Help with new installation



  • Hello,

    I have been facing issues with my pfsense server for a while so I decided to do the big project and upgrade the hardware :(

    I got a new motherboard Gigabyte H61M-S2p R3 with an i3 processor, 8GB ram and 64GB SSD with a quad port intel nic

    I've installed pfsense without any problems, and setup everything using an attached monitor to the computer, then I connect my 4 VDSL (40 Mbps) lines to the pfsense server (which are all DHCP connections, i.e I connect on the modem with a username and password, and from the modem to pfsense through DHCP) and connect a lan to another computer to my home network to start the setup from the default 192.168.1.1 and it does not work just says unable to browse the setup page.

    what I noticed if I disconnect the 4 VDSL wan ports and keep just the lan I'm able to access the pfsense web configuration, and then re-connect the 4 wan ports everything works fine.

    if I restart my pfsense with the wan ports connected, same thing happens I have to disconnect the wan ports and to have the internet working on the lan

    This is driving me crazy and it does not make sense. If I lose power or an update that requires a reboot, I have to do this every time, although this used to work fine in the past without any problems.

    PLEASE HELP


  • Netgate Administrator

    My first guess is that this is a subnet conflict. If your vdsl modems are not in bridge mode and are running as routers then what subnet are they using on their LAN side?

    Steve



  • Hello

    The modems are on the same subnet as my pfsense 255.255.255.0

    Since all my home network is on the same subnet, it's easier to change the modems' subnet only

    Is that what I need to do



  • And another thing do I need to put each modem of the four modems on a different subnet



  • Option 1 - put all your modems into bridge mode, so they pass through their connection and public IP to pfSense. Then setup each connection to the ISP on each pfSense interface.
    Option 2 - keep the modems in routing mode. Give each of them a different IP subnet on their LAN side (which the pfSense WAN side connects to). And make pfSense LAN(s) also in different subnets.

    If you are not offering any services accessible from the public internet, then option 2 has no real issue.
    If you want to offer a web site, access for remote VPN clients…. then with option 2 you need to also port forward on each modem/router device in to the corresponding pfSense WAN - so that incoming connections are actually received by pfSense (which can then deal with them itself, or again port forward them to internal web server or...).


  • Netgate Administrator

    Exactly. If you're load-balancing the 4 connections you might have an issue bridging the modems anyway. pfSense needs to see a different gateway IP on each WAN for that to work. Are you using the same ISP for all 4 connections?

    Steve



  • Hello,

    Thanks for the help Steve, your guess was right, it is the subnet mask problem, and I can not put my modems in bridge mode and let the pfsense do the PPPOE connection :( as well I do load balance the 4 connections to get on torrents around 160 Mbps :)

    So here is what I did

    I changed the IP for each modem

    Modem 1
    192.168.1.2
    255.25.255.128

    Modem 2
    192.168.1.3
    255.255.255.192

    Modem 3
    192.168.1.4
    255.255.255.224

    Modem 4
    192.168.1.5
    255.255.255.240

    and this seems to have solved the problem and things are working fine now

    but now I faced another problem and that is when I assign a static IP address from the DHCP leases, for example I want to give my torrent downloading PC an internal static IP (192.168.1.100) so I can do port forwarding to it and private trackers are able to connect to me, and when I do that I can not access pfsense anymore or browse the internet anymore :(

    Any ideas why this might be happening



  • The IP for each modem needs to be in a different subnet, the ones you made are all overlapping.
    I would use "/24" 255.255.255.0 subnet for each, because it is simple. e.g.:

    Modem 1 192.68.11.1/24 <-> pfSense WAN1 192.168.11.2/24
    Modem 2 192.68.12.1/24 <-> pfSense WAN1 192.168.12.2/24
    Modem 3 192.68.13.1/24 <-> pfSense WAN1 192.168.13.2/24
    Modem 4 192.68.14.1/24 <-> pfSense WAN1 192.168.14.2/24

    pfSense LAN 192.168.21.1/24 (or whatever subnet and mask size you need) with some DHCP pool like 192.168.21.129-254 or whatever.
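
The overlap described in this exchange can be checked mechanically. The following is an added example, not part of any post in the thread: it uses Python's `ipaddress` module to compare the modem settings as posted against the pfSense-side addresses of the suggested plan. Taking modem 1's mask as 255.255.255.128 is an assumption, and the names `lan`, `modem1`..`modem4` and `wan1`..`wan4` are labels chosen for the example.

```python
import ipaddress
from itertools import combinations

# Modem LAN-side settings as posted in the thread, plus the pfSense LAN.
# Assumption: modem 1's mask is taken as 255.255.255.128.
AS_POSTED = {
    "lan": "192.168.1.1/255.255.255.0",
    "modem1": "192.168.1.2/255.255.255.128",
    "modem2": "192.168.1.3/255.255.255.192",
    "modem3": "192.168.1.4/255.255.255.224",
    "modem4": "192.168.1.5/255.255.255.240",
}

# pfSense-side addresses from the suggested plan, with the LAN kept on
# 192.168.1.1/24. The wan1..wan4 labels are chosen for this example.
PROPOSED = {
    "lan": "192.168.1.1/24",
    "wan1": "192.168.11.2/24",
    "wan2": "192.168.12.2/24",
    "wan3": "192.168.13.2/24",
    "wan4": "192.168.14.2/24",
}


def networks(layout):
    """Map each interface label to the IP network its address and mask imply."""
    return {name: ipaddress.ip_interface(addr).network
            for name, addr in layout.items()}


def find_overlaps(layout):
    """Return every pair of labels whose networks share at least one address."""
    nets = networks(layout)
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def networks_containing(layout, host):
    """Return the labels of all networks that claim the given host address."""
    ip = ipaddress.ip_address(host)
    return sorted(name for name, net in networks(layout).items() if ip in net)


if __name__ == "__main__":
    for title, layout in (("as posted", AS_POSTED), ("proposed", PROPOSED)):
        print(title, "overlapping pairs:", find_overlaps(layout))
    print("192.168.1.100 falls inside:",
          networks_containing(AS_POSTED, "192.168.1.100"))
```

A smaller mask on the same base address only narrows the range; every one of the posted modem networks still starts at 192.168.1.0 and sits inside the LAN's /24.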


  • Netgate Administrator

    Exactly, in fact I was just going to suggest those ranges before I saw Phil's post.  ::)
    Not sure how it worked for you before. I'd have to think carefully about those subnets. Why can't you bridge the modems?  What ISP are you using?

    Steve



  • the modems are from Orange they are ZTE Livebox 3

    they come pre-configured from Orange in Jordan



  • can I have the pfsense LAN assigned to 192.168.1.1 and DHCP pool to 192.168.1.200-254 as the network is already setup with these ranges and I have around 15 access points already setup with these ranges and I do not want to go and reassign them all over again :)


  • Netgate Administrator

    @afada:

    the modems are from Orange they are ZTE Livebox 3

    they come pre-configured from Orange in Jordan

    Fair enough I have no suggestions there then.  ;)

    You can leave the pfSense LAN configured as the 192.168.1.X subnet since it won't conflict with those suggested by Phil for the modems.

    Steve



  • three last questions

    1- when I give a machine on the network a static IP address from outside the pool (from the DHCP status page I assign a computer a static IP) this device will not be able to reach the internet see the network

    2- what is the easiest way to do a port forwarding (take into consideration I have 4 wans)

    3- how to enable firewall on the pfsense



  • 1 - you should be able to give LAN devices a static IP like 192.168.1.2 up to 199, set its gateway and DNS to 192.168.1.1 (pfSense LAN IP) and it will have internet. The default LAN to any rule will allow all LAN addresses out.

    2 - you need to port forward on each modem - since pfSense itself is a firewall, I usually just take the "port forward all" option on front-end devices. Often they call it "DMZ" when actually it is just an internal private IP address to forward all traffic to. This way you do that on all 4 front-end devices 1 time only (no need to go back opening extra ports in future). From a security point of view it is no different to bridging the front-end device through to pfSense. In both cases all incoming connections (friendly or otherwise) arrive at pfSense.
    Then use pfSense as you normally would to port forward into your server/s.
    You will then want public DNS name/s that point to your public IP/s and have them point to a suitable list of your public IPs if you want outside users to be round-robin connected to your various public links…

    3 - the firewall is already enabled. By default clients on LAN can start outgoing connections to internet resources, and all incoming connection attempts are blocked. Put pass rules on wan1-4 to allow what you want.

