Attempting to Install pfSense on P6T Deluxe V2
I have been trying to figure out how to make pfSense work with some older hardware, which is overkill for a firewall/router, but I am having some issues experimenting. My network already has a router so I think I am getting confused while trying to configure everything. I basically just want a decent custom firewall; I'm unsure that what I am attempting is even possible.
Installation of pfSense on the system goes really well… and my dual gigabit ports and NIC (Marvell) are all detected and working. My problem is I can't seem to get the web interface loaded up. I have the WAN port set as my PCI NIC card and connected to my modem. One of the LAN ports is connected to a switch which in turn is connected to a bunch of computers and a pair of access points. I think I am having trouble understanding what is what...
My router/modem IP is 192.168.1.1 and my computers are all between 192.168.1.100 and 192.168.1.120 or so. When I add the pfSense to the network (after the modem and before the switch) I can't get online or get the web configuration started up. I am not really sure how the ports are supposed to be configured I guess. I assign my IP addresses and I still can't logon to the device.
I've been poring over documentation and tutorials online but I am kind of stuck. Any help would be appreciated. I feel like I am close to having it work, but the correct setup escapes me.
The first issue you'll have to solve is that your LAN interface on pfSense is likely 192.168.1.0/24 which looks like the same subnet your WAN interface is getting (probably via DHCP).
This will not work.
I would suggest:
Move the LAN subnet to something else: 192.168.10.0/24, 10.10.10.0/24, etc. DON'T use 192.168.0.0/24, 192.168.1.0/24, or 10.0.0.0/24.
The reason I suggest this is those "basic" subnets are used as factory defaults for too many devices and lead to the issues you're currently having (plus others in the future).
Just reassign your LAN address and LAN DHCP to match.
You're plugging your pfSense WAN into the modem/router and getting your DHCP from the first router (inside your modem I presume).
This leads to "double NAT" and other less desirable scenarios. It's not the end of the world but is more difficult to resolve once you get into port forwards and other NAT issues.
The best solution is if you can disable the router portion of your modem/router completely (often called putting the device in "bridge" mode) so that pfSense gets an external WAN IP address visible on the internet. Don't worry about the "visible on the internet" part, that's what pfSense is designed for after all.
1) will be a requirement to make this work at all, 2) is HIGHLY desirable.
Okay, thanks for the input. I can easily disable the routing portion of my modem… which I believe disables wireless access too but that's not a big deal as I have a couple other wireless AP on the network.
I was finally able to log onto the web configuration once I assigned a different IP to LAN, which was 192.168.1.3 but I will change that. My ISP gives me a long IPv6 address but I don't have internet access when pfSense is on the network, something about being unable to reach DNS servers.
If I connect just the LAN interface to my network switch I can use the web interface, and obviously still have internet access. Once I remove the modem connection to the switch and connect it to the WAN port of pfSense it all goes down.
I will move the LAN subnet and make sure my modem is in bridge mode, which I had a hunch is what part of the problem was. Not really sure where the DNS servers come into play as in general setup I can add them, but I am confused as to why pfSense would need that info when the modem is already connected to the internet...
If you have your pfSense WAN set up for DHCP, it sends requests and gets an address from your modem and potentially gets its DNS info from the modem as well.
When your modem is not in bridge mode, it hands out an address on the 192.168.1.x subnet to the pfSense WAN.
If your LAN interface on pfSense is using any address on the same subnet (192.168.1.x) it will never route between LAN and WAN and you will not get internet access from LAN.
If WAN and LAN are on the same subnet, it won't work.
Okay, that makes sense, thanks. I'll give it another go when I get home from work and hopefully I can get it sorted out.
Keep at it, from what you've described you ARE close to a basic working setup.
It just gets better after that ;)
Welcome to pfSense!
Close, yet so far away…
Something is still not right. Instead of using the same subnet of 192.168.1.3 for the LAN IP I changed it to 192.168.10.3 but I was never able to connect to the pfSense web configuration again. WAN is set to DHCP6 and my router/modem is set to bridged mode.
I also tried enabling the DHCP server function in pfSense but I don't think it was configured right. I ended up just getting a message on the dashboard that said the IP pool was invalid or something. I wanted the same range of 192.168.1.100 to 192.168.1.250 for my local devices but I don't think any of the computers on the network were actually getting IPs from pfSense.
The good news is that the motherboard and NICs I am using haven't died yet, so that's something.
If you changed the LAN IP to 192.168.10.3 then that implies your LAN subnet for all your local devices will be 192.168.10.0/24.
That means your DHCP pool (you want DHCP on LAN) must be in that subnet, e.g. 192.168.10.100-192.168.250.63 to give you a similar dynamic range to what you have now.
That does mean your home devices are going to change from 192.168.1.100 to 192.168.10.100 for example.
In the end this will be a good thing for your network although it can be disconcerting at first.
I'll bet if you make that change and renew your IP address on the PC that's trying to connect, you'll find you have access again with a new local IP address.
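The two mistakes this thread has hit so far (LAN on the same subnet the modem hands to WAN, and a DHCP pool that lies outside the new LAN subnet, which is what the "invalid pool" dashboard message was about) are easy to check before touching the box. The following script is an added example, not part of the thread or of pfSense itself; the addresses in it are constructed for illustration and the helper names (`check_lan_plan`, `move_pool`) are my own. It uses only the standard `ipaddress` module.

```python
import ipaddress

# Hypothetical helper, not part of pfSense: validate a planned LAN config
# against the WAN lease the modem/router gives pfSense.
def check_lan_plan(wan_lease, lan_addr, pool_from, pool_to):
    """Return a list of problems (empty list means the plan is sound).

    wan_lease: address/prefix pfSense WAN got from the modem, e.g. "192.168.1.50/24"
    lan_addr:  address/prefix you set on the pfSense LAN, e.g. "192.168.10.3/24"
    pool_from, pool_to: first and last address of the LAN DHCP pool
    """
    wan = ipaddress.IPv4Interface(wan_lease)
    lan = ipaddress.IPv4Interface(lan_addr)
    lo = ipaddress.IPv4Address(pool_from)
    hi = ipaddress.IPv4Address(pool_to)
    problems = []

    # Fault 1 from the thread: overlapping WAN and LAN subnets cannot be routed.
    if wan.network.overlaps(lan.network):
        problems.append(
            f"LAN {lan.network} overlaps WAN {wan.network}: "
            "pfSense cannot route between them, move the LAN subnet")

    # Fault 2 from the thread: the DHCP pool must lie inside the LAN subnet.
    if lo > hi:
        problems.append(f"pool start {lo} is after pool end {hi}")
    elif lo not in lan.network or hi not in lan.network:
        problems.append(
            f"DHCP pool {lo}-{hi} is not inside LAN subnet {lan.network}")
    elif lo <= lan.ip <= hi:
        # The interface's own address must not be handed out to clients.
        problems.append(f"LAN address {lan.ip} sits inside the DHCP pool")
    return problems


def move_pool(old_lan, pool_from, pool_to, new_lan):
    """Carry a DHCP pool to a new subnet, keeping the host part.

    Example: 192.168.1.100-192.168.1.250 on 192.168.1.0/24 becomes
    192.168.10.100-192.168.10.250 on 192.168.10.0/24, which is the
    "devices change from .1.100 to .10.100" point made above.
    """
    old = ipaddress.IPv4Network(old_lan)
    new = ipaddress.IPv4Network(new_lan)
    moved = []
    for addr in (pool_from, pool_to):
        offset = int(ipaddress.IPv4Address(addr)) - int(old.network_address)
        candidate = new.network_address + offset
        if candidate not in new:
            raise ValueError(f"{addr} has no counterpart inside {new}")
        moved.append(str(candidate))
    return tuple(moved)


if __name__ == "__main__":
    # Constructed scenarios mirroring the thread: same-subnet, wrong pool, fixed.
    print(check_lan_plan("192.168.1.50/24", "192.168.1.3/24",
                         "192.168.1.100", "192.168.1.250"))
    print(check_lan_plan("192.168.1.50/24", "192.168.10.3/24",
                         "192.168.1.100", "192.168.1.250"))
    print(check_lan_plan("192.168.1.50/24", "192.168.10.3/24",
                         "192.168.10.100", "192.168.10.250"))
    print(move_pool("192.168.1.0/24", "192.168.1.100", "192.168.1.250",
                    "192.168.10.0/24"))
```

Run it and the first two scenarios each report exactly one problem (the overlap, then the out-of-subnet pool); the third returns an empty list, and `move_pool` gives the renumbered range to type into the LAN DHCP server page.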
I think my whole problem is my modem/service… when I switch from normal mode to bridged mode it resets and then I can't seem to connect to it, even when I attach a workstation directly, bypassing everything. If I eventually am able to log into it I notice that my WAN IP is IPv4 and not IPv6. But when I look up my public IP via browser it's clearly IPv6.
That's what it looks like when pfSense is not implemented. Pretty normal, devices getting IP from modem/router etc. Once I install the pfSense unit I can see that the DHCP server changes but I am never able to connect.
Which IP do I enter for WAN? or do I set it to DHCP6? Or am I just confusing myself? :P
Unless you're actively set up for IPv6, I would leave that disabled for now to simplify things.
If you're getting an IP address of 192.168.1.x in Bridge mode - er, then you're not in Bridge mode, or your modem switches out IPv4 when you ask for IPv6.
You should get a valid external IPv4 address not a 192.168.x.x variant.
Your WAN should normally be setup to DHCP IPv4.
Whoops, just noticed you have DHCP enabled on the Xfinity, that shouldn't be the case in bridge mode.
Where/how did you think you've changed modes in the modem/router?
Does your ISP give you any helpful tips in this area?
I found a thread on the Comcast forums that may be helpful, it has explicit instructions for changing over to Bridge mode:
Thanks, I wasn't aware that enabling bridge mode made it so only one port worked… that might explain why I couldn't access the modem afterward.
I will keep trying to figure this out; I will probably opt to use a mini-ITX board with dual LAN ports for pfSense, since they use a lot less power. That may actually make it a little easier to figure out as well, since the NIC I am currently using probably isn't compatible.
Yah, the general idea around Bridge mode is to bypass all the "router" functions of the dual mode device so you get a modem only setting.
That means all the nice router features are gone, but on the plus side pfSense can easily do those functions - and many more.
One last caveat, you're going to end up needing some other means of providing WiFi as that feature will be turned off in the Xfinity as well.
Most people simply attach a WiFi Access Point on their pfSense LAN (a WiFi router with DHCP turned off works well).
Yes I have a pair of access points on the network, we never connected directly to the wifi on the router/modem anyway.
I kind of gave up on the setup I was using, but I have a mini-ITX board with an NVIDIA network controller and a Realtek PCIe card installed. Again, both interfaces are detected and I can assign the IP addresses no problem but I was never able to connect and see the web configuration.
Is it possible to leave the modem as the DHCP server for the LAN and have pfSense act as a forwarder? Reason being my modem seems to become inaccessible once bridged mode is enabled. On one occasion it set its own IP to 10.0.0.1 and I had to figure that out simply by bringing up the IP configuration via command prompt.
Having pfSense not be the router seems anti-productive but I just can't seem to get it to work :-\
You can try starting with a dual-NAT setup to prove that pfSense will work for you.
The cabling is generally set up like:
The modem/router is left in "Normal" mode and provides DHCP on its LAN port.
pfSense is set up for DHCP on WAN (default) and should get an internal IP address from your modem/router.
You'll want DHCP configured on the pfSense LAN interface as well so your various devices can get an address on your LAN network.
Make sure your pfSense LAN subnet is different from the subnet given by your modem/router to the pfSense WAN interface
If all is well, devices connected to your switch should be able to get an IP address.
You should be able to reach the Web GUI at the LAN interface address you set up, and you can make sure you have a LAN Firewall rule allowing "Any - Any" to give you outgoing internet access for your devices.
Once this works, you can:
- Mess with double port forwards from your modem/router to pfSense and then on to internal devices that need them.
- Take another stab at changing the modem/router back to bridge mode and figure out what you need to do to get internet access in bridge mode.
- Give up for a while and relax with a cold one or two until you're ready to attack 1) or 2) again (always my favorite) ;)
Don't give up this stuff is all doable, you just need your "Aha!" moment…
Alright, I think I know what to do. Since the pfSense device isn't the DHCP server it needs an internal IP from my modem/router. Enabling DHCP on the LAN interface makes it so the rest of my devices can get their IPs from the modem/router and through the firewall (pfSense)? I do have a question about the upstream gateway… is that asking for the local IP of my modem/router? I entered that figuring that's what it meant but it didn't really seem to do much. Is that something that only gets configured for the WAN interface?
Alright, I think I know what to do. Since the pfSense device isn't the DHCP server it needs an internal IP from my modem/router.
Not exactly, on pfSense you setup the WAN interface to use DHCP to automatically get a WAN IP address from the modem.
Because your modem is also a router, the address pfSense gets will be an "internal" RFC1918 address that cannot be routed on the Internet (192.168.x.x for example).
You need to make sure the pfSense WAN interface is setup for DHCP on IPv4, None on IPv6 and uncheck the box that says "Block private networks and loopback addresses".
Enabling DHCP on the LAN interface makes it so the rest of my devices can get their IPs from the modem/router and through the firewall (pfSense)? I do have a question about the upstream gateway… is that asking for the local IP of my modem/router? I entered that figuring that's what it meant but it didn't really seem to do much. Is that something that only gets configured for the WAN interface?
pfSense does provide DHCP on its LAN interface (make sure to set it up that way).
DHCP on the pfSense LAN interface is provided to all your attached devices so that they get an "internal" (RFC1918) address that matches the subnet defined for the LAN interface.
They will ask pfSense to tell them how to get "out to the internet" (or anywhere other than their LAN subnet).
The neat thing is they have no idea (nor do they need any) how pfSense does that; they don't know about the modem/router or the WAN IP.
They know the address/subnet pfSense gave them and that the pfSense LAN address is where they can go to get "outside".
This why you DO NOT WANT to enter a gateway address anywhere, leave it at default and pfSense can make things work.
Another subtle gotcha in this setup is that the pfSense LAN subnet CANNOT be the same as the subnet handed out by the modem/router.
This goes back to my earlier advice to move off of the "default" RFC1918 addresses (192.168.0.x, 192.168.1.x, etc.).
As always, the description of these setups is always WAAAAAY longer than actually doing them.
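To make the "double NAT" and "double port forwards" points concrete, here is an added simulation of the dual-NAT cabling described above; it is illustrative code written for this thread, not anything from pfSense or the modem. It models each NAT device with an inside subnet, an outside address and a port-forward table, then traces a LAN host's outbound source address through both hops and an inbound connection back through both forward tables. All addresses are constructed (203.0.113.7 is a documentation-range public address standing in for the ISP lease), and the class and function names are my own.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NatHop:
    """One NAT device: traffic from `inside` leaves as `outside_ip`.

    forwards maps (proto, outside_port) -> (inside_ip, inside_port) and
    represents the port-forward rules configured on that device.
    """
    name: str
    inside: ipaddress.IPv4Network
    outside_ip: ipaddress.IPv4Address
    forwards: dict = field(default_factory=dict)

    def translate_out(self, src):
        """Source NAT: an inside address appears as this hop's outside address."""
        if ipaddress.IPv4Address(src) not in self.inside:
            raise ValueError(f"{src} is not inside {self.name} ({self.inside})")
        return str(self.outside_ip)

    def translate_in(self, proto, port):
        """Destination NAT: look up a port forward, None if there is none."""
        return self.forwards.get((proto, port))


def trace_outbound(hops, src):
    """Return the source address as seen after each hop, innermost first."""
    seen = []
    for hop in hops:
        src = hop.translate_out(src)
        seen.append(src)
    return seen


def trace_inbound(hops, proto, port):
    """Walk an inbound connection from the internet side inward.

    Returns the final (ip, port) on the LAN, or None if any hop lacks a
    forward, which is why a service behind two routers needs two rules.
    """
    target = None
    for hop in reversed(hops):  # outermost device (the modem/router) first
        target = hop.translate_in(proto, port)
        if target is None:
            return None
        _, port = target
    return target


# Constructed topology mirroring the thread: modem/router in "Normal" mode
# gives pfSense WAN a 192.168.1.x lease; pfSense LAN is 192.168.10.0/24.
modem = NatHop("modem/router", ipaddress.IPv4Network("192.168.1.0/24"),
               ipaddress.IPv4Address("203.0.113.7"))
pfsense = NatHop("pfSense", ipaddress.IPv4Network("192.168.10.0/24"),
                 ipaddress.IPv4Address("192.168.1.50"))
HOPS = [pfsense, modem]  # innermost first


def double_forward_demo():
    """Port 443 to a LAN host needs a rule on BOTH devices; return both tries."""
    only_modem = dict(modem.forwards)
    only_modem[("tcp", 443)] = ("192.168.1.50", 443)
    with_one_rule = trace_inbound(
        [pfsense, NatHop(modem.name, modem.inside, modem.outside_ip, only_modem)],
        "tcp", 443)
    both = dict(pfsense.forwards)
    both[("tcp", 443)] = ("192.168.10.20", 443)
    with_both_rules = trace_inbound(
        [NatHop(pfsense.name, pfsense.inside, pfsense.outside_ip, both),
         NatHop(modem.name, modem.inside, modem.outside_ip, only_modem)],
        "tcp", 443)
    return with_one_rule, with_both_rules


if __name__ == "__main__":
    print(trace_outbound(HOPS, "192.168.10.100"))
    print(double_forward_demo())
```

The outbound trace shows a LAN host leaving pfSense as 192.168.1.50 and then the modem as 203.0.113.7, two translations for every flow. The inbound demo returns `None` when only the modem has a forward and the LAN target only once pfSense has its own rule as well; that is the "double port forward" the reply mentions, and the reason bridge mode (one NAT, one rule) is the cleaner end state.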