Can't seem to get up and running
-
Hi everyone. I just installed PFsense on a mini computer with 2 LAN ports. My intention is to use it at home as a firewall, proxy server, etc., but I can't seem to get it working.
I have it hooked up like this:
Modem -> pfSense -> ASUS RT-AC68U -> Computer
…and...
Device - WAN IP / LAN IP
Modem - External Address / 192.168.0.1
pfSense - DHCP assigned by modem / 192.168.3.7
router - 192.168.3.1 / 192.168.2.1
computer - 192.168.2.98
From my computer, I can browse to my pfSense at 192.168.3.7 and I can also browse to my ASUS RT-AC68U. The pfSense is seeing the internet and I have the ability to use the web interface to execute pings, trace routes, etc.
The ASUS RT-AC68U indicates that it has an internet connection; however, this does not appear to be the case as (1) no internet connection works from the PC. (2) DNS Lookups, Pings, and Traceroutes from the RT-AC68U fail.
Any ideas on what I can look for to diagnose my connection issues? If I take the pfSense out of the picture and set my router back to get a DHCP from the modem for its WAN address, I am back up and running again.
Thanks.
-
So your modem is a router, pfsense is a router, and your asus is a router so you're attempting to triple NAT?
First, you can probably get that working by editing your pfSense WAN interface and unchecking Block private networks.
Second, here's what I would do:
Find out how to put your modem in bridge mode. This will make it transparent and your WAN port will be able to get the public IP address itself.
I'd do something like this with the Asus:
https://forum.pfsense.org/index.php?topic=81014.msg442131#msg442131
-
Having 'Block private networks' checked will not prevent access to the internet from devices behind pfSense. It will prevent any port forwards etc working.
A common configuration mistake that will prevent access is having a gateway on the LAN interface. You should have only one gateway and it should be on WAN.
I agree though, triple NAT is a really horrible setup and not necessary. Even if you can't do anything with your modem (because it's locked perhaps) you can run the Asus router as an access point only.
Steve
-
I suppose the reason I was shooting for a triple router system is because (1) we have a flaky internet and about once a month I have to call tech support to have them reset things on the Century Link side. They are much more difficult to work with and quick to blame other parts of the system if I can't login to the modem and answer their questions. If the modem is in bridge mode, it is not visible on the network and therefore makes it hard for me to call support. (2) To have better content protection, I am looking at switching my router back to an iBoss router. They work really well, and I don't believe they work in non-router mode.
I did get up and running by switching the ASUS Router to run in Access Point mode, but why won't it work in router mode? Sure, triple NAT may not be a perfect plan, but shouldn't it work? I really need to be able to see and login to my modem and router. If they are in bridge mode, I lose that ability.
Incidentally, I did turn 'Block Private Networks' off since my modem is not setup in bridge mode. Does this open me up to any additional hacking?
Thanks again.
-
Sure, triple NAT may not be a perfect plan, but shouldn't it work?
It should, theoretically. Some services have a hard time with multiple layers of NAT but most stuff works fine. The fact that yours didn't implies one of your devices was doing something wrong, almost certainly the Asus, since switching that to AP mode fixed it. Handing out the wrong gateway, incorrect subnet mask, bad route, it could be many things. Running it in access point mode is much better though.
I really need to be able to see and login to my modem and router. If they are in bridge mode, I lose that ability.
You can still access the Asus in access point mode. Often you can still access an upstream router in 'modem' or bridge mode by using an additional IP on the WAN. See:
https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall
Incidentally, I did turn 'Block Private Networks' off since my modem is not setup in bridge mode. Does this open me up to any additional hacking?
No. Everything from WAN is blocked by default anyway. That setting only serves as an additional block if you have a public IP on WAN. You should never see private IPs on the WAN in that situation so anything that arrives from a private address must be bogus and should be rejected even if you have port forwards set up.
Steve
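The checks Steve describes in his two replies (only one gateway, and it belongs on WAN; a wrong gateway, mask or route on one of the hops; 'Block private networks' only biting on inbound traffic when the WAN address is itself private) can be scripted against the addressing table from the opening post. The script below is an added example, not code from this thread or from pfSense. It models each router as a hop, flags those misconfigurations, and walks a packet's source address through the chain so the "triple NAT" is visible. The pfSense WAN address is given in the post only as "DHCP assigned by modem", so 192.168.0.2 is an assumed value; the `build_chain` helper and its parameters are inventions for the example.

```python
"""Sanity checks for a chain of NAT routers like the one in this thread.

Added example, not code from the thread or from pfSense. Each hop carries
its WAN/LAN addressing; check_chain() flags a gateway on the LAN side, a
WAN gateway outside the WAN subnet or not equal to the upstream router's
LAN address, overlapping subnets, and 'Block private networks' enabled on
a WAN that already holds an RFC1918 address. nat_path() shows the source
address a packet carries after each hop.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Optional, Tuple


@dataclass
class Hop:
    name: str
    lan: IPv4Interface
    wan: Optional[IPv4Interface] = None          # None: this hop holds the public IP
    wan_gateway: Optional[IPv4Address] = None
    lan_gateway: Optional[IPv4Address] = None    # must stay None; only WAN gets a gateway
    block_private_on_wan: bool = False           # pfSense 'Block private networks'


def check_chain(chain: List[Hop]) -> List[str]:
    """Return findings for a chain ordered modem-first; empty means it looks sane."""
    findings: List[str] = []
    for i, hop in enumerate(chain):
        if hop.lan_gateway is not None:
            findings.append(f"{hop.name}: gateway {hop.lan_gateway} configured on LAN; "
                            "only the WAN interface should have a gateway")
        for other in chain[i + 1:]:
            if hop.lan.network.overlaps(other.lan.network):
                findings.append(f"{hop.name} and {other.name} share LAN subnet {hop.lan.network}")
        if hop.wan is None:
            continue                             # the hop with the public address has no upstream
        if hop.wan.network.overlaps(hop.lan.network):
            findings.append(f"{hop.name}: WAN {hop.wan.network} overlaps LAN {hop.lan.network}")
        if hop.wan_gateway is None:
            findings.append(f"{hop.name}: no gateway on WAN")
        elif hop.wan_gateway not in hop.wan.network:
            findings.append(f"{hop.name}: WAN gateway {hop.wan_gateway} is outside "
                            f"WAN subnet {hop.wan.network}")
        elif i > 0 and hop.wan_gateway != chain[i - 1].lan.ip:
            findings.append(f"{hop.name}: WAN gateway {hop.wan_gateway} is not the LAN address "
                            f"{chain[i - 1].lan.ip} of {chain[i - 1].name}")
        if hop.block_private_on_wan and hop.wan.ip.is_private:
            findings.append(f"{hop.name}: 'Block private networks' on WAN {hop.wan.ip} drops "
                            "inbound traffic from upstream, so port forwards will not work")
    return findings


def nat_path(chain: List[Hop], src: str) -> List[Tuple[str, str]]:
    """Source address a packet from src (behind the last hop) carries after each hop."""
    path = [("origin", src)]
    for hop in reversed(chain):
        path.append((hop.name, "public IP" if hop.wan is None else str(hop.wan.ip)))
    return path


def build_chain(pfsense_block_private: bool = False,
                asus_lan_gateway: Optional[str] = None) -> List[Hop]:
    """Addressing from the opening post (helper invented for this example).

    The pfSense WAN address is 'DHCP assigned by modem' in the post; 192.168.0.2
    is assumed here. asus_lan_gateway reproduces the LAN-gateway mistake.
    """
    return [
        Hop("modem", lan=IPv4Interface("192.168.0.1/24")),
        Hop("pfSense", lan=IPv4Interface("192.168.3.7/24"),
            wan=IPv4Interface("192.168.0.2/24"), wan_gateway=IPv4Address("192.168.0.1"),
            block_private_on_wan=pfsense_block_private),
        Hop("Asus RT-AC68U", lan=IPv4Interface("192.168.2.1/24"),
            wan=IPv4Interface("192.168.3.1/24"), wan_gateway=IPv4Address("192.168.3.7"),
            lan_gateway=IPv4Address(asus_lan_gateway) if asus_lan_gateway else None),
    ]


if __name__ == "__main__":
    for label, chain in (("as posted", build_chain()),
                         ("block private on", build_chain(pfsense_block_private=True)),
                         ("gateway on Asus LAN", build_chain(asus_lan_gateway="192.168.3.7"))):
        print(label, "->", check_chain(chain) or "no findings")
    for hop, src in nat_path(build_chain(), "192.168.2.98"):
        print(f"after {hop}: source {src}")
```

The chain exactly as posted passes every check, which matches Steve's point that the failure must have been in something the post does not show (a bad gateway, mask or route on the Asus). Turning on 'Block private networks' with the private WAN address produces the port-forward finding only; it does not stop outbound traffic, which is why toggling it was not the fix.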