New installation



  • Newbie question :

    I have a static public ip address  aaa.aaa.aa.3

    My router Ip is xxx.xx.x.86  255.255.255.252 (connected through wimax)
    My Gateway is xxx.xx.x.85

    I do not get internet connection at all , and wan side shows connected with good dns address.

    My ISP says problem come from natting.

    Can anyone help how to setup pfsense correctly to make it work

    Thanks



  • What exactly is your problem?
    is aaa.aaa.aa the same as xxx.xx.xx ?
    Are you trying to route a public subnet behind pfSense?
    Or do you have just a single private IP?

    (you could generally provide a bit more information –> http://forum.pfsense.org/index.php/topic,7001.0.html )



  • hi GruensFroeschli

    is aaa.aaa.aa the same as xxx.xx.xx ?

    no its not same, aaa.aaa.aa is my static public ip address and xxx.xx.x.86 is the ISP winmax ip address with

    Are you trying to route a public subnet behind pfSense?
    yes i think that is the  idea .



  • Can you publish the real IPs?



  • yes

    I have a static public ip address  196.192.8x.x

    My router Ip is 172.30.x.86  255.255.255.252 (connected through wimax)
    My Gateway is 172.30.x.85

    My dns resolve corectly as per Isp details viewed status >  interface

    and i can ping my gateway 172.30.x.85 with 0 loss



  • um….
    Those are private IP's and NOT public IP's.
    (the 172.30 IP's)

    So your WAN lies in a private subnet.
    Try to disable the "Block RFC1918" checkbox on the WAN page.

    I assume your provider just forwards the traffic for the public 196.192.8x.x IP to your private 172.30.x.86 IP.



  • tried already to disable the "Block RFC1918" checkbox on the WAN page

    but still no internet connection



  • What provider is that?
    Could you find out if they just forward the traffic from the public IP you have to your private IP on your WAN?
    What subnet do you have behind pfSense?
    You dont per chance have 196.192.8x.x as your subnet behind pfSense, do you? (which should not work)



  • the subnet is 255.255.255.252

    they just installed a cisco 851 router and it is working, but tomorrow i will get the config then i will paste it here

    but i wish to use pfsense as i will have 2 ISP, one of them is working good with pfsense, only the Wimax one is getting this problem

    thanks



  • 255.255.255.252 is the netmask not the subnet. –> .252 is a /30 subnet, meaning that only the router and a single IP can be in the subnet.
    Are you really sure that you have only 1 IP behind pfSense? (i kind of doubt that)

    Let me rephrase the question: do you have public IP's behind pfSense or private IP's?

    (private IP's are
    192.168.x.x
    172.16.x.x up to 172.31.x.x
    10.x.x.x )

    Since you already have a private IP on the WAN you have to make sure that the IP's behind the pfSense are in another range.



  • here is cisco conig that working :

    sh run
    Building configuration…

    Current configuration : 4275 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname customer
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    enable secret 5 $1$relN$eKIdQirzqbPjL0yjJpomp.
    !
    no aaa new-model
    !
    !
    !
    crypto pki trustpoint TP-self-signed-3915657441
    enrollment selfsigned
    --More--          subject-name cn=IOS-Self-Signed-Certificate-3915657441
    revocation-check none
    rsakeypair TP-self-signed-3915657441
    !
    !
    crypto pki certificate chain TP-self-signed-3915657441
    certificate self-signed 01
      3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 33393135 36353734 3431301E 170D3032 30333031 30303036
      35345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39313536
      35373434 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100ADF2 7273D23F 73853322 842D19AC F7BAD0D5 E7D7917B 17214391 5333D79B
      DBFE8908 F06012EF 52A185AE C458194C 2A62B2CE A85B7991 1105BD55 E45BB3FD
      53CE8385 4260727A 52DF8209 49869179 E32AD543 E4D42EE7 6298CB86 3B2DAF51
      194957B5 C4E663F6 9D7F140B 7FA5EE92 C6205BDA E9BA9C22 4145FA84 17E002D2
      35C30203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
      551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
      301F0603 551D2304 18301680 14C31AF1 2CF4AAA3 947AA24F CFC72BD7 BF70319F
      EF301D06 03551D0E 04160414 C31AF12C F4AAA394 7AA24FCF C72BD7BF 70319FEF
      300D0609 2A864886 F70D0101 04050003 81810071 3B9C1735 070ABBCC 3C3CE8C5
      D636CBA6 A9AA9E0F DB01515D B47E39C4 5973617D 55CBF4C1 405347D0 A84A86E1
    --More--           AF9340B7 9726F4C0 238BCACD 180A7D91 B2E1F05C 979D0A26 3EF0B7C3 50BD13BC
      C1C48F21 B2977B0D 8D26BF55 9C7A7864 03937AD0 B0320AB0 A3ACB6E8 E9889577
      EA210769 B22C24AC F61553E8 268E059D 3F8D53
      quit
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1
    !
    ip dhcp pool sdm-pool
      import all
      network 192.168.1.0 255.255.255.0
      default-router 192.168.1.1
      lease 0 2
    !
    !
    ip cef
    no ip domain lookup
    ip domain name yourdomain.com
    !
    !
    !
    username customer privilege 15 password 7 045E76457348871C5A4D
    archive
    log config
    --More--           hidekeys
    !
    !
    !
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    ip address 172.30.x.86 255.255.255.252
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    --More--          ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    !
    ip route 0.0.0.0 0.0.0.0 172.30.x.85
    !
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat pool customer 196.192.8x.x 196.192.8x.x netmask 255.255.255.252
    ip nat inside source list 102 pool customer overload
    ip nat inside source static tcp 192.168.1.5 3389 196.192.8x.x 3389 extendable
    ip nat inside source static tcp 192.168.1.5 5079 196.192.8x.x 5079 extendable
    !
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    no cdp run
    !
    control-plane
    !
    banner login ^C
    --More--         -----------------------------------------------------------------------
    Cisco Router and Security Device Manager (SDM) is installed on this device.
    This feature requires the one-time use of the username "cisco"
    with the password "cisco". The default username and password have a privilege level of 15.

    Please change these publicly known initial credentials using SDM or the IOS CLI.
    Here are the Cisco IOS commands.

    username <myuser>  privilege 15 secret 0 <mypassword>no username cisco

    Replace <myuser>and <mypassword>with the username and password you want to use.

    For more information about SDM please follow the instructions in the QUICK START
    GUIDE for your router or go to http://www.cisco.com/go/sdm

    ^C
    !
    line con 0
    --More--          login local
    no modem enable
    line aux 0
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    end

    AnswerPlus#</mypassword></myuser></mypassword></myuser>

    hope this can help out



  • From my reading of that you have:

    ISP –-- (172.30.x.86/30) Cisco/pfSense (192.168.1.1) --- Internal LAN ---<somewhere>--- 196.192.8x.x

    Would that be correct?</somewhere>



  • Its more like this right now :

    INTERNET      –-> ISP                              ---> WiMax              --->    CISCO ---> INTERNAL LAN
    FIXED IP                PRIVATE STATIC IP          Wireless Connection                            DHCP 192.168.1.1
    196.192.8x.x          172.30.x.86
                              gateway 172.30.x.85

    but i would like to remove the cisco completely and insert Pfsense instead .



  • Ok, so 196.192 is a red herring - it isn't actually allocated to any of your devices?

    What device handles the Wireless connection?



  • finally now it is working .  with this config :

    • <pfsense><version>3.0</version>
        <lastchange><theme>nervecenter</theme>
    • <system><optimization>normal</optimization>
        <hostname>pfSense</hostname>
        <domain>local</domain>
        <dnsallowoverride><username>admin</username>
        <password>$1$GCmX2tUH$tublAsTINLcuehl9l6AJ9.</password>
        <timezone>Etc/UTC</timezone>
        <time-update-interval>300</time-update-interval>
        <timeservers>0.pfsense.pool.ntp.org</timeservers>
    • <webgui><protocol>http</protocol></webgui>
        <disablenatreflection>yes</disablenatreflection>
        <dnsserver>196.192.x.x</dnsserver>
        <dnsserver>213.200.xx.xx</dnsserver></dnsallowoverride></system>
    • <interfaces>- <lan><if>rl0</if>
        <ipaddr>192.168.1.1</ipaddr>
        <subnet>24</subnet>
        <media><mediaopt><bandwidth>100</bandwidth>
        <bandwidthtype>Mb</bandwidthtype></mediaopt></media></lan>
    • <wan><if>vr1</if>
        <mtu><media><mediaopt><bandwidth>100</bandwidth>
        <bandwidthtype>Mb</bandwidthtype>
        <spoofmac>00:1d:60:25:30:72</spoofmac>
        <disableftpproxy><ipaddr>172.30.x.86</ipaddr>
        <subnet>30</subnet>
        <gateway>172.30.x.85</gateway>
        <blockpriv>on</blockpriv>
        <dhcphostname></dhcphostname></disableftpproxy></mediaopt></media></mtu></wan>
    • <opt1><if>vr0</if>
        <descr>OPT1</descr></opt1></interfaces>
        <staticroutes>- <pppoe><username><password></password></username></pppoe>
    • <pptp><username><password><local></local></password></username></pptp>
    • <bigpond><username><password><authserver><authdomain><minheartbeatinterval></minheartbeatinterval></authdomain></authserver></password></username></bigpond>
    • <dyndns><type>dyndns</type>
        <username><password></password></username></dyndns>
    • <dhcpd>- <lan><enable>- <range><from>192.168.1.10</from>
        <to>192.168.1.245</to></range></enable></lan></dhcpd>
    • <pptpd><mode><redir><localip></localip></redir></mode></pptpd>
        <ovpn>- <dnsmasq><enable></enable></dnsmasq>
    • <snmpd><syslocation><syscontact><rocommunity>public</rocommunity></syscontact></syslocation></snmpd>
    • <diag>- <ipv6nat><ipaddr></ipaddr></ipv6nat></diag>
        <bridge><syslog>- <nat><ipsecpassthru>- <advancedoutbound>- <rule>- <source>
        <network>any</network>
       
        <sourceport><descr><target>196.192.xx.x</target>
        <interface>lan</interface>
    • <destination><any></any></destination>
        <natport></natport></descr></sourceport></rule>
    • <rule>- <source>
        <network>any</network>
       
        <sourceport><descr><target>196.192.xx.x</target>
        <interface>wan</interface>
    • <destination><any></any></destination>
        <natport></natport></descr></sourceport></rule>
    • <rule>- <source>
        <network>192.168.1.0/24</network>
       
        <sourceport><descr>Auto created rule for LAN</descr>
        <target><interface>wan</interface>
    • <destination><any></any></destination>
        <natport></natport></target></sourceport></rule>
        <enable></enable></advancedoutbound></ipsecpassthru></nat>
    • <filter>- <rule><type>pass</type>
        <interface>wan</interface>
        <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
        <os><protocol>tcp</protocol>
    • <source>
        <any>- <destination><any></any></destination></any></os></statetimeout></max-src-states></max-src-nodes></rule>
    • <rule><type>pass</type>
        <descr>Default LAN -> any</descr>
        <interface>lan</interface>
    • <source>
        <network>lan</network>
    • <destination><any></any></destination></rule>
    • <rule><type>pass</type>
        <interface>lan</interface>
        <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
        <os><protocol>tcp</protocol>
    • <source>
        <any>- <destination><any></any></destination></any></os></statetimeout></max-src-states></max-src-nodes></rule></filter>
        <shaper>- <ipsec><preferredoldsa></preferredoldsa></ipsec>
        <aliases><proxyarp>- <cron>- <minute>0</minute>
        <hour></hour>
        <mday>
      </mday>
        <month></month>
        <wday>
      </wday>
        <who>root</who>
        <command></command>/usr/bin/nice -n20 newsyslog
    • <minute>1,31</minute>
        <hour>0-5</hour>
        <mday></mday>
        <month>
      </month>
        <wday>*</wday>
        <who>root</who>
        <command></command>/usr/bin/nice -n20 adjkerntz -a
    • <minute>1</minute>
        <hour>3</hour>
        <mday>1</mday>
        <month></month>
        <wday>
      </wday>
        <who>root</who>
        <command></command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh
    • <minute>/60</minute>
        <hour>
      </hour>
        <mday></mday>
        <month>
      </month>
        <wday>*</wday>
        <who>root</who>
        <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
    • <minute>1</minute>
        <hour>1</hour>
        <mday></mday>
        <month>
      </month>
        <wday>*</wday>
        <who>root</who>
        <command></command>/usr/bin/nice -n20 /etc/rc.dyndns.update
    • <minute>/60</minute>
        <hour>
      </hour>
        <mday></mday>
        <month>
      </month>
        <wday>*</wday>
        <who>root</who>
        <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot
    • <minute>/60</minute>
        <hour>
      </hour>
        <mday></mday>
        <month>
      </month>
        <wday>*</wday>
        <who>root</who>
        <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c
    • <minute>/5</minute>
        <hour>
      </hour>
        <mday></mday>
        <month>
      </month>
        <wday>*</wday>
        <who>root</who>
        <command></command>/usr/local/bin/checkreload.sh
    • <minute>/5</minute>
        <hour>
      </hour>
        <mday></mday>
        <month>
      </month>
        <wday>*</wday>
        <who>root</who>
        <command></command>/etc/ping_hosts.sh
    • <minute>/140</minute>
        <hour>
      </hour>
        <mday></mday>
        <month>
      </month>
        <wday>*</wday>
        <who>root</who>
        <command></command>/usr/local/sbin/reset_slbd.sh</cron>
        <wol><installedpackages>- <revision><description>/firewall_nat_out.php made unknown change</description>
        <time>1207288229</time></revision>
    • <rrd><enable></enable></rrd>
    • <virtualip>- <vip><mode>proxyarp</mode>
        <interface>wan</interface>
        <descr><type>single</type>
        <subnet_bits>32</subnet_bits>
        <subnet>196.192.xx.x</subnet></descr></vip></virtualip></installedpackages></wol></proxyarp></aliases></shaper></syslog></bridge></ovpn></staticroutes></lastchange></pfsense>

    tried a lot on NAT outbound + virtual ip then worked .  thanks for helping .


Locked