Pfsense behind an IPCop firewall
  • I'm trying to set up a pfsense firewall in advance so that I can put it into production with very little downtime (this is an operating business where clients and customers access our servers 24/7 and whine when they "can't get in"). So while I am setting it up, I can't connect pfsense WAN interface directly to our ISP's router, because our current firewall (IPCop 2.x) is connected there (connecting both would cause an IP address conflict).  So I am trying to set up pfsense temporarily BEHIND IPCop, where the pfsense WAN address is in the IPCop LAN subnet.

    But I have spent two days trying to get this configuration to work, and I cannot get the pfsense LAN (or Opt1 or Opt2 for that matter) to access the Internet.  The pfsense box itself can see the internet through the IPCop LAN, but not so any of the other subnets.

    Followed at least a dozen tutorials meticulously, setting up NATs and Rules exactly as specified, end result is that nothing has worked. (Specifically, the LAN machines still cannot see the Internet.)  Before I bust my butt even longer, is this configuration even possible?  Or should I just give up and set up my NATs and Rules "in the blind" and hope for the best when I make the switch?

    FWIW, while I am not a total newbie to firewalls (I have set up a dozen or so different ones), my experience lies in software development rather than IT deployment, so it is quite possible I am just missing something obvious. Any guidance?


  • LAYER 8 Global Moderator

    You're just setting up pfsense behind a NAT is all - does not matter if some home router, ipcop, smoothwall, cisco asa, whatever is in front of it.

    So what is the current ipcop lan that you're putting the pfsense wan into?

    192.168.?.?, 10.?.?.?, 172.16-31.?.?

    And then what are you setting up for the pfsense lan segment?  It can not be the same as what you're putting the wan on.

    Also since your pfsense wan is going to be connected to a private network, you need to make sure to disable the block private address on the pfsense wan interface.



  • Yeah, I didn't think it should matter what was in front of it either… That's what had me stumped.

    The current IPCop LAN is 192.168.3.1/24, and I assigned the pfsense WAN to a static 192.168.3.85.  First had it as /32, that prevented it from seeing the rest of the IPCop LAN, so I switched it to /24.

    To avoid conflict then, I set the pfsense LAN to 192.168.4.1/24.  At first I set a Gateway at 192.168.4.1 for the pfsense LAN because that's the way IPCop wants it, then I read that pfsense doesn't want a gateway specified for the LAN.

    Even though the other subnets are not really pertinent to this discussion, I set them up differently from IPCop too... IPCop DMZ is ...8.1/24, pfsense DMZ is ...9.1/24, etc.

    Thanks for the tip on unchecking Block Private Network, but I did think of that and I have it unchecked.

    As far as my (albeit limited) firewall experience tells me, that should do it.  But while the pfsense box itself has Internet access (demonstrating that the WAN is successfully set up connected to the IPCop LAN), the pfsense LAN (and the DMZ and the Wifi subnets as well) can't see it.


  • LAYER 8 Global Moderator

    what do you mean they can not see it?  Do they not resolve - what are they using for dns, you don't have a gateway on the lan of pfsense still?  That would never work.  I have run ipcop in the past - you never set a gateway on the lan!  So not sure what your thinking.

    Do a traceroute from client what happens?  It hits pfsense lan and then nothing?



  • by "can not see it" I mean they have no access to the Internet at all.  For the purposes of testing, I assigned external (ISP) DNS servers, but they cannot be accessed, so no, they don't resolve…  But it is not a DNS issue per se, because a PC on the pfsense LAN can't see an IP address entered directly either.  No ping, no browser access, nothing.

    I tried it both with and without a gateway specified on the pfsense LAN, neither configuration provided LAN internet access.  I found a number of posts that said a gateway should be specified for the WAN only, and that's why I removed that selection from the LAN config.  But I tried it first with a gateway.

    I have to disagree with you about IPCop when you say you never set a gateway on the LAN... been using IPCop for years, installed several instances of different versions in different environments, and you always have to specify a gateway specific to that subnet to enable that subnet to see the Internet.

    A traceroute sounds like a good next step but instead I am going to scrap this entire temporary setup thing, why waste time on a configuration that will not be used anyway?  I am right now reconfiguring pfsense in the blind to the production configuration, and early tomorrow morning I will turn off IPCop and see if my pfsense works.  Seems like it will save time, and worst case I have to turn IPCop back on again.


  • LAYER 8 Global Moderator

    "and you always have to specify a gateway specific to that subnet to enable that subnet to see the Internet"

    Yes you set a gateway on the clients to IPcop's lan interface IP - but you don't set a gateway on that interface to itself.  This was my point.  Yes devices on that segment that want to get OFF that segment need a gateway which would be the lan ip of either pfsense or ipcop.  But the interface itself on ipcop or pfsense does not point to itself as the gateway.

    edit:  I just booted ipcop on a virtual machine, and NOWHERE did it ask me to setup the GATEWAY on my GREEN (lan) network

    Do you mean what you put in the RED (wan) interface for a gateway if set to static?

    Where would you ever get the idea that you would set an interface to use itself as the gateway?  You can not talk to yourself to get OFF the network.  Yes it would use itself to talk to the network it's on, which could be seen as gateway for that network.  But NO sorry you don't set in IPcop or pfsense to use a LAN gateway -> unless you were going to have routes off that interface to some other network inside yours.
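The moderator's three posts above boil down to a short checklist for running pfsense behind another NAT box: the WAN address must sit inside the upstream (IPCop) LAN with the same mask, the WAN gateway is the upstream firewall's LAN IP, "Block private networks" must be off when the WAN is on RFC1918 space, the internal subnets must not overlap the WAN subnet or each other, and no internal interface gets a gateway of its own. The script below is an added example, not pfsense's or IPCop's code, and it does not touch either firewall: it takes a hypothetical description of the planned interfaces (the `Iface` records are my own invention, with the addresses from this thread as constructed sample input) and reports which of those rules the plan breaks, so the mistakes can be caught before the cutover rather than "in the blind".

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# RFC1918 space; pfSense's "Block private networks" drops traffic from these ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Iface:
    """Hypothetical description of one pfSense interface (not a pfSense data structure)."""
    name: str
    addr: str                       # address with mask, e.g. "192.168.3.85/24"
    gateway: Optional[str] = None   # only the WAN should have one
    block_private: bool = False     # pfSense "Block private networks" checkbox


def is_rfc1918(net: ipaddress.IPv4Network) -> bool:
    return any(net.subnet_of(r) for r in RFC1918)


def check_plan(upstream_lan: str, wan: Iface, inside: List[Iface]) -> List[str]:
    """Return a list of configuration problems; an empty list means the plan is consistent."""
    problems = []
    upstream = ipaddress.ip_network(upstream_lan, strict=False)  # "192.168.3.1/24" -> 192.168.3.0/24
    wan_if = ipaddress.ip_interface(wan.addr)

    # 1. WAN must live inside the upstream LAN, with the upstream LAN's mask.
    if wan_if.ip not in upstream:
        problems.append(f"{wan.name} {wan_if.ip} is not inside the upstream LAN {upstream}")
    elif wan_if.network != upstream:
        problems.append(f"{wan.name} mask /{wan_if.network.prefixlen} does not match the upstream LAN "
                        f"/{upstream.prefixlen} (a /32 cannot reach its neighbours)")

    # 2. WAN gateway is the upstream firewall's LAN IP: on-link and not the WAN address itself.
    if wan.gateway is None:
        problems.append(f"{wan.name} has no gateway; it should point at the upstream LAN IP")
    else:
        gw = ipaddress.ip_address(wan.gateway)
        if gw not in wan_if.network or gw == wan_if.ip:
            problems.append(f"{wan.name} gateway {gw} is not another host on {wan_if.network}")

    # 3. RFC1918 WAN means "Block private networks" must be off or replies are dropped.
    if is_rfc1918(wan_if.network) and wan.block_private:
        problems.append(f"{wan.name} is on RFC1918 space but 'Block private networks' is enabled")

    # 4/5. Internal subnets must not overlap anything else, and never carry a gateway.
    seen = [(wan.name, wan_if.network)]
    for i in inside:
        ii = ipaddress.ip_interface(i.addr)
        for other_name, other_net in seen:
            if ii.network.overlaps(other_net):
                problems.append(f"{i.name} {ii.network} overlaps {other_name} {other_net}")
        seen.append((i.name, ii.network))
        if i.gateway is not None:
            problems.append(f"{i.name} has a gateway set ({i.gateway}); internal interfaces get none, "
                            f"clients on that segment use {ii.ip} as their gateway")
    return problems


if __name__ == "__main__":
    # Constructed sample: the addressing plan from this thread, done right.
    plan = check_plan(
        "192.168.3.1/24",
        Iface("WAN", "192.168.3.85/24", gateway="192.168.3.1", block_private=False),
        [Iface("LAN", "192.168.4.1/24"), Iface("DMZ", "192.168.9.1/24")],
    )
    print("OK" if not plan else "\n".join(plan))
```

Run it against the variants the thread went through (a /32 WAN, a gateway on the LAN, block-private left on) and each one comes back as a named problem; the script checks addressing only, so NAT and rule mistakes still need the traceroute test from the client that the moderator suggests.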
