Hi,
Former software engineer here, pfsense NOOB. I have set up a virtualized pfsense router on a PC with a dual 1Gb NIC card. There are 2 LANs, one connected to each port on the NIC. Internet access comes in through a modem. If I leave my current router connected between the modem and pfsense (WAN set to DHCP), I have internet access. If I bypass the router and connect the pfsense box directly to the modem, I cannot get a DHCP assignment from the ISP (no internet; both LANs are operational). I have tried setting the Default recipes as given, powering down the modem, etc. to no avail. It seems like communication between the modem and pfsense is blocked. Started looking at the firewall logs. Do I need to add any pass FW rules on the WAN?
Any help, steps to take next, etc., as to what to look at would be greatly appreciated! Thanks.
If you are new to pfsense, it's better to set up on a physical device first; once you suss it out then you'll know what you need to do to virtualise it. You might want to look at your NAT rules.
Thank you. It's possible that the host OS could be grabbing the WAN port before pfsense boots up, which would not occur with a router in place. What should I be looking for in the NAT rules?
Could you clarify your setup a bit? I have had pfSense running in VMware Workstation to test stuff with.
Couple of tips…
Make sure you're operating your WAN interface in bridge mode (in VM settings) so that it has a real presence on your LAN, unless you're specifically trying to NOT do this.
Remember that you shouldn't put two DHCP servers on the same LAN. If your modem is hosting DHCP and you're also attempting to host DHCP on the LAN interface of pfSense, you'll likely run into problems.
Depending on your desired config, your ISP modem may not be configured to give pfSense the public IP you're expecting. If you're attempting to get a private IP from your ISP, I'm pretty certain pfSense blocks that by default (it's a setting that can be disabled in Interfaces -> WAN -> (bottom of page) uncheck "Block private networks"). But before you make that change, please clarify what your design is.
Lastly, if you are trying to use pfSense as an internal router (but still behind the ISP router) then you'll probably need to update the IP network assigned to the LAN interface and confirm the routing changes are active - otherwise clients might get a DHCP address from the ISP and use that as the default gateway, when you want the pfSense host to be the gateway - again requires clarification of your design.
Could you elaborate and maybe draw out what you're looking to do?
Dual Gb NIC with pfsense in VM with all 3 ports in "Bridged Mode"
Cable modem is just a modem, not a combo router. It does supply a DHCP public IP address to the router that is currently between the ISP modem and my pfsense. In this case "all is well" and internet access is available to LAN1
Each LAN has DHCP enabled and working
Firewall rules have been setup for LANs
What do I need to do for the WAN? If I remove router and plug Modem into pfsense I do NOT get a gateway or DHCP assignment.
Thank you very much for any assistance in advance.
I'm going to make some small assumptions here, please correct me where I'm wrong.
I've seen from experience that attempting to "swap" the device behind the cable modem will not work unless you also power cycle the cable modem - I don't know if that's the case with your particular setup but worth testing.
If that's not the case and even after power cycling the cable modem the pfsense host still does not receive the public IP you expect, then I'd check out how you have your host/VM networking configured.
You mention a dual port NIC, and I'd assume you know for sure which port on the NIC is the correct one being assigned to the WAN interface inside pfsense. I'd start by first determining if you can get a DHCP public address on the bare metal host running dhcp-client. Assuming that you do, then my next thought is that you don't have the virtual ethernet ports mapped the way you expect them to be. Fair amount of troubleshooting to resolve here - hard to give suggestions through forum posts.
Another thought - make sure that you're not configuring the ethernet port in Linux Mint for the uplink to your cable modem. You want the interface up, but without any assignment. Then you'd want to be sure the interface (the one dhcp-client works with on the host) is mapped to em0 in pfSense. The important part here is to NOT assign DHCP or static IPs on that interface in Linux Mint. That interface is strictly acting as a bridge to the guest em0 interface.
Report back when you've reviewed. You've got a nice plan here, would love to see it work for you.
Well, as we suspected, the WAN port WAS being automatically assigned and causing interference with the pfsense assignment of the WAN port. I modified the port using the nmcli command - Mint also has an Advanced Network Panel where the auto can be switched off.
So THANK YOU! Now I have another related question: if you refer back to the diagram above, the em1 LAN1 port has to be left on Auto Connect - otherwise the Linux Mint shares are not available on LAN1. I would have thought that the pfsense LAN1 definition would have taken care of that when it configures LAN1?
What I've done is to define various VLANs on different subnets; these are then added to an alias. Then in the firewall rules I either allow or deny access to my Local Subnets alias.
em1 LAN1 port has to be left on Auto Connect - otherwise the Linux Mint shares are not available on LAN1. I would have thought that the pfsense LAN1 definition would have taken care of that when it configures LAN1?
I'm not 100% clear on what you mean, but I believe you're saying that the secondary interface on your host (Linux Mint - eth1 for conversation) is piped into the VM as em1. You want pfSense (via em1) to provide DHCP services to your physical LAN, including the Linux Mint host you're operating on.
I've not tested that specifically, but you would need to keep your eth1 -> em1 VM configuration in Bridge mode, and then make sure that when you're running dhcp-client you're ONLY asking for a DHCP lease on eth1. That should pass the DHCP request into the virtual machine (pfSense) and get an IP (please test and report back). The eth1 interface would need to be connected to your switch so the other devices can get a LAN address from the pfSense host also.
If you do NOT want IoT devices reachable on the same LAN, then you'd need to configure a VLAN interface in pfSense (and in Linux Mint). If they exist on the same IP network, then the firewall on pfSense never has a chance to intercept and block the traffic (because of the way networks and routing work). I won't go into details here (pfSense VLAN config here)
Once you have that done, then you'll also need to configure the appropriate security zones/rules between the new zones and the firewall/public network, DHCP server, etc.
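The host-side state that the two replies above describe (the uplink port bridged to em0 left up but without any address, the port bridged to em1 kept on a normal auto-connecting profile so the Mint host itself gets its lease from pfSense) as a script. This is an added example, not something posted in the thread: the interface names enp1s0f0/enp1s0f1, the profile name lan1 and the sample addresses are assumptions, and the two `ip -4 -o addr` listings are constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed host NIC ports:
WAN_UPLINK=enp1s0f0   # bridged to pfSense em0 (WAN), cabled to the cable modem
LAN1_PORT=enp1s0f1    # bridged to pfSense em1 (LAN1), cabled to the LAN1 switch

# Stop NetworkManager from touching the uplink (no DHCP, no auto-connect), but
# leave the link up so the VM bridge still has carrier. Only the pfSense guest
# should ever ask the modem for its single DHCP lease.
release_wan_uplink() {
    nmcli device disconnect "$WAN_UPLINK" 2>/dev/null || true
    nmcli device set "$WAN_UPLINK" managed no
    ip link set "$WAN_UPLINK" up
}

# Give the LAN1 port an auto-connecting DHCP profile so the host gets its
# address from the pfSense DHCP server through the bridge. For a static host
# address, as the OP chose, use ipv4.method manual plus ipv4.addresses instead.
keep_lan1_autoconnect() {
    nmcli connection delete lan1 2>/dev/null || true
    nmcli connection add type ethernet ifname "$LAN1_PORT" con-name lan1 \
        connection.autoconnect yes ipv4.method auto
    nmcli connection up lan1
}

# Check over an `ip -4 -o addr` listing read from stdin: succeeds only if the
# WAN uplink carries no IPv4 address and the LAN1 port carries one.
check_host_nics() {
    awk -v wan="$WAN_UPLINK" -v lan="$LAN1_PORT" '
        $3 == "inet" && $2 == wan { wan_ip = 1 }
        $3 == "inet" && $2 == lan { lan_ip = 1 }
        END { exit (wan_ip || !lan_ip) }'
}

# Constructed, abridged listings (not real output) for the two states.
# BEFORE: the host grabbed the modem lease on the uplink, starving pfSense.
BEFORE='2: enp1s0f0    inet 203.0.113.25/24 brd 203.0.113.255 scope global dynamic enp1s0f0
3: enp1s0f1    inet 192.168.1.7/24 brd 192.168.1.255 scope global dynamic enp1s0f1'
# AFTER: uplink unmanaged and addressless, LAN1 port still leased by pfSense.
AFTER='3: enp1s0f1    inet 192.168.1.7/24 brd 192.168.1.255 scope global dynamic enp1s0f1'

case "${1:-}" in
    apply)   # run as root on the Mint host
        release_wan_uplink
        keep_lan1_autoconnect
        ip -4 -o addr | check_host_nics && echo "host NICs OK"
        ;;
    *)       # dry run against the constructed listings
        printf '%s\n' "$BEFORE" | check_host_nics && echo "before: OK" || echo "before: host still owns $WAN_UPLINK"
        printf '%s\n' "$AFTER"  | check_host_nics && echo "after: OK"  || echo "after: check failed"
        ;;
esac
```

Run it with no arguments to see the check fail on the "before" listing and pass on the "after" one; `sh host-nics.sh apply` performs the change. The check is the same one to repeat after every reboot: if the uplink port ever shows an `inet` line again, the host has taken the modem's lease back and pfSense will sit without a WAN address exactly as in the original post.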
Thank you again for your help and also for Tom's great videos! I now have the network operational as designed and am happy with its operation.
1 Yes the secondary interface on the HOST must be auto configured - it will not connect otherwise - I would have expected pfsense to "know" that it was on LAN1. I have set up a static IP for it. LAN is in bridged mode.
2 "If you do NOT want IoT devices reachable on the same LAN, then you'd need to configure a VLAN interface in pfSense (and in Linux Mint). If they exist on the same IP network, then the firewall on pfSense never has a chance to intercept and block the traffic (because of the way networks and routing work)" I have thought about this - VLANs require a managed switch to filter the various VLANs to the subnets (although your response hints that it might be possible to do without a managed switch???
===> please respond on this.<==)
One other issue I have noted is in regards to my wireless AP on LAN2: I am using a router that has been flashed with DD-WRT and set it up with a static IP on LAN2 in ROUTER mode (DHCP disabled). It works with the pfsense DHCP server providing IPs to wireless clients. HOWEVER, while it is on LAN2 it does NOT show up in the DHCP leases. I can ping it and it passes traffic to wireless clients which DO show up in the leases. Please comment.
VLANs require a managed switch to filter the various VLANs to the subnets (although your response hints that it might be possible to do without a managed switch???
There is a bigger conversation to be had, but technically speaking you do NOT need a managed switch to use VLANs if you trust all your devices. You could (with some limitations) run both networks on the same switch without VLAN assignments. One very important limitation is that you would not be able to run 2 DHCP servers on the same switch, because the clients would not know which server to ask for an address from (the difference between 192.168.1.0/24 and 192.168.2.0/24).
Additionally, you could pass VLANs around with an unmanaged switch; the switch just won't know about it. Assuming that you're not attempting to untag a VLAN packet, then a traditional switch should work just fine. The switch will pass tagged/untagged ports, but it cannot separate them. For example, if you are operating a Linux host and set up a VLAN interface on ID 2 and 3, the parent interface is now considered a trunk. While the switch doesn't know about it (in the sense of understanding the difference between them) it will still accept the packets. To finish out that scenario, if you then have a second host also configured with VLAN 2 or 3, those networks would be picked up (separately) and used on both hosts. The switch makes it easier for the clients to support a network without having the overhead of managing a trunk port.
That said, you could (if the devices support it) configure a VLAN interface with JUST the desired ID on the target endpoint. Most modern network drivers would support this function, though I'm not sure if the IoT devices would (I suspect not).
Those are really bad examples and I'd recommend against it, but I believe you could do exactly that. I'm not sure what value it would provide, but it should work.
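The Linux-host side of the scenario in the reply above (one NIC carrying tagged sub-interfaces for VLAN 2 and VLAN 3, which makes the parent a trunk that an unmanaged switch passes through unchanged) as a script. This is an added example and not part of the thread or of pfSense; the parent name eth1, the VLAN IDs and the addresses are assumptions picked for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Tag two VLAN sub-interfaces on one NIC.
# The untagged parent gets no address: it only carries the tagged frames. A
# second host configured the same way through a dumb switch sees VLAN 2 and
# VLAN 3 as separate networks; an untagged device on that switch sees only
# untagged frames and neither VLAN.
PARENT=eth1   # assumed host NIC that faces the unmanaged switch

# Validate an 802.1Q VLAN ID: digits only, 1..4094 (0 and 4095 are reserved).
valid_vlan_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Conventional Linux name for a tagged sub-interface: <parent>.<id>
vlan_ifname() {
    printf '%s.%s\n' "$1" "$2"
}

# Echo each command and execute it only when DO_IT=1, so the script can be
# read and tested without touching a live NIC.
run() {
    echo "+ $*"
    if [ "${DO_IT:-0}" = 1 ]; then "$@"; fi
}

# Create one tagged sub-interface on parent $1 for VLAN $2 with address $3.
add_vlan() {
    parent=$1; vid=$2; cidr=$3
    valid_vlan_id "$vid" || { echo "invalid VLAN id: $vid" >&2; return 1; }
    sub=$(vlan_ifname "$parent" "$vid")
    run ip link add link "$parent" name "$sub" type vlan id "$vid"
    run ip addr add "$cidr" dev "$sub"
    run ip link set "$sub" up
}

# Parent up but addressless; it is now a trunk carrying tags 2 and 3.
run ip link set "$PARENT" up
add_vlan "$PARENT" 2 192.168.2.10/24   # e.g. trusted LAN
add_vlan "$PARENT" 3 192.168.3.10/24   # e.g. IoT
```

Without `DO_IT=1` it only prints the `ip` commands. For pfSense to route and filter between the two tags, its LAN parent needs matching VLAN interfaces (Interfaces -> Assignments -> VLANs, IDs 2 and 3), each with its own subnet, DHCP scope and firewall rules, as the reply says. The caveat from the reply still stands: a device that cannot tag (most IoT gear) lands on the untagged network, and separating it then needs a managed switch that can assign an access port to the VLAN.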
So I changed
System -> Routing -> Gateways: change "Default gateway" from "Automatic" to "WAN_DHCP"
Secondly, after reading a post by user Gerard I changed the following:
Disabled the gateway monitoring action; that fixed my problem.
System -> Routing -> Gateways -> Edit
Sincerely hope this saves someone else some issues.
Hi Sterling - No need to apologize! PFS is complicated and sharing info helps all out! TY! Was curious on your issue with the gateway monitoring - what problem were you having? I had an issue where it would cause intermittent loss of internet. The selection of the monitoring IP is important. One DNS (9...) caused weird issues - switching to another DNS resolved it!
Gator:
Iâd been using pfSense for about 4 years when my 4 port NIC failed.
Suddenly very intermittent... then soon dead.
I decided to roll a new SSD in with the new NIC.
Setup seemed to go OK. I was behind a spare router just for the setup.
When I moved the pfSense PC to be my main router it would not connect to the internet. Very flaky. Defied normal troubleshooting ability.
My experience is like yours: DNS is usually the culprit.
In this case I could not "resolve" the problem until I ran across Gerard's post.
I also noted the additional step I found in the documentation.
I saw many others with similar problems. Experienced folks who just gave up.
I hope this can help others.
If I can throw in one more tip:
I noticed the NIC seemed to be warm to the touch.
So when I replaced it I modded the case to add a small 60mm fan.