Cannot Ping/Connect to LAN Devices from ISP Wireless Router
-
I'm running pfSense 2.2.6 64-bit on a box in a SOHO environment with 1 LAN (192.168.0.x) and 1 WAN (192.168.100.x).
I connect the ISP modem/router to the pfSense box. DHCP is enabled on the ISP router, which has built-in wireless. I also have a Windows Server 2012 on the same network doing DHCP/DNS and AD file sharing for my computers/servers, and they are able to connect to the internet with no issues.
On the same ISP modem/router (192.168.100.1) I have built-in wireless, so I used my phone, laptop and tablet to connect to the built-in wireless on the ISP router side. When I connect to the wireless I get 192.168.100.x addresses and I am able to browse the internet, but I am unable to ping any computer/servers on the LAN side with 192.168.0.x addresses.
What am I doing wrong? How can I get the devices on the ISP wireless router with 192.168.100.x addresses to communicate with devices on the LAN network with 192.168.100.x addresses?
Any help appreciated, thank you.
-
What you're essentially doing is what is discussed on this How To:
https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall
Since you have part of your network between pfSense and your ISP's router and another section behind pfSense, you will need to set up rules to allow traffic to pass to and from your ISP router's LAN side. The How To above should help you with that.
This setup is kind of strange and it means that only the devices behind pfSense will be taking advantage of pfSense's firewall. It also means you will be running a double NAT (Internet <-> ISP Router <-> pfSense), which could cause some programs to not work correctly. You would also need to forward ports twice (once inside your ISP's router and again in pfSense) if you want any Internet-sourced traffic to reach your server behind pfSense. If you have the funds, I would strongly suggest putting an access point behind pfSense, putting the router/modem in transparent bridging mode and having pfSense handle all of the routing, NAT'ing and firewalling. You would then only have 1 DHCP scope to worry about. Good luck.
Carlos
-
Hey, thanks for the reply. My set-up is kinda strange indeed, I can agree with you on that. Everything was kinda done on short notice in a rush, so I was not given the time to properly plan what I was doing; I just put something together with what I had onsite at the moment. Funds are low, but I had plans of putting a wireless access point behind the pfSense firewall because it would make things less complicated.
On the subject of "transparent bridging mode" I need some advice. I notice in the settings on the ISP router it has 3 modes: Bridging, NAT with routing and NAT without Routing. I am currently using NAT with routing. Is that the correct mode for my setup? Which would be best?
-
"but I am unable to ping any computer/servers on the LAN side with 192.168.0.x addresses."
Well yeah, why would you think you would be able to, since that 192.168.100 network is on the WAN side of pfSense and would be hostile just like a public IP. So unless you set up a port forward it's blocked by default. Also there is a default rule to block all RFC 1918 addresses even if you set up a port forward.
If you want to use pfSense, you should really bring your wireless behind pfSense. Get another wifi router and use it as an AP, and disable wifi on your ISP device. Or get a real AP and again disable wifi on your ISP device.
I would also suggest changing your ISP device to bridge or just modem mode so that pfSense gets your public IP right on your WAN.
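The filtering order described in this reply, as an added Python sketch that is not part of the original thread and is not pfSense code: a simplified model of how a new inbound connection on WAN is judged. The function and class names, the sample hosts and the TCP/443 rule are constructed for illustration, and `dst` is assumed to be the LAN address after any port-forward translation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Simplified model (an assumption): only the three RFC 1918 ranges are checked.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class PassRule:                 # hypothetical stand-in for a WAN pass rule
    src: str                    # allowed source network
    dst: str                    # destination network on the LAN side
    proto: str                  # "tcp", "udp" or "icmp"
    port: Optional[int] = None  # None matches any port (or no port, for ICMP)

def wan_inbound(src, dst, proto, port=None, rules=(), block_private=True):
    """Return (action, reason) for a new connection arriving on WAN."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. The private-network block is evaluated before any user rule.
    if block_private and any(s in net for net in RFC1918):
        return ("block", "private source address on WAN")
    # 2. User pass rules (such as the one behind a port forward), first match wins.
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto == proto and r.port in (None, port)):
            return ("pass", "matched pass rule")
    # 3. Nothing matched: inbound traffic on WAN is dropped.
    return ("block", "default deny")

# Constructed sample hosts: a wireless client on the ISP router's network,
# a server on the pfSense LAN, and a documentation-range public address.
WIFI_CLIENT, LAN_SERVER, PUBLIC_HOST = "192.168.100.50", "192.168.0.10", "203.0.113.7"
WEB_RULE = PassRule(src="0.0.0.0/0", dst="192.168.0.10/32", proto="tcp", port=443)

if __name__ == "__main__":
    cases = [
        ("ping, no rules", WIFI_CLIENT, "icmp", None, (), True),
        ("tcp/443, forward, private block on", WIFI_CLIENT, "tcp", 443, (WEB_RULE,), True),
        ("tcp/443, forward, private block off", WIFI_CLIENT, "tcp", 443, (WEB_RULE,), False),
        ("ping, forward, private block off", WIFI_CLIENT, "icmp", None, (WEB_RULE,), False),
        ("tcp/443 from public host", PUBLIC_HOST, "tcp", 443, (WEB_RULE,), True),
    ]
    for label, src, proto, port, rules, bp in cases:
        print(f"{label:40s}", wan_inbound(src, LAN_SERVER, proto, port, rules, bp))
```
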
-
Thanks for the feedback. I did some reading and now I fully understand what is required.
I will now act on your input/feedback and my reading. Thanks again.