Netgate Discussion Forum

    Configuring Home Lab Network

    General pfSense Questions
    9 Posts 6 Posters 2.5k Views
      negimudkip

      So I recently installed pfSense on a Watchdog X1000 and I want the firewall to be behind the main ASUS router so that I don't have to mess with putting it in front of the ASUS one. However, I can't seem to get the right configuration down. I have both the WAN and LAN (which I can access the web interface) and the others are OPT1, 2, 3 etc. with the other ports. Thanks.

        marvosa

        What is it you can't get right?  Configure your WAN interface, uncheck "Block bogon networks", configure your LAN, and you're pretty much done.

        You'll have to tell us what we're missing here.

          Derelict LAYER 8 Netgate

          Uncheck Block private networks on the WAN interface.  Bogons might help but it's something else.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            johnpoz LAYER 8 Global Moderator

            The block private doesn't even have to be removed unless you're going to have inbound traffic from that segment between your asus and your pfsense wan. Or you don't want to see noise that might be generated from that segment. You can always turn off logging that rule. Or just as stated disable it - it serves no real purpose since anything that is not allowed per a rule from the wan is blocked anyway.

            It's like when you turn on bogon on a lan interface - it's just going to generate noise in the log, etc.

            There is nothing that has to be done really to be behind a nat on your wan, other than having to put any forwards into the asus that you want to get to stuff behind your pfsense. Or putting your pfsense wan IP into the dmz of your asus.

            As to your other opt interfaces - you will have to create the rules you want on those. Unlike the first lan you create, which gets a default any any rule, when you enable OPT interfaces the firewall rules will be blank and deny all traffic. Anything that you want to pass thru opt interfaces you have to create a rule - might be any any to start with. But something has to be put there or nothing is going to work from those segments attached to your opts.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              negimudkip

              @marvosa:

              What is it you can't get right?  Configure your WAN interface, uncheck "Block bogon networks", configure your LAN, and you're pretty much done.

              You'll have to tell us what we're missing here.

              @Derelict:

              Uncheck Block private networks on the WAN interface.  Bogons might help but it's something else.

              I've already unchecked it. I'll have to look over the config again.

              @johnpoz:

              The block private doesn't even have to be removed unless you're going to have inbound traffic from that segment between your asus and your pfsense wan. Or you don't want to see noise that might be generated from that segment. You can always turn off logging that rule. Or just as stated disable it - it serves no real purpose since anything that is not allowed per a rule from the wan is blocked anyway.

              It's like when you turn on bogon on a lan interface - it's just going to generate noise in the log, etc.

              There is nothing that has to be done really to be behind a nat on your wan, other than having to put any forwards into the asus that you want to get to stuff behind your pfsense. Or putting your pfsense wan IP into the dmz of your asus.

              As to your other opt interfaces - you will have to create the rules you want on those. Unlike the first lan you create, which gets a default any any rule, when you enable OPT interfaces the firewall rules will be blank and deny all traffic. Anything that you want to pass thru opt interfaces you have to create a rule - might be any any to start with. But something has to be put there or nothing is going to work from those segments attached to your opts.

              Got it, I'll see what I can do. Maybe I skipped something in my config.

                KOM

                What is the actual problem that you are experiencing?  I don't see it anywhere in your post.  No Internet access on LAN?  No access to LAN from OPT1?….

                  stephenw10 Netgate Administrator

                  The most important thing when setting up pfSense behind another NATing device is to ensure the WAN and LAN interfaces are using different subnets. The pfSense LAN interface uses 192.168.1.1/24 by default and that is a subnet commonly used by SOHO routers. If your ASUS router is using that you must change the pfSense LAN subnet to use something else like, for example: 192.168.100.1/24. Likewise the additional interfaces OPT1-4 must also use separate unique subnets.

                  Steve
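
The subnet rule from the post above, as an added example that is not part of the thread: a small check that flags any two interfaces whose subnets overlap. The function name and all addresses other than the default 192.168.1.1/24 and the suggested 192.168.100.1/24 are constructed for illustration, including the WAN address assumed to be handed out by the upstream router.

```python
import ipaddress


def find_subnet_conflicts(interfaces):
    """Return (name_a, name_b, net_a, net_b) for every overlapping pair.

    interfaces maps an interface name to its address in CIDR form,
    for example {"LAN": "192.168.1.1/24"}.
    """
    # ip_interface accepts a host address with a prefix and exposes its network.
    nets = {name: ipaddress.ip_interface(cidr).network
            for name, cidr in interfaces.items()}
    names = list(nets)
    conflicts = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # overlaps() also catches a smaller subnet nested in a larger one.
            if nets[a].overlaps(nets[b]):
                conflicts.append((a, b, str(nets[a]), str(nets[b])))
    return conflicts


# Constructed sample: WAN sits on the upstream router's 192.168.1.0/24,
# LAN is still on the pfSense default, and OPT2 is nested inside OPT1.
BROKEN = {
    "WAN": "192.168.1.50/24",
    "LAN": "192.168.1.1/24",
    "OPT1": "192.168.2.1/24",
    "OPT2": "192.168.2.129/25",
}

# Constructed sample: LAN moved to 192.168.100.1/24, each OPT on its own /24.
FIXED = {
    "WAN": "192.168.1.50/24",
    "LAN": "192.168.100.1/24",
    "OPT1": "192.168.101.1/24",
    "OPT2": "192.168.102.1/24",
}

if __name__ == "__main__":
    for label, plan in (("broken", BROKEN), ("fixed", FIXED)):
        found = find_subnet_conflicts(plan)
        print(label, "->", found if found else "no overlapping subnets")
```
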

                    negimudkip

                    Alright, think I got it. So I was able to ping Google from WAN so what I did was just bridged WAN to OPT1 - OPT4 leaving LAN as a Management Interface. This works out just fine so that I can focus on one interface for the firewall rules….

                      stephenw10 Netgate Administrator

                      Were you originally aiming for a bridged setup? (transparent firewall).

                      Steve

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.