WAN address showing an internal ip

  • Hello,

    Please brace yourself for a total nube question.

    My pfsense box sits behind a modem/router supplied by my isp. I can't put the modem into bridge mode because the TV and phone lines for the house also go through it and putting it in bridge mode would make those services not work correctly. Currently the WAN interface on my pfsense box is set as DHCP. This causes its WAN ip to be an internal network ip ( I'm trying to run an openvpn server and the pfsense box thinking its internal ip is is messing up the port forwarding from my modem/router.


  • Short answer is just to change your LAN subnet from 192.168.1.x to something else, like 192.168.20.x, so there's no conflict between the WAN and LAN subnets.

    Slightly longer answer - what part of the world are you in?  I've set up many clients with Bridged mode routers running their TV and internet so that pfSense handles all the internet side of things and the modem handles TV and the rest.  Just interested in whose service you're using.
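As an added example (not from the thread), a small check for the two conditions discussed above: a WAN address inside an RFC 1918 range means pfSense is double-NATed behind the modem, and a LAN subnet that overlaps the WAN subnet is the conflict the first answer fixes by moving the LAN to e.g. 192.168.20.x. The candidate subnets and the sample addresses are assumptions, not values from the thread.

```python
import ipaddress

# RFC 1918 ranges: a WAN address inside one of these means pfSense sits
# behind another NAT device (the double NAT discussed in the thread).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Fallback LAN subnets to try, in order (assumed choices, not from the thread).
CANDIDATES = ("192.168.20.0/24", "192.168.50.0/24", "10.20.0.0/24")


def wan_is_behind_nat(wan_ip: str) -> bool:
    """True if the WAN address is private, i.e. the modem is NATing pfSense."""
    addr = ipaddress.ip_address(wan_ip)
    return any(addr in net for net in RFC1918)


def subnets_conflict(wan_cidr: str, lan_cidr: str) -> bool:
    """True if the WAN and LAN networks overlap (breaks routing and port forwards)."""
    wan = ipaddress.ip_network(wan_cidr, strict=False)
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return wan.overlaps(lan)


def suggest_lan(wan_cidr: str, lan_cidr: str) -> str:
    """Keep the current LAN subnet if it is fine, else pick the first non-overlapping candidate."""
    if not subnets_conflict(wan_cidr, lan_cidr):
        return str(ipaddress.ip_network(lan_cidr, strict=False))
    wan = ipaddress.ip_network(wan_cidr, strict=False)
    for cand in CANDIDATES:
        if not ipaddress.ip_network(cand).overlaps(wan):
            return cand
    raise ValueError("no candidate subnet avoids the WAN network")


def check(wan_cidr: str, lan_cidr: str) -> dict:
    """Summarise the WAN/LAN situation for a pfSense box behind an ISP router."""
    wan_ip = wan_cidr.split("/")[0]
    return {
        "double_nat": wan_is_behind_nat(wan_ip),
        "conflict": subnets_conflict(wan_cidr, lan_cidr),
        "suggested_lan": suggest_lan(wan_cidr, lan_cidr),
    }


if __name__ == "__main__":
    # Constructed sample: the modem hands pfSense 192.168.1.5/24 on WAN while
    # the pfSense LAN is still the default 192.168.1.1/24.
    print(check("192.168.1.5/24", "192.168.1.1/24"))
```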

  • IMHO the cleanest solution would be to put everything behind pfSense and configure the modem as a bridge. pfSense will issue IPs to the phone and TV instead. The upside is only one device is running NAT instead of two. This is really really the best way to go.

    If that's truly not an option, the second best solution would be to see if the modem has a DMZ or bypass mode so that pfSense can get a public IP address or at the very least 1:1 NAT through the modem. Most modems aren't that sophisticated, so if that isn't possible, that leaves you the following options:

    Configure for either transparent mode, or separate the LANs, or router/firewall only mode (not gateway, i.e. no NAT), or super careful configuration of separate networks (i.e. 192.168.1.x and 192.168.2.x). Choosing which approach is mostly dictated by your goals. If you simply want an openVPN endpoint only, and nothing else, I'd do the following:
    1. Configure pfSense with a static IP address in the 192.168.1.x subnet and configure the Modem to port forward the OpenVPN port (1194?) to pfSense
    2. Disable NAT and Firewall https://doc.pfsense.org/index.php/Outbound_NAT#Disable_NAT_and_Firewall
    3. Connect only one single port to pfSense, then configure OpenVPN

    Here's how that would lay out:

    Workstations ------
    pfSense --------> switch/hub <--> Modem <--> Internet
    TV/phone/etc. -----

    In this configuration all your security is at the Modem. pfSense is just an encryption box.
    I have no idea if OpenVPN will work well, or at all, through your Modem's NAT. It should, however I've never tried it.

  • How would I configure pfsense to issue IPs to the phone and TV? Alternatively would there be a way to configure pfsense to just pass that traffic along to the modem and let it handle the TVs and phones?


  • @crossroads1112:

    How would I configure pfsense to issue IPs to the phone and TV?

    By default pfSense issues IP addresses dynamically from its internal DHCP server. Most consumer devices (TVs and phones) are also configured to receive IP addresses dynamically from a DHCP server. So no additional configuration is necessary in most cases. This configuration should simply just work:
    Devices <--> switch/hub <--> [LAN pfSense WAN] <--> [LAN modem WAN] <--> internet

    This is the simplest configuration and the one that pfSense is specifically preconfigured for. You can actually test it without making any changes to the modem and it should still work anyway although there will be a double NAT performed (once by pfSense and once by the modem).  Steps to test:
    1. Plug in everything according to above diagram
    2. Configure pfSense with all defaults except change the LAN IP address to be different from the one the modem is using. ( as divsys suggested)
    3. Reboot everything in this order so that all the devices get issued new IPs: modem, pfsense, devices

    This setup should simply work. If it does, then you can remove the double NAT from the design by reconfiguring the modem for bridging only, then reboot the modem and pfsense and pfSense should pick up a public IP and everything should continue to "just work".


    Alternatively would there be a way to configure pfsense to just pass that traffic along to the modem and let it handle the TVs and phones?

    Yes, although it's a bit more involved and shouldn't be necessary in most scenarios. You could place an additional switch between pfSense and the modem for those devices, or create a DMZ, or use 1:1 NAT, or bridging, etc.  I would try the test setup above first to see if it works. If it turns out that the TV and phone have to connect to the modem, then things get a bit more complicated. You'll want to review the ISP's requirements to determine the best configuration at that point.
