Help me with a simple pfSense config
-
Hello,
I'll explain my situation. I have lost days and nights before posting this, trying to configure the pfSense firewall without success.
This is the current configuration I inherited:
This is, at least, what I can do and what I want to do:
Current situation:
- pfSense firewall has 6 hardware ports, latest version installed
- pfSense firewall has an IP on the 192.168.10.x network
- I CAN'T move the server IPs, the NAS IPs or the phone IPs (192.168.10.x)
- I CAN'T change the router IPs (192.168.10.1 - 192.168.10.253 - 192.168.10.254)
- I CAN move the PCs' IPs, so I'd like to have a /16 network for that
- IP phones can communicate only with 192.168.10.1; they have specific static IPs
- The NAS aren't configured to go out to the internet, LAN only
What I'd like to do:
- Put every router on a single WAN interface on the pfSense firewall (up to that point, I can do it :D), so three routers, three WANs
- One LAN will exit from the pfSense router and go to the switch
Now the "hardest part"
- I want a gateway failover setup, so the PCs can use any of WAN1-WAN2-WAN3 if one of the networks goes down, with a specific priority (WAN3-WAN2-WAN1)
- PCs on 192.168.0.0/16 can see the servers and NAS on 192.168.10.x
- Phones can communicate only with 192.168.10.1
That's all. Can someone please guide me step by step and help a young guy resolve this hellish situation?
I'll be very, very grateful! Thanks! -
@GPane Some initial thoughts at least...
You can't have the same IP on WAN as you have on LAN, so when you say you CAN'T move the IPs of the NAS and Phone, this creates a bit of an issue...
So first question... do you have management access to the three routers and would be able to change the IPs to something different than .10?
If so, you are pretty much done with the network config and can change the LAN IP on pfSense to .10 and leave everything as is, PC, NAS and Phone IPs...
I realize now you say you can't change the routers' IPs either, which means you need some more elaborate scheme to make this work, involving VLANs or some NAT setup. Not sure exactly what would be the simplest way forward though...
Wrt failover, if you want all three routers on the same port, you need a switch in between. Then you need to set up a gateway for each of the three routers. And then go into System > Routing > Gateway groups where you create a Failover group. Select WAN3 as Tier 1, WAN2 as Tier 2 and WAN1 as Tier 3.
Then go back to System > Routing and at the bottom you select your new Failover group as the default gateway... -
@Gblenn
"do you have management access to the three routers and would be able to change the IPs to something different than .10?"
No, I don't have access to the routers, only the ISP has access to them.
"so when you say you CAN'T move the IPs of the NAS and Phone, this creates a bit of an issue..."
Phones are on network 192.168.10.x, same as the NAS and servers. I can't change these IPs.
But if I set the LAN to 192.168.0.0/16, everything is on the same LAN, no?
"if you want all three routers on the same port"
I don't want the three routers on the same port; as I have said, the pfSense has 6 hardware ports, so 1 port for every router and one port for the LAN. We have 4 ports used and I have another 2 in any case.
If you mean the same port as the LAN port, yes. -
@GPane said in Help me with a simple pfSense config:
No, I don't have access to the routers, only the ISP has access to them.
Well, contact the ISP(s) and have them change them so they are on different networks, 172.16.0.1, 172.16.1.1, 172.16.2.1 etc.
-
@GPane said in Help me with a simple pfSense config:
I don't want the three routers on the same port; as I have said, the pfSense has 6 hardware ports, so 1 port for every router and one port for the LAN. We have 4 ports used and I have another 2 in any case.
Ok, I was trying to understand this, and interpreted it as wanting to use the fewest possible ports... But then you just configure them one by one and simply add them to the Gateway Group as I mentioned.
Put every router on a single WAN interface on the pfSense firewall (up to that point, I can do it :D), so three routers, three WANs
This part I didn't really understand...
Phones are on network 192.168.10.x, same as the NAS and servers. I can't change these IPs.
But if I set the LAN to 192.168.0.0/16, everything is on the same LAN, no?
You say you can't change the IPs, but they WILL change to what you give them in the DHCP settings you choose. Unless of course they are set statically in the respective client?
So if there is nothing strictly dictating that the NAS and Phone have to be in the 192.168.10.0/24 subnet, you can set it to whatever you want. Then you can use 192.168.1.0/24 and you are all set up.
-
@Gblenn
I have three routers and every UTP cable will be connected to the pfSense firewall
WAN1 --> Port 1
WAN2 --> Port 2
WAN3 --> Port 3
I can't change the NAS and phone IPs, they communicate only with the gateway on 192.168.10.1 so they will be forced to the 192.168.10.x LAN
-
@GPane said in Help me with a simple pfSense config:
I can't change the NAS and phone IPs,
Why can these not be changed? It makes no sense that you cannot change a NAS IP or an IP phone that is almost always DHCP... And even if static you can still change them.
The only thing that normally is a problem for changing IPs is when applications use hard-coded IPs vs DNS, and the guy that wrote the application is no longer around and nobody else knows how to do it... Hard-coding any IP is always just a problem waiting to happen. If that is your problem, it's better to bite the bullet now and correct it, so you can redo your IP scheme in the future if need be, while you're going through the whole process of network change anyway.
If you want device X to always use one of your gateways, this is a simple policy route.
But you currently have what amounts to a mess; you cannot have the same network on different interfaces of a router and expect it to route correctly.
If you want to leave all your devices in a 192.168.10 network - sure, but you should change your WAN devices to use different IP ranges. And they should be in 3 different networks... Not just all on the same network, even if different than your LAN side.
-
@GPane said in Help me with a simple pfSense config:
I can't change the NAS and phone IPs, they communicate only with the gateway on 192.168.10.1 so they will be forced to the 192.168.10.x LAN
What do you mean, communicates only with the gateway on 192.168.10.1? Do you have some port forwarding set up on that router?
If that is the case, those rules need to be changed anyway, so that they point to pfSense instead. And then as the next step, you need new port forward rules in pfSense, pointing to the respective devices (NAS 1 and 2 plus the IP Phone).
In which case you are still free to change the IP on those devices to whatever you want.
Preferably, those three routers should be put in what's called passthru or bridge mode. Which would give you the public IPs directly on pfSense. Then you have full control and don't have to mess with double NAT.
As a second best option, they should all be set up with pfSense as the DMZ device. Meaning all ports are open towards pfSense and you don't need to ask the ISP every time you need to forward a port or change something. -
@Gblenn said in Help me with a simple pfSense config:
Preferably, those three routers should be put in what's called passthru or bridge mode.
Exactly... They would then have 3 different networks and you can keep all your devices on the 10 network. And even if you can't change the routing on the devices and they point to those specific current 192.168.10.1, .254, .253 addresses, you could create VIPs on the pfSense interface connected to the 10 network.
But it would be better to have them point to the pfSense actual address on the 10 network and then policy route who you want to use which WAN connection, etc.
-
If you really can't change any of those IPs then they would pretty much have to be on the same interface. Or, potentially you could bridge the three modem/router interfaces and have 3 gateways on them.
If you have to have the other devices also in that subnet then they would also need to be bridged.
You could then put the PCs on a completely different subnet (not 192.168.0.0/16 since that overlaps) and policy route that traffic.
But that's a horrible setup! You really want to change how those devices are numbered.
-
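The two routing points the replies keep making (stephenw10 and johnpoz: the same network cannot sit on several legs of one router, and a 192.168.0.0/16 PC LAN overlaps 192.168.10.0/24; Gblenn: a tiered gateway group WAN3 > WAN2 > WAN1 for off-net traffic) can be checked with a small model. The following is an added example written for this page, not code from the thread or from pfSense. It models a router as a set of interface networks with longest-prefix-match lookup plus a tiered failover pick. The addresses are the ones quoted in the thread; the interface names (WAN1/2/3, LAN, PCLAN), the 172.16.x.0/24 renumbering and the "fixed" plan are assumptions drawn from the replies, and the functions are a simplified model, not pfSense's own validation or gateway-group code.

```python
"""Why the posted addressing plan cannot route, and how the suggested one does.

Added example for this thread; not pfSense code. Interface names, the
172.16.x.0/24 WAN networks and the PCLAN /24 are assumptions taken from the
replies. Addresses in PROPOSED are the ones the original poster gave.
"""
import ipaddress
from itertools import combinations


def net(cidr):
    """Interface address in CIDR form -> the network it sits on."""
    return ipaddress.ip_network(cidr, strict=False)


# Plan as posted: three ISP routers at .1/.253/.254 of one /24, servers, NAS
# and phones in that same /24, PCs wanted on 192.168.0.0/16.
PROPOSED = {
    "WAN1": net("192.168.10.1/24"),
    "WAN2": net("192.168.10.253/24"),
    "WAN3": net("192.168.10.254/24"),
    "LAN": net("192.168.0.0/16"),
}

# Plan the replies converge on (assumed numbering): routers renumbered onto
# three distinct networks, servers/NAS/phones kept on 192.168.10.0/24 behind
# pfSense, PCs on a separate /24 that does not overlap anything.
FIXED = {
    "WAN1": net("172.16.0.1/24"),
    "WAN2": net("172.16.1.1/24"),
    "WAN3": net("172.16.2.1/24"),
    "LAN": net("192.168.10.0/24"),
    "PCLAN": net("192.168.1.0/24"),
}

# Gateway group from the thread: WAN3 tier 1, WAN2 tier 2, WAN1 tier 3.
FAILOVER_GROUP = [(1, "WAN3"), (2, "WAN2"), (3, "WAN1")]


def find_overlaps(interfaces):
    """Pairs of interfaces whose networks overlap.

    Any hit means the plan cannot be routed: the router has two legs that both
    claim the same destinations. This is the condition pfSense rejects when you
    try to assign overlapping interface addresses.
    """
    return sorted(
        (a, b)
        for (a, na), (b, nb) in combinations(sorted(interfaces.items()), 2)
        if na.overlaps(nb)
    )


def egress_candidates(interfaces, dst):
    """Longest-prefix match for dst, returning every interface tied for best.

    One name: unambiguous local delivery. Several names: the router cannot
    decide (overlapping networks). Empty: off-net, goes to the default gateway.
    """
    dst = ipaddress.ip_address(dst)
    hits = [(n.prefixlen, name) for name, n in interfaces.items() if dst in n]
    if not hits:
        return []
    best = max(prefix for prefix, _ in hits)
    return sorted(name for prefix, name in hits if prefix == best)


def failover_gateway(group, status):
    """Lowest-numbered tier with a member whose monitor reports 'up', else None."""
    for _tier, name in sorted(group):
        if status.get(name) == "up":
            return name
    return None


def route(interfaces, group, status, dst):
    """Interface a packet for dst leaves on; raises if the plan is ambiguous."""
    local = egress_candidates(interfaces, dst)
    if len(local) > 1:
        raise ValueError(f"{dst} reachable on {local}: overlapping networks")
    if local:
        return local[0]
    return failover_gateway(group, status)


if __name__ == "__main__":
    print("overlaps in posted plan:", find_overlaps(PROPOSED))
    print("overlaps in fixed plan:", find_overlaps(FIXED))
    print("who owns 192.168.10.1 in posted plan:",
          egress_candidates(PROPOSED, "192.168.10.1"))
    all_up = {"WAN1": "up", "WAN2": "up", "WAN3": "up"}
    print("internet with all WANs up:", route(FIXED, FAILOVER_GROUP, all_up, "8.8.8.8"))
    print("internet with WAN3 down:",
          route(FIXED, FAILOVER_GROUP, {**all_up, "WAN3": "down"}, "8.8.8.8"))
```

Run it as a script to see the posted plan produce six overlapping interface pairs and a three-way tie for 192.168.10.1 (the phones' gateway), while the renumbered plan delivers 192.168.10.x locally and sends everything else to WAN3, falling back to WAN2 then WAN1 as gateways go down.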
@stephenw10 said in Help me with a simple pfSense config:
If you really can't change any of those IPs
I just find that a non-possibility on the WAN routers, to be honest; even the cheapest of cheap SOHO wifi routers allow you to change the LAN IP. To be honest, I bet the admin password on them is just whatever the default is... Those clearly are not default IPs, so worst case scenario call the ISP.
-
@johnpoz said in Help me with a simple pfSense config:
I just find that a non-possibility on the WAN routers, to be honest; even the cheapest of cheap SOHO wifi routers allow you to change the LAN IP. To be honest, I bet the admin password on them is just whatever the default is...
Precisely, probably written on the bottom of the device even.
@GPane, what make and model routers are they?
-
@Gblenn said in Help me with a simple pfSense config:
Precisely, probably written on the bottom of the device even.
And even if the passwords are changed and he can't remember them, a factory reset and a new automatic WAN configuration based on TR-069 might be an option (if the router and ISP support TR-069). After that he can configure the LAN IP of the routers to whatever IPs he prefers.
-
I can't access the modem routers, they are provided by the ISP. In theory I can ask to change the IPs, but I'll create a disruption for the company...
The phones have 192.168.10.1 as gateway, since the phone connectivity is provided by that router (each router is an ISP)
-
@GPane said in Help me with a simple pfSense config:
but I'll create a disruption for the company...
In the short term you might have some outages. But in the long term it will be far superior.
Currently you have 3 routers all sharing the same internal subnet connected to an unmanaged switch. And clients on LAN are just statically configured to use one of them?
That's a crazy setup. -
@GPane said in Help me with a simple pfSense config:
The phones have 192.168.10.1 as gateway, since the phone connectivity is provided by that router (each router is an ISP)
What do you mean exactly? The gateway that a device uses (any device, including a phone) is either set manually in the device, or by DHCP. Which is it?
And do you have any port forwarding done in that router 192.168.10.1, for the phone service?
-
@stephenw10 Not sure I would call it a "setup"... Guess one of those first routers with .1 or .254 on it was first, and then they ran out of bandwidth so they added more and told the ISP "hey, put 192.168.10.x on the LAN side please". And then did that a third time, etc.
Schedule some time with the business, probably after hours or on the weekend, for you to make the changeover, etc.
You will have a much better network for it, and now you would be able to leverage all 3 connections, and if one goes down then those devices currently using X of the WAN routers would still have internet via pfSense routing their traffic over the Y or Z WAN connections, etc.
Taking it to the next level would be segmenting your current 192.168.10 into appropriate VLANs or networks to allow control of traffic between different devices.
You could start to get fancy with QoS for your phones if they are having call quality issues, etc.
The possibilities are almost endless for how much better you can run/monitor/control your network when it's properly set up.
-
@GPane said in Help me with a simple pfSense config:
I can't access the modem routers, they are provided by the ISP. In theory I can ask to change the IPs, but I'll create a disruption for the company...
This won't really help you. But from my view it's really strange. I don't know where you are located, but in my country we have what is called Endgerätefreiheit. It means we can connect whatever devices we want to the Internet line of the ISP as end devices, such as an ONT (fiber), modem or router (DSL, TV cable). An ISP is not allowed to prevent this and must provide us all the information we need to connect and configure our own devices to work properly on its line, no matter whether it's fiber, DSL or cable.
-
@eagle61 I think it's strange no matter who you are or what region of the world you're in ;)
There is no possible way those cannot be changed... If they don't know how to do it, or have no access to the router, I would check if the username/password is just the default for the make and model, for sure.
Then call the ISP for help; those are clearly not default... So even if the ISP set them up initially, it's not like they cannot change them... It's not like they said "ok, we can set this IP exactly once. Once you set it you're locked to that IP forever!" ;)
But no, there is going to be no way you can just slide pfSense into your original setup without some downtime... And you sure are not going to be able to route with the same networks on 2 legs of a router...
Let's say you could route even... If some client on your 192.168.10 network wants to talk to 192.168.10.1 as its gateway... How would that work? He says "oh, I need to send this to my gateway 192.168.10.1, let me ARP for that"... oops, no answer = no access to anything off my network.
So you would have to change the gateway on the client to point to the pfSense 192.168.10.x address on the LAN side... So you would have to touch every device on your 10 anyway... And then still policy route if you wanted specific devices to use a specific gateway... But you cannot do that anyway...
So bite the bullet, schedule some downtime with the business and set this up correctly.