Pfsense behind linksys router



  • Hi folks, I have been testing pfSense before implementing it at work, but it seems I can't get it to work behind a Linksys DSL router. Using a Windows XP box connected to the LAN interface of pfSense in 192.168.2.0/24 and a WAN interface connected to a Linksys wireless router in 192.168.1.0/24 gets me nowhere. The pfSense log shows packets pass, but I can't even ping any internet address. Any help would be appreciated, thank you in advance.





  • Thank you for your prompt reply, GruensFroeschli, but I have read that post and don't know what I am missing.



  • @http://forum.pfsense.org/index.php/topic:

    If you have a private subnet on your WAN: uncheck the "Block private networks" checkbox on your WAN-config page.



  • I have already done that but still can't ping the internal interface of the DSL router. The pfSense box can ping the LAN and WAN interfaces and the internet, but Windows XP can only ping the LAN interface of the pfSense box and nothing else. When I try to tracert the internal interface of the DSL router, I get destination unreachable from the LAN interface of pfSense.



  • So to summarize:

    ping pfSense --> LAN-Interface of pfSense: OK
    ping pfSense --> WAN-Interface of pfSense: OK
    ping pfSense --> LAN-Interface of Linksys: OK
    ping pfSense --> WAN-Interface of Linksys: OK
    ping pfSense --> Internet: OK

    ping XP-client on pfSense-LAN --> LAN-Interface of pfSense: OK
    ping XP-client on pfSense-LAN --> WAN-Interface of pfSense: NOT OK
    ping XP-client on pfSense-LAN --> LAN-Interface of Linksys: NOT OK
    ping XP-client on pfSense-LAN --> WAN-Interface of Linksys: NOT OK
    ping XP-client on pfSense-LAN --> Internet: NOT OK

    First you need to be able to get a ping to the WAN-Interface of pfSense.
    Things to check:

    • Is the gateway on the XP machine set to the pfSense?
    • Do you have a rule on the LAN interface that allows 192.168.2.0/24 to any?
    • Are the subnets in the pfSense config correct? (no /16 by accident)
    • Does the Linksys allow pings on its LAN interface?
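
The addressing checks from the list above, together with the RFC1918-on-WAN point raised earlier in the thread, as an added example that is not part of the original posts. The two subnets come from the thread; the host addresses and the function name `check_addressing` are assumptions made for illustration.

```python
import ipaddress

# RFC1918 ranges that pfSense's "Block private networks" WAN option drops.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_addressing(lan_if, wan_if, client_ip, client_gw):
    """Return (code, message) findings for a double-NAT lab setup.

    lan_if / wan_if are 'address/prefix' strings as typed into pfSense;
    client_ip / client_gw are what the LAN client reports (ipconfig /all).
    """
    lan = ipaddress.ip_interface(lan_if)
    wan = ipaddress.ip_interface(wan_if)
    client = ipaddress.ip_address(client_ip)
    gateway = ipaddress.ip_address(client_gw)
    findings = []

    # A mistyped mask (e.g. /16) makes the LAN network swallow the WAN
    # network, so traffic for the upstream router is never forwarded.
    if lan.network.overlaps(wan.network):
        findings.append(("subnet-overlap",
                         f"LAN {lan.network} overlaps WAN {wan.network}"))
    if client not in lan.network:
        findings.append(("client-outside-lan",
                         f"{client} is not inside {lan.network}"))
    if gateway != lan.ip:
        findings.append(("gateway-not-pfsense",
                         f"client gateway {gateway}, pfSense LAN is {lan.ip}"))
    # Informational: with a private WAN the block option must be unchecked.
    if any(wan.ip in net for net in RFC1918):
        findings.append(("wan-rfc1918",
                         "WAN is private: uncheck 'Block private networks'"))
    return findings

if __name__ == "__main__":
    # Constructed host addresses inside the subnets named in the thread.
    for mask in ("24", "16"):
        print(f"LAN mask /{mask}:")
        for code, msg in check_addressing(f"192.168.2.1/{mask}",
                                          "192.168.1.2/24",
                                          "192.168.2.100", "192.168.2.1"):
            print(f"  [{code}] {msg}")
```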


  • Your summary is exactly the situation. I also can ping the WAN interface of pfSense and get DNS resolution from the DSL router with DNS forwarding.

    • XP gateway is the pfSense by DHCP
    • The rule is there by default
    • Subnet OK
    • Linksys allows ping since I can ping from the pfSense

    Thank you



  • Prolly not much help, but I've just bought a WAG200G where I changed the IP to 10.0.1.1 with DHCP server on and added the DNS server manually.

    Put a switch between pfSense and XP.

    Boot the pfSense live CD and assign LAN and WAN and nothing else.

    Just my 2 cents.



  • Although I started to believe it is the Linksys trying to be smart by blocking traffic from the pfSense LAN interface, I'll try to add a switch and let you know. Thank you, Perry.



  • If it helps, I have a Linksys router that my pfSense host is behind and it all works just fine.  I've left the pfSense host on defaults, except for unticking the option to block RFC1918 addresses on the WAN port.  NAT is still on automatic.



  • Just out of curiosity, why would one want to put pfSense behind a Linksys router?
    I understand that selim did it in his test environment, but you, Cry Havok?



  • I have such a setup running at home too. (OK, I have a Zyxel ADSL modem-router.)

    Mostly because I "try" stuff behind the pfSense and the rest of the family gets angry if the internet is down because I borked something.



  • @jahonix:

    Just out of curiosity, why would one want to put pfSense behind a Linksys router?
    I understand that selim did it in his test environment, but you, Cry Havok?

    To create a DMZ.

    My home setup involves a Linksys box (about to be replaced by a Buffalo running DD-WRT) on the outside with a DMZ hosting a mail and web server and pfSense on the inside protecting my core network.  I know that in theory I can achieve this with a single host, but if security on that host fails then everything is exposed.  This way I get defence in depth, and the chance to play with more toys ;)  It also gives me a network I can allow guests to connect to for Internet access without having to give them access to my core network.



  • Excellent choice using Buffalo + DD-WRT.
    If your Linksys is the right version, you can run DD-WRT on it as well.



  • Well, I have it the other way round.
    pfSense in front and a Linksys WRT54GL with DD-WRT acting as AP and doing some stuff in a DMZ.
    This way I can allow guests access to the INet and not touching …  ;-)

    pfSense talks directly to the DSL modem and acts as PPPoE client. This way I have all the benefits from having pfSense's WAN public.

    FWIW.

