Firewall behind firewall?



  • So, I'm about to setup my first pfSense-install, and both LiveUSB and HDD-installs have worked fine, in its own little box of happiness. I plugged in a PC on the LAN-NIC to test the webConfigurator, and it works nicely. However, since it's quite an operation to bridge my ISP-provided gateway to "stupid modem-mode" I'd like to be sure that my config works before I do that.

    So I connected the WAN-NIC of the pfSense to a switch in my network, thinking that it would treat it like the internet.

    However, I can't seem to get the setup functional, in the sense that the computer attached to the LAN-NIC of my pfSense won't get internet access, or access to my normal LAN either. My pfSense gets a DHCP-delivered IPv4-adress from my gateway, just like it would from my ISP som I'm thinking that that part works. But the PC still won't get outside.

    I'm thinking that somwhere, a gateway config or something is broken.

    The general setup is as follows:

    Internet -> Modem/Gateway/DHCP-server (192.168.1.1, DHCP-server 192.168.1.x) -> Switches and AP's -> pfSense WAN (192.168.1.78, DHCP-provided) -> pfSense LAN (192.168.2.1, DHCP-server 192.168.2.x) -> PC (192.168.2.10)

    I'm getting confused about what DNS-servers I should use in pfSense, and what gateway to use when setting them up. I've tried both the Modem/gateway IP, Googles DNS-servers and a few other things, but it still won't let the internal PC get any access outside the pf Sense-box. Help?



  • That will all work fine with the default pfSense install. I am behind a test box of mine right now that is sitting with its WAN on my real LAN. Let the client on pfSense LAN get DHCP from pfSense, and thus get pfSense LAN as its default gateway and DNS server. pfSense will NAT the traffic out onto pfSense WAN, which is actually your main LAN, and send it to your ISP device. The ISP device will see all the traffic from pfSense as coming from the single pfSense WAN IP, and think that the whole pfSense is just 1 client on your real LAN.
    On pfSense you can let the DHCP on WAN learn the upstream DNS server, or you can point specifically at your ISP device or your favourit public DNS server (8.8.8.8 etc). Both should work for pfSense to get out to the public Internet.



  • @phil.davis:

    Yes, it should. But it doesn't. I found another thread stating that there is an option that is enabled by default that makes pfSense ignore WAN-calls from certain address ranges that are normally associated with LANs. I'm guessing that this might be the problem, unless I've missed something obvious.


  • Netgate Administrator

    There is an option you will find in Interfaces: WAN: "Block private networks". This sets a default firewall rule to block incoming traffic from rfc1918 addresses, such as your upstream routers address. You should uncheck that since it might cause confusion during testing of WAN side firewall rules but it won't be stopping your clients behind the pfSense box getting internet access.

    Something that seems to commonly trip up users when they have to change the LAN subnet is setting a gateway on LAN. You should not have gateway on the pfSense LAN address. If you did add one, remove it and then go to System: Routing: and make sure it's removed from there too and that the WAN gateway is now default.

    Steve



  • On Interfaces->WAN try unchecking "Block private networks" - but actually that should not make any difference to initiating outbound traffic from LAN onto WAN.
    It should work with:

    1. Default allow all on LAN rule
    2. Automatic Outbound NAT (the default in Firewall->NAT, Outbound)
    3. WAN DHCP getting an IP address from the ISP device
    4. System->General Setup - "Allow DNS server list to be overridden by DHCP/PPP on WAN" checked - so pfSense will use whatever DNS server the ISP device tells it.
    5. LAN clients getting DHCP from pfSense, or at least setting their default gateway and DNS server to pfSense LAN IP.

    Hopefully something in the above list is not right on your system. Post more details of your WAN, LAN, DHCP… settings if you can't spot the problem.



  • @stephenw10:

    There is an option you will find in Interfaces: WAN: "Block private networks". This sets a default firewall rule to block incoming traffic from rfc1918 addresses, such as your upstream routers address. You should uncheck that since it might cause confusion during testing of WAN side firewall rules but it won't be stopping your clients behind the pfSense box getting internet access.

    Something that seems to commonly trip up users when they have to change the LAN subnet is setting a gateway on LAN. You should not have gateway on the pfSense LAN address. If you did add one, remove it and then go to System: Routing: and make sure it's removed from there too and that the WAN gateway is now default.

    Steve

    Sounds like this might be the thing that gets it going! I put 192.168.2.1 as gateway for the LAN-NIC in pf Sense when I did the basic setup. So <enter for="" none="">is my friend? Or should I simply do this from the webConfig?

    The thing is, that when I do a reinstall, I'll get conflicts between WAN and LAN since the DHPC-adress on WAN will be on the same subnet as the preconfed LAN-address range. Can't remember if I can skip setting a gateway on LAN when i manually assign the IP's..</enter>



  • Yes, both those things definitely:
    a) WAN and LAN must end up being different subnets.
    b) Do not set a gateway on LAN (lots of people seem to be doing that recently)

    You can change the gateway setting on Interfaces->LAN from whatever you put back to "none" and then also change the LAN subnet to be different to WAN and all should be fine.


  • Netgate Administrator

    You can remove the gateway from the webgui. No need to reset the interface from the console.

    @phil.davis:

    lots of people seem to be doing that recently

    Yes, interesting that. Has the wording changed somewhere to something confusing?

    Steve



  • There is definately something fishy going on here. I've configured pfSense as you instructed, no gateway on LAN and letting the ISP-device assign DNSes. And the DNS resolve seems to work, I can ping www.google.com from my internal PC. But I get "Reply from 192.168.2.1: TTL Expired in transit." It can resolve the host google.com, but can't reach it. Seriously strange. Could there be something I need to do on the ISP-device? I tried turning the firewall off, but no difference.

    I can reach hosts on my normal 192.168.1.x-network, but not by hostname, only by IP (perhaps an effect of being on different subnets?).

    But still no internet connection to speak of.


  • Netgate Administrator

    You should allow pfSense to hand out itself (LAN IP address) as the DNS server to clients behind it. That would be the usual configuration. TTL expired is interesting.
    Try pinging Google from the pfSense console both by url and at, say, 8.8.8.8. What is the actual response?

    Steve



  • If I ping google.com or 8.8.8.8 from WAN interface as source adress (192.168.1.78) it works fine. But if I try from default, LAN or localhost as source, I get this:

    PING google.com (173.194.40.232) from 192.168.2.1: 56 data bytes
    36 bytes from localhost (127.0.0.1): Time to live exceeded
    Vr HL TOS  Len    ID    FLG    off  TTL  PRO  cks      Src                Dst
    4  5    00 5400  a326    0 0000  01  01  0000 192.168.2.1  173.194.40.232

    x3, just different ID's from the pings. I'm gessing the pfSense isn't letting stuff through?

    Interesting result from a traceroute to 8.8.8.8.

    If I do it from the WAN-adress, it all works fine. If I do it from LAN-source, I get 18 hops of 127.0.0.1 with sub-ms times. Only 127.0.0.1.

    Whaaaat..?


  • Netgate Administrator

    Ok if you're doing that via the webgui you specify which interface to send the ping from. Obviously only WAN is the correct inerface but that implies that 'default' is sending from the wrong interface which is bad.
    Did you do this:

    @stephenw10:

    …then go to System: Routing: and make sure it's removed from there too and that the WAN gateway is now default.

    Steve



  • @stephenw10:

    Ok if you're doing that via the webgui you specify which interface to send the ping from. Obviously only WAN is the correct inerface but that implies that 'default' is sending from the wrong interface which is bad.
    Did you do this:

    @stephenw10:

    …then go to System: Routing: and make sure it's removed from there too and that the WAN gateway is now default.

    Steve

    Totally missed that step. Works fine now, thanks a bunch, guys!

    EDIT:
    The modem is now in stupid-mode, so the pfSense is my only firewall and DHCP-server. Works like a charm! :D

    Just gotta find out how to shut it the hell up…sounds like a vacuumcleaner. =P


  • Netgate Administrator

    Nice.  ;D
    What hardware are you running? Have you investigated powerd?

    Steve



  • The cheapest crap I could get my hands on! :D

    AMD Athlon 64 X2 5600+ on a ASUS M2N32-SLI Deluxe Wifi-edition w/ 2 onboard NICs, working just fine.
    Got it stationed in a SilverStone LC17 HTPC chassis, so it looks real good too. ;)

    The preinstalled chassis fans were cheap LED-lighted basterds, so I ripped them out and made sure that the CPU cooler is unobstructed. That cut the noise down radically, and will get some more silent fans soon to keep the case a bit cooler. With only the CPU cooler fan running in the whole system (not counting PSU) the CPU runs at about 45-48C, acceptable if not optimal.

    Next step is to get familiar with the Traffic Shaper to setup bandwidth throttling/limiting to specific LAN DHCP clients. Need to be able to make sure certain units on the network doesn't eat up all the available bandwidth.


  • Netgate Administrator

    Well that CPU has power saving features in the form of 'cool'n'quiet' and powerd should be able to control that via the powernow_k8 driver. Probably save you some Watts at idle and hence fan noise (if your fans are thermal control).

    It should show up in the boot log if it's working. For example:

    CPU: AMD Athlon(tm) 64 X2 Dual Core Processor 5200+ (2705.78-MHz K8-class CPU)
    FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
     cpu0 (BSP): APIC ID:  0
     cpu1 (AP): APIC ID:  1
    cpu0: <acpi cpu=""> on acpi0
    cpu1: <acpi cpu=""> on acpi0
    powernow0: <powernow! k8=""> on cpu0
    powernow1: <powernow! k8=""> on cpu1</powernow!></powernow!></acpi></acpi>
    

    Steve



  • Well, the CPU fan noise is not an issue, I got a replacement for the loud Zalman previously installed (it was also too large for the new chassis). The problem was the chassis fans, and those were not PWM, so I could not control their RPMs properly. So I yanked them out, and now the box is mostly silent.

    Will look into powerd tho, guessing it is installed as some kind of addon?


  • Netgate Administrator

    It's included by default but not enabled. Try enabling it under System: Advanced: Miscellaneous: You may have to tweak it or load some further modules. You might find it throws errors for various reasons. Check the system logs.

    Steve



  • Coolio. However, does the cool'n'quiet-mode need to be enabled in BIOS beforehand? 'Cuz I ripped out the Graphics card as well to decrease noise, so to enable it is a bit more work than just rebooting the system.. ^^


  • Netgate Administrator

    I have no experience with cool'n'quiet but I would expect it needs to be enabled in the BIOS. It might be enabled already.

    Steve



  • Ok. At any appropriate moment I will tear down the firewall and install the GPU again. =)


Log in to reply