No internet access through pfSense



  • Hi, I'm new to pfSense but have been wanting to play around with it for a while.
    So when I found a cheap Alix2d.13 I thought I would go for it.

    My setup is like this: Modem's WAN port > Alix2d.13 (pfSense) LAN port > SOHO router > servers/clients
    I've tried pinging out from the pfSense box (and plugging clients directly into the LAN side), but no internet access from there either.
    I'm using DHCP on the WAN side, and it seems to get an IP, default gateway, etc. as it should.

    I've watched a few guides afterwards, and I really can't see any configuration which should be wrong, so I'm kinda lost in troubleshooting this.

    I really hope some of you guys can help me. I don't really know what information you need, so to avoid making this post twice as long, just let me know what you need :)
    Oh, and beforehand I would like to say thanks a lot to anyone taking their time to try and help me with this.


  • LAYER 8 Global Moderator

    This should just work out of the box..  What IP does your pfsense get on its wan?  Is it a public IP or a private one? What do you have for a "modem", is it really a gateway and does it nat?  If your "modem" is giving the same network that you have on your lan of pfsense, it's not going to work.

    What IPs do your clients connected to pfsense get.. And you have another router behind pfsense.  Are you just using its switch ports or is it also doing nat?  It looks to me like you could have a triple nat going on.

    What is that soho router you're using, are you trying to use it just as AP and switch?  Turn off its dhcp server and connect it to your pfsense via a lan port on that router.  Give that router an IP on the network you have set up for pfsense lan.

    So for example if pfsense wan is public 24.x.x.x for example, or even say private 192.168.1.2 and your modem is 192.168.1.1, then pfsense lan should be say 192.168.0.0/24 with say IP of 192.168.0.1, and your clients should get 192.168.0.0/24 addresses from pfsense dhcp.

    Connect a client direct to pfsense lan or just use a switch and not the soho router - does it work then?

    Really this is click click working out of the box unless you say set up a gateway on the pfsense lan, which seems to be a common mistake, or you have overlapping networks on pfsense wan and lan, or you have nat behind pfsense like your soho router.



  • Yeah, I was thinking this would be an easy setup as well, and it was… it just ain't working  ;D
    It's a DOCSIS 3.0 modem (Netgear CG3000) so yeah it's a router as well, but it's in bridge mode with NAT turned off.
    Modem IP is: 10.14.24.6
    pfSense IP is: 10.14.255.45 (I see that the default gateway is 10.14.255.1, but that's just because it targets the interface, correct?)
    D-Link router: 192.168.1.100
    Client connected to pfSense gets: 192.168.1.101

    I have a D-Link DIR-868L behind my pfSense box. The idea was to use the pfSense as a perimeter firewall and only have WAN traffic going through, then use my D-Link as LAN router and default gateway for clients, as well as providing DHCP, wifi and switch ports.
    I'm 95% sure NAT is turned off, and I tried connecting clients directly to pfSense with the same result, so I believe the problem lies somewhere else.


  • LAYER 8 Global Moderator

    "Modem ip is: 10.14.24.6
    pfSense ip is: 10.14.255.45 (I see that the default gateway is 10.14.255.1,"

    How in the hell do you think that is bridge mode??  That is an rfc1918 address, 10.x.x.x – and pfsense isn't even talking to the "modem's" ip for its gateway?  Huh?

    That is never going to work.  So you want to route with your dlink - did you set up a route on pfsense to whatever segment you're going to put behind the dlink?  Or are you going to nat that?  To be honest that is a bad idea.

    Can pfsense even ping its gateway of 10.24.255.1??  BTW again that is not "bridge mode"; in bridge mode you would get a public IP from your isp..  Not an rfc1918 address. If it's rfc1918 then it's natted to be able to get to the internet, that is for sure.



  • Yeah, you're right about that, the pfSense box is getting a private IP address, but the modem is set to bridge mode with NAT turned off, and the pfSense WAN side gets addresses from DHCP. That's the way I'm supposed to get my IP address from my ISP, and it works through the D-Link router, so shouldn't it work with pfSense as well?
    Also I can ping the gateway, for whatever that's worth.

    And I only have one network segment right now, and I don't want to NAT between them if I do make more than one segment. The reason I wanna use the Netgear is I just want the pfSense box to be a firewall since it's really weak; I basically bought it to try out pfSense to see if I'm gonna build a more high-end machine dedicated for it, in which case I'm gonna get rid of the D-Link router.


  • LAYER 8 Global Moderator

    Did you reboot your device "modem" when you switched devices on it?  If the device is in bridge mode then pfsense should get a public IP.  If pfsense can ping that 10 address..  Where did it get that? Can pfsense ping to the internet, say 4.2.2.2 or 8.8.8.8?  I doubt it.

    I would reboot your isp device, then once it is up and running with all its lights showing it has an internet connection, connect pfsense.  Does it get a public IP then?  If so you should be golden.  If not it should still work, just with double nat.  You don't have a switch between your isp "modem" and pfsense do you - does this isp device have more than 1 lan port?  Are other devices connected that could be handing out dhcp?

    If you have only 1 segment, no you wouldn't be natting.  I am fairly sure whatever you are running pfsense on now can handle your network.. If your netgear could handle it before, anything that pfsense could boot on would be fine.  I see no use of the netgear at all, not sure what you think it's going to be saving the pfsense from doing, even if on the oldest of hardware??

    If you want your netgear as AP great, if you want to leverage it just for switch ports fine.  But either of those scenarios normally means you turn off the netgear dhcp server, give it a lan IP on your network lan segment and connect it to your lan via one of its lan ports.  Now you can set up its wifi and/or plug a device into one of the other lan ports and be on your 1 lan segment via dhcp from pfsense, and pfsense would be the gateway off the network.

    Your setup is no different than any other typical home setup.  Pfsense has wan (internet) and connection into lan = done.  To be honest setting up pfsense should take all of 5 minutes.. Depending on how fast you can install it or even boot live mode, etc.



  • @Pagger: are we talking about CGNAT here ? What is it with private addressing like 10.14../ ?

    When you had No pfSense in between, what was then the public IP number from ISP on Netgear-WAN and what was the private IP on Netgear-LAN ?



  • @johnpoz:

    Did you reboot your device "modem" when you switched devices on it?  If the device is in bridge mode then pfsense should get a public IP.  If pfsense can ping that 10 address..  Where did it get that? Can pfsense ping to the internet, say 4.2.2.2 or 8.8.8.8?  I doubt it.

    I would reboot your isp device, then once it is up and running with all its lights showing it has an internet connection, connect pfsense.  Does it get a public IP then?  If so you should be golden.  If not it should still work, just with double nat.  You don't have a switch between your isp "modem" and pfsense do you - does this isp device have more than 1 lan port?  Are other devices connected that could be handing out dhcp?

    If you have only 1 segment, no you wouldn't be natting.  I am fairly sure whatever you are running pfsense on now can handle your network.. If your netgear could handle it before, anything that pfsense could boot on would be fine.  I see no use of the netgear at all, not sure what you think it's going to be saving the pfsense from doing, even if on the oldest of hardware??

    If you want your netgear as AP great, if you want to leverage it just for switch ports fine.  But either of those scenarios normally means you turn off the netgear dhcp server, give it a lan IP on your network lan segment and connect it to your lan via one of its lan ports.  Now you can set up its wifi and/or plug a device into one of the other lan ports and be on your 1 lan segment via dhcp from pfsense, and pfsense would be the gateway off the network.

    Your setup is no different than any other typical home setup.  Pfsense has wan (internet) and connection into lan = done.  To be honest setting up pfsense should take all of 5 minutes.. Depending on how fast you can install it or even boot live mode, etc.

    I've already tried rebooting the modem several times with no difference.
    And no, I can't ping out from the pfSense box, and I don't have a switch between my modem and it.
    The Alix2d.13 barely meets the minimum requirements for pfSense, and I do have some servers with some traffic going sometimes and might wanna use VPN or something at the same time, so that's why I was thinking to use the D-Link. But you're right, it probably won't make much of a difference, and it's probably an unusual setup, but I don't see how it would be a negative thing to use the D-Link as gateway on the LAN side. If I have missed something, please do enlighten me :)
    I'm gonna try and turn off the modem for 48 hours and hopefully it will get a public IP afterwards, but if it does not, do you have any idea what else could be wrong, since it doesn't get a public IP address?
    @hda:

    @Pagger: are we talking about CGNAT here ? What is it with private addressing like 10.14../ ?

    When you had No pfSense in between, what was then the public IP number from ISP on Netgear-WAN and what was the private IP on Netgear-LAN ?

    No it isn't CGNAT, and what addresses are you talking about, you mean my D-Link? Because the Netgear is only used as modem, so I don't know what private LAN IP it should have?



  • @Pagger:


    No it isn't CGNAT, and what addresses are you talking about, you mean my D-Link? Because the Netgear is only used as modem, so I don't know what private LAN IP it should have?

    OK. Netgear MoDem only (bridge/pass-tru). So what was the D-Link-WAN public IP and the D-link private LAN IP  then at that point ?


  • LAYER 8 Global Moderator

    "because the Netgear is only used as modem"

    Oh my bad, I said netgear when I meant your D-link DIR-868L..

    Again what do you think your dlink would be doing that would save pfsense any cpu cycles?  Yes by all means use it as a switch.  But it's not going to save any cycles on pfsense using it as a downstream router.  You do understand pfsense doesn't require much.. I run mine in a VM on an older N40L HP microserver with only 512MB of ram and have no issues with it at all.

    All traffic that would be going to the internet would be going through pfsense; be it coming from what looks like 1 IP since your dlink is natting, or from different IPs, doesn't matter.  Traffic between machines on the same segment doesn't even talk to pfsense.  It goes through switch ports.

    There is NO use of that dlink other than switch/wifi - using it in route mode or nat mode only complicates your setup for no reason at all.

    Does not matter what you put behind pfsense, if pfsense can not talk to the internet - then nothing behind it would be able to get to the internet.  So a quick google on the cg3000 and bridge mode points to turning off wifi on it, then going to 192.168.0.1/RgNatControl.asp and turning off NAT.  Then rebooting it and plugging a device in to PORT1 of the lan ports.

    What port is pfsense plugged into on it?  How did you turn it into bridge?

    I would plug a computer in to port 1, does it get a public IP or some rfc1918 address?  If you're getting rfc1918 then it's not in bridge mode, that is for sure.



  • @hda:

    @Pagger:


    No it isn't CGNAT, and what addresses are you talking about, you mean my D-Link? Because the Netgear is only used as modem, so I don't know what private LAN IP it should have?

    OK. Netgear MoDem only (bridge/pass-tru). So what was the D-Link-WAN public IP and the D-link private LAN IP  then at that point ?

    I didn't really note them down as I expected them to work, but if I don't find a solution I will set it up as it was before, and then I will return with them.

    @johnpoz:

    "because the Netgear is only used as modem"

    Oh my bad, I said netgear when I meant your D-link DIR-868L..

    Again what do you think your dlink would be doing that would save pfsense any cpu cycles?  Yes by all means use it as a switch.  But it's not going to save any cycles on pfsense using it as a downstream router.  You do understand pfsense doesn't require much.. I run mine in a VM on an older N40L HP microserver with only 512MB of ram and have no issues with it at all.

    All traffic that would be going to the internet would be going through pfsense; be it coming from what looks like 1 IP since your dlink is natting, or from different IPs, doesn't matter.  Traffic between machines on the same segment doesn't even talk to pfsense.  It goes through switch ports.

    There is NO use of that dlink other than switch/wifi - using it in route mode or nat mode only complicates your setup for no reason at all.

    Does not matter what you put behind pfsense, if pfsense can not talk to the internet - then nothing behind it would be able to get to the internet.  So a quick google on the cg3000 and bridge mode points to turning off wifi on it, then going to 192.168.0.1/RgNatControl.asp and turning off NAT.  Then rebooting it and plugging a device in to PORT1 of the lan ports.

    What port is pfsense plugged into on it?  How did you turn it into bridge?

    I would plug a computer in to port 1, does it get a public IP or some rfc1918 address?  If you're getting rfc1918 then it's not in bridge mode, that is for sure.

    Well, I'm pretty sure that it doesn't NAT just because I use it as the default gateway on the LAN side.
    Also the Alix2d.13 has 128 MB of RAM minus what the system uses to run the embedded image.
    I was thinking that when I create more network segments it might offload it a little bit; as I said, probably a strange use, but I can't really see where the harm is.
    And yes, that's exactly how I did it, and I plugged it into the right port (which my D-Link used before and worked fine). When I plug a client into the modem in bridge mode it gets 10.14.255.61 and no internet access.



  • @Pagger:


    It's a Docsis 3.0 modem(Netgear CG3000) so yeah it's a router as well, but it's in bridge mode with NAT turned off.
    Modem ip is: 10.14.24.6
    pfSense ip is: 10.14.255.45
    ...

    Explain to us why this Netgear MoDem in bridge/pass-tru has & gives a private address… What's the point ?

    Who has given the pfSense (-WAN ?) a 10.14.255.45 ? Why this choice?



  • @Pagger:


    and I plugged it into the right port (which my D-Link used before and worked fine). When I plug a client into the modem in bridge mode it gets 10.14.255.61 and no internet access.

    Not MoDem only then… So, what is your public IP on the WAN side of the Netgear ? That public IP should go, MoDem transparent, onto the pfSense-WAN in case of MoDem-only bridge/pass-tru.

    But...
    If your Netgear is needed as MoDem-router and connected with pfSense-WAN, then give the pfSense-LAN f.i. 192.168.1.1/24
    Next a client can get a number like 192.168.1.101


  • LAYER 8 Global Moderator

    "when I plug a client into the modem in bridge mode it gets 10.14.255.61 and no internet access"

    And that is NOT bridge mode.. 10.x.x.x is an rfc1918 address and is not routable on the internet.  Plain and simple it just is not going to work with such an address if you have nat turned off on the device because you want it to be in bridge mode..  You sure you have internet access at all?

    So you're saying you plug in a device and you get internet with that 10.x address?  Or it works?  Sounds like you have no internet unless you do what?  How are you posting this if you have no internet?

    If so then post up an ipconfig /all from that machine plugged into your modem that is in bridge mode and do a trace route to say 8.8.8.8

    Example in the attached: I have a private address 192.168; when I try and go to the internet I hit my pfsense private lan address at 192.168.1.253, it nats that connection and sends it to my ISP on a public IP, in my case 24.13.x.x; that 24.13.x.1 is my ISP gateway, next hops are in the internet be it the isp network or others, etc.

    You having a 10.x address on something plugged into your modem tells me you have to be doing NAT, either at that device you're plugged into or your ISP is doing it on a global scale for all their customers.  10.x is not a public address..  If you were bridging you would see public, unless your isp is doing NAT in their network or your modem is not in bridge, etc.

    So let's see your internet connection work with a client plugged in to your modem.  Also if pfsense is on a private network on its wan, you prob want to turn off block rfc1918 addresses in the interface settings for your wan interface.

    As to using another router down stream.. Dude again you can use it as a switch or AP, etc..  But if you're going to have it NAT you're just going to cause yourself even more grief..
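    The address checks johnpoz walks through here (an rfc1918 lease on the WAN means something upstream is still natting, hda's CGNAT question, the gateway not being the modem, the WAN/LAN overlap and the "block private networks" setting from earlier in the thread), written out as one Python script. This is an added example, not code from the thread or from pfSense itself: the range labels, the /24 masks and the finding codes are my assumptions, and the sample values are the ones Pagger posted.

```python
"""Classify a pfSense WAN lease and list the thread's likely causes.
Added example (editor's code, not from the forum thread or pfSense)."""
import ipaddress
from typing import List, Tuple

# Ranges a WAN lease can land in. 100.64.0.0/10 (RFC 6598) is the carrier-grade
# NAT pool hda asked about; 169.254.0.0/16 is what a host falls back to when no
# DHCP server answered at all. Anything outside these is treated as public.
RANGES = [
    ("rfc1918", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    ("cgnat", ["100.64.0.0/10"]),
    ("link-local", ["169.254.0.0/16"]),
    ("loopback", ["127.0.0.0/8"]),
]
NETWORKS = [(label, [ipaddress.ip_network(n) for n in nets]) for label, nets in RANGES]


def classify_wan_address(addr: str) -> str:
    """Return the range label for an IPv4 address, or "public" if in none."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NETWORKS:
        if any(ip in net for net in nets):
            return label
    return "public"


def diagnose(wan_iface: str, wan_gateway: str, modem_ip: str,
             lan_iface: str, block_private_networks: bool) -> List[Tuple[str, str]]:
    """Run the thread's checks. Interfaces are given in CIDR form
    ("10.14.255.45/24"); each finding is a (code, explanation) pair."""
    findings: List[Tuple[str, str]] = []
    wan = ipaddress.ip_interface(wan_iface)
    lan = ipaddress.ip_interface(lan_iface)
    gw = ipaddress.ip_address(wan_gateway)
    kind = classify_wan_address(str(wan.ip))

    if kind in ("rfc1918", "cgnat"):
        findings.append(("private-wan",
                         f"WAN lease {wan.ip} is {kind}: the modem is not really bridged "
                         "or the ISP nats upstream; a bridged modem hands out a public IP"))
        # In true bridge mode the gateway belongs to the ISP, so this check only
        # means something when the lease itself is private.
        if gw != ipaddress.ip_address(modem_ip):
            findings.append(("gateway-not-modem",
                             f"default gateway {gw} is not the modem's address {modem_ip}: "
                             "the lease came from a DHCP server beyond the modem"))
    elif kind == "link-local":
        findings.append(("no-dhcp", f"{wan.ip} is a link-local fallback: no DHCP offer arrived"))

    if gw not in wan.network:
        findings.append(("gateway-off-subnet",
                         f"gateway {gw} is outside the WAN subnet {wan.network}"))
    if wan.network.overlaps(lan.network):
        findings.append(("wan-lan-overlap",
                         f"WAN {wan.network} overlaps LAN {lan.network}; routing cannot work"))
    if kind != "public" and block_private_networks:
        findings.append(("block-private-on",
                         "'Block private networks' on WAN drops traffic from the private "
                         "upstream; disable it while the WAN lease is private"))
    return findings


if __name__ == "__main__":
    # Constructed from the values in the thread; the /24 masks are assumed.
    for code, why in diagnose("10.14.255.45/24", "10.14.255.1", "10.14.24.6",
                              "192.168.1.1/24", block_private_networks=True):
        print(f"[{code}] {why}")
```

    Run as-is it prints the three findings for Pagger's setup (private WAN lease, gateway that is not the modem, block-private-networks still on); feeding it a public lease with its ISP gateway returns an empty list.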




  • @hda:

    @Pagger:


    It's a Docsis 3.0 modem(Netgear CG3000) so yeah it's a router as well, but it's in bridge mode with NAT turned off.
    Modem ip is: 10.14.24.6
    pfSense ip is: 10.14.255.45
    ...

    Explain to us why this Netgear MoDem in bridge/pass-tru has & gives a private address… What's the point ?

    Who has given the pfSense (-WAN ?) a 10.14.255.45 ? Why this choice?

    I get my Internet from my ISP by DHCP and not static. When I plug in the D-Link instead of pfSense it is working, and the modem is definitely set to NAT turned off aka bridge mode, so I can't really explain why; that's what I'm trying to find out.
    @hda:

    @Pagger:


    and I plugged it into the right port (which my D-Link used before and worked fine). When I plug a client into the modem in bridge mode it gets 10.14.255.61 and no internet access.

    Not MoDem only then… So, what is your public IP on the WAN side of the Netgear ? That public IP should go, MoDem transparent, onto the pfSense-WAN in case of MoDem-only bridge/pass-tru.

    But...
    If your Netgear is needed as MoDem-router and connected with pfSense-WAN, then give the pfSense-LAN f.i. 192.168.1.1/24
    Next a client can get a number like 192.168.1.101

    The only IP I can see in the web interface when it's in bridge mode is the cable modem IP address, which is 10.14.24.6.
    And the physical setup is like you mention: modem port 1 goes to pfSense WAN, and the LAN side is set up like that.
    The thing is, when I plug in the D-Link instead of pfSense, the D-Link's WAN port gets my public IP address as it should; pfSense just doesn't.
    @johnpoz:

    "when I plug a client into the modem in bridge mode it gets 10.14.255.61 and no internet access"

    And that is NOT bridge mode.. 10.x.x.x is an rfc1918 address and is not routable on the internet.  Plain and simple it just is not going to work with such an address if you have nat turned off on the device because you want it to be in bridge mode..  You sure you have internet access at all?

    So you're saying you plug in a device and you get internet with that 10.x address?  Or it works?  Sounds like you have no internet unless you do what?  How are you posting this if you have no internet?

    If so then post up an ipconfig /all from that machine plugged into your modem that is in bridge mode and do a trace route to say 8.8.8.8

    Example in the attached: I have a private address 192.168; when I try and go to the internet I hit my pfsense private lan address at 192.168.1.253, it nats that connection and sends it to my ISP on a public IP, in my case 24.13.x.x; that 24.13.x.1 is my ISP gateway, next hops are in the internet be it the isp network or others, etc.

    You having a 10.x address on something plugged into your modem tells me you have to be doing NAT, either at that device you're plugged into or your ISP is doing it on a global scale for all their customers.  10.x is not a public address..  If you were bridging you would see public, unless your isp is doing NAT in their network or your modem is not in bridge, etc.

    So let's see your internet connection work with a client plugged in to your modem.  Also if pfsense is on a private network on its wan, you prob want to turn off block rfc1918 addresses in the interface settings for your wan interface.

    As to using another router down stream.. Dude again you can use it as a switch or AP, etc..  But if you're going to have it NAT you're just going to cause yourself even more grief..

    No, I never said that I've got internet with a 10.x address; I'm using 4G to post this. I don't get internet with the modem in bridge mode and clients connected directly (they get that 10.x address as I posted), or through pfSense (pfSense gets that 10.x address). Through the D-Link, yes I do get internet, but I see that the WAN interface on the D-Link gets my public IP. If I turn bridge mode off and connect clients directly to the modem it works as well (again, not with a 10.x address).
    The problem is when I connect the pfSense, it keeps getting that 10.x address, whereas with the D-Link it works just fine, and it gets my public IP.

    Also I don't believe the ISP is doing NAT; in the 2 scenarios where I do have internet access, either my Netgear or my D-Link is doing NAT.
    You wanna see a tracert for a working connection? Or is it because you thought I said I had internet access with a 10.x address directly connected to the modem?
    And I'm already blocking RFC1918 on the WAN interface, and as I tried to explain, the D-Link isn't doing NAT; I'm just using it as a LAN router and then trying to set up pfSense as a perimeter firewall.



  • @Pagger:


    I get my Internet from my ISP by DHCP and not static. When I plug in the D-Link instead of pfSense it is working, and the modem is definitely set to NAT turned off aka bridge mode, so I can't really explain why; that's what I'm trying to find out.
    ...

    Well, if you cannot find out or understand your Netgear & D-Link stuff, forget about the pfSense. It is a brainer. :D



  • Just a wild guess, but try spoofing the MAC address of your D-Link on the WAN interface of pfsense…




  • @hda:

    @Pagger:


    I get my Internet from my ISP by DHCP and not static. When I plug in the D-Link instead of pfSense it is working, and the modem is definitely set to NAT turned off aka bridge mode, so I can't really explain why; that's what I'm trying to find out.
    ...

    Well, if you cannot find out or understand your Netgear & D-Link stuff, forget about the pfSense. It is a brainer. :D

    But I do understand my "Netgear & D-Link stuff" :P and I have set up Linux distros like ClearOS before which worked like a charm. From what I can tell pfSense should be able to do the same, and it should be set up correctly, so what I can't understand is why it ain't working as it should :P

    @surrural:

    Just a wild guess, but try spoofing the MAC address of your D-Link on the WAN interface of pfsense…

    Thanks, I'm gonna try that; if that doesn't work I'm gonna try and turn off the modem for 48 hours, which should give me a new public IP, and then hope that it helps.

    Edit: Better late than never, but I figured I would update this. Spoofing the MAC address worked; the second I changed it back (since I want my D-Link on the network as well) it stopped working though, but after a call to the ISP I got them to reset it so it wasn't locked to the MAC address of my D-Link.
    I thank all of you for the help.


  • LAYER 8 Global Moderator

    So when you connect your dlink and it gets a public IP.  Disconnect it and reboot your modem (if it has battery backup on the modem pull the battery), then connect pfsense or a client.  Does it work then?

    Quite often when you change a device connected to a modem you have to reboot it to clear the mac cache on the modem.  And I do believe from what I read on that device you have to be connected to port 1 to get the public.

    You can use pfsense in double nat if you can not get bridge mode to work.  But if it works with the dlink then it should work with anything.  Unless for some reason your isp has it locked to that mac of the dlink - if that is the case you can try cloning the mac of the dlink.


