pfSense - WAN Setup - Only works behind another router

Hi,
Former software engineer here, pfsense NOOB. I have set up a virtualized pfsense router on PC with a dual 1Gb NIC card. There are 2 LANs connected to each port on NIC. Internet access comes in thru a modem. If I leave my current Router connected between modem and pfsense, (WAN set to DHCP) I have internet access. If I bypass the router and connect pfsense box directly to modem I cannot get a DHCP assignment from ISP (no internet, both LANs are operational). I have tried setting the Default recipes as given, powering down modem, etc to no avail. Seems like comm between modem and pfsense is blocked. Started looking at Firewall logs. Do I need to add any pass FW rules on the WAN?

Any help, steps to take next, etc as what to look at would be greatly appreciated! Thx.

If you are new to pfsense, it’s better to set up on a physical device first, once you suss it out then you’ll know what you need to do to virtualise it. You might want to look at your NAT rules.

Thank you. It's possible that the Host OS could be grabbing the WAN port prior to pfsense booting up, which would not occur with a router in place. What should I be looking for in the NAT rules?

Could you clarify your setup a bit? I have had pfSense running in VMWare Workstation to test stuff with.

Couple of tips…

Make sure you’re operating your WAN interface in bridge mode (in VM settings) so that it has a real presence on your LAN, unless you’re specifically trying to NOT do this.

Remember that you shouldn’t put two DHCP servers on the same LAN. If your modem is hosting DHCP and you’re also attempting to host DHCP on the LAN interface of pfSense, you’ll likely run into problems.

Depending on your desired config, your ISP modem may not be configured to give pfSense the public IP you’re expecting. If you’re attempting to get a private IP from your ISP, I’m pretty certain pfSense blocks that by default (it’s a setting that can be disabled in Interfaces -> WAN -> (bottom of page) Uncheck block private networks). But before you make that change, please clarify what your design is.

Lastly, if you are trying to use pfSense as an internal router (but still behind the ISP router) then you’ll probably need to update the IP network assigned to the LAN interface and confirm the routing changes are active - otherwise clients might get a DHCP address from the ISP and use that as the default gateway, when you want the pfSense host to be the gateway - again requires clarification of your design.

Could you elaborate and maybe draw out what you’re looking to do?

  1. Dual Gb NIC with pfsense in VM with all 3 Ports in “Bridged Mode”
  2. Cable Modem is just a modem not a combo router. It does supply a DHCP Public IP address to the router that is currently between ISP modem and my pfsense. In this case "all is well" and internet access is available to LAN1
  3. Each LAN has DHCP enabled and working
  4. Firewall rules have been setup for LANs
  5. What do I need to do for the WAN? If I remove router and plug Modem into pfsense I do NOT get a gateway or DHCP assignment.

Thank you very much for any assistance in advance.

I’m going to make some small assumptions here, please correct me where I’m wrong.

I’ve seen from experience that attempting to ‘swap’ the device behind the cable modem will not work unless you also power cycle the cable modem - I don’t know if that’s the case with your particular setup but worth testing.

If that’s not the case and even after power cycling the cable modem the pfsense host still does not receive the public IP you expect, then I’d check out how you have your Host/VM networking configured.

You mention a dual port NIC, and I’d assume you know for sure which port on the nic is the correct one being assigned to the WAN interface inside pfsense. I’d start by first determining if you can get dhcp public address on the bare metal host running dhcp-client. Assuming that you do then my next thought is that you don’t have the virtual ethernet ports mapped the way you expect them to be. Fair amount of trouble-shooting to resolve here - hard to give suggestions through forum posts.

Another thought - make sure that you’re not configuring the ethernet port in Linux Mint for the uplink to your cable modem. You want the interface up, but without any assignment. Then you’d want to be sure the interface (the one dhcp-client works with on the host) is mapped to em0 in pfSense. The important part here is to NOT assign DHCP or static IPs on that interface in Linux Mint. That interface is strictly acting as a bridge to the guest em0 interface.

Report back when you’ve reviewed. You’ve got a nice plan here, would love to see it work for you.

Well as we suspected the WAN port WAS being automatically assigned and causing interference with pfsense assignment of the WAN port. I modified the port using the nmcli command - Mint also has an Advanced Network Panel where the auto can be switched off.

So THANK YOU! Now I have another related question: If you refer back to the diagram above, em1 LAN1 port has to be left on Auto Connect - otherwise the Linux Mint Shares are not available on LAN1. I would have thought that pfsense LAN1 definition would have taken care of that when it configures LAN1?

2nd Question: referring back to the diagram: on em2 (LAN2) I can ping other hosts on that LAN.
I found this answer on netgate: https://forum.netgate.com/topic/39883/can-you-block-lan-to-lan-traffic

"podilarius, Dec 10, 2011, 3:46 PM:
That is not possible. LAN to LAN traffic will never get to the firewall."

So what is the purpose of FW Rules like:
ALLOW SOURCE LAN1 - DESTINATION LAN1 any ??

Is there any way to isolate the IOTs on LAN2 on the diagram?

Thank you

What I’ve done is to define various vlans on different subnets, these are then added to an alias. Then in the firewall rules I either allow or deny access to my Local Subnets Alias.

em1 LAN1 port has to be left on Auto Connect - otherwise the Linux Mint Shares are not available on LAN1. I would have thought that pfsense LAN1 definition would have taken care of that when it configures LAN1?

I’m not 100% clear on what you mean, but I believe you’re saying that the secondary interface on your host (Linux Mint - eth1 for conversation) is piped into the VM as em1. You want pfSense (via em1) to provide DHCP services to your physical LAN, including the Linux Mint host you’re operating on.

I’ve not tested that specifically, but you would need to keep your eth1 -> em1 VM configuration in Bridge mode, and then make sure that when you’re running dhcp-client that you’re ONLY asking for a DHCP lease on eth1. That should pass the DHCP request into the virtual machine (pfSense) and get an IP (please test and report back). The eth1 interface would need to be connected to your switch so the other devices can get a LAN address from the pfSense host also.

If you do NOT want IoT devices reachable on the same LAN, then you’d need to configure a VLAN interface in pfSense (and in Linux Mint). If they exist on the same IP network, then the firewall on pfSense never has a chance to intercept and block the traffic (because of the way networks and routing work). I won’t go into details here (pfSense VLAN config here).

Once you have that done, then you’ll also need to configure the appropriate security zones/rules between the new zones and the firewall/public network, dhcp server, etc…

Share an update when you’re ready.

Thank you again for your help and also for Tom’s great videos! I now have the network operational as designed and am happy with its operation.

1 Yes the secondary interface on HOST must be auto configured - it will not connect otherwise - I would have expected pfsense to “know” that it was on LAN1. I have setup a static IP for it. LAN is in bridged mode.

2 “If you do NOT want IoT devices reachable on the same LAN, then you’d need to configure a VLAN interface in pfSense (and in Linux Mint). If they exist on the same IP network, then the firewall on pfSense never has a chance to intercept and block the traffic (because of the way networks and routing work)” I have thought about this - VLANs require a managed switch to filter the various VLANs to the subnets (although your response hints that it might be possible to do without a managed switch??? ===> please respond on this. <===)

One other issue I have noted is in regards to my wireless AP on LAN2: I am using a router that has been flashed with DDWRT and set it up with a static IP on LAN2 in ROUTER mode (DHCP disabled). It works with the pfsense DHCP server providing IPs to Wireless clients. HOWEVER, while it is on LAN2 it does NOT show up in the DHCP leases. I can ping it and it passes traffic to wireless clients which DO show up in the Leases. Please comment.

Thanks again to you and the Lawrence team.

VLANs require a managed switch to filter the various VLANs to the subnets ( although your response hints that it might be possible to do without a managed switch???

There is a bigger conversation to be had, but technically speaking you do NOT need a managed switch to use VLANs if you trust all your devices. You could (with some limitations) run both networks on the same switch without VLAN assignments. One very important limitation is that you would not be able to run 2 DHCP servers on the same switch, because the clients would not know which server to ask for an address from (the difference between 192.168.1.0/24 and 192.168.2.0/24).

Additionally, you could pass VLANs around with an unmanaged switch, the switch just won’t know about it. Assuming that you’re not attempting to untag a VLAN packet, then a traditional switch should work just fine. The switch will pass tagged/untagged ports, but it cannot separate them. For example, if you are operating a Linux host and set up a VLAN interface on ID 2 and 3, the parent interface is now considered a trunk. While the switch doesn’t know about it (in the sense of understanding the difference between them) it will still accept the packets. To finish out that scenario, if you then have a second host also configured with VLAN 2 or 3, those networks would be picked up (separately) and used on both hosts. The switch makes it easier for the clients to support a network without having the overhead of managing a trunk port.

That said, you could (if the devices support it) configure a VLAN interface with JUST the desired ID on the target endpoint. Most modern network drivers would support this function, though I’m not sure if the IoT devices would (I suspect not).

Those are really bad examples and I’d recommend against it, but I believe you could do exactly that. I’m not sure what value it would provide, but it should work.
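
The tagged-frame scenario from the last reply, as an added example that is not part of the thread: a simplified Python model (hypothetical function names and port layout; MAC learning and access-port untagging are left out) of a broadcast frame tagged for VLAN 2 crossing an unmanaged switch versus a VLAN-aware one. It shows why the unmanaged case depends on trusting every device, since any host that configures the same VLAN ID picks the frame up.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that marks an 802.1Q tag
BROADCAST = b"\xff" * 6

def build_frame(dst, src, payload, vlan=None):
    """Build an Ethernet II frame carrying IPv4; add an 802.1Q tag if vlan is set."""
    tag = b"" if vlan is None else struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return dst + src + tag + struct.pack("!H", 0x0800) + payload

def vlan_id(frame):
    """Return the VLAN ID from the 802.1Q tag, or None for an untagged frame."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF          # low 12 bits of the TCI are the VLAN ID

def unmanaged_switch(frame, in_port, ports):
    """Tag-unaware: a broadcast is flooded to every other port, tag intact."""
    return [p for p in ports if p != in_port]

def vlan_aware_switch(frame, in_port, membership):
    """Flood a broadcast only to ports that are members of the frame's VLAN.
    membership maps port -> set of VLAN IDs (None stands for untagged)."""
    vid = vlan_id(frame)
    if vid not in membership[in_port]:
        return []                # ingress filtering drops foreign VLANs
    return [p for p, vids in membership.items() if p != in_port and vid in vids]

def host_accepts(frame, configured_vlans):
    """Assumption: a host processes a frame only on a matching VLAN interface."""
    return vlan_id(frame) in configured_vlans

# Constructed scenario: port 1 = pfSense trunk, port 2 = LAN host, port 3 = IoT device
SRC = bytes.fromhex("020000000001")                         # constructed MAC
FRAME = build_frame(BROADCAST, SRC, b"dhcp-offer", vlan=2)  # constructed payload
MEMBERSHIP = {1: {2, 3}, 2: {2}, 3: {3}}

if __name__ == "__main__":
    print("unmanaged delivers to ports:", unmanaged_switch(FRAME, 1, [1, 2, 3]))
    print("VLAN-aware delivers to ports:", vlan_aware_switch(FRAME, 1, MEMBERSHIP))
    # On the unmanaged switch the frame reaches port 3; whether the IoT device
    # uses it depends only on that device's own VLAN configuration.
    print("port 3 host with VLAN 2 configured accepts:", host_accepts(FRAME, {2}))
    print("port 3 host with VLAN 3 only accepts:", host_accepts(FRAME, {3}))
```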