PFSense C2758 Moved from Office (fixed IP) to Home office (behind FIOS Router)



  • First request for help.  I'm more of a developer than network engineer.

    Everything was working fine at the office prior to the move.  I want to modify this router config slightly so it will function behind my home FIOS router in order to not cause any problems with other services that Verizon provides to my home now or add-on functions in the future.  To try and keep things simple I've configured a static DMZ IP on the FIOS router.  I've changed the pfSense WAN interface from one of the static IP addresses at work to the static LAN IP address that I've assigned as the DMZ NAT address.  I also changed the DNS servers from the old Cox Communications DNS IP addresses to the Verizon IP addresses.

    My problem is that I can't reach the internet; however I can:
      a)  I can ping from a computer on the pfSense LAN interface to the LAN interface IP address.
      b)  I can ping from the same computer on the LAN interface to the static IP address assigned to the pfSense WAN interface.
      c)  I can even ping the Verizon DNS servers.
      d)  I can't ping or hit any websites like www.google.com.  The www.google.com IP address also doesn't resolve using nslookup, and using the IP address directly I still can't hit the Google website.

    I have reviewed a large number of entries in this Forum and suspect I'm not the only guy that has run into this problem but... after hours of attempts I need some help.  I'd greatly appreciate thoughts here.  My hope was to just change the static IP address, configure my Verizon router and be done.  I really do not want to put pfSense in front of the Verizon FIOS router given what I've read about that situation.



  • On the general setting page do you have any DNS entered there?



  • Yes, DNS entered on the general page.  Two of the Verizon DNS IP addresses are listed.  Also, for each interface I have unchecked "block private networks".



  • Long shot - but if it's behind a Verizon FIOS router, either release the MAC address through the default modem or duplicate the MAC address of the previously installed modem into the WAN interface.



  • @redeyedeveloper:

    First request for help.  I'm more of a developer than network engineer.

    Everything was working fine at the office prior to the move.  I want to modify this router config slightly so it will function behind my home FIOS router in order to not cause any problems with other services that Verizon provides to my home now or add-on functions in the future.  To try and keep things simple I've configured a static DMZ IP on the FIOS router.  I've changed the pfSense WAN interface from one of the static IP addresses at work to the static LAN IP address that I've assigned as the DMZ NAT address.  I also changed the DNS servers from the old Cox Communications DNS IP addresses to the Verizon IP addresses.

    My problem is that I can't reach the internet; however I can:
      a)  I can ping from a computer on the pfSense LAN interface to the LAN interface IP address.
      b)  I can ping from the same computer on the LAN interface to the static IP address assigned to the pfSense WAN interface.
      c)  I can even ping the Verizon DNS servers.
      d)  I can't ping or hit any websites like www.google.com.  The www.google.com IP address also doesn't resolve using nslookup, and using the IP address directly I still can't hit the Google website.

    I have reviewed a large number of entries in this Forum and suspect I'm not the only guy that has run into this problem but... after hours of attempts I need some help.  I'd greatly appreciate thoughts here.  My hope was to just change the static IP address, configure my Verizon router and be done.  I really do not want to put pfSense in front of the Verizon FIOS router given what I've read about that situation.

    Are you using your FIOS router as an upstream gateway? What do you have under Services > DNS Forwarder and Services > DNS Resolver? Are you able to upload screen prints for us to take a look...



  • I didn't read your OP fully, sorry. I'd be curious to understand the issues with putting pfSense in front of the FIOS modem.
    I have mine set up that way with Cat5 from the ONT rather than coax. I LAN off my modem and only open a few ports that allow TV on demand and premium PPV channels to work (they bridge some coax & Cat5 services). If you think it's worthwhile I can put together a brief guide this weekend from my notes.



  • Sorry for the delay but it took me a day to prepare exact tests and take snapshots that I think are needed to resolve the question.  I also want to thank those in this thread for your help.

    Attached is a text file that shows me:

    a)  from laptop on DHCP configured LAN port pinging the LAN port (192.168.10.1)
    b)  from same laptop on same interface, pinging the WAN port (192.168.1.1).
    c)  from same laptop on same LAN interface pinging the DMZ port on the Verizon router (192.168.1.6)
    d)  from same laptop on same LAN interface pinging the Verizon DNS servers successfully (i.e. shows end-to-end from laptop on LAN across pfSense router and Verizon modem to Verizon DNS servers).

    Same problem exists... I can't ping any other internet address nor get any website to render on my laptop.

    ![Gateway configuration.JPG](/public/imported_attachments/1/Gateway configuration.JPG)
    ![LAN Interface configuration.JPG](/public/imported_attachments/1/LAN Interface configuration.JPG)
    ![2nd half of pfSense Resolver screen.JPG](/public/imported_attachments/1/2nd half of pfSense Resolver screen.JPG)
    ![DNS Resolver screen1.JPG](/public/imported_attachments/1/DNS Resolver screen1.JPG)
    ![DNS settings that allow ping to hit Verizon DNS servers.JPG](/public/imported_attachments/1/DNS settings that allow ping to hit Verizon DNS servers.JPG)
    ![ping text to be posted.JPG](/public/imported_attachments/1/ping text to be posted.JPG)
    ![WAN interface screen.JPG](/public/imported_attachments/1/WAN interface screen.JPG)



  • You shouldn't put a gateway for LAN.  Only WAN gets a gateway.  Set it to None.



  • Gateway changed to none on the LAN.  Agreed.  However no change... all prior capability works (i.e. I can ping out to the Verizon DNS servers but can't ping anything else, like Google DNS, etc.).



  • Under General Setup, you should not be specifying a LAN address as your gateway for your DNS servers.  Set it to none.



  • I have made the suggested change however I have two observations:

    1)  It has not resolved the original issue of providing access from the LAN port (192.168.10.x) to the Internet (i.e. I can still ping the DMZ IP on the Verizon router).
    2)  I now can't ping the two Verizon DNS servers... timeout error.

    Thank you for the suggestions and I sense the configuration is maturing.  I did change the DNS configuration when I brought the pfSense appliance home because I have Verizon FIOS and the office where it was connected had Cox Communications fiber.

    I have attached an updated general setup / DNS snapshot to make sure there is an updated pic of the configuration in case I have not implemented instructions properly.




  • This would be a  lot easier if you could flip the FIOS router to bridged mode and let pfSense have the public IP address.  You wouldn't have to worry about NAT.

    Instead of trying to modify the existing config, it might be best for you to reset pfSense back to factory defaults, reassign & configure your interfaces and start fresh.  For instance, your Resolver config seems to have a ton of funky interfaces and VLANs, and your Gateway config shows a Gateway2 which makes me wonder if there is a Gateway1 and what it might be.  A factory reset would clear out all of that.

    Are you sure that your DMZ IP address isn't the same as the FIOS router LAN address?  It's pretty common for LAN address to be 192.168.1.1, and I wonder if you have FIOS LAN and DMZ set to the same thing.
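    The checks recommended in the last few replies (no gateway on LAN, no LAN gateway on the DNS servers, WAN and LAN not sharing the same 192.168.1.x subnet, and a WAN gateway that is not the DMZ address itself) can be expressed as a small lint over the config. The following is an added example written for this page, not code from the thread or from pfSense: it parses a hand-written subset of pfSense's config.xml layout (the element names, the `blockpriv` flag and the documentation-range addresses are assumptions) and reports which of those pitfalls a config exhibits.

```python
"""Lint a pfSense-style config for the double-NAT pitfalls raised in this thread.

Added example for illustration; it is not from the thread or from pfSense.
The XML below is a hand-written subset of pfSense's config.xml layout
(assumed element names: interfaces/wan, interfaces/lan, system/dnsNgw,
gateways/gateway_item, blockpriv); addresses are documentation ranges.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed config reproducing the thread's problems: LAN with a gateway,
# DNS servers tied to a LAN gateway, LAN on the same /24 as the FIOS side.
BROKEN_CONFIG = """<pfsense>
  <system>
    <dnsserver>198.51.100.53</dnsserver>
    <dnsserver>198.51.100.54</dnsserver>
    <dns1gw>LANGW</dns1gw>
    <dns2gw>LANGW</dns2gw>
  </system>
  <interfaces>
    <wan><ipaddr>192.168.1.6</ipaddr><subnet>24</subnet><gateway>WANGW</gateway><blockpriv/></wan>
    <lan><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet><gateway>LANGW</gateway></lan>
  </interfaces>
  <gateways>
    <gateway_item><interface>wan</interface><gateway>192.168.1.1</gateway><name>WANGW</name></gateway_item>
    <gateway_item><interface>lan</interface><gateway>192.168.1.1</gateway><name>LANGW</name></gateway_item>
  </gateways>
</pfsense>"""

# Same box after the fixes suggested in the thread: LAN gateway None, DNS
# gateway none, LAN moved to a subnet that cannot collide with the FIOS side.
FIXED_CONFIG = """<pfsense>
  <system>
    <dnsserver>198.51.100.53</dnsserver>
    <dns1gw>none</dns1gw>
  </system>
  <interfaces>
    <wan><ipaddr>192.168.1.6</ipaddr><subnet>24</subnet><gateway>WANGW</gateway></wan>
    <lan><ipaddr>10.27.0.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <gateways>
    <gateway_item><interface>wan</interface><gateway>192.168.1.1</gateway><name>WANGW</name></gateway_item>
  </gateways>
</pfsense>"""


def _static_iface(node):
    """Return (address, network, gateway name) for a statically addressed interface."""
    if node is None:
        return None
    ip = node.findtext("ipaddr")
    if ip is None or not ip[0].isdigit():   # dhcp/pppoe: nothing static to check
        return None
    net = ipaddress.ip_network(f"{ip}/{node.findtext('subnet', '32')}", strict=False)
    return ipaddress.ip_address(ip), net, node.findtext("gateway")


def lint(config_xml):
    """Return a list of finding codes; an empty list means no check fired."""
    root = ET.fromstring(config_xml)
    gw_items = list(root.iter("gateway_item"))
    gw_iface = {g.findtext("name"): g.findtext("interface") for g in gw_items}
    gw_addr = {g.findtext("name"): g.findtext("gateway") for g in gw_items}
    findings = []

    lan = _static_iface(root.find("interfaces/lan"))
    wan = _static_iface(root.find("interfaces/wan"))

    # 1. Only the WAN gets a gateway: pfSense treats an interface that has a
    #    gateway as a WAN-type interface, which breaks routing for LAN hosts.
    if lan and lan[2]:
        findings.append("LAN_HAS_GATEWAY")

    # 2. DNS servers must not be bound to a LAN-side gateway (set it to none).
    for tag in ("dns1gw", "dns2gw", "dns3gw", "dns4gw"):
        name = root.findtext(f"system/{tag}")
        if name and name != "none" and gw_iface.get(name) == "lan":
            findings.append(f"DNS_GATEWAY_ON_LAN:{tag}")

    if wan:
        # 3. WAN and LAN on the same subnet: the classic collision when pfSense
        #    LAN is 192.168.1.x behind a FIOS router that is also 192.168.1.1.
        if lan and wan[1].overlaps(lan[1]):
            findings.append("WAN_LAN_OVERLAP")
        # 4. The WAN gateway must be another host on the WAN subnet, not the
        #    DMZ address itself and not an address outside that subnet.
        gw = gw_addr.get(wan[2]) if wan[2] else None
        if gw:
            gw_ip = ipaddress.ip_address(gw)
            if gw_ip == wan[0]:
                findings.append("WAN_GATEWAY_IS_WAN_ADDRESS")
            elif gw_ip not in wan[1]:
                findings.append("WAN_GATEWAY_OFF_SUBNET")
        # 5. A private WAN address means the box sits behind another NAT:
        #    anything keyed to this interface address (Dynamic DNS) sees a
        #    private address, and inbound services need a forward upstream.
        if wan[0].is_private:
            findings.append("WAN_IS_PRIVATE")
            # 6. With a private WAN, "block private networks" drops traffic
            #    that originates on the outer router's own LAN.
            if root.find("interfaces/wan/blockpriv") is not None:
                findings.append("BLOCKPRIV_ON_PRIVATE_WAN")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint(cfg))
```

    `lint(BROKEN_CONFIG)` reports each problem the thread worked through; the fixed config still reports `WAN_IS_PRIVATE`, which is expected for a box on the FIOS router's DMZ and is the reason anything keyed to the WAN interface address sees a private address rather than the public one.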



  • As suggested I am in the process of doing a factory reset given all the extra interfaces, configurations and too high a probability that something at the office just won't apply here.

    I do feel a need to put the WAN from pfSense to the FIOS router DMZ.  192.168.1.6 is the DMZ address.  There is no doubt.

    I'll be back after the factory reset, changing passwords, and doing a standard config to get the WAN working, and I'll let you all know how it goes.  I have saved the config before starting.



  • Working... but more work ahead.  Here is what I did:

    First, taking sound advice, I saved the current configuration and then did a factory reset.
    From the VGA port with a USB keyboard I configured the LAN interface.
    Then I logged onto the GUI via a laptop connected to the LAN and finally noticed that the WAN was up, and also noticed there was a firmware update.
    After reading about the update, and not seeing any major problems reported, I applied the firmware update.  No sense not doing it now.
    I used the general setup process to bring up the LAN, but using a different private subnet that is clearly different from 192.168.x.y.  (Note: this was suggested and implemented.)
    At this point the WAN is clearly bound to the DMZ on the back of the Verizon router.
    Dynamic DNS service set up to allow easy access and notification when something goes down.
    Family will be OK with TV and other things since pfSense is behind all that stuff.
    Now to work on the VPN to limit access (note: nothing connecting at the moment... this is all in a lab).

    Thanks for the help.  Bottom line:  keep it simple.



  • Awesome!  I was wondering if gremlins were the issue.  A reset cleared them up.  Good luck!



  • After much reading and trial I have reset my configuration to the date/time of the previous posting here so that I'm starting from the correct point.  My ultimate goal is to be able to use OpenVPN from anywhere to access an ESXi server inside the house while on travel, while at the same time ensuring that the family has easy access and easy reset to the family house internet devices (i.e. TV, etc.), hence the reason for the pfSense hardware device behind the Verizon router.  The next step on this trail, to ensure proper port forwarding from the Verizon router... I thought... would be the simple step of accessing the login GUI screen for pfSense by taking a laptop, connecting to a MiFi and then going through the DMZ to the proper IP addy of the pfSense WAN front end.  I was expecting to see the logon/password screen for the pfSense router.  I'm able to access this screen via the LAN environment via port 9443 (note: will obviously change ports and IP addresses later and add more security, but after initial functionality is achieved).  So my questions, after much work, are:

    1)  Should I be able to access and log in to the pfSense login screen via the Internet --> pfSense WAN --> port 443 connection?  (Note: pfSense is absolutely on the DMZ IP address.)  I'm just wondering if there is a built-in security protection rule that limits login to the pfSense hardware device to local connections.  If this is something that can be done, what am I doing wrong, because once I have this set up then I know I've been able to route from the internet, through the Verizon router, to the pfSense box.  I suspect this may be useful for others.

    2)  After I have #1 above done and limited it to VPN connections only, I then need to make one more hop from the WAN connection to a static LAN connection, which is my ESXi server.

    I have attached some snapshots to help resolve the issue quickly.

    ![Internet to Admin Page_WAN Firewall Rules.JPG](/public/imported_attachments/1/Internet to Admin Page_WAN Firewall Rules.JPG)
    ![Internet to Admin Page_WAN Interface page.JPG](/public/imported_attachments/1/Internet to Admin Page_WAN Interface page.JPG)
    ![Status Screen prior to VPN Creation.JPG](/public/imported_attachments/1/Status Screen prior to VPN Creation.JPG)
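    On question 1 above: pfSense's default ruleset has no pass rules on WAN, so nothing reaches the GUI from the Internet until a WAN rule explicitly allows it, while the anti-lockout rule on LAN is what keeps port 9443 reachable from inside. The following is an added example written for this page, not code from the thread or from pfSense; it models that path with the FIOS DMZ as destination NAT that leaves the source address untouched, and a first-match ruleset with an implicit deny. The rule table is a simplified stand-in for pfSense's defaults and the addresses are documentation ranges (both assumptions).

```python
"""Model of the inbound path Internet -> FIOS DMZ -> pfSense WAN rules.

Added example, not from the thread or from pfSense. The FIOS DMZ is modelled
as destination NAT only (source address left alone); pfSense rules are
evaluated first-match with an implicit deny when nothing matches; the rule
table is a hand-written simplification of the default rules (assumed).
Addresses are documentation ranges, not the poster's.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    iface: str                  # interface the packet arrives on
    action: str                 # "pass" or "block"
    proto: str = "any"
    src: str = "any"            # "any", "private" or a CIDR/host
    dst: str = "any"
    dport: Optional[int] = None
    label: str = ""


def _addr_matches(spec, addr):
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec == "private":
        return any(ip in net for net in PRIVATE_NETS)
    return ip in ipaddress.ip_network(spec, strict=False)


def _rule_matches(rule, iface, pkt):
    return (rule.iface == iface
            and rule.proto in ("any", pkt.proto)
            and _addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules, iface, pkt):
    """First matching rule wins; no match is pfSense's implicit default deny."""
    for rule in rules:
        if _rule_matches(rule, iface, pkt):
            return rule.action, rule.label
    return "block", "default deny"


def fios_dmz(pkt, public_ip, dmz_host):
    """The FIOS DMZ host feature: rewrite the destination, keep the source."""
    if pkt.dst != public_ip:
        return pkt
    return Packet(pkt.proto, pkt.src, dmz_host, pkt.dport)


FIOS_PUBLIC = "198.51.100.20"   # constructed: the FIOS router's public address
PFSENSE_WAN = "192.168.1.6"     # the DMZ host on the FIOS LAN
PFSENSE_LAN = "10.27.0.1"
GUI_PORT = 9443

RULES = [
    # WAN: no pass rules out of the box; "block private networks" is optional
    # and is evaluated before user rules. One user rule added for OpenVPN.
    Rule("wan", "block", src="private", label="Block private networks"),
    Rule("wan", "pass", proto="udp", dst=PFSENSE_WAN, dport=1194, label="OpenVPN"),
    # LAN: anti-lockout keeps the GUI reachable, then the default allow rule.
    Rule("lan", "pass", dst=PFSENSE_LAN, dport=GUI_PORT, label="Anti-lockout"),
    Rule("lan", "pass", src="10.27.0.0/24", label="Default allow LAN to any"),
]


def from_internet(pkt, rules=RULES):
    """pfSense's verdict for a packet that arrived at the FIOS public address."""
    return evaluate(rules, "wan", fios_dmz(pkt, FIOS_PUBLIC, PFSENSE_WAN))


if __name__ == "__main__":
    print(from_internet(Packet("tcp", "203.0.113.7", FIOS_PUBLIC, GUI_PORT)))
    print(from_internet(Packet("udp", "203.0.113.7", FIOS_PUBLIC, 1194)))
```

    The OpenVPN rule is the pattern the later posts work towards: forward only UDP 1194 and keep the GUI reachable from LAN or over the tunnel rather than from the WAN. The private-source rule also shows why "block private networks" does not interfere with Internet traffic arriving through the DMZ (the source address stays public after the FIOS DNAT) but would drop hosts on the FIOS router's own LAN.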



  • There's some handy guides about openvpn access and configuring Verizon's router at https://nguvu.org/guides/ which might help debug your issue.



  • Actually, right now, without the VPN I'm trying to hit the pfSense router from outside in 'experiment' mode (i.e. an empty old ESXi computer that is running, etc.).  I figure I should 'thread the needle' first from the outside internet, through the WAN interface to the LAN with the ESXi server.  I can reach the internet from the LAN passing through the WAN and router.  DMZ is set properly.

    I will read the OpenVPN reference and I have watched several videos, but this is a unique setup given it is behind the Verizon router and is not serving as the main router coming into the house.



  • The guide just mentioned is something I had not seen before and I'm reviewing it.  Very high quality, and thank you for the reference.  ...just wanted to note that, but if other ideas come to mind that could help please post.



  • I am following the guide recommended in the previous post which stated:

    "There's some handy guides about openvpn access and configuring Verizon's router at https://nguvu.org/guides/ which might help debug your issue."

    I noticed that the guide states that a non-null IP address should show up in green if the dynamic DNS service was configured correctly.
    I also noticed that my cached IP came up in red digits as 0.0.0.0.  This indicates that this first step didn't work.
    I've researched what red IP digits might mean in this section and need some help understanding what this means.

    Please note that I can hit the internet, and resolve DNS names, via a laptop connected to the LAN interface.

    I've attached a pic of the dynamic DNS service screen that is in the guide.
    My pfSense router is connected to the DMZ static IP on my router.

    Please forgive, I'm more of a developer than a network engineer, but I'm good at following a guide and I understand the DNS process.  I'd like to move on with the guide but highly suspect the VPN tunnel that I'm setting up from the internet, through the Verizon DMZ, to the WAN interface on the pfSense device and directly to the LAN interface with my ESXi server will need this dynamic DNS service.  A red IP address of 0.0.0.0 seems like something is wrong in my setup.

    ![Dynamic DNS with IP 0.0.0.0.secure.jpg](/public/imported_attachments/1/Dynamic DNS with IP 0.0.0.0.secure.jpg)



  • Is the Verizon DMZ causing double-NAT issues which is preventing it obtaining a valid WAN address? What's in the Dynamic DNS logs - any clues?



  • I'm not seeing anything unusual in the logs.
    dyndns.org is working like a champ and hitting the outer router, which in this case is the Verizon router.  I'm wondering if this guide doesn't quite apply to my case given the pfSense box is behind the Verizon router, and maybe there is a way further in the guide for the VPN tunnel to get to and through the Verizon router?  Even a double tunnel would be OK but slow.  Any thoughts?

    So I'm trying to configure a VPN to get from a dyndns valid URL, tunnel thru the verizon router to the pfSense which is static IP to the WAN and is assigned to the DMZ, and move from WAN to LAN1 or OPT2 on my pfSense box.



  • Solved:
    After much reading I came to the conclusion that it is best to put the most powerful router, the pfSense router, out front and put the Verizon FIOS router behind the pfSense on a LAN connection.  I didn't want to do this because if I'm out of town and the pfSense router hangs then I'd have a heck of a time explaining to family how to reboot, etc.  This is the best technical solution, I just had to open my mind while reading the many entries on this site.

    So in less than an hour I released the WAN IP on the Verizon router, swapped the connection to the WAN connection on pfSense router and Verizon didn't have an issue.  Everything came right up.  Advice of course is to preconfigure the device then do the switch.

    Thank you all.  More work ahead but all appears to be falling into place fairly easy.



  • I think that's probably the best solution - TBH I haven't had any issues with pfSense stability and I actually found it more stable than some of the off-the-shelf routers from some ISPs which had limited RAM etc. and would lock up randomly, requiring a reboot.

