Netgate Discussion Forum
    Firewall behind firewall?

Category: Problems Installing or Upgrading pfSense Software
21 Posts, 3 Posters, 4.0k Views
Shudnawz

So, I'm about to set up my first pfSense install, and both LiveUSB and HDD installs have worked fine, in its own little box of happiness. I plugged a PC into the LAN NIC to test the webConfigurator, and it works nicely. However, since it's quite an operation to bridge my ISP-provided gateway into "stupid modem mode", I'd like to be sure that my config works before I do that.

So I connected the WAN NIC of the pfSense to a switch in my network, thinking that it would treat it like the internet.

However, I can't seem to get the setup functional, in the sense that the computer attached to the LAN NIC of my pfSense won't get internet access, or access to my normal LAN either. My pfSense gets a DHCP-delivered IPv4 address from my gateway, just like it would from my ISP, so I'm thinking that that part works. But the PC still won't get outside.

I'm thinking that somewhere, a gateway config or something is broken.

      The general setup is as follows:

      Internet -> Modem/Gateway/DHCP-server (192.168.1.1, DHCP-server 192.168.1.x) -> Switches and AP's -> pfSense WAN (192.168.1.78, DHCP-provided) -> pfSense LAN (192.168.2.1, DHCP-server 192.168.2.x) -> PC (192.168.2.10)

I'm getting confused about what DNS servers I should use in pfSense, and what gateway to use when setting them up. I've tried both the modem/gateway IP, Google's DNS servers and a few other things, but it still won't let the internal PC get any access outside the pfSense box. Help?

      Slow is smooth, smooth is fast

phil.davis

        That will all work fine with the default pfSense install. I am behind a test box of mine right now that is sitting with its WAN on my real LAN. Let the client on pfSense LAN get DHCP from pfSense, and thus get pfSense LAN as its default gateway and DNS server. pfSense will NAT the traffic out onto pfSense WAN, which is actually your main LAN, and send it to your ISP device. The ISP device will see all the traffic from pfSense as coming from the single pfSense WAN IP, and think that the whole pfSense is just 1 client on your real LAN.
On pfSense you can let the DHCP on WAN learn the upstream DNS server, or you can point specifically at your ISP device or your favourite public DNS server (8.8.8.8 etc). Both should work for pfSense to get out to the public Internet.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

Shudnawz

          @phil.davis:

Yes, it should. But it doesn't. I found another thread stating that there is an option that is enabled by default that makes pfSense ignore WAN calls from certain address ranges that are normally associated with LANs. I'm guessing that this might be the problem, unless I've missed something obvious.

stephenw10 Netgate Administrator

There is an option you will find in Interfaces: WAN: "Block private networks". This sets a default firewall rule to block incoming traffic from RFC 1918 addresses, such as your upstream router's address. You should uncheck that since it might cause confusion during testing of WAN side firewall rules, but it won't be stopping your clients behind the pfSense box getting internet access.

Something that seems to commonly trip up users when they have to change the LAN subnet is setting a gateway on LAN. You should not have a gateway on the pfSense LAN address. If you did add one, remove it and then go to System: Routing: and make sure it's removed from there too and that the WAN gateway is now default.

            Steve

phil.davis

On Interfaces->WAN try unchecking "Block private networks" - but actually that should not make any difference to initiating outbound traffic from LAN onto WAN.
              It should work with:

              1. Default allow all on LAN rule
              2. Automatic Outbound NAT (the default in Firewall->NAT, Outbound)
              3. WAN DHCP getting an IP address from the ISP device
              4. System->General Setup - "Allow DNS server list to be overridden by DHCP/PPP on WAN" checked - so pfSense will use whatever DNS server the ISP device tells it.
              5. LAN clients getting DHCP from pfSense, or at least setting their default gateway and DNS server to pfSense LAN IP.

              Hopefully something in the above list is not right on your system. Post more details of your WAN, LAN, DHCP… settings if you can't spot the problem.

Shudnawz

                @stephenw10:

There is an option you will find in Interfaces: WAN: "Block private networks". This sets a default firewall rule to block incoming traffic from RFC 1918 addresses, such as your upstream router's address. You should uncheck that since it might cause confusion during testing of WAN side firewall rules, but it won't be stopping your clients behind the pfSense box getting internet access.

Something that seems to commonly trip up users when they have to change the LAN subnet is setting a gateway on LAN. You should not have a gateway on the pfSense LAN address. If you did add one, remove it and then go to System: Routing: and make sure it's removed from there too and that the WAN gateway is now default.

                Steve

Sounds like this might be the thing that gets it going! I put 192.168.2.1 as gateway for the LAN NIC in pfSense when I did the basic setup. So <enter for none> is my friend? Or should I simply do this from the webConfig?

The thing is, that when I do a reinstall, I'll get conflicts between WAN and LAN since the DHCP address on WAN will be on the same subnet as the preconfigured LAN address range. Can't remember if I can skip setting a gateway on LAN when I manually assign the IPs.

phil.davis

                  Yes, both those things definitely:
                  a) WAN and LAN must end up being different subnets.
                  b) Do not set a gateway on LAN (lots of people seem to be doing that recently)

                  You can change the gateway setting on Interfaces->LAN from whatever you put back to "none" and then also change the LAN subnet to be different to WAN and all should be fine.

stephenw10 Netgate Administrator

                    You can remove the gateway from the webgui. No need to reset the interface from the console.

                    @phil.davis:

                    lots of people seem to be doing that recently

                    Yes, interesting that. Has the wording changed somewhere to something confusing?

                    Steve

Shudnawz

There is definitely something fishy going on here. I've configured pfSense as you instructed, no gateway on LAN and letting the ISP device assign DNS servers. And the DNS resolve seems to work, I can ping www.google.com from my internal PC. But I get "Reply from 192.168.2.1: TTL Expired in transit." It can resolve the host google.com, but can't reach it. Seriously strange. Could there be something I need to do on the ISP device? I tried turning the firewall off, but no difference.

I can reach hosts on my normal 192.168.1.x network, but not by hostname, only by IP (perhaps an effect of being on different subnets?).

                      But still no internet connection to speak of.

stephenw10 Netgate Administrator

                        You should allow pfSense to hand out itself (LAN IP address) as the DNS server to clients behind it. That would be the usual configuration. TTL expired is interesting.
                        Try pinging Google from the pfSense console both by url and at, say, 8.8.8.8. What is the actual response?

                        Steve

Shudnawz

If I ping google.com or 8.8.8.8 from the WAN interface as source address (192.168.1.78) it works fine. But if I try from default, LAN or localhost as source, I get this:

                          PING google.com (173.194.40.232) from 192.168.2.1: 56 data bytes
                          36 bytes from localhost (127.0.0.1): Time to live exceeded
                          Vr HL TOS  Len    ID    FLG    off  TTL  PRO  cks      Src                Dst
                          4  5    00 5400  a326    0 0000  01  01  0000 192.168.2.1  173.194.40.232

x3, just different IDs from the pings. I'm guessing the pfSense isn't letting stuff through?

                          Interesting result from a traceroute to 8.8.8.8.

If I do it from the WAN address, it all works fine. If I do it with LAN as source, I get 18 hops of 127.0.0.1 with sub-ms times. Only 127.0.0.1.

                          Whaaaat..?

stephenw10 Netgate Administrator

Ok, if you're doing that via the webgui you specify which interface to send the ping from. Obviously only WAN is the correct interface, but that implies that 'default' is sending from the wrong interface, which is bad.
                            Did you do this:

                            @stephenw10:

                            …then go to System: Routing: and make sure it's removed from there too and that the WAN gateway is now default.

                            Steve

Shudnawz
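phil.davis's checklist above and the "Time to live exceeded" / traceroute-full-of-127.0.0.1 symptom both come down to one question: where does the box's default route point? The following shell script is an added example, not code from the thread or from pfSense. It reads routing-table text in the layout `netstat -rn -f inet` prints on FreeBSD/pfSense, plus the box's own addresses (as `ifconfig` would list them), and flags a default gateway that is one of the box's own addresses. That is exactly what typing a gateway on the LAN interface produces, and it is consistent with the symptom: a packet routed to the box itself is re-forwarded over lo0 with the TTL decremented on every pass until it expires, so the ICMP time-exceeded comes from 127.0.0.1. The two routing tables, the address list and the interface names em0 (WAN) and em1 (LAN) are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or pfSense: sanity-check the default route
# of a pfSense/FreeBSD box from routing-table text and its own address list.
# A default gateway that is one of the box's own addresses is the
# "gateway set on LAN" mistake: outbound packets are re-routed over lo0 until
# their TTL hits zero. All inputs below are constructed samples; em0 (WAN) and
# em1 (LAN) are assumed interface names.

# Constructed table for the broken setup: default gateway is the LAN address.
BAD_ROUTES='Destination        Gateway            Flags     Netif Expire
default            192.168.2.1        UGS         em1
127.0.0.1          link#3             UH          lo0
192.168.1.0/24     link#0             U           em0
192.168.1.78       link#0             UHS         lo0
192.168.2.0/24     link#1             U           em1
192.168.2.1        link#1             UHS         lo0'

# Constructed table after the fix: default gateway is the upstream router on WAN.
GOOD_ROUTES='Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         em0
127.0.0.1          link#3             UH          lo0
192.168.1.0/24     link#0             U           em0
192.168.1.78       link#0             UHS         lo0
192.168.2.0/24     link#1             U           em1
192.168.2.1        link#1             UHS         lo0'

# Constructed list of addresses configured on this box (what ifconfig shows).
LOCAL_ADDRS='127.0.0.1 192.168.1.78 192.168.2.1'

# Print the gateway of the default route; prints nothing if there is none.
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $2; exit }'
}

# Print the directly connected interface whose subnet contains the default
# gateway, i.e. the interface Internet-bound traffic will actually leave on.
# Prefix matching is done in awk with integer division (no bit operators needed).
gateway_netif() {
    printf '%s\n' "$1" | awk -v gw="$(default_gateway "$1")" '
        function ip2n(s,  o) { split(s, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
        $2 ~ /^link#/ && $1 ~ /\// {
            split($1, p, "/"); hostbits = 2 ^ (32 - p[2])
            if (int(ip2n(gw) / hostbits) == int(ip2n(p[1]) / hostbits)) { print $4; exit }
        }'
}

# Return 0 when the default gateway is an off-box address, 1 when it is one of
# our own addresses (the self-referential route that loops), 2 when there is
# no default route at all.
check_default_route() {
    gw=$(default_gateway "$1")
    [ -n "$gw" ] || return 2
    for addr in $2; do
        [ "$addr" = "$gw" ] && return 1
    done
    return 0
}

# One-line verdict, in the terms the thread uses.
describe() {
    rc=0
    check_default_route "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: default route via $(default_gateway "$1") on $(gateway_netif "$1")" ;;
        1) echo "BROKEN: default gateway $(default_gateway "$1") is this box's own address; remove the gateway from the LAN interface and make the WAN gateway default under System: Routing" ;;
        *) echo "BROKEN: no default route; check that WAN DHCP supplied a gateway" ;;
    esac
}

describe "$BAD_ROUTES" "$LOCAL_ADDRS"
describe "$GOOD_ROUTES" "$LOCAL_ADDRS"
```

On a real box, call the functions with live output instead of the samples, e.g. `describe "$(netstat -rn -f inet)" "$(ifconfig | awk '/inet /{print $2}')"` from the pfSense shell (option 8 on the console menu). The checks take their input as arguments rather than reading the system directly so the same logic can be run against a saved `netstat` capture from a box you no longer have access to.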

                              @stephenw10:

Ok, if you're doing that via the webgui you specify which interface to send the ping from. Obviously only WAN is the correct interface, but that implies that 'default' is sending from the wrong interface, which is bad.
                              Did you do this:

                              @stephenw10:

                              …then go to System: Routing: and make sure it's removed from there too and that the WAN gateway is now default.

                              Steve

                              Totally missed that step. Works fine now, thanks a bunch, guys!

                              EDIT:
                              The modem is now in stupid-mode, so the pfSense is my only firewall and DHCP-server. Works like a charm! :D

Just gotta find out how to shut it the hell up… sounds like a vacuum cleaner. =P

stephenw10 Netgate Administrator

                                Nice.  ;D
                                What hardware are you running? Have you investigated powerd?

                                Steve

Shudnawz

                                  The cheapest crap I could get my hands on! :D

AMD Athlon 64 X2 5600+ on an ASUS M2N32-SLI Deluxe Wifi-edition w/ 2 onboard NICs, working just fine.
                                  Got it stationed in a SilverStone LC17 HTPC chassis, so it looks real good too. ;)

The preinstalled chassis fans were cheap LED-lighted bastards, so I ripped them out and made sure that the CPU cooler is unobstructed. That cut the noise down radically, and I will get some more silent fans soon to keep the case a bit cooler. With only the CPU cooler fan running in the whole system (not counting PSU) the CPU runs at about 45-48C, acceptable if not optimal.

Next step is to get familiar with the Traffic Shaper to set up bandwidth throttling/limiting to specific LAN DHCP clients. Need to be able to make sure certain units on the network don't eat up all the available bandwidth.

stephenw10 Netgate Administrator

                                    Well that CPU has power saving features in the form of 'cool'n'quiet' and powerd should be able to control that via the powernow_k8 driver. Probably save you some Watts at idle and hence fan noise (if your fans are thermal control).

                                    It should show up in the boot log if it's working. For example:

CPU: AMD Athlon(tm) 64 X2 Dual Core Processor 5200+ (2705.78-MHz K8-class CPU)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
 cpu0 (BSP): APIC ID:  0
 cpu1 (AP): APIC ID:  1
cpu0: <ACPI CPU> on acpi0
cpu1: <ACPI CPU> on acpi0
powernow0: <PowerNow! K8> on cpu0
powernow1: <PowerNow! K8> on cpu1

                                    Steve

Shudnawz

                                      Well, the CPU fan noise is not an issue, I got a replacement for the loud Zalman previously installed (it was also too large for the new chassis). The problem was the chassis fans, and those were not PWM, so I could not control their RPMs properly. So I yanked them out, and now the box is mostly silent.

Will look into powerd though, guessing it is installed as some kind of addon?

stephenw10 Netgate Administrator

It's included by default but not enabled. Try enabling it under System: Advanced: Miscellaneous. You may have to tweak it or load some further modules. You might find it throws errors for various reasons. Check the system logs.

                                        Steve

Shudnawz

                                          Coolio. However, does the cool'n'quiet-mode need to be enabled in BIOS beforehand? 'Cuz I ripped out the Graphics card as well to decrease noise, so to enable it is a bit more work than just rebooting the system.. ^^

stephenw10 Netgate Administrator

                                            I have no experience with cool'n'quiet but I would expect it needs to be enabled in the BIOS. It might be enabled already.

                                            Steve

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.