me: put your device on port 2, make it DHCP and that's it, but DHCP gives me a local subnet (192.168.0.x), so that won't work as I understand now. I would have to call them for a 3rd time and wait on hold for 30 mins to ask them what their gateway is, I guess.
Sorry for being a pain, maybe I should just replace their router with the Netgate, setup would probably be easier and faster? This company does not have a static IP, so I would guess I would set the WAN interface as DHCP?
I asked the ISP, they told me there are no port forwards or any special configuration in it, so it should be straightforward then?
Thanks
-
@robmontreal First, you never gave a subnet mask on either of the private addresses. If they aren't in the same subnet, it would work.
If they are in the same subnet, then as said, you can't do that.
If the ISP is giving you a private IP via DHCP, change your LAN address to another subnet or see if they can change theirs. Easier if you can change yours though.
-
@robmontreal said in Newbie question, just want to use VPN function not as router.:
but DHCP gives me a local subnet(192.168.0.x)
No, that can work and does all the time, if they send traffic that hits the public IP to that IP. But what won't work is you having the same network both on pfSense WAN and its LAN... If you're getting 192.168.0.something on your pfSense WAN, change its LAN to say 192.168.1, which is the default anyway. Why did you change it to 192.168.0?
Here is how you can test if they are sending traffic to pfSense. Sniff on the pfSense WAN interface for say port 5555; any port should work. Now go to canyouseeme.org and send traffic; you should see that hit your pfSense WAN.
See how when I send traffic on 5555, even though I have nothing open or forwarded for that port, my pfSense WAN via the packet capture still sees the traffic.
If you're not seeing the traffic, then either you're not sniffing the pfSense WAN, or they are not forwarding traffic to the IP of the device plugged into port two, or pfSense is not plugged into that port?
If when you do that test you're not seeing traffic on pfSense WAN, it's prob best to get with your ISP and say hey, the "dmz" you set up isn't working, etc.
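The probe test above can be read off a packet capture automatically: a packet from the outside that arrives on the WAN address with the chosen destination port proves the ISP "dmz" is forwarding. This is an added example, not from the thread or from pfSense; the capture lines are constructed in tcpdump's text format, and the probe source 198.51.100.7 and the WAN address 192.168.0.153 are sample values.

```python
import re

# One tcpdump-style IPv4 line: "HH:MM:SS.usec IP src.sport > dst.dport: ..."
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


def probe_hits(capture_lines, wan_ip, probe_port):
    """Return the source IPs of packets that reached wan_ip on probe_port."""
    hits = []
    for line in capture_lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # ARP, IPv6 and other non-IPv4 lines are ignored
        if m.group("dst") == wan_ip and int(m.group("dport")) == probe_port:
            hits.append(m.group("src"))
    return hits


def dmz_forwarding_works(capture_lines, wan_ip, probe_port=5555):
    """True if at least one external probe on probe_port reached the WAN address;
    the firewall blocking the port afterwards does not matter, seeing it is enough."""
    return len(probe_hits(capture_lines, wan_ip, probe_port)) > 0


# Constructed sample capture: one probe to 5555, DHCP noise, an unrelated port, ARP.
SAMPLE_CAPTURE = [
    "12:00:01.100000 IP 198.51.100.7.51234 > 192.168.0.153.5555: Flags [S], seq 1, win 64240, length 0",
    "12:00:02.000000 IP 192.168.0.153.68 > 192.168.0.1.67: BOOTP/DHCP, Request, length 300",
    "12:00:03.000000 IP 198.51.100.7.51235 > 192.168.0.153.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:04.000000 ARP, Request who-has 192.168.0.1 tell 192.168.0.153, length 28",
]

if __name__ == "__main__":
    print("probe sources seen:", probe_hits(SAMPLE_CAPTURE, "192.168.0.153", 5555))
    print("dmz forwarding works:", dmz_forwarding_works(SAMPLE_CAPTURE, "192.168.0.153"))
```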
-
Yup, that^.
You just need to change the pfSense LAN subnet to something other than what the ISP router is using. The default 192.168.1.1/24 for LAN will work if it's not already in use somewhere on your network. But I suggest you don't use that, especially for a VPN server, because it can easily conflict with remote VPN clients. Use something obscure instead like, for example, 10.100.10.1/24.
Steve