New installation

kryp

Newbie question :

I have a static public ip address  aaa.aaa.aa.3

My router Ip is xxx.xx.x.86  255.255.255.252 (connected through wimax)
My Gateway is xxx.xx.x.85

I do not get internet connection at all , and wan side shows connected with good dns address.

My ISP says problem come from natting.

Can anyone help how to setup pfsense correctly to make it work

Thanks

GruensFroeschli

What exactly is your problem?
is aaa.aaa.aa the same as xxx.xx.xx ?
Are you trying to route a public subnet behind pfSense?
Or do you have just a single private IP?

(you could generally provide a bit more information –> http://forum.pfsense.org/index.php/topic,7001.0.html )

kryp

hi GruensFroeschli

is aaa.aaa.aa the same as xxx.xx.xx ?

no its not same, aaa.aaa.aa is my static public ip address and xxx.xx.x.86 is the ISP winmax ip address with

Are you trying to route a public subnet behind pfSense?
yes i think that is the  idea .

Cry Havok

Can you publish the real IPs?

kryp

yes

I have a static public ip address  196.192.8x.x

My router Ip is 172.30.x.86  255.255.255.252 (connected through wimax)
My Gateway is 172.30.x.85

My dns resolve corectly as per Isp details viewed status >  interface

and i can ping my gateway 172.30.x.85 with 0 loss

GruensFroeschli

um….
Those are private IP's and NOT public IP's.
(the 172.30 IP's)

So your WAN lies in a private subnet.
Try to disable the "Block RFC1918" checkbox on the WAN page.

I assume your provider just forwards the traffic for the public 196.192.8x.x IP to your private 172.30.x.86 IP.

kryp

tried already to disable the "Block RFC1918" checkbox on the WAN page

but still no internet connection

GruensFroeschli

What provider is that?
Could you find out if they just forward the traffic from the public IP you have to your private IP on your WAN?
What subnet do you have behind pfSense?
You dont per chance have 196.192.8x.x as your subnet behind pfSense, do you? (which should not work)

kryp

the subnet is 255.255.255.252

they just installed a cisco 851 router and it is working, but tomorrow i will get the config then i will paste it here

but i wish to use pfsense as i will have 2 ISP, one of them is working good with pfsense, only the Wimax one is getting this problem

thanks

GruensFroeschli

255.255.255.252 is the netmask not the subnet. –> .252 is a /30 subnet, meaning that only the router and a single IP can be in the subnet.
Are you really sure that you have only 1 IP behind pfSense? (i kind of doubt that)

Let me rephrase the question: do you have public IP's behind pfSense or private IP's?

(private IP's are
192.168.x.x
172.16.x.x up to 172.31.x.x
10.x.x.x )

Since you already have a private IP on the WAN you have to make sure that the IP's behind the pfSense are in another range.

kryp

here is cisco conig that working :

sh run
Building configuration…

Current configuration : 4275 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname customer
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$relN$eKIdQirzqbPjL0yjJpomp.
!
no aaa new-model
!
!
!
crypto pki trustpoint TP-self-signed-3915657441
enrollment selfsigned
--More--          subject-name cn=IOS-Self-Signed-Certificate-3915657441
revocation-check none
rsakeypair TP-self-signed-3915657441
!
!
crypto pki certificate chain TP-self-signed-3915657441
certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33393135 36353734 3431301E 170D3032 30333031 30303036
  35345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39313536
  35373434 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100ADF2 7273D23F 73853322 842D19AC F7BAD0D5 E7D7917B 17214391 5333D79B
  DBFE8908 F06012EF 52A185AE C458194C 2A62B2CE A85B7991 1105BD55 E45BB3FD
  53CE8385 4260727A 52DF8209 49869179 E32AD543 E4D42EE7 6298CB86 3B2DAF51
  194957B5 C4E663F6 9D7F140B 7FA5EE92 C6205BDA E9BA9C22 4145FA84 17E002D2
  35C30203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 14C31AF1 2CF4AAA3 947AA24F CFC72BD7 BF70319F
  EF301D06 03551D0E 04160414 C31AF12C F4AAA394 7AA24FCF C72BD7BF 70319FEF
  300D0609 2A864886 F70D0101 04050003 81810071 3B9C1735 070ABBCC 3C3CE8C5
  D636CBA6 A9AA9E0F DB01515D B47E39C4 5973617D 55CBF4C1 405347D0 A84A86E1
--More--           AF9340B7 9726F4C0 238BCACD 180A7D91 B2E1F05C 979D0A26 3EF0B7C3 50BD13BC
  C1C48F21 B2977B0D 8D26BF55 9C7A7864 03937AD0 B0320AB0 A3ACB6E8 E9889577
  EA210769 B22C24AC F61553E8 268E059D 3F8D53
  quit
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool sdm-pool
  import all
  network 192.168.1.0 255.255.255.0
  default-router 192.168.1.1
  lease 0 2
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
!
!
!
username customer privilege 15 password 7 045E76457348871C5A4D
archive
log config
--More--           hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 172.30.x.86 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
--More--          ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip route 0.0.0.0 0.0.0.0 172.30.x.85
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool customer 196.192.8x.x 196.192.8x.x netmask 255.255.255.252
ip nat inside source list 102 pool customer overload
ip nat inside source static tcp 192.168.1.5 3389 196.192.8x.x 3389 extendable
ip nat inside source static tcp 192.168.1.5 5079 196.192.8x.x 5079 extendable
!
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
control-plane
!
banner login ^C
--More--         -----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>no username cisco

Replace <myuser>and <mypassword>with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm

^C
!
line con 0
--More--          login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end

AnswerPlus#</mypassword></myuser></mypassword></myuser>

hope this can help out

Cry Havok

From my reading of that you have:

ISP –-- (172.30.x.86/30) Cisco/pfSense (192.168.1.1) --- Internal LAN ---<somewhere>--- 196.192.8x.x

Would that be correct?</somewhere>

kryp

Its more like this right now :

INTERNET      –-> ISP                              ---> WiMax              --->    CISCO ---> INTERNAL LAN
FIXED IP                PRIVATE STATIC IP          Wireless Connection                            DHCP 192.168.1.1
196.192.8x.x          172.30.x.86
                          gateway 172.30.x.85

but i would like to remove the cisco completely and insert Pfsense instead .

Cry Havok

Ok, so 196.192 is a red herring - it isn't actually allocated to any of your devices?

What device handles the Wireless connection?

kryp

finally now it is working .  with this config :

• <pfsense><version>3.0</version>
    <lastchange><theme>nervecenter</theme>
• <system><optimization>normal</optimization>
    <hostname>pfSense</hostname>
    <domain>local</domain>
    <dnsallowoverride><username>admin</username>
    <password>$1$GCmX2tUH$tublAsTINLcuehl9l6AJ9.</password>
    <timezone>Etc/UTC</timezone>
    <time-update-interval>300</time-update-interval>
    <timeservers>0.pfsense.pool.ntp.org</timeservers>
• <webgui><protocol>http</protocol></webgui>
    <disablenatreflection>yes</disablenatreflection>
    <dnsserver>196.192.x.x</dnsserver>
    <dnsserver>213.200.xx.xx</dnsserver></dnsallowoverride></system>
• <interfaces>- <lan><if>rl0</if>
    <ipaddr>192.168.1.1</ipaddr>
    <subnet>24</subnet>
    <media><mediaopt><bandwidth>100</bandwidth>
    <bandwidthtype>Mb</bandwidthtype></mediaopt></media></lan>
• <wan><if>vr1</if>
    <mtu><media><mediaopt><bandwidth>100</bandwidth>
    <bandwidthtype>Mb</bandwidthtype>
    <spoofmac>00:1d:60:25:30:72</spoofmac>
    <disableftpproxy><ipaddr>172.30.x.86</ipaddr>
    <subnet>30</subnet>
    <gateway>172.30.x.85</gateway>
    <blockpriv>on</blockpriv>
    <dhcphostname></dhcphostname></disableftpproxy></mediaopt></media></mtu></wan>
• <opt1><if>vr0</if>
    <descr>OPT1</descr></opt1></interfaces>
    <staticroutes>- <pppoe><username><password></password></username></pppoe>
• <pptp><username><password><local></local></password></username></pptp>
• <bigpond><username><password><authserver><authdomain><minheartbeatinterval></minheartbeatinterval></authdomain></authserver></password></username></bigpond>
• <dyndns><type>dyndns</type>
    <username><password></password></username></dyndns>
• <dhcpd>- <lan><enable>- <range><from>192.168.1.10</from>
    <to>192.168.1.245</to></range></enable></lan></dhcpd>
• <pptpd><mode><redir><localip></localip></redir></mode></pptpd>
    <ovpn>- <dnsmasq><enable></enable></dnsmasq>
• <snmpd><syslocation><syscontact><rocommunity>public</rocommunity></syscontact></syslocation></snmpd>
• <diag>- <ipv6nat><ipaddr></ipaddr></ipv6nat></diag>
    <bridge><syslog>- <nat><ipsecpassthru>- <advancedoutbound>- <rule>- <source>
    <network>any</network>
   
    <sourceport><descr><target>196.192.xx.x</target>
    <interface>lan</interface>
• <destination><any></any></destination>
    <natport></natport></descr></sourceport></rule>
• <rule>- <source>
    <network>any</network>
   
    <sourceport><descr><target>196.192.xx.x</target>
    <interface>wan</interface>
• <destination><any></any></destination>
    <natport></natport></descr></sourceport></rule>
• <rule>- <source>
    <network>192.168.1.0/24</network>
   
    <sourceport><descr>Auto created rule for LAN</descr>
    <target><interface>wan</interface>
• <destination><any></any></destination>
    <natport></natport></target></sourceport></rule>
    <enable></enable></advancedoutbound></ipsecpassthru></nat>
• <filter>- <rule><type>pass</type>
    <interface>wan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp</protocol>
• <source>
    <any>- <destination><any></any></destination></any></os></statetimeout></max-src-states></max-src-nodes></rule>
• <rule><type>pass</type>
    <descr>Default LAN -> any</descr>
    <interface>lan</interface>
• <source>
    <network>lan</network>
• <destination><any></any></destination></rule>
• <rule><type>pass</type>
    <interface>lan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp</protocol>
• <source>
    <any>- <destination><any></any></destination></any></os></statetimeout></max-src-states></max-src-nodes></rule></filter>
    <shaper>- <ipsec><preferredoldsa></preferredoldsa></ipsec>
    <aliases><proxyarp>- <cron>- <minute>0</minute>
    <hour></hour>
    <mday></mday>
    <month></month>
    <wday></wday>
    <who>root</who>
    <command></command>/usr/bin/nice -n20 newsyslog
• <minute>1,31</minute>
    <hour>0-5</hour>
    <mday></mday>
    <month></month>
    <wday>*</wday>
    <who>root</who>
    <command></command>/usr/bin/nice -n20 adjkerntz -a
• <minute>1</minute>
    <hour>3</hour>
    <mday>1</mday>
    <month></month>
    <wday></wday>
    <who>root</who>
    <command></command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh
• <minute>/60</minute>
    <hour></hour>
    <mday></mday>
    <month></month>
    <wday>*</wday>
    <who>root</who>
    <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
• <minute>1</minute>
    <hour>1</hour>
    <mday></mday>
    <month></month>
    <wday>*</wday>
    <who>root</who>
    <command></command>/usr/bin/nice -n20 /etc/rc.dyndns.update
• <minute>/60</minute>
    <hour></hour>
    <mday></mday>
    <month></month>
    <wday>*</wday>
    <who>root</who>
    <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot
• <minute>/60</minute>
    <hour></hour>
    <mday></mday>
    <month></month>
    <wday>*</wday>
    <who>root</who>
    <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c
• <minute>/5</minute>
    <hour></hour>
    <mday></mday>
    <month></month>
    <wday>*</wday>
    <who>root</who>
    <command></command>/usr/local/bin/checkreload.sh
• <minute>/5</minute>
    <hour></hour>
    <mday></mday>
    <month></month>
    <wday>*</wday>
    <who>root</who>
    <command></command>/etc/ping_hosts.sh
• <minute>/140</minute>
    <hour></hour>
    <mday></mday>
    <month></month>
    <wday>*</wday>
    <who>root</who>
    <command></command>/usr/local/sbin/reset_slbd.sh</cron>
    <wol><installedpackages>- <revision><description>/firewall_nat_out.php made unknown change</description>
    <time>1207288229</time></revision>
• <rrd><enable></enable></rrd>
• <virtualip>- <vip><mode>proxyarp</mode>
    <interface>wan</interface>
    <descr><type>single</type>
    <subnet_bits>32</subnet_bits>
    <subnet>196.192.xx.x</subnet></descr></vip></virtualip></installedpackages></wol></proxyarp></aliases></shaper></syslog></bridge></ovpn></staticroutes></lastchange></pfsense>

tried a lot on NAT outbound + virtual ip then worked .  thanks for helping .