Connecting two subnets

jor101091 · Dec 18, 2014, 7:33 PM

Hi all,

I will take a brief moment to introduce myself.

Im Jordy from the Netherlands, and 23 years of age.
Im recently became interested in home networking and security.

Today I have installed pfsense on a old desktop computer from dell. Originally this pc has a superfast 100Mb connection, but I need a superfast connection because my ISP connection is 180Mb/s.

After searching trough different boxes I found two PCI intel gigabit ethernet controllers, these are working fine and I have no speed loss, which is great.

Now because Im a bit unfamiliar whit pfsense and all its capabilities, I will explain my trouble and current situation.

My situation is as follow:

ISP Internet –-> ISP (wifi) modem (Smart TV, Humax-Recorder) ----> pfsense ----> switch1 (NAS, Printer, PC) -----> switch2 (PC, AppleTV)

Modem = 192.168.2.1/24
pfSense = 192.168.2.8 (DHCP) - WAN
pfSense = 192.168.1.1/24 - LAN

I have internet connection when using the PC behind switch2 and I have acces to my NAS (192.168.1.2) and fpsense server (192.168.2.8 ) and the configuration page of my modem (192.168.2.1).
When I connect to my wireless network provided by my modem, I have also Internet acces but I cannot connect to my pfsense server (192.168.2.8 ) or my NAS (192.168.1.2).

What can I do to get acces trough WiFi of my modem and reach my NAS, and still use the firewall to monitor the connection.

If anybody can help me with this I would appreciate it.

Regards Jordy

KOM · Dec 18, 2014, 8:14 PM

Interfaces - WAN - Private networks - Block private networks? Uncheck it and try again. With it's checked by default, pfSense WAN will ignore any communications from private address space (10.0.0.0, 192.168.0.0, 172.16.0.0 etc). For your NAS, pfSense will block anything not explicitly allowed by a firewall rule.

jor101091 · Dec 18, 2014, 8:56 PM

Hi I have unchecked this option, and as for now I'm unable to connect to my nas.
Can you think of any other setting that I can try.

Regards Jordy

Derelict · Dec 18, 2014, 9:22 PM

You have to have pass rules inbound on your pfSense WAN port. to get from your ISP modem into the LANs behind pfsense.

It would be a lot more straightforward if you:

Put your ISP modem in bridge mode, and let pfSense WAN get the public IP. Not sure if it's possible without losing services. See if your ISP has requirements for customer-provided routers.

or

Forget your ISP modem wi-fi exists and get an access point and put it behind pfSense.

jor101091 · Dec 18, 2014, 9:35 PM

Hi and thanks for your quick response,

It is required for me to use the ISP provided modem because internet connection is coming via COAX cable. The option to put the modem into bridge mode is greyed out so I need to call the ISP helpdesk to ask them to put the device in bridge mode. Its not likely that they are going to do that.

I have two routers/acces points laying around here but I don't want to use them, even do they are high spec devices the wireless speed is terrible, its not even an option to use them.

So I want to go with your first option and that is to set pass rules inbound for the WAN port.
Even do I have no idea how to that im giving that I try to figure out.
I will let you know if I require assistance.

Regards Jordy

Derelict · Dec 18, 2014, 10:00 PM

@jor101091:

Hi and thanks for your quick response,

It is required for me to use the ISP provided modem because internet connection is coming via COAX cable. The option to put the modem into bridge mode is greyed out so I need to call the ISP helpdesk to ask them to put the device in bridge mode. Its not likely that they are going to do that.

If the option is there I wouldn't be so sure. I'd talk to them about it. If they have instructions you could post them here and we can see if they make good sense.

I have two routers/acces points laying around here but I don't want to use them, even do they are high spec devices the wireless speed is terrible, its not even an option to use them.

Hmm. Maybe something was configured wrong.

So I want to go with your first option and that is to set pass rules inbound for the WAN port.
Even do I have no idea how to that im giving that I try to figure out.
I will let you know if I require assistance.

Search on "port forwarding." I don't think you're going to be able to disable NAT in pfSense unless you can put routes to your subnets in the ISP modem.

jor101091 · Dec 18, 2014, 11:08 PM

Ok guys,

I defenitly can use some help here,
My head is overflowing and I have trouble to understand what I'm doing.
I hope you can guide me trough setting up the pass inbound rules so I can connect via wifi to my NAS which is another network.

So basically I need to connect to and from 192.168.2.8(wan) to 192.168.1.1(lan).

Regards jordy

Derelict · Dec 19, 2014, 12:09 AM

If you insist on doing it the hard way, which you apparently do:

Create a VIP on WAN. This will be the address used to get to your NAS from outside of pfSense:

Firewall->Virtual IPs

Create one of type other for, say, 192.168.2.2.

Make a 1:1 NAT

Firewall->NAT->1:1

Interface: WAN
External Subnet IP: 192.168.2.2
Internal IP: 192.168.1.2
Destination: any

Make a firewall rule on WAN that passes traffic from outside pfSense to the LAN:

Pass IPv4 any source WAN net dest LAN net port any

I think that's all you need to do. Your NAS should be accessible from outside at 192.168.2.2

(Note that by "outside" I mean outside of pfSense. You are trusting your ISP router to filter traffic from the real internet.)

You wouldn't need the VIP or NAT if you could just tell your ISP router to route traffic for 192.168.1.0/24 to 192.168.2.8. Then you could just turn off NAT.

What is it you think pfSense is getting you? Why not just put everything on 192.168.2.0/24?

phil.davis · Dec 19, 2014, 8:28 AM

It is also possible to use the pfSense WAN-side "LAN" as effectively another LAN in your private network. The idea is to make pfSense WAN IP give out DHCP, and be the gateway for devices in that "WAN-side LAN". Something like this works:

Turn off DHCP on the ISP gateway device
Give pfSense WAN a static IP (like 192.168.2.2) and define its gateway to be the ISP gateway device (192.168.2.1)
Turn on DHCP on pfSense WAN - give it some pool of addresses in 192.168.2.0/24
Let pfSense WAN give itself as gateway and DNS server to WAN-side clients (that will be the default already when you enable DHCP).
Firewall->NAT, Outbound - for this 2.2-RC is easiest - enable Hybrid Outbound NAT, add a rule to NAT traffic with source WANnet to WANaddress - this makes WAN-side client traffic get NATed out to he internet in a similar way to LAN-side client traffic.
Firewall->Rules - add rule/s on WAN to allow source WANnet, destination all (or whatever you want to allow) so that traffic from WAN-side clients will be allowed.

Now your WAN-side clients act in a similar way to being another LAN on your pfSense. You can reach devices on the real LAN and also get internet.