Netgate Discussion Forum

Pfsense as lan router and port forwarding problems?

General pfSense Questions
27 Posts 8 Posters 2.6k Views
    josephchrzempiec
    last edited by josephchrzempiec Jul 7, 2022, 5:22 AM Jul 7, 2022, 5:21 AM

    Hello, I set up pfSense as a LAN router. My ISP has an all-in-one modem/router. It comes with a static IP address. The problem I have is I need to port forward an IP address because it runs my web server. The only problem I have is: do I open the port on the pfSense router or on the ISP modem/router? I have tried both and enabled port forwarding on both; however, the pfSense router is a 192 address and my ISP a different internal address. I'm not sure what to do. Can someone please help me figure this problem out?

    Joseph

      marvosa @josephchrzempiec
      last edited by Jul 7, 2022, 5:34 AM

      @josephchrzempiec Sounds like you're double NAT'd. Ideally, you'd want to have your ISP configure your modem/router in bridge mode so pfSense gets a public IP.

        josephchrzempiec @marvosa
        last edited by Jul 7, 2022, 5:44 AM

        @marvosa Thanks for the reply. I called them and asked them about bridge mode. They don't have it in their routers. I'm not sure what else I can do?

        Joseph

          Patch @josephchrzempiec
          last edited by Patch Jul 7, 2022, 10:23 PM Jul 7, 2022, 7:32 AM

          @josephchrzempiec said in Pfsense as lan router and port forwarding problems?:

          My ISP have a modem/router all in one

          • What physical interface is the WAN, i.e. what comes into the ISP router? ADSL / VDSL / fibre optic / Ethernet.

          • What is the ISP-provided modem?

          • If the ISP modem does not provide bridge mode, perhaps you could just use a different modem to enable you to connect your pfSense router directly.

          • If you are stuck with a double NAT, you will need to set up the port forwards in both routers.

            josephchrzempiec @Patch
            last edited by Jul 7, 2022, 8:39 AM

            @patch My ISP is Comcast; it's Comcast fiber. The support lady said, "Well, I don't see a way to put it in bridge mode," and the option is not in the modem/router. So I called again and had someone else look into it. This is what they told me: yes, we can do bridge mode; however, your modem/router doesn't have this feature in it. He also said this is very strange, even the firmware is different from what they normally have on this model. They are going to send me a new modem/router. I was the second person in my town to get fiber from Comcast.

            P.S. Problem solved. It seems this modem/router firmware is not the same as what they normally use. I guess I wasn't seeing things when I didn't see it.

            I did look something else up on this model. Google Fiber uses the same modem/routers as well. But I cannot confirm that is what the Comcast guy told me.

            Joseph

              SteveITS Galactic Empire @josephchrzempiec
              last edited by Jul 7, 2022, 2:15 PM

              @josephchrzempiec If there is no bridge mode then another way to do this is to set a DMZ in the Comcast router so it forwards everything to your pfSense. So if the pfSense is 10.1.10.5, the Comcast router sets 10.1.10.5 as its DMZ. Then on your pfSense you also create NAT rules to forward port 443 to your web server.

              Alternately you can forward Comcast port 443 to 10.1.10.5:443 and then create another NAT rule on the pfSense to forward port 443 to your web server.

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

                josephchrzempiec
                last edited by josephchrzempiec Jul 8, 2022, 2:11 AM Jul 8, 2022, 2:10 AM

                Hello, I got my new modem/router in today. Wow, that was fast. Found out they have a small office 5 minutes from me and I never knew it, so I picked it up there. I was able to get it up and running. I also found out I not only got one static IP address but have a block of 5. I totally forgot I paid for it.

                So I assigned a static IP to the pfSense router and it works. I'm noticing one thing. Since my pfSense router is a 192.168 address and my Comcast fiber is on another static IP, I'm able to ping between both and see both no matter which network it's on. Is there a way to stop that?

                Joseph

                  stephenw10 Netgate Administrator
                  last edited by Jul 8, 2022, 2:06 PM

                  Prevent pfSense and Comcast pinging each other?

                  I'm not sure why you would want to do that. You can add firewall rules in pfSense to block that if you really want to though.

                  Steve

                    SteveITS Galactic Empire @josephchrzempiec
                    last edited by Jul 8, 2022, 2:36 PM

                    @josephchrzempiec If you're talking about pinging the Comcast 10.1.10.1 address that IP works, even when "bridged" and using a static IP on your router. It allows one to browse to the Comcast router to manage it. Also allows one to plug a laptop into their router to test, bypassing the customer router. But yes in some cases we block access to 10.1.10.1 from certain networks, allow from a management IP, etc.
                      josephchrzempiec @SteveITS
                      last edited by josephchrzempiec Jul 8, 2022, 5:02 PM Jul 8, 2022, 5:01 PM

                      @steveits This modem/router has a 10.0.0.1 address. How can I apply those rules? I know nothing about firewalls.

                      Joseph

                        SteveITS Galactic Empire @josephchrzempiec
                        last edited by Jul 8, 2022, 5:45 PM

                        @josephchrzempiec OK around here Comcast's default is a 10.1.10.x subnet.

                        re: rules, first I would take some time to learn more about firewalls so you don't lock yourself out. Second, write down what you're trying to accomplish, in words. Rules on an interface are processed in order. By default LAN is allowed to connect anywhere.

                        https://docs.netgate.com/pfsense/en/latest/firewall/fundamentals.html
                        for example rules (not that you need any of these): https://docs.netgate.com/pfsense/en/latest/recipes/example-basic-configuration.html

                        To restrict access to the Comcast router from LAN, something like this:

                        allow from my_ip to 10.0.0.1
                        block from LAN Net to 10.0.0.1

                        So you can see no one else on LAN except my_ip can connect to 10.0.0.1.
                          josephchrzempiec
                          last edited by Jul 8, 2022, 9:36 PM

                          @steveits said in Pfsense as lan router and port forwarding problems?:

                          https://docs.netgate.com/pfsense/en/latest/recipes/example-basic-configuration.html

                          Here are the following steps I tried from what I can see online and videos to block the address.

                          I went to Firewall / Rules / LAN. I hit the Add button.
                          Action: Block
                          Interface: LAN
                          Address Family: IPv4
                          Protocol: TCP/UDP
                          Source: Single host or alias, Address 10.0.0.1
                          Destination: Any
                          Description: Block 10.0.0.1

                          Is there anything I got wrong or need to change?

                          Joseph

                          P.S. Applying these rules and saving the change did not stop me from pinging the 10.0.0.1 address.

                            SteveITS Galactic Empire @josephchrzempiec
                            last edited by Jul 8, 2022, 9:54 PM

                            @josephchrzempiec
                            Pinging is ICMP not TCP or UDP. TCP would block, say, an HTTP connection.
                            Source is the source of the packet so would be the IP you want to block. So probably LAN Net.
                            Destination is where the packet is going, so 10.0.0.1.
                              stephenw10 Netgate Administrator @josephchrzempiec
                              last edited by Jul 8, 2022, 9:54 PM

                              @josephchrzempiec said in Pfsense as lan router and port forwarding problems?:

                              Protocol: TCP/UDP

                              That does not include ICMP which ping uses.

                                josephchrzempiec
                                last edited by josephchrzempiec Jul 8, 2022, 10:12 PM Jul 8, 2022, 10:06 PM

                                Hello, thank you. I put LAN net in the source and kept the destination at single host or alias with the address of 10.0.0.1. I have tried that and I'm still able to ping that address. Now I cannot go to it, but I can see it is still there.

                                I'm so confused, but trying.

                                Joseph

                                  SteveITS Galactic Empire @josephchrzempiec
                                  last edited by Jul 8, 2022, 10:13 PM

                                  @josephchrzempiec Did you change the Protocol to ICMP?
                                      josephchrzempiec @SteveITS
                                      last edited by Jul 8, 2022, 10:21 PM

                                      @steveits I'm so dumb right now. I'm sorry, you said protocol ICMP. That is my fault there. I'm changing it now. Thank you.

                                      Joseph

                                        josephchrzempiec
                                        last edited by josephchrzempiec Jul 8, 2022, 10:29 PM Jul 8, 2022, 10:25 PM

                                        Just an update. Thank you all for the information and help. This is a great community. I got it all blocked now. However, I need to figure out how to block not only 10.0.0.1 but all the addresses. I just tried to ping 10.0.0.34, which my laptop is on, and I was able to ping that as well. Is there a way to stop all the addresses in that range?

                                        Edit: I did manage to figure that out. I changed Destination to Network with the address 10.0.0.1 and it blocked everything on that.

                                        Joseph

                                          stephenw10 Netgate Administrator
                                          last edited by Jul 9, 2022, 1:23 AM

                                          The destination should really be 10.0.0.0/24 there, like:
                                          [Screenshot: Screenshot from 2022-07-09 02-21-53.png]

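The rule attempts in this thread (TCP/UDP with source and destination swapped, then LAN net to 10.0.0.1 on TCP/UDP, then ICMP, then the whole subnet with an allow for a management host first) can be replayed against a small model of how pfSense processes LAN rules top-down, first match wins. This is an added example, not code from the thread or from Netgate; the LAN subnet 192.168.1.0/24, the host 192.168.1.20 and the management host 192.168.1.50 are constructed, only 10.0.0.1 and 10.0.0.34 come from the posts.

```python
# Added example: toy model of pfSense's top-down, first-match LAN rule
# evaluation, used to replay the rule attempts discussed in the thread.
# LAN addresses are constructed; only 10.0.0.1 / 10.0.0.34 come from the thread.
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # constructed "LAN net"
MY_IP = "192.168.1.50"                              # constructed management host
# Typing 10.0.0.1 with a /24 mask normalises to the 10.0.0.0/24 network,
# which is the form stephenw10 recommends writing.
COMCAST_NET = ipaddress.ip_network("10.0.0.1/24", strict=False)

@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    protos: frozenset    # {"tcp", "udp"}, {"icmp"} or {"any"}
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    descr: str

def host(ip):
    return ipaddress.ip_network(f"{ip}/32")

def evaluate(rules, proto, src, dst):
    """First matching rule wins (pfSense GUI rules are 'quick'); a LAN packet
    that matches nothing falls through to the default 'LAN to any' allow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if ("any" in r.protos or proto in r.protos) and s in r.src and d in r.dst:
            return r.action, r.descr
    return "pass", "Default allow LAN to any"

# Attempt 1: TCP/UDP, with source and destination swapped -> nothing matches.
attempt1 = [Rule("block", frozenset({"tcp", "udp"}), host("10.0.0.1"), ANY, "Block 10.0.0.1")]
# Attempt 2: source fixed to LAN net, still TCP/UDP -> web UI blocked, ping still works.
attempt2 = [Rule("block", frozenset({"tcp", "udp"}), LAN_NET, host("10.0.0.1"), "Block 10.0.0.1")]
# Final: allow the management host first, then block LAN net to the whole /24, any protocol.
final = [
    Rule("pass", frozenset({"any"}), host(MY_IP), COMCAST_NET, "allow from my_ip"),
    Rule("block", frozenset({"any"}), LAN_NET, COMCAST_NET, "block LAN net to 10.0.0.0/24"),
]

if __name__ == "__main__":
    for name, rules in [("attempt1", attempt1), ("attempt2", attempt2), ("final", final)]:
        for proto, dst in [("icmp", "10.0.0.1"), ("tcp", "10.0.0.1"), ("icmp", "10.0.0.34")]:
            print(name, proto, dst, evaluate(rules, proto, "192.168.1.20", dst))
```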