Trying to get pfSense to work behind a router



  • Hey,

    I have been running pfSense for over a year now and love it. I have come across a problem: all of a sudden I am getting very low speeds (0.04Mbps upload), and I put this down to using PPPoE, as if I connect just a router to PPPoE it's slow also (no pfSense), but if connected to PPPoA it's normal. I am pretty sure this is a line fault but the ISP probably won't get it fixed till new year now.

    So I have to connect using the router they supplied, and it won't let me bridge it; also, if I could, it would be using the PPPoE on pfSense anyway. Anyway, back to the issue I am facing now.

    I am trying to get the pfSense box to work behind the router (sagemcom 3864). It's been locked down by the ISP, but they are pretty bad at security, as if you go to the admin page and view the source code it tells you the password in the source code lol. So I can modify some things.

    So on the sagemcom 3864 I have done this:

    • Disabled the DHCP server (doubt this is needed)
    • Added the WAN static IP I put in pfSense into DMZ Host IP (192.168.0.10)
    • Added a rule for ports 1-65534 for the pfSense WAN static IP (192.168.0.10)
    • Turned off WIFI as I will use an AP

    On the pfSense box this is what I have done:

    • Added a static WAN address (192.168.0.10)
    • Added the gateway underneath it to the sagemcom 3864 router (192.168.0.1)
    • Set LAN on a different subnet (10.0.0.1/24)
    • Added a rule in NAT outbound based on the rule for 127.0.0.0/8 (192.0.0.0/8) - (this could be wrong, just thinking of it, maybe it should be 192.168.0.0/24?)

    Now I can ping the WAN static IP on the pfSense box (192.168.0.10) from my PC, but I cannot ping the sagemcom 3864 router IP (192.168.0.1) from the PC or from the pfSense box.
    Of course I cannot connect to the net as the sagemcom router cannot be communicated with. I am not sure where the problem is, if it's on the pfSense side (maybe the NAT outbound rule or another rule?) or if it's on the sagemcom router.

    I hope someone can help. I know it's not the ideal thing to do, but I am getting FTTP soon and won't be able to bridge the modem then either, as the phone is built in and read that if you do bridge it the phone stops working, and they won't give you the details to use your own device, so stuck with the ISP modem/router if you want to use the phone.

    Thanks


  • Banned

    Do you have the "block private networks" enabled on the WAN interface? Just a wild guess… :-)



  • You should not need any special outbound NAT stuff. The default automatic outbound NAT will NAT anything from a LAN IP address out WAN. So stuff originating from 10.0.0.0/24 will be NATd to 192.168.0.10. And thus the upstream 192.168.0.1 will just see a ping from 192.168.0.10 and can easily reply to it.

    Also, no need for any rules on WAN for that to work - rules on WAN will only be needed when you want to allow stuff originating from upstream of WAN.

    The fact that you cannot even ping 192.168.0.1 from pfSense itself is a problem.
    Is the cable from pfSense WAN to upstream box good?
    Does it need to be a crossover (unusual these days)?
    Can you connect an ordinary computer to the upstream device and ping 192.168.0.1?
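
An added example, not part of the reply above and not pfSense code: a Python check of the addressing plan quoted in this thread. It shows that a manual outbound NAT source of 192.0.0.0/8 or 192.168.0.0/24 never matches the 10.0.0.0/24 LAN that the automatic rule already covers. The function name `check_plan` and the /24 mask on the sagemcom LAN are assumptions.

```python
import ipaddress

# Constructed from the values quoted in the thread; the /24 on the
# sagemcom LAN is an assumption (the thread never states the mask).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_plan(wan_ip, wan_gw, upstream_lan, lan_if, nat_sources=()):
    """Return a list of problems in a pfSense-behind-router address plan."""
    findings = []
    upstream = ipaddress.ip_network(upstream_lan)
    wan = ipaddress.ip_address(wan_ip)
    gw = ipaddress.ip_address(wan_gw)
    # "10.0.0.1/24" is an interface address; its network is 10.0.0.0/24.
    lan = ipaddress.ip_interface(lan_if).network

    if wan not in upstream:
        findings.append(f"WAN {wan} is outside upstream LAN {upstream}")
    if gw not in upstream:
        findings.append(f"gateway {gw} is outside upstream LAN {upstream}")
    if wan == gw:
        findings.append(f"WAN {wan} collides with the gateway address")
    if lan.overlaps(upstream):
        findings.append(f"LAN {lan} overlaps upstream LAN {upstream}")

    # A manual outbound NAT rule only helps if its source covers the LAN.
    for src in nat_sources:
        net = ipaddress.ip_network(src, strict=False)
        if not lan.subnet_of(net):
            findings.append(f"NAT source {net} never matches LAN {lan}")
        if not any(net.subnet_of(p) for p in RFC1918):
            findings.append(f"NAT source {net} reaches beyond RFC 1918 space")
    return findings


if __name__ == "__main__":
    plan = ("192.168.0.10", "192.168.0.1", "192.168.0.0/24", "10.0.0.1/24")
    for sources in ([], ["192.0.0.0/8"], ["192.168.0.0/24"], ["10.0.0.0/24"]):
        print(sources, "->", check_plan(*plan, nat_sources=sources) or "ok")
```
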



  • Do you have the "block private networks" enabled on the WAN interface?

    Blocked networks is disabled; I disabled bogon ones just in case also.

    Is the cable from pfSense WAN to upstream box good?

    All cables are good; I have checked them on the router itself with no pfSense box.

    Does it need to be a crossover (unusual these days)?

    I am not sure if it needs a crossover. I could make one as I have some cat6 laying around, just unsure if I got the plugs; I think they are somewhere, I will look later.

    Can you connect an ordinary computer to the upstream device and ping 192.168.0.1?

    Yes, I can ping 192.168.0.1 on my PC when it's connected direct, so it can accept pings.

    I however found out that if I connect my PC to the router direct and use the IP I gave for pfSense (the one with the DMZ host added) I get no internet. Is this normal?



  • Ok I disabled the DMZ host and put it back in. The net now works on that IP.

    What should I be setting the IPv4 Configuration Type as?

    I had it on Static IPv4 and it does not work. If I set it to DHCP it does work. If I set it to PPPoE with logins it also works (did that by accident, forgot to change it back lol).

    Edit: Ok, maybe one of my network plugs is faulty on the pfSense box, as the speed drops back down to 0.06Mbps upload when connected to the pfSense box. I have swapped cables around and all, so it's not the cables.

    Is there a way to test throughput on the network adapters? They are both onboard ones and I have got more here, but they are PCIe and this board takes PCI.



  • You should not need any "DMZ Host" stuff on the upstream device (sagemcom) to get outgoing internet working. That is only to tell the sagemcom what to do with incoming connection requests from the big bad internet - effectively a "port forward all" to the specified internal IP address.

    What should I be setting the IPv4 Configuration Type as?

    On pfSense WAN you can choose a static IPv4 in the upstream router (sagemcom) LAN-side subnet, like you have done, or use DHCP and then sagemcom should hand an address to pfSense WAN. Both should work.

    Maybe there is some speed mismatch somehow between pfSense box WAN NIC and the upstream sagemcom? One thing to try is to put a switch in the middle - then the switch can auto-negotiate the speed… of each device independently.



  • Ok, my issues are now fixed. I thought it was the network card/s but the ISP fixed the phone line as it was playing up and it now works again. I just find it strange that when connected to the modem direct I got normal speed, but as soon as I added the pfSense box in the speed dropped. I dunno what the go is with that but it's all good again.

    Thanks for the help.

