PfSense firewall BEHIND router



  • Please see attached illustrations.

    I have a 4 port DSL modem.  On one of the ports (only ONE of them) I want to go to my pfSense firewall box then from there to a Win7 computer acting as a game server.

    The problem is once I place the pfSense box in the middle the server no longer connects.  I'm sure it has to do with the internal 192.168.1.x addresses and subnets.  But I'm very much a noob.  The Win7 server needs firewall protection and the ability to ban specific IP's, hence the pfSense box.

    My logic may be faulty.  I connected one of the DSL ports to pfSense WAN and Win7 machine to pfSense LAN.
    ![working router.png](/public/imported_attachments/1/working router.png)
    ![working router.png_thumb](/public/imported_attachments/1/working router.png_thumb)
    ![nonworking router pfSense behind.png](/public/imported_attachments/1/nonworking router pfSense behind.png)
    ![nonworking router pfSense behind.png_thumb](/public/imported_attachments/1/nonworking router pfSense behind.png_thumb)



  • You must already have the port(s) for the game server forwarded from the DSL modem to 192.168.1.4 (the original game server IP). So we can take advantage of that to make things a little easier.

    pfSense WAN and LAN sides MUST be different subnets. To make life easy for you, make your pfSense WAN IP the same as the old game server IP - 192.168.1.4

    Now pfSense WAN will be receiving incoming connections on the game port(s).

    Change pfSense LAN to be something else - e.g. 192.168.2.1/24

    Change the game server to be in that new LAN subnet - e.g. 192.168.2.4

    In pfSense, Firewall->NAT, Port Forward, add port forward(s) to forward the needed game ports from WAN to 192.168.2.4

    –------------------
    Extra bit:
    In general I would avoid the 192.168.1.0/24 subnet, because it is used by default by so many devices/routers/WiFi... You save yourself future pain from conflicts by picking some "random" piece of private IPv4 address space to use, in the hope that you will not have future accidental conflicts when you add a VPN connection to your mates house, or the office, or...

    If you want to renumber your whole network, then go for it - pick something like 192.168.42.x/24 for the LAN side of your DSL modem, then 192.168.43.x/24 for the LAN side of your pfSense...

    But of course that means you have to change addresses and port forwards in the DSL modem as well as pfSense etc.



  • Thank you for the quick and detailed reply.  This is a new DSL modem that my ISP just installed.  I have never even attempted to log into it.  I do not know how it assigns the IP's to the ethernet ports.

    I guess it just knows, or Steam knows, how to punch through the modem for the game server.  Without the pfSense in the way it works fine.

    To change my game server to 192.168.2.1/24, will Windows7 automatically detect the new LAN?  I know in Win98 I could manually put in the IP and subnet stuff.  Win7 seems to just do stuff automatically and leave me out of the loop.

    I will have to wait for the weekend to enact the changes, after which I will leave feedback.

    ~Mr. Magoo



  • Yes, I expect Steam knows how to punch out through the upstream modem/router(s) - probably it contacts a known server out on the internet.

    In that case, you just need to get pfSense working

    1. Make the pfSense LAN 192.168.2.1/24
    2. Enable the DHCP server on pfSense LAN and let it give out IP addresses in its default range.
    3. Let the client system with the game just get an IP by DHCP. Windows7 will just learn the new subnet and gateway.


  • Phil,

    Thank you for the reply.  The last time I tried to set up pfSense it would not let me set the LAN to DHCP.  It kept telling me it had to be static.  I don't know if this had to do with my WAN settings being on the same subnet.  I will try it again this weekend.

    ~Magoo



  • I think what Phil is suggesting here is to enable the "Services->DHCP Server" for the static LAN interface.

    That way pfSense will have a fixed LAN address (192.168.2.1 within a /24 subnet) and can supply other 192.168.2.??? addresses to everything else you have on that LAN network.
    Your PC's, and other devices may need to reboot/reconnect to get a new address at first, but it should be pretty seamless.

    As Phil mentioned, you definitely can't have LAN and WAN on the same subnet.



  • This is a new DSL modem that my ISP just installed.

    A router is doing SPI/NAT and a modem not! This is your real problem here as I see it right.
    You could try out to set your ISP router into the so called "bridge mode" that this router is
    acting then likes a pure modem. This would also my personally first choice to try out.

    Internet –- modem --- pfSense --- small switch --- LAN clients
                                      |
                                      |opened & forwarded ports
                                      |DMZ
                                      |
                                      Game Server

    This might be the most common option to handle and solve your "problem" in my eyes.

    The second choice would be to create a router cascade or also called "double NAT" situation.
    You set up on your ISP router the following things:
    Network: 192.168.1.0/24 (255.255.255.0)
    IP Address: 192.168.1.1/24 static or fix
    DHCP: off

    pfSense WAN:
    Network:192.168.1.0/24 (255.255.255.0)
    IP Address: 192.168.1.2/24 static or fix
    DHCP: off
    DNS: 192.168.1.1/24

    pfSense LAN:
    Network:192.168.5.0/24 (255.255.255.0)
    IP Address: 192.168.5.1/24
    DHCP: on IP range from 192.168.5.2 - 192.168.5.254/24
    DNS: 192.168.1.2/24



  • It worked!!!!

    Thank you both so much.  I still have to port forward the game but at least now the Win7 Client is able to access the internet from behind the firewall.

    I set WAN to 192.168.1.4 and LAN to 192.168.2.1 and let LAN act as DHCP server.  It took a reboot, but after that everything seems fine.

    Now I have to figure out how to ban certain IP's (cheaters) that Steam/Valve/Gearbox won't do anything about.

    Thanks again.

    ~Magoo



  • Okay,

    Now I have the game server up and going.  Firewall question …

    I have made aliases with all the IP's that I would like to ban.  I have called them:

    A_cheaters
    B_cheaters
    C_cheaters
    etc.

    In order to ban these IP's from communicating with my server I will place a firewall rule for each one of them.  For this to work I will put the rule on?...

    Rule on LAN source - A_cheaters, destination?

    I am not sure if the destination should be LAN address or LAN net.  If I only ban UDP protocol will this speed up the throughput for less lag, or should I leave it to ban any protocol?

    Or is the above totally off base, and the ban should go on the WAN?

    ~Magoo


  • LAYER 8 Global Moderator

    If you do not want those IPs in your aliases to get to your server through your forwards.  Then you want to put them on rules on your wan BEFORE you allow the traffic in on your forward.

    Or they need to be included in your NAT where your source is a NOT, and then an aliases listing the IPs you don't want in.  That is difficult with multiple aliases.

    When you put a rule on the lan, that would be traffic outgoing from your lan.  So if your server was going to create the connection to those IP then you would want them on the LAN side of it.  But if you allow them in, this will create a state.  And then your server would be allowed to answer no matter what rule you had on the LAN side saying not to talk to those IPs.

    Rules are looked at INBOUND to an interface…  Top down, first rule wins.

    So you have to look to where pfsense would first see the SYN, ie the start/request for a conversation.  For stuff inbound into your network starting conversations this is on your WAN..  For your devices on your LAN starting conversations outside of LAN, this would be the LAN interface..



  • Thank you for the reply.

    To see if I understand, if I want to ban "A_cheaters" alias list I would put:

    Firewall –> Rules --> WAN --> Add new rule -->Block, WAN, IPv4, any protocol, source = single host or alias-A_cheaters, destination = any?

    If I wanted to further ensure that my server doesn't make an outgoing connection to these I would put the same rule on the LAN where source = ?, destination = A_cheaters.

    If my computer does connect to any of these IP's from my end, then it will negate the incoming firewall blocking rule.

    Correct?


  • LAYER 8 Global Moderator

    If you don't want your servers connecting to those IPs, ie create the connection to them (not answer) then yes rule would go on your LAN.  Not sure where your server would ever make a connection to them??

    As your wan rule yeah putting those blocks on the top of your rules list would prevent then from hitting any allow rules for your forwards.



  • Ok thanks,  I think I have it.  I'm still not sure what the destination for the WAN rule should be, so I set it to any.

    Steam has been allowing cheaters to still join my server by routing them through a Valve server.  That is why I am interested in the outbound blocks as well.  The game I am hosting is peer-to-peer.  I have noticed that banned IP's still connect via Valve.  If needed, I will ban the Valve servers to keep them from allowing the cheaters in.

    ~Magoo


  • LAYER 8 Global Moderator

    Your destination would normally be your WAN IP..  Since to be honest that is the ONLY IP it could ever be dest for.


Log in to reply