pfSense as a parallel device
-
Hello everyone,
I'm setting up pfSense for the first time in my home network and aiming to route internet traffic through it. Because I don't want to disturb my family working from home, I wanted to try a parallel connection until I can manage it better.
However, I’m running into connectivity issues when I set pfSense as the gateway and DNS on my laptop. Here’s my setup and the specific issue:
Physical Configuration
1-ISP's Modem (No Wi-Fi)
-WAN IP: Public IP
-LAN IP: 192.168.100.1
*LAN1 Port: 192.168.100.2 Wifi Router
*LAN2 Port: 192.168.100.3 pfsense
2-Wireless Router providing Wi-Fi
-WAN IP: 192.168.100.2
-LAN IP: 192.168.3.1 (DHCP Server enabled for 192.168.3.x subnet)
*LAN1 Port: 192.168.3.2 pfSense Firewall
DHCP Server: Disabled on pfSense LAN
(Wireless router's DHCP handles IPs for 192.168.3.x subnet)
3-pfSense (Connected to both Modem and Wireless Router)
WAN PORT: 192.168.100.3 Modem
LAN PORT: 192.168.3.2 Wifi Router
And when my laptop is connected to wifi
Laptop IP: 192.168.3.55
Gateway: 192.168.3.1
DNS: 192.168.3.1
I was quite sure that I can go to the internet through pfsense if I put its local IP as gateway and DNS for my laptop.
Like; 192.168.3.2
But it doesn't work as expected. (am I the only one expecting it?)
I can ping the pfsense on 192.168.3.2 with this configuration, but cannot resolve names and cannot connect to the internet.
And now I got lost after reading about forums, DNS settings, forwarding, resolving, redirecting and so on.
Any help in diagnosing why pfSense won’t pass traffic or resolve DNS requests would be greatly appreciated.
Thanks in advance,
-
Yeah you can easily run into asymmetry issues with that sort of setup.
It would be better to connect pfSense behind the existing router whilst you test and not in parallel with it.
-
@stephenw10 That makes sense, no need to get stuck in this. Thanks for the feedback!
-
@Rookiesense What is that modem that the ISP is providing you with? The fact that it provides a private IP (NAT) means that it already has a firewall built in, and you are double NATed for no real reason.
It would be better to connect the wifi Router on a LAN port (and turn off DHCP). That way you turn it into an AP/Switch and manage all your hosts etc from the modem. And in that case, pfsense would also receive its IP from the modem (still only connected in one place). But this way it doesn't matter if it's "in front of" or behind the router as it is now only a switch so both sides are on the same subnet.
Next step would be to dump the modem completely and replace it with pfsense, still keeping your wifi router as an AP/switch.
If that is not possible for some reason, look for a way to put it into "bridged mode", passing along the public IP to pfsense. But in most cases you just replace it with something of your own. Sometimes you have to spoof the MAC address in pfsense, using the MAC from the ISP-provided device...
-
@Gblenn thanks for the reply.
"in front of" pfSense;
ISP provides connection with a DOCSIS cable, so I can't replace the ISP's modem with my pfSense device. And the management interface of this modem is restricted to very few options. Luckily there is the chance to disable the firewall. I did so. I expect this eliminates the Double NAT situation. There is also the option to assign a DMZ Host. Do you think this will make it even better if I introduce the pfSense ip as a DMZ on this modem?
"behind" pfSense;
When I plug in the LAN interface of pfSense to the WAN interface of the wifi router, then the fw has only one client, the router. So I cannot effectively manage devices on the LAN network. I tried to put the router in bridge mode, but there is no such setting.
As per your suggestion, I tried to connect to the LAN interface to make it act like an access point, disabled DHCP, changed the gateway to the pfSense ip, but I couldn't make wifi clients connect to the internet. I can ping pfSense, and pfSense DHCP cannot give ip addresses to wifi clients. I keep trying to make this work.
I can only try on the weekends, because my family works from home, so by the end of Sunday evening, I must have everything back online. :)
-
@Rookiesense Well in that case you have no option but to keep the ISP modem.
But you should look for an option called "bridge mode" (or perhaps "pass thru" mode). In that mode, you should get a different IP on pfsense WAN. The same you would see if you go to whatsmyip.com = your public IP.
If not, you have to live with a double NAT situation, but then the DMZ is your best bet.
In the ISP modem, make sure you give pfsense a static IP, does not matter which. Then in the DMZ setting, you enter that IP. This way all ports are open towards pfsense.
Then you turn the wireless router into an access point and connect one of its LAN ports to the pfsense LAN (your home network). All you have to do to make it into an AP is typically just log in and turn off DHCP. Important not to use the WAN port on this router.
So connections go:
ISP Modem -> pfsense -> any switch(es) -> Wireless AP (router)