DD-WRT to pfSense

I’m trying to use a ProtectLi pfSense as a router for part of a network, but not directly interface with the modem. A DD-WRT router is directly connected to the modem.

ISP Modem → DD-WRT Router → pfSense ProtectLi → PC

Despite allowing these private connections in the Wizard setup, it’s not allowing the internet through.

I also checked the DD-WRT router’s DHCP and the IP addresses should work together. Should I post screenshots of both setup panels here?


Seems like you are trying to use double NAT, i.e. two firewalls. DD-WRT + pfSense.
While double NAT can be made to work, in the long run it will be problematic.

You might be better off connecting pfSense directly to your ISP’s modem. Assuming you are using DD-WRT for WiFi connectivity, connect DD-WRT LAN side to pfSense LAN side and configure DD-WRT in what is commonly referred to as Access Point (AP) mode. It also makes future WiFi upgrades significantly easier since it sits behind your enterprise class pfSense firewall.


I don’t have DD-WRT but have 2 pfSense fw, a protectli-vault and a zotac.

isp -- protectli-vault --
                               |--(dhcp)-- zotac --

Any clients in the zotac network can access the Internet.

Alright I figured out my problem was MAC address spoofing. Does MAC address spoofing through pfSense only work when it’s directly connected to the ISP Modem?

I’m assuming the MAC address spoof messes up the DHCP assignment of IP addresses. But I don’t understand why if the device needs both a MAC and IP.

If you still have pfSense behind your existing DD-WRT router, you don’t need to enable MAC spoofing since pfSense will get a private DHCP IP address from your DD-WRT router. In fact, if you enable MAC spoofing and enter a MAC that is already in use by another device, pfSense will be unable to route traffic, as you discovered. MAC spoofing is really only necessary if your ISP ties your service to the WAN MAC address of your firewall and not the modem, and you want to avoid reprovisioning when you change firewalls.

A MAC address is unique to the hardware. A DHCP server uses the unique HW MAC address to assign an IP address which will change depending on what network you are connected to. If you want a client to have the same IP address (e.g. a server), you can either set a static IP address on the client or assign a static IP reservation in your DHCP server using the client MAC address and the desired IP address. Just make sure the static IP address is outside your DHCP server IP address pool range.


DD-WRT and other open source firmware (LEDE/OpenWrt, etc.) are good for what they do: keeping otherwise unsupported OEM consumer WiFi routers out of landfills. DD-WRT has been in perpetual alpha/beta since at least 2006. Do you really want to keep running DD-WRT as your edge firewall or use open source enterprise class firewall pfSense?
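
The reservation advice in the reply above, as an added example (not code from this thread, pfSense or DD-WRT): a Python check that each static mapping sits outside the dynamic pool and that no MAC is used twice. The group-bit test is an extra check not raised in the thread, and the subnet, pool range, addresses and function names are all constructed for illustration.

```python
import ipaddress
import re

MAC_RE = re.compile(r"[0-9a-fA-F]{2}([:-][0-9a-fA-F]{2}){5}")

def parse_mac(text):
    """Return the MAC as 6 bytes; raise ValueError if it is not 6 hex octets."""
    if not MAC_RE.fullmatch(text):
        raise ValueError(f"not a 6-octet MAC: {text!r}")
    return bytes.fromhex(re.sub(r"[:-]", "", text))

def check_reservations(subnet, pool_start, pool_end, reservations, in_use=()):
    """Return (entry, problem) pairs; in_use lists MACs already on the segment."""
    net = ipaddress.ip_network(subnet)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    seen_macs = {parse_mac(m) for m in in_use}
    problems = []
    for mac_text, ip_text in reservations:
        try:
            mac = parse_mac(mac_text)
        except ValueError:
            problems.append((mac_text, "bad-mac"))
            continue
        ip = ipaddress.ip_address(ip_text)
        if mac[0] & 0x01:  # lowest bit of the first octet marks a group address
            problems.append((mac_text, "group-bit"))
        if mac in seen_macs:  # two devices sharing one MAC breaks delivery
            problems.append((mac_text, "duplicate-mac"))
        seen_macs.add(mac)
        if ip not in net:
            problems.append((ip_text, "off-subnet"))
        elif lo <= ip <= hi:  # the server could lease this address to another client
            problems.append((ip_text, "in-pool"))
    return problems

# Constructed sample: DHCP server on 192.168.1.0/24 leasing .100 to .199.
SAMPLE = [
    ("00:11:22:33:44:55", "192.168.1.10"),   # fine
    ("00-11-22-33-44-55", "192.168.1.11"),   # same MAC reserved twice
    ("02:aa:bb:cc:dd:01", "192.168.1.150"),  # inside the dynamic pool
    ("03:aa:bb:cc:dd:02", "192.168.1.12"),   # group bit set in first octet
    ("02:aa:bb:cc:dd:0", "192.168.1.13"),    # malformed, last octet too short
]

def demo():
    return check_reservations("192.168.1.0/24", "192.168.1.100", "192.168.1.199", SAMPLE)

if __name__ == "__main__":
    print(demo())
```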

Thanks for your help, you clearly know more about this than the original Elvis Presley.

I understand that MAC spoofing on pfSense, when it’s already behind a DD-WRT router is pointless. But I am confused why MAC spoofing by itself would cause it to fail? I did not use the MAC of a different network device.

I did have an IPv4 DHCP on the DD-WRT, and an IPv6 MAC that I made up. Is that the issue? How do I make up a good bullshit MAC?

If I have both routers on, “double firewall” slows the internet from like 50 mbps to 6. Why is this?

Could be any number of things.

  1. Bad cable or port connection
  2. Poor performing HW
  3. Poor performing SW
  4. Improper configuration

My previous post is still recommended.

I know Tom has a number of pfSense videos, but this one by Chuck is hilarious if you can stomach his caffeine fueled sense of humor.

OK, thank you. Do you know any videos on pfSense MAC spoofing?

I am not looking to “clone”, but just total bullshit. It’s having issues with my random numbers/letters though.

Your question might be better addressed on the official ofSense forum. Pun intended.