    New installation

    General pfSense Questions
    kryp:

      Newbie question:

      I have a static public IP address aaa.aaa.aa.3

      My router IP is xxx.xx.x.86 255.255.255.252 (connected through WiMAX)
      My gateway is xxx.xx.x.85

      I do not get an internet connection at all, and the WAN side shows connected with a good DNS address.

      My ISP says the problem comes from NAT.

      Can anyone help with how to set up pfSense correctly to make it work?

      Thanks

      GruensFroeschli:

        What exactly is your problem?
        Is aaa.aaa.aa the same as xxx.xx.xx?
        Are you trying to route a public subnet behind pfSense?
        Or do you have just a single private IP?

        (You could generally provide a bit more information -> http://forum.pfsense.org/index.php/topic,7001.0.html )

        kryp:

          Hi GruensFroeschli

          Is aaa.aaa.aa the same as xxx.xx.xx?

          No, it's not the same. aaa.aaa.aa is my static public IP address and xxx.xx.x.86 is the ISP WiMAX IP address with

          Are you trying to route a public subnet behind pfSense?
          Yes, I think that is the idea.

          Cry Havok:

            Can you publish the real IPs?

            kryp:

              Yes.

              I have a static public IP address 196.192.8x.x

              My router IP is 172.30.x.86 255.255.255.252 (connected through WiMAX)
              My gateway is 172.30.x.85

              My DNS resolves correctly as per the ISP details, viewed under Status > Interfaces,

              and I can ping my gateway 172.30.x.85 with 0 loss.

              GruensFroeschli:

                Um....
                Those are private IPs and NOT public IPs.
                (the 172.30 IPs)

                So your WAN lies in a private subnet.
                Try to disable the "Block RFC1918" checkbox on the WAN page.

                I assume your provider just forwards the traffic for the public 196.192.8x.x IP to your private 172.30.x.86 IP.

                kryp:

                  I already tried disabling the "Block RFC1918" checkbox on the WAN page,

                  but there is still no internet connection.

                  GruensFroeschli:

                    What provider is that?
                    Could you find out if they just forward the traffic from the public IP you have to your private IP on your WAN?
                    What subnet do you have behind pfSense?
                    You don't by any chance have 196.192.8x.x as your subnet behind pfSense, do you? (which should not work)

                    kryp:

                      The subnet is 255.255.255.252

                      They just installed a Cisco 851 router and it is working, but tomorrow I will get the config and then I will paste it here.

                      But I wish to use pfSense as I will have 2 ISPs; one of them is working well with pfSense, only the WiMAX one is getting this problem.

                      Thanks

                      GruensFroeschli:

                        255.255.255.252 is the netmask, not the subnet. -> .252 is a /30 subnet, meaning that only the router and a single IP can be in the subnet.
                        Are you really sure that you have only 1 IP behind pfSense? (I kind of doubt that)

                        Let me rephrase the question: do you have public IPs behind pfSense or private IPs?

                        (Private IPs are
                        192.168.x.x
                        172.16.x.x up to 172.31.x.x
                        10.x.x.x)

                        Since you already have a private IP on the WAN, you have to make sure that the IPs behind the pfSense are in another range.

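As an added example (not code from the thread or from pfSense), here is a small Python check that does the arithmetic GruensFroeschli is describing: turn a dotted netmask into a prefix length, list the usable addresses of a /30, classify an address as RFC1918 or public, and confirm that a LAN range does not overlap the WAN link. The addresses 172.30.0.86 and 196.192.80.1 are constructed stand-ins for the masked 172.30.x.86 and 196.192.8x.x.

```python
import ipaddress

# Added example, not code from the thread or from pfSense. The addresses used
# below are constructed stand-ins for the masked 172.30.x.86 and 196.192.8x.x.

def prefix_from_netmask(netmask: str) -> int:
    """Turn a dotted netmask such as 255.255.255.252 into a prefix length (30)."""
    return ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen

def describe_link(ip: str, netmask: str) -> dict:
    """Describe the subnet an interface sits in: the network, the usable host
    addresses, and whether the address is RFC1918 (private) or public."""
    iface = ipaddress.IPv4Interface(f"{ip}/{prefix_from_netmask(netmask)}")
    net = iface.network
    return {
        "address": str(iface.ip),
        "network": str(net),                             # e.g. 172.30.0.84/30
        "usable_hosts": [str(h) for h in net.hosts()],   # a /30 has exactly two
        "is_private": iface.ip.is_private,               # 10/8, 172.16/12, 192.168/16
    }

def lan_conflicts_with_wan(lan_cidr: str, wan_ip: str, wan_netmask: str) -> bool:
    """True if the LAN range overlaps the WAN subnet: pfSense would then have two
    interfaces claiming the same addresses, which is what the reply warns about."""
    lan = ipaddress.IPv4Network(lan_cidr, strict=False)
    wan = ipaddress.IPv4Interface(f"{wan_ip}/{prefix_from_netmask(wan_netmask)}").network
    return lan.overlaps(wan)

if __name__ == "__main__":
    for addr in ("172.30.0.86", "196.192.80.1"):
        info = describe_link(addr, "255.255.255.252")
        kind = "private (RFC1918)" if info["is_private"] else "public"
        print(f"{addr} is {kind}; subnet {info['network']}, usable hosts {info['usable_hosts']}")
    print("LAN 192.168.1.0/24 overlaps WAN:",
          lan_conflicts_with_wan("192.168.1.0/24", "172.30.0.86", "255.255.255.252"))
    print("LAN 172.30.0.0/24 overlaps WAN:",
          lan_conflicts_with_wan("172.30.0.0/24", "172.30.0.86", "255.255.255.252"))
```

Run as a script it prints that the WAN address is private and sits in a /30 whose only two usable addresses are the gateway (.85) and the router (.86), which is exactly why there is no room for a second public host on that link.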
                        kryp:

                          Here is the Cisco config that is working:

                          sh run
                          Building configuration…

                          Current configuration : 4275 bytes
                          !
                          version 12.4
                          no service pad
                          service timestamps debug datetime msec
                          service timestamps log datetime msec
                          service password-encryption
                          !
                          hostname customer
                          !
                          boot-start-marker
                          boot-end-marker
                          !
                          logging buffered 51200 warnings
                          enable secret 5 $1$relN$eKIdQirzqbPjL0yjJpomp.
                          !
                          no aaa new-model
                          !
                          !
                          !
                          crypto pki trustpoint TP-self-signed-3915657441
                          enrollment selfsigned
                           subject-name cn=IOS-Self-Signed-Certificate-3915657441
                          revocation-check none
                          rsakeypair TP-self-signed-3915657441
                          !
                          !
                          crypto pki certificate chain TP-self-signed-3915657441
                          certificate self-signed 01
                            3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
                            31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
                            69666963 6174652D 33393135 36353734 3431301E 170D3032 30333031 30303036
                            35345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
                            4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39313536
                            35373434 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
                            8100ADF2 7273D23F 73853322 842D19AC F7BAD0D5 E7D7917B 17214391 5333D79B
                            DBFE8908 F06012EF 52A185AE C458194C 2A62B2CE A85B7991 1105BD55 E45BB3FD
                            53CE8385 4260727A 52DF8209 49869179 E32AD543 E4D42EE7 6298CB86 3B2DAF51
                            194957B5 C4E663F6 9D7F140B 7FA5EE92 C6205BDA E9BA9C22 4145FA84 17E002D2
                            35C30203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
                            551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
                            301F0603 551D2304 18301680 14C31AF1 2CF4AAA3 947AA24F CFC72BD7 BF70319F
                            EF301D06 03551D0E 04160414 C31AF12C F4AAA394 7AA24FCF C72BD7BF 70319FEF
                            300D0609 2A864886 F70D0101 04050003 81810071 3B9C1735 070ABBCC 3C3CE8C5
                            D636CBA6 A9AA9E0F DB01515D B47E39C4 5973617D 55CBF4C1 405347D0 A84A86E1
                             AF9340B7 9726F4C0 238BCACD 180A7D91 B2E1F05C 979D0A26 3EF0B7C3 50BD13BC
                            C1C48F21 B2977B0D 8D26BF55 9C7A7864 03937AD0 B0320AB0 A3ACB6E8 E9889577
                            EA210769 B22C24AC F61553E8 268E059D 3F8D53
                            quit
                          no ip dhcp use vrf connected
                          ip dhcp excluded-address 192.168.1.1
                          !
                          ip dhcp pool sdm-pool
                            import all
                            network 192.168.1.0 255.255.255.0
                            default-router 192.168.1.1
                            lease 0 2
                          !
                          !
                          ip cef
                          no ip domain lookup
                          ip domain name yourdomain.com
                          !
                          !
                          !
                          username customer privilege 15 password 7 045E76457348871C5A4D
                          archive
                          log config
                           hidekeys
                          !
                          !
                          !
                          !
                          !
                          interface FastEthernet0
                          !
                          interface FastEthernet1
                          !
                          interface FastEthernet2
                          !
                          interface FastEthernet3
                          !
                          interface FastEthernet4
                          ip address 172.30.x.86 255.255.255.252
                          ip nat outside
                          ip virtual-reassembly
                          duplex auto
                          speed auto
                          !
                          interface Vlan1
                          description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
                           ip address 192.168.1.1 255.255.255.0
                          ip nat inside
                          ip virtual-reassembly
                          ip tcp adjust-mss 1452
                          !
                          ip route 0.0.0.0 0.0.0.0 172.30.x.85
                          !
                          ip http server
                          ip http access-class 23
                          ip http authentication local
                          ip http secure-server
                          ip http timeout-policy idle 60 life 86400 requests 10000
                          ip nat pool customer 196.192.8x.x 196.192.8x.x netmask 255.255.255.252
                          ip nat inside source list 102 pool customer overload
                          ip nat inside source static tcp 192.168.1.5 3389 196.192.8x.x 3389 extendable
                          ip nat inside source static tcp 192.168.1.5 5079 196.192.8x.x 5079 extendable
                          !
                          access-list 102 permit ip 192.168.1.0 0.0.0.255 any
                          no cdp run
                          !
                          control-plane
                          !
                          banner login ^C
                           -----------------------------------------------------------------------
                          Cisco Router and Security Device Manager (SDM) is installed on this device.
                          This feature requires the one-time use of the username "cisco"
                          with the password "cisco". The default username and password have a privilege level of 15.

                          Please change these publicly known initial credentials using SDM or the IOS CLI.
                          Here are the Cisco IOS commands.

                           username <myuser> privilege 15 secret 0 <mypassword>
                           no username cisco

                           Replace <myuser> and <mypassword> with the username and password you want to use.

                          For more information about SDM please follow the instructions in the QUICK START
                          GUIDE for your router or go to http://www.cisco.com/go/sdm

                          ^C
                          !
                          line con 0
                           login local
                          no modem enable
                          line aux 0
                          line vty 0 4
                          privilege level 15
                          login local
                          transport input telnet ssh
                          !
                          scheduler max-task-time 5000
                          end

                           AnswerPlus#

                          Hope this can help out.

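Added example (not kryp's or Cisco's code): a Python parser that pulls the NAT statements out of an IOS running-config like the one above and answers the two questions that matter when recreating it on pfSense: which inside hosts leave with the public address (the overload rule, gated by access-list 102), and which inbound services the static entries expose to the internet (here 3389, the RDP port, and 5079 forwarded to 192.168.1.5). The sample config is constructed from the NAT-related lines above, with 172.30.0.86 and 196.192.80.1 standing in for the masked addresses.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Added example, not kryp's or Cisco's code. The sample below is constructed from
# the NAT-related lines of the IOS config in the thread, with 172.30.0.86 and
# 196.192.80.1 standing in for the masked addresses.
SAMPLE_IOS = """\
interface FastEthernet4
 ip address 172.30.0.86 255.255.255.252
 ip nat outside
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip route 0.0.0.0 0.0.0.0 172.30.0.85
ip nat pool customer 196.192.80.1 196.192.80.1 netmask 255.255.255.252
ip nat inside source list 102 pool customer overload
ip nat inside source static tcp 192.168.1.5 3389 196.192.80.1 3389 extendable
ip nat inside source static tcp 192.168.1.5 5079 196.192.80.1 5079 extendable
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
"""

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask (\S+)")
OVERLOAD_RE = re.compile(r"^ip nat inside source list (\S+) pool (\S+) overload")
STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) any")

@dataclass
class NatSummary:
    pools: dict = field(default_factory=dict)        # name -> (first, last)
    overload: list = field(default_factory=list)     # (acl, pool) PAT rules
    static: list = field(default_factory=list)       # (proto, in_ip, in_port, out_ip, out_port)
    acl_sources: dict = field(default_factory=dict)  # acl -> [IPv4Network]

def parse_nat(config: str) -> NatSummary:
    """Collect the NAT pool, overload rule, static port maps and source ACLs."""
    s = NatSummary()
    for raw in config.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            s.pools[m[1]] = (m[2], m[3])
        elif m := OVERLOAD_RE.match(line):
            s.overload.append((m[1], m[2]))
        elif m := STATIC_RE.match(line):
            s.static.append((m[1], m[2], int(m[3]), m[4], int(m[5])))
        elif m := ACL_RE.match(line):
            # IOS ACLs use wildcard (inverse) masks; ipaddress accepts a hostmask directly.
            s.acl_sources.setdefault(m[1], []).append(ipaddress.IPv4Network(f"{m[2]}/{m[3]}"))
    return s

def public_address_for(summary: NatSummary, inside_ip: str):
    """The public address an inside host leaves with under the overload (PAT) rule,
    or None if no ACL matches it (it would then go out untranslated)."""
    ip = ipaddress.IPv4Address(inside_ip)
    for acl, pool in summary.overload:
        if any(ip in net for net in summary.acl_sources.get(acl, [])):
            return summary.pools[pool][0]
    return None

def exposed_services(summary: NatSummary) -> list:
    """Inbound exposure created by the static entries: what the internet can reach."""
    return [f"{proto}/{oport} on {oip} -> {iip}:{iport}"
            for proto, iip, iport, oip, oport in summary.static]

if __name__ == "__main__":
    s = parse_nat(SAMPLE_IOS)
    print("outbound: 192.168.1.20 ->", public_address_for(s, "192.168.1.20"))
    print("inbound exposure:", *exposed_services(s), sep="\n  ")
```

The two lists this produces map directly onto what has to exist on the pfSense side: one outbound NAT rule translating 192.168.1.0/24 to the public address, and one port forward per static entry. Reviewing the exposure list before migrating is also the moment to decide whether each forwarded service (RDP to 192.168.1.5 in this case) should still be reachable from the internet at all.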
                          Cry Havok:

                            From my reading of that you have:

                            ISP --- (172.30.x.86/30) Cisco/pfSense (192.168.1.1) --- Internal LAN --- <somewhere> --- 196.192.8x.x

                            Would that be correct?

                            kryp:

                              It's more like this right now:

                              INTERNET ---> ISP ---> WiMax ---> CISCO ---> INTERNAL LAN
                              INTERNET: fixed IP 196.192.8x.x
                              ISP: private static IP 172.30.x.86, gateway 172.30.x.85
                              WiMax: wireless connection
                              INTERNAL LAN: DHCP 192.168.1.1

                              but I would like to remove the Cisco completely and insert pfSense instead.

                              Cry Havok:

                                Ok, so 196.192 is a red herring - it isn't actually allocated to any of your devices?

                                What device handles the Wireless connection?

                                kryp:

                                  Finally, now it is working, with this config:

                                   <pfsense><version>3.0</version>
                                   <lastchange><theme>nervecenter</theme>
                                   <system><optimization>normal</optimization>
                                   <hostname>pfSense</hostname>
                                   <domain>local</domain>
                                   <dnsallowoverride><username>admin</username>
                                   <password>$1$GCmX2tUH$tublAsTINLcuehl9l6AJ9.</password>
                                   <timezone>Etc/UTC</timezone>
                                   <time-update-interval>300</time-update-interval>
                                   <timeservers>0.pfsense.pool.ntp.org</timeservers>
                                   <webgui><protocol>http</protocol></webgui>
                                   <disablenatreflection>yes</disablenatreflection>
                                   <dnsserver>196.192.x.x</dnsserver>
                                   <dnsserver>213.200.xx.xx</dnsserver></dnsallowoverride></system>
                                   <interfaces><lan><if>rl0</if>
                                   <ipaddr>192.168.1.1</ipaddr>
                                   <subnet>24</subnet>
                                   <media><mediaopt><bandwidth>100</bandwidth>
                                   <bandwidthtype>Mb</bandwidthtype></mediaopt></media></lan>
                                   <wan><if>vr1</if>
                                   <mtu><media><mediaopt><bandwidth>100</bandwidth>
                                   <bandwidthtype>Mb</bandwidthtype>
                                   <spoofmac>00:1d:60:25:30:72</spoofmac>
                                   <disableftpproxy><ipaddr>172.30.x.86</ipaddr>
                                   <subnet>30</subnet>
                                   <gateway>172.30.x.85</gateway>
                                   <blockpriv>on</blockpriv>
                                   <dhcphostname></dhcphostname></disableftpproxy></mediaopt></media></mtu></wan>
                                   <opt1><if>vr0</if>
                                   <descr>OPT1</descr></opt1></interfaces>
                                   <staticroutes><pppoe><username><password></password></username></pppoe>
                                   <pptp><username><password><local></local></password></username></pptp>
                                   <bigpond><username><password><authserver><authdomain><minheartbeatinterval></minheartbeatinterval></authdomain></authserver></password></username></bigpond>
                                   <dyndns><type>dyndns</type>
                                   <username><password></password></username></dyndns>
                                   <dhcpd><lan><enable><range><from>192.168.1.10</from>
                                   <to>192.168.1.245</to></range></enable></lan></dhcpd>
                                   <pptpd><mode><redir><localip></localip></redir></mode></pptpd>
                                   <ovpn><dnsmasq><enable></enable></dnsmasq>
                                   <snmpd><syslocation><syscontact><rocommunity>public</rocommunity></syscontact></syslocation></snmpd>
                                   <diag><ipv6nat><ipaddr></ipaddr></ipv6nat></diag>
                                   <bridge><syslog><nat><ipsecpassthru><advancedoutbound><rule><source>
                                   <network>any</network>
                                   <sourceport><descr><target>196.192.xx.x</target>
                                   <interface>lan</interface>
                                   <destination><any></any></destination>
                                   <natport></natport></descr></sourceport></rule>
                                   <rule><source>
                                   <network>any</network>
                                   <sourceport><descr><target>196.192.xx.x</target>
                                   <interface>wan</interface>
                                   <destination><any></any></destination>
                                   <natport></natport></descr></sourceport></rule>
                                   <rule><source>
                                   <network>192.168.1.0/24</network>
                                   <sourceport><descr>Auto created rule for LAN</descr>
                                   <target><interface>wan</interface>
                                   <destination><any></any></destination>
                                   <natport></natport></target></sourceport></rule>
                                   <enable></enable></advancedoutbound></ipsecpassthru></nat>
                                   <filter><rule><type>pass</type>
                                   <interface>wan</interface>
                                   <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
                                   <os><protocol>tcp</protocol>
                                   <source>
                                   <any><destination><any></any></destination></any></os></statetimeout></max-src-states></max-src-nodes></rule>
                                   <rule><type>pass</type>
                                   <descr>Default LAN -> any</descr>
                                   <interface>lan</interface>
                                   <source>
                                   <network>lan</network>
                                   <destination><any></any></destination></rule>
                                   <rule><type>pass</type>
                                   <interface>lan</interface>
                                   <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
                                   <os><protocol>tcp</protocol>
                                   <source>
                                   <any><destination><any></any></destination></any></os></statetimeout></max-src-states></max-src-nodes></rule></filter>
                                   <shaper><ipsec><preferredoldsa></preferredoldsa></ipsec>
                                   <aliases><proxyarp><cron><minute>0</minute>
                                   <hour></hour>
                                   <mday></mday>
                                   <month></month>
                                   <wday></wday>
                                   <who>root</who>
                                   <command></command>/usr/bin/nice -n20 newsyslog
                                   <minute>1,31</minute>
                                   <hour>0-5</hour>
                                   <mday></mday>
                                   <month></month>
                                   <wday>*</wday>
                                   <who>root</who>
                                   <command></command>/usr/bin/nice -n20 adjkerntz -a
                                   <minute>1</minute>
                                   <hour>3</hour>
                                   <mday>1</mday>
                                   <month></month>
                                   <wday></wday>
                                   <who>root</who>
                                   <command></command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh
                                   <minute>/60</minute>
                                   <hour></hour>
                                   <mday></mday>
                                   <month></month>
                                   <wday>*</wday>
                                   <who>root</who>
                                   <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
                                   <minute>1</minute>
                                   <hour>1</hour>
                                   <mday></mday>
                                   <month></month>
                                   <wday>*</wday>
                                   <who>root</who>
                                   <command></command>/usr/bin/nice -n20 /etc/rc.dyndns.update
                                   <minute>/60</minute>
                                   <hour></hour>
                                   <mday></mday>
                                   <month></month>
                                   <wday>*</wday>
                                   <who>root</who>
                                   <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot
                                   <minute>/60</minute>
                                   <hour></hour>
                                   <mday></mday>
                                   <month></month>
                                   <wday>*</wday>
                                   <who>root</who>
                                   <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c
                                   <minute>/5</minute>
                                   <hour></hour>
                                   <mday></mday>
                                   <month></month>
                                   <wday>*</wday>
                                   <who>root</who>
                                   <command></command>/usr/local/bin/checkreload.sh
                                   <minute>/5</minute>
                                   <hour></hour>
                                   <mday></mday>
                                   <month></month>
                                   <wday>*</wday>
                                   <who>root</who>
                                   <command></command>/etc/ping_hosts.sh
                                   <minute>/140</minute>
                                   <hour></hour>
                                   <mday></mday>
                                   <month></month>
                                   <wday>*</wday>
                                   <who>root</who>
                                   <command></command>/usr/local/sbin/reset_slbd.sh</cron>
                                   <wol><installedpackages><revision><description>/firewall_nat_out.php made unknown change</description>
                                   <time>1207288229</time></revision>
                                   <rrd><enable></enable></rrd>
                                   <virtualip><vip><mode>proxyarp</mode>
                                   <interface>wan</interface>
                                   <descr><type>single</type>
                                   <subnet_bits>32</subnet_bits>
                                   <subnet>196.192.xx.x</subnet></descr></vip></virtualip></installedpackages></wol></proxyarp></aliases></shaper></syslog></bridge></ovpn></staticroutes></lastchange></pfsense>

                                  I tried a lot with outbound NAT + virtual IP, then it worked. Thanks for helping.

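Added example (not code from the thread or from pfSense): a Python lint over a config.xml in the 1.x layout of the dump above, checking the three things this thread turned on: whether "Block private networks" is still set on a WAN that itself sits in RFC1918 space, whether every outbound NAT target is either the WAN address or a WAN virtual IP (proxy ARP) so that pfSense can claim the return traffic, and whether the translating rule is attached to wan rather than lan. build_config is a hypothetical helper that produces constructed samples; 172.30.0.86 and 196.192.80.1 stand in for the masked addresses.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Added example, not code from the thread or from pfSense. build_config is a
# hypothetical helper that produces constructed config.xml samples in the 1.x
# layout of the dump above; 172.30.0.86 and 196.192.80.1 are stand-ins for
# the masked addresses.
WAN_IP, WAN_GW, PUBLIC_IP = "172.30.0.86", "172.30.0.85", "196.192.80.1"

def build_config(blockpriv: bool, vip: bool, nat_iface: str) -> str:
    """Constructed sample: private /30 on WAN, a LAN, one outbound NAT rule to the
    public address, optionally 'Block private networks' and a proxy ARP VIP."""
    blockpriv_xml = "<blockpriv>on</blockpriv>" if blockpriv else ""
    vip_xml = ("<vip><mode>proxyarp</mode><interface>wan</interface><type>single</type>"
               f"<subnet_bits>32</subnet_bits><subnet>{PUBLIC_IP}</subnet></vip>") if vip else ""
    return f"""<pfsense>
  <interfaces>
    <wan><if>vr1</if><ipaddr>{WAN_IP}</ipaddr><subnet>30</subnet>
         <gateway>{WAN_GW}</gateway>{blockpriv_xml}</wan>
    <lan><if>rl0</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <nat><advancedoutbound><enable/>
    <rule><source><network>192.168.1.0/24</network></source>
          <interface>{nat_iface}</interface><destination><any/></destination>
          <target>{PUBLIC_IP}</target></rule>
  </advancedoutbound></nat>
  <virtualip>{vip_xml}</virtualip>
</pfsense>"""

def lint_config(xml_text: str) -> list:
    """Return the misconfigurations the thread ran into, as human-readable findings."""
    root = ET.fromstring(xml_text)
    findings = []
    wan = root.find("interfaces/wan")
    wan_ip = ipaddress.ip_address(wan.findtext("ipaddr"))
    # 1. WAN itself is in RFC1918 space but "Block private networks" is still set.
    if wan_ip.is_private and wan.find("blockpriv") is not None:
        findings.append(f"WAN {wan_ip} is RFC1918 but blockpriv is set; the thread's advice is to clear it")
    # 2. Addresses pfSense can answer for on WAN: its own address plus WAN virtual IPs.
    answerable = {str(wan_ip)}
    for v in root.findall("virtualip/vip"):
        if v.findtext("interface") == "wan":
            answerable.add(v.findtext("subnet"))
    for rule in root.findall("nat/advancedoutbound/rule"):
        iface = rule.findtext("interface")
        target = rule.findtext("target") or str(wan_ip)  # empty target means the interface address
        if target not in answerable:
            findings.append(f"outbound NAT target {target} is neither the WAN address nor a WAN "
                            "virtual IP, so nothing on this box claims the return traffic")
        # 3. The translating rule must sit on wan, not lan.
        if iface != "wan":
            findings.append(f"outbound NAT to {target} is attached to {iface}, not wan")
    return findings

if __name__ == "__main__":
    for label, cfg in (("broken", build_config(True, False, "lan")),
                       ("fixed", build_config(False, True, "wan"))):
        print(label, lint_config(cfg) or ["no findings"])
```

The "broken" sample reproduces the state earlier in the thread (private WAN with the RFC1918 block still on, and a public NAT target with no virtual IP behind it); the "fixed" sample is the combination kryp ended up with, outbound NAT to the public address plus a proxy ARP VIP for it on WAN.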