Please help; please

  • Hello. :) Recently I had the idea to use a dusty, kind-of-old laptop as my firewall superhero with pfSense. The machine comes with an integrated Intel PRO/100 Ethernet and a custom-installed Atheros 5424 chip using a modded BIOS. My ISP supplied me with a WiMAX Telrad router, integrated with everything needed to make a simple, typical home network possible.

    Anyway, my idea was to have the laptop with pfSense residing between the router and the stations, which would connect to its WiFi interface… doesn't sound too bad as an idea, but I'm not sure whether everything is well configured or whether there is room for better configuration.

    As for now, I have a WAN interface (configured to point to the router's gateway IP) and a LAN one (NATed to WAN, used to allow WiFi connection). Everything seems to work fine regarding basic web surfing, checking emails, etc. But NAT imposes a limit on inbound traffic. Well, maybe not a real limit (because of forwarding), but anyhow bridging the two interfaces (or something similar) may result in better performance and stability when using intensive applications (and probably a simpler firewall, routing config, etc.). Thing is, I'm not sure, so I'm asking you guys for better ideas... 8)

    If you would like further information, I would be glad to know...

    Thanks for reading and best regards.

  • It sounds like you have pfSense behind another router, the one you got from your ISP. While this will work, it makes for a needlessly complex setup.

    Ideally you want the ISP-provided box in bridge mode so you get a public IP on the WAN interface of pfSense. This gets rid of the double NAT kludgery and makes it so you can manage your firewall rules and port forwarding settings in one place. However, this means that you will need to use something else as your WiFi access point: either pfSense itself with a supported WiFi card, a consumer WiFi router in AP mode, or a dedicated AP of some sort.

    You might need the ISP to walk you through switching their box to bridge mode, if it even supports it. Personally I avoid ISPs that give out routers or modems with routers built in as they just complicate things for power users like me. However these devices are wonderful for the average person as they make connecting up basic internet service very easy.
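    The double-NAT situation described in this reply can be checked from pfSense's own interface addresses. The following is an added example, not code from the thread or from pfSense: it classifies the WAN lease (public, RFC 1918, or carrier-grade NAT) and flags the common pitfall where the ISP router's LAN subnet collides with the pfSense LAN subnet. The sample addresses in the docstrings are constructed.

```python
"""Added example: decide from pfSense's WAN lease whether it sits behind a
second NAT (the ISP router) and whether the LAN subnet collides with it."""
import ipaddress

# Blocks that are never routed on the public Internet. A WAN lease from one of
# these means another device is doing NAT upstream of pfSense.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")        # RFC 6598 carrier-grade NAT
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # APIPA: no DHCP lease at all


def classify_wan(addr: str) -> str:
    """Return 'public', 'rfc1918', 'cgnat' or 'no-lease' for a WAN address."""
    ip = ipaddress.ip_address(addr)
    if ip in LINK_LOCAL:
        return "no-lease"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    return "public"


def double_nat_report(wan_cidr: str, lan_cidr: str) -> dict:
    """wan_cidr and lan_cidr are interface addresses with prefix length,
    e.g. '192.168.1.10/24' (constructed sample values)."""
    wan_if = ipaddress.ip_interface(wan_cidr)
    lan_if = ipaddress.ip_interface(lan_cidr)
    kind = classify_wan(str(wan_if.ip))
    # Behind the ISP router: inbound port forwards must exist on both the ISP
    # box and pfSense, and the ISP box does its own NAT on top of pfSense's.
    double_nat = kind in ("rfc1918", "cgnat")
    # If the ISP router's LAN and pfSense's LAN share a subnet, pfSense cannot
    # tell which side a destination in that range lives on; renumber the LAN.
    overlap = wan_if.network.overlaps(lan_if.network)
    return {"wan_kind": kind, "double_nat": double_nat, "subnet_overlap": overlap}


if __name__ == "__main__":
    # Typical state for the setup in this thread: pfSense WAN leased by the ISP
    # router, pfSense LAN left at a default that collides with it.
    print(double_nat_report("192.168.1.10/24", "192.168.1.1/24"))
```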

  • Thanks for the reply. I attached a screenshot in there so you can see. Thing is, even if the WiMAX would still act as a router, it shouldn't be too much trouble if I somehow set up WAN/LAN right (bridged or something similar).

    And by the way, there is a handy option which allows ARP spoofing on the interface. What would happen in the case of WiMAX MAC spoofing on WAN? Wouldn't it work somehow to avoid all this mess?

  • I don't think MAC address spoofing applies to the situation here. It is usually used to get around the restriction created when an ISP decides to be stupid and bind a modem's LAN interface to the MAC address of the first thing that is plugged into it; it allows you to install a router without having to call the ISP and have them release the lock.

    It looks like one of the bridge modes listed in the drop-down is what you want. However, I have no idea what the difference is between the two; you may need to check the router's manual or ask your ISP to explain the bridge settings.

  • Hmp; contacted my ISP yesterday, and they told me only Router mode is supported. Could you suggest then some kind of bridged setup to avoid the internal NAT from happening? Is there any way to do this?
  • I guess you could try each bridge mode and see if either of them works. My only concern is that one or both of them may remove or change the router's LAN IP and prevent you from accessing the web interface to change it back. Is there some kind of reset button somewhere on the router to restore the default settings if needed?

    I would try the ETHCS bridge mode first, as the name makes me think it might be referring to an Ethernet bridge, which should be what you want.

  • The ISP explicitly told me not to reset the modem; maybe that's because of some internal certificates used for auth that would otherwise be removed…

    The basic idea was to bridge the WAN interface (Ethernet cable connected to the modem at one end, the other end to the laptop PC) and the LAN interface (which is the laptop's WiFi interface that would serve as AP for the local stations). So, let's assume I create a bridged WAN/LAN interface on OPT1.

    Then how do I forward frames to this interface? On which end (MAC) should they be in the first place?

  • If you can get the router into bridge mode, then pfSense will get an IP on its WAN interface via DHCP. On the LAN interface pfSense will have a static IP and act as a DHCP server. pfSense itself will not be a bridge, just a WiFi router. However, I have no experience with WiFi on pfSense, so I will defer to someone else on that.

  • Yes thank you for all the help so far.