PFsense behind dd-wrt question/setup - MERRY CHRISTMAS!



  • Hello everyone!

    Hope all of you are having a wonderful Christmas break (if applicable).

    I have a quick question, I hope, about open ports using pfsense and a router handling dhcp

    The last 7 years I lived in communist China, using a pfsense box, and it was a wonderful experience because… well, China + firewall = necessary especially if you work in media, like I did.

I returned to the States, immediately dropped the firewall because I was too busy to build a box, and had a computer legitimately hacked and money was illegally transferred using a computer on my network - apparently (IE, FBI called, etc). All was well, but dammit all... it's time for pfsense again because calls from government agencies are the opposite of fun.

So, here's my setup.  Using a Netgear AC 1900 router in front of my pfsense setup. WAN -> pfSense -> ROUTER.

    Pfsense LAN setup  -> 10.10.10.1
    ROUTER DHCP POOL   -> 11.11.11.1 - 254

    Pfsense box is built on :
    Intel(R) Pentium(R) 4 CPU 3.00GHz
    2 CPUs: 1 package(s) x 1 core(s) x 2 HTT

    General Settings:
    passing all xbox live ports to the main LAN address on the router
    passing all xbox live ports to the main LAN address of the xbox
    Using pfblocker
    Using Snort, but it's not working at the moment

    xbox 1 is set up on a static ip of 11.11.11.19

    I'm having my router handle DHCP because we have a central media server that we've ripped all our DVDs onto in HD (Plex server) and the router is great about moving that kind of traffic over it, especially since the host and the client are wired connections.

    Nonetheless, I'm having Xbox 1 NAT issues, that are caused by pfsense (removed the pfsense box, the router passes through ports correctly and NAT is open under that setup).

    So, here are my questions:

    1. All my NAT rules for passing correct Xbox Live Ports are not working
    2. Should I have pfsense handle DHCP? I'd prefer for LAN traffic to JUST pass over the router in order to maximize speed + reduce firewall load. Is this correct thinking?  I assume that if I start using the pfsense box for dhcp, then all LAN data would then pass over it and my router.
    3. I've read through every xbox live post available on the internet, and it seems to still be an issue

    Anyways, feel free to treat me like a dummy because I'm not entirely sure if my logic is sound on this (though be nice!)

    Cheers!
    Brian

    ![Screen Shot 2014-12-24 at 12.47.15 PM.png](/public/imported_attachments/1/Screen Shot 2014-12-24 at 12.47.15 PM.png)
    ![Screen Shot 2014-12-24 at 12.47.08 PM.png](/public/imported_attachments/1/Screen Shot 2014-12-24 at 12.47.08 PM.png)
    ![Screen Shot 2014-12-24 at 12.47.00 PM.png](/public/imported_attachments/1/Screen Shot 2014-12-24 at 12.47.00 PM.png)
    ![Screen Shot 2014-12-24 at 12.46.12 PM.png](/public/imported_attachments/1/Screen Shot 2014-12-24 at 12.46.12 PM.png)
    ![Screen Shot 2014-12-24 at 12.46.06 PM.png](/public/imported_attachments/1/Screen Shot 2014-12-24 at 12.46.06 PM.png)



  • Happy break and xmas to you too :)

    First of all I am no network expert, this is a hobby for me.

    Are you saying that pfSense gives your router a 10.10.10.x address and that your Nighthawk supplies clients with a 11.11.11.x address?

    Your assumption at point 2 seems invalid to me. All traffic always passes through both the firewall and the router. The question is where the processing happens. Currently the firewall processing happens @ pfSense and DHCP happens at the Nighthawk. You could indeed try to let pfSense take care of the DHCP too when you can't figure out this problem. When you do that I'd try to test networking speeds as your pfSense box is ageing ;) Maybe I am saying something really stupid now but I'd give it a quick test.



  • Hi JT!

    Merry Christmas!

    The great thing about Christmas, is that my wife apparently still wants the internet to work today. Pssh…

    This has actually turned into the "question behind the question" kind of problem for me, which is par for the course with me and pfsense.  Hobbyist here, obviously!

    Is there a way to make all the LAN traffic stay on the router? That's basically what I'm trying to accomplish.  The reason is that those two NICs on the pfs box are getting pegged if I'm using it for all our processes (remote into work transferring a file, kids streaming videos from local media server, wife streaming Netflix). The files we've ripped are quite large when streaming to a Plex server, so it's possible that a 10 gig video file would be transferring from the media server to a client while I'm VPN'd into work, working with huge files.

    I have changed a few things since the last mentioned setup.

    1.  The pfs box is 10.10.10.1
    2.  Installed dd-wrt on the Nighthawk r7000
    3.  Set the router as a DHCP forwarder
    4.  Set the router to 10.10.10.2

    The pfsense box is now controlling dhcp leases, but I'd like to set it up so that LAN -> LAN traffic stays on the router.

    I might be making a lot of really bad assumptions here, so disagreeing w/ even the most basic part of my setup is fine and welcome.  I've got a 100mbit WAN connection that I peg almost all the time.

    Thanks,
    Brian



  • Ok, so the setup is:

    [pfSense WAN IP <-> pfSense internal IP (10.0.0.1) ] ----- [ R7000 WAN port (10.0.0.2) <-> R7000 internal IP + DHCP leases (11.11.11.xxx) ] ----- [ Xbox fixed IP, 11.11.11.19 ]

    What I'd try:

    • pfSense no LAN DHCP, static IP 10.0.0.1
    • R7000 static WAN IP, 10.0.0.2
    • R7000 LAN DHCP
    • R7000 static LAN IP for Xbox, 11.11.11.19

    Ports for Xbox Live: http://support.xbox.com/en-US/xbox-360/networking/network-ports-used-xbox-live

    • Configure pfSense firewall to allow incoming traffic for ports and protocol as described

    • Configure pfSense NAT to send all incoming traffic that can pass the firewall to 10.0.0.2

    • Disable R7000 firewall

    • Configure R7000 to forward all traffic for ports as described to 11.11.11.19

    I would think that would do the trick.


  • Netgate Administrator

    @Arisian:

    The great thing about Christmas, is that my wife apparently still wants the internet to work today. Pssh…

    Ha! I feel your pain.  ;D

    What _JT has described above should work but it's not how I would do it or many other people here on the forum.

    Having your R7000 NATing between the 10.0.0.0 and 11.11.11.0 subnets is a bad idea. You're just making far more work for yourself, increasing the possibility of errors by many times. You should have one internal subnet and allow all the devices on it to be handed an IP by the pfSense DHCP server. You can probably turn off routing and NAT on the R7000 using DD-WRT (it's been a while since I used it), in which case you can use all 5 ports and you'll see no reduction in throughput.

    You shouldn't be using 11.11.11.0 at all because that is not a private subnet! If you ever need to access a server at 11.X it won't work.

    Steve


  • Banned

    Are you sitting at DoD with your Xbox? If not, then stop stealing their IPs…  :o

    ```
    NetRange:       11.0.0.0 - 11.255.255.255
    CIDR:           11.0.0.0/8
    NetName:        DODIIS
    NetHandle:      NET-11-0-0-0-1
    Parent:          ()
    NetType:        Direct Allocation
    OriginAS:       
    Organization:   DoD Network Information Center (DNIC)
    RegDate:        1984-01-19
    Updated:        2007-08-22
    Ref:            http://whois.arin.net/rest/net/NET-11-0-0-0-1
    ```
    

  • Netgate Administrator

    Ha! Well that introduces some intriguing possibilities.  :P
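Added example (editor's code, not from any poster in this thread): a small Python check of the addressing plan Steve recommends above, one RFC 1918 subnet with pfSense as gateway and DHCP server and the R7000 running as a plain access point. Fed the thread's first layout (pfSense on 10.10.10.1, router pool 11.11.11.1-254, Xbox on 11.11.11.19) it flags the non-private 11.0.0.0/8 space the ARIN record confirms, the gateway sitting in a different subnet, and the static hosts landing inside the DHCP pool. The corrected plan reuses Brian's 10.10.10.1 gateway and 10.10.10.2 for the DD-WRT box; the pool 10.10.10.100-199 and the Xbox at 10.10.10.19 are assumed values for illustration only.

```python
import ipaddress

# RFC 1918 private ranges; anything outside these is someone else's public space
# (11.0.0.0/8 in the thread belongs to the US DoD according to the ARIN whois record).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True if the whole network lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def check_plan(lan_cidr, gateway, ap_addr, pool_start, pool_end, static_hosts):
    """Validate a single-subnet plan: pfSense as gateway/DHCP, DD-WRT as a plain AP.

    Returns a list of human-readable problems; an empty list means the plan is clean.
    """
    problems = []
    lan = ipaddress.ip_network(lan_cidr, strict=True)

    if not is_rfc1918(lan_cidr):
        problems.append(f"{lan} is not RFC 1918 private space; hosts on the real {lan} become unreachable")

    # Every address that is configured by hand rather than leased.
    fixed = {"pfSense LAN": ipaddress.ip_address(gateway),
             "DD-WRT AP": ipaddress.ip_address(ap_addr)}
    fixed.update({name: ipaddress.ip_address(a) for name, a in static_hosts.items()})

    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    if start not in lan or end not in lan or start > end:
        problems.append(f"DHCP pool {start}-{end} is not a valid range inside {lan}")
    pool = range(int(start), int(end) + 1)

    for name, ip in fixed.items():
        if ip not in lan:
            problems.append(f"{name} {ip} is outside {lan}; a second subnet means double NAT")
        elif ip in (lan.network_address, lan.broadcast_address):
            problems.append(f"{name} {ip} is the network or broadcast address")
        elif int(ip) in pool:
            problems.append(f"{name} {ip} sits inside the DHCP pool and can be handed out twice")

    seen = {}
    for name, ip in fixed.items():
        if ip in seen:
            problems.append(f"{name} and {seen[ip]} both use {ip}")
        seen.setdefault(ip, name)
    return problems


# Constructed from the thread's first setup: pfSense LAN on 10.10.10.1, router handing
# out 11.11.11.1-254, Xbox fixed at 11.11.11.19. Treated as one subnet for the check.
ORIGINAL_PLAN = dict(lan_cidr="11.11.11.0/24", gateway="10.10.10.1", ap_addr="11.11.11.1",
                     pool_start="11.11.11.1", pool_end="11.11.11.254",
                     static_hosts={"Xbox One": "11.11.11.19"})

# Single-subnet plan. Gateway .1 and AP .2 come from the thread; the pool and the
# Xbox address are assumptions chosen so static hosts stay out of the lease range.
CORRECTED_PLAN = dict(lan_cidr="10.10.10.0/24", gateway="10.10.10.1", ap_addr="10.10.10.2",
                      pool_start="10.10.10.100", pool_end="10.10.10.199",
                      static_hosts={"Xbox One": "10.10.10.19"})

if __name__ == "__main__":
    for label, plan in (("original", ORIGINAL_PLAN), ("corrected", CORRECTED_PLAN)):
        found = check_plan(**plan)
        print(f"{label}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

The point of keeping static hosts outside the pool is the same one pfSense's own DHCP page enforces: a lease handed to a laptop that collides with the Xbox's fixed address shows up as exactly the kind of intermittent "NAT is strict" symptom that is hard to trace back to addressing.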



  • @stephenw10:

    @Arisian:

    The great thing about Christmas, is that my wife apparently still wants the internet to work today. Pssh…

    Ha! I feel your pain.  ;D

    What _JT has described above should work but it's not how I would do it or many other people here on the forum.

    Having your R7000 NATing between the 10.0.0.0 and 11.11.11.0 subnets is a bad idea. You're just making far more work for yourself, increasing the possibility of errors by many times. You should have one internal subnet and allow all the devices on it to be handed an IP by the pfSense DHCP server. You can probably turn off routing and NAT on the R7000 using DD-WRT (it's been a while since I used it), in which case you can use all 5 ports and you'll see no reduction in throughput.

    You shouldn't be using 11.11.11.0 at all because that is not a private subnet! If you ever need to access a server at 11.X it won't work.

    Steve

    I understand what you mean… if the server of the TS is not sufficient to handle firewalling, NATting and the traffic, then it might be best to buy a new router. Just built one myself with an Athlon 5350, works great :)

