Static ip on wan interface
-
This is my first time attempting to set up pfSense so apologies for such a basic question.
I have installed to hard disk and have console access.
I am hoping to set up pfSense behind my router/modem and use a second network card to have other pcs on a different subnet connecting via pfSense to the router and on to the net.
I am assuming that the wan card can connect to the router and that the lan card + switch will be used by the other pcs to access the web (perhaps via a captive portal). Is this correct and possible?The default install sets up the wan card to get its ip from the dhcp server on the router. This works and I can connect to the web interface with there given ip address. This is obviously inconvenient as the web interface could be on a different ip on each boot up. I want to set it to static.
I have tried this numerous times in both the web interface and at the console. On each occasion the new static ip (I am using 192.168.1.90 for example. and that is correct subnet and no other device is on that ip) is not pingable and obviously the web interface does not load either. I am sure that the interface is assigned to the wan.
If I set wan interface bask from static to dhcp it is visible and working once again.
I am obviously missing something, and despite reading the docs and googeling for that last few hours the solution is evading me.Basicly if IP address is assigned to psSense by my router it works, but when I change it to static, the interface is un-contactable.
I would appreciate any guidance as to how I might solve.
Rgds Jodel -
I am assuming that the wan card can connect to the router and that the lan card + switch will be used by the other pcs to access the web (perhaps via a captive portal). Is this correct and possible?
That will work - generally the recommendation is to avoid stacking multiple routers like that, but it'll work just fine (I ran mine like that for many years).
The default install sets up the wan card to get its ip from the dhcp server on the router. This works and I can connect to the web interface with there given ip address. This is obviously inconvenient as the web interface could be on a different ip on each boot up. I want to set it to static.
I have tried this numerous times in both the web interface and at the console. On each occasion the new static ip (I am using 192.168.1.90 for example. and that is correct subnet and no other device is on that ip) is not pingable and obviously the web interface does not load either. I am sure that the interface is assigned to the wan.
If I set wan interface bask from static to dhcp it is visible and working once again.You're setting a WAN IP from the WAN subnet, which is not the same as the LAN subnet? You've set the correct netmask and default gateway?
If you're not forwarding traffic from the WAN interface to the LAN you don't need a static WAN IP.
-
Thanks for responding to my problem.
I have discovered one unusual problem. The mac address of my desktop machine and the mac address of one of the cards in the pfSense box were identical!! I did not think it was possible. In any event I now have set up mac address spoofing on my desktop so that it reports a different mac address. That has improved things somewhat in that the pfSense machine can ping the router and the other machines on the network and indeed on the net by ip address - so some progress. However The two computers I have on the same router cannot ping or connect to the pfSense box.As a newbie I may be misunderstanding LAN and WAN
On the console there is no option but to set up one network card as the WAN. I am setting up the card connected to my broadband router as the WAN interface. Is that correct?
My Broadband router is 192.168.1.1 and I am giving a static ip of 192.168.1.90 to the WAN interface connected to this router.
I am assuming the second card in the pfSense box is a LAN interface to which I will connect the machines that I want to go through the captive portal. (If ever I get there!) This interface I have given 192.168.2.1 to. In both cases I set netmask to 24.The pfSense box pings all the machines on the 192.168.1.1/24 network, but non of them can ping it.
Any suggestions?
Thanks Jodel -
I am making progress. I connected the LAN interface to the router and that enabled me to get up the web interface. I have renamed the WAN interface and am setting it up to handle the internal subnet.
I will report how that works.Jodel
-
On the console there is no option but to set up one network card as the WAN. I am setting up the card connected to my broadband router as the WAN interface. Is that correct?
Yes
My Broadband router is 192.168.1.1 and I am giving a static ip of 192.168.1.90 to the WAN interface connected to this router.
With a netmask of 255.255.255.0 (or /24) and a default gateway of 192.168.1.1 I assume?
I am assuming the second card in the pfSense box is a LAN interface to which I will connect the machines that I want to go through the captive portal. (If ever I get there!) This interface I have given 192.168.2.1 to. In both cases I set netmask to 24.
The pfSense box pings all the machines on the 192.168.1.1/24 network, but non of them can ping it.
That's perfectly normal - remember by default the WAN interface connects to the Internet and you don't want it to be pingable. Unless you've added rules to the WAN interface the pfSense host won't be visible from the WAN interface side and nothing on the pfSense LAN side will be accessible from the WAN side.
Now, are the hosts you want to go through the captive portal less trusted than those you're connecting directly to your router? The way you're setting it up you're potentially allowing them access to your original LAN. I'd suggest instead you add another network card to the pfSense host and use it to separate the trusted and untrusted LAN.
-
Thanks a million. I am getting a better understanding of how it fits into the network.
Am I correct in assuming that to use the web configuration option I need to use a machine that is on the LAN interface rather than a machine that is on the WAN side, which in my case is still internal to the broadband router/modem?
I am running it at home but I see the wisdom in your advise to have 3 cards if deploying it in a work setting.Thanks,
Jodel -
Yes, you manage pfSense from the LAN interface by default. You can of course change that.