Setup pfSense Behind ISP ADSL Router



  • Hi All,

    First-time poster in this forum. Switching from Untangle to pfSense as my own little network's firewall but having some issues setting it up correctly.

    I have created a Visio diagram of how I want my firewall to be set up; you can view it here

    I want the firewall to be only for the computers connected to the switch behind it; any other devices will connect directly to the wireless ADSL router (such as my dad's and brother's wireless devices). So due to this, I want my ISP ADSL router to handle everything as it always has and I want that to be the GW, and I just want to have the pfSense as an extra firewall to get to my PCs. I have googled for guides but only seem to find old guides or I get no results; could someone guide me in the right direction please?

    Thanks,



  • @grievsa93:

    I have googled for guides but only seem to find old guides or I get no results; could someone guide me in the right direction please?

    You want guides for: downloading the correct software? installing the software? configuring the box after installing the software? …

    On the pfSense documentation home page: http://doc.pfsense.org there are links to a wide variety of guides.

    As far as basic configuration goes, you need the pfSense WAN interface and LAN interface to be in different IP subnets. At this stage I don't know what IP subnet the ISP router uses. It might conflict with the default pfSense LAN IP address of 192.168.1.1/24. Do you know the IP subnet used by the ISP router?



  • @wallabybob:

    You want guides for: downloading the correct software? installing the software? configuring the box after installing the software? …

    On the pfSense documentation home page: http://doc.pfsense.org there are links to a wide variety of guides.

    As far as basic configuration goes, you need the pfSense WAN interface and LAN interface to be in different IP subnets. At this stage I don't know what IP subnet the ISP router uses. It might conflict with the default pfSense LAN IP address of 192.168.1.1/24. Do you know the IP subnet used by the ISP router?

    I have downloaded and installed the software; it's more configuring the software (sorry if this is in the wrong category).

    The ADSL router's IP is currently at 192.168.0.1 on a subnet mask of 255.255.255.0



  • @grievsa93:

    The ADSL router's IP is currently at 192.168.0.1 on a subnet mask of 255.255.255.0

    OK, connect your pfSense WAN interface to your ISP router. The pfSense WAN interface should get an IP address in the 192.168.0.0/25 subnet.

    Connect a PC to the pfSense LAN interface. The PC should be configured to get an IP address by DHCP. The PC should be allocated (by DHCP on pfSense) an IP address in the 192.168.1.0/24 subnet. Then you point a web browser on the PC to http://192.168.0.1 (or https://192.168.1.1, I forget which) and log in as user admin, password pfsense to complete configuration through the web GUI, but you shouldn't need any additional configuration to allow other systems connected to the pfSense LAN interface to access the internet.

    You can invoke the system setup wizard through the web GUI at System -> Setup Wizard

    If you do nothing else, you should change the password for the admin user.



  • Hi wallabybob,

    Thanks for the advice, I will try that tonight when I get home from work.

    It will probably be the correct way, but how come it is more complicated compared to Untangle? When I set up Untangle, I just clicked transparent bridge mode, plugged the WAN into the ADSL router and the LAN into my LAN and it worked, and all PCs were on the same subnet. But anyway, I will have an attempt at this when I get home.

    Thanks,



  • @grievsa93:

    It will probably be the correct way, but how come it is more complicated compared to Untangle?

    Which it? My previous reply? Or are you referring to some guide you read on setting up transparent mode in pfSense?



  • @wallabybob:

    Which it? My previous reply? Or are you referring to some guide you read on setting up transparent mode in pfSense?

    Meaning to have the internal and external on different subnets seems to be a lot more work compared to other firewall products such as Untangle. Just stating I set up Untangle as transparent bridge in the wizard and it worked fine without needing any tweaks, and all traffic was passed from my PC -> Switch -> LAN port -> WAN port -> ADSL router -> Internet.

    My final plan is to have OpenVPN on pfSense so anything behind the firewall goes through pfSense and OpenVPN and connects to an anonymous VPN provider, and anyone else like my brother, they just connect directly to the ADSL router and use the internet as anyone else would.

    Thanks,



  • @grievsa93:

    Just stating I set up Untangle as transparent bridge in the wizard and it worked fine

    If you set Untangle as a bridge you lose firewall capabilities. Is this the same scenario you are willing to obtain from pfSense?



  • @panz:

    @grievsa93:

    Just stating I set up Untangle as transparent bridge in the wizard and it worked fine

    If you set Untangle as a bridge you lose firewall capabilities. Is this the same scenario you are willing to obtain from pfSense?

    Ahhh, I didn't know that… well, to be honest, I mostly want pfSense to be acting as a VPN tunnel gateway (allow me to be constantly connected to my private VPN provider) and if there was a firewall extra then yippee. Main usage I want is the VPN - my ADSL router, if set up correctly, could be just as good as a firewall.

    Thanks,



  • OK, connect your pfSense WAN interface to your ISP router. The pfSense WAN interface should get an IP address in the 192.168.0.0/25 subnet.

    Small correction: 192.168.0.0/24
    and yes, on the LAN side you connect to 192.168.1.1
    The basic setup of LAN 192.168.1.1/24 and WAN DHCP (with the upstream WAN DHCP server being NOT in 192.168.1.0/24) works out of the box. Actually you don't even need to use the wizard, you should get a working firewall with internet access from the LAN side immediately it boots.
    Having the pfSense as firewall protects you from other users/devices between the ADSL and pfSense, so that is useful, if you care about it.
    The OpenVPN client going out, as you plan, should also work fine.
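
An added example (not part of the original thread and not pfSense code): a Python check of the rule discussed above, that the subnet served by the upstream router must not overlap the pfSense LAN. The function names are hypothetical and the sample inputs are constructed; the addresses in the first case are the ones quoted in the thread.

```python
import ipaddress

PFSENSE_DEFAULT_LAN = "192.168.1.1/24"  # default LAN address quoted in the thread
# Private (RFC 1918) blocks searched, in order, for a replacement LAN /24.
PRIVATE_BLOCKS = ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")


def network_of(ip, mask):
    """Network containing an address, given a dotted netmask or prefix length."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def free_lan_subnet(wan_net):
    """First private /24 that does not overlap the WAN-side network."""
    for block in PRIVATE_BLOCKS:
        for candidate in ipaddress.ip_network(block).subnets(new_prefix=24):
            if not candidate.overlaps(wan_net):
                return candidate
    return None


def check_wan_lan(upstream_ip, upstream_mask, lan=PFSENSE_DEFAULT_LAN):
    """Compare the upstream router's subnet with the pfSense LAN subnet."""
    wan_net = network_of(upstream_ip, upstream_mask)
    lan_net = ipaddress.ip_interface(lan).network
    conflict = wan_net.overlaps(lan_net)
    return {
        "wan": str(wan_net),
        "lan": str(lan_net),
        "conflict": conflict,
        # Only propose a different LAN when the configured one collides.
        "use_lan": str(free_lan_subnet(wan_net)) if conflict else str(lan_net),
    }


if __name__ == "__main__":
    # Constructed inputs: the thread's router, then two colliding upstream setups.
    for ip, mask in [("192.168.0.1", "255.255.255.0"),
                     ("192.168.1.254", "255.255.255.0"),
                     ("192.168.0.1", "255.255.0.0")]:
        print(ip, mask, check_wan_lan(ip, mask))
```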



  • @phil.davis:

    OK, connect your pfSense WAN interface to your ISP router. The pfSense WAN interface should get an IP address in the 192.168.0.0/25 subnet.

    Small correction: 192.168.0.0/24
    and yes, on the LAN side you connect to 192.168.1.1
    The basic setup of LAN 192.168.1.1/24 and WAN DHCP (with the upstream WAN DHCP server being NOT in 192.168.1.0/24) works out of the box. Actually you don't even need to use the wizard, you should get a working firewall with internet access from the LAN side immediately it boots.
    Having the pfSense as firewall protects you from other users/devices between the ADSL and pfSense, so that is useful, if you care about it.
    The OpenVPN client going out, as you plan, should also work fine.

    Ok,
    Thanks for all the information, I will give it another go tonight once I am home from work. Really appreciate it.

    Cheers,


  • Netgate Administrator

    @panz:

    If you set Untangle as a bridge you lose firewall capabilities.

    I'm not sure that's true.  :-
    It may be true that if you choose bridge mode you get no firewall rules by default or only 'pass all' rules but there is still an internal and external interface and traffic between them is filtered. I'd be surprised if it wasn't possible to add firewall rules if you wanted them.
    That said I only ran Untangle once experimentally years ago so I could be talking rubbish!  ;)

    Steve



  • I had this thought, but, at the same time, I'm not too good with routing etc!

    Will test it and get back to you!

    Thanks,



  • When I look at your diagram at the very top, the first thing that comes to mind is that you should only use your DSL modem/router as a modem to get your public IP.  Not a router.

    You can use a system with 3 NIC cards, WAN, LAN1 and LAN2.  Call LAN1 your protected LAN.  Simple firewall rules can do this.

    You can also use a single NIC system + VLAN switch to do the same thing.

    It's better to accomplish all your routing / firewalling on pfSense.



  • grievsa93,

    Did you ever get this to work?  I'm trying to do the same thing.  I have attached a rough sketch.

    ![rOUGHT sKETCH pFSENSE.JPG](/public/imported_attachments/1/rOUGHT sKETCH pFSENSE.JPG)


  • Netgate Administrator

    Your diagram appears to show a different configuration.

    What exactly are you trying to do?

    Steve



    Trying to set up a pfSense firewall behind an ARRIS NVG599. The ARRIS NVG599 already provides one network; I would like to set up a separate network for a lab and still have access to the outside world.

    Blake


  • Netgate Administrator

    Ah, OK, so the two networks will be isolated in VMware?

    That should be possible. You will be double NATing through pfSense I imagine unless you have multiple public IPs from your provider.

    What is not working?

    Steve