pfSense help

THUMPer

Supreme [H]ardness
Joined
May 6, 2008
Messages
4,181
I'm confused

I have a comcast SMC gateway/modem with a static ip of 192.168.1.1 DHCP Disabled
I have a Domain controller/DHCP server. IP is 192.168.1.100


My DHCP Address pool is 192.168.10 - 99

for my pfSense box I have a 2 NIC's for WAN/LAN
WAN is set to DHCP - it picked up a 192.168.1.1 and LAN is static 192.168.1.69

I don't have any internet access, and I don't know why. I can't ping the gateway at 192.168.1.1.
Does WAN need to be DHCP or Static?
Do I have to do any forwarding on pfSense?
 
did you say the PFsense box picked up the ip 192.168.1.1 -- didnt you say that was your gateway IP? that seems to me like what is happening here is you have 2 devices with the same IP 192.168.1.1 and both are listed as gateways, set pfsense to 192.168.1.2 and gateway modem to 192.168.1.1 check to see that your modem actually picked up a public ip from your ISP either by plugging in your computer directly to the modem and seeing if you get an address
 
What he said. Also you need the DHCP server set on the IP of the pfsense router for the default gateway. I think in Windows server it defaults to the IP of the server.

EDIT: What does it say if you try 192.168.1.50?
 
did you say the PFsense box picked up the ip 192.168.1.1 -- didnt you say that was your gateway IP? that seems to me like what is happening here is you have 2 devices with the same IP 192.168.1.1 and both are listed as gateways, set pfsense to 192.168.1.2 and gateway modem to 192.168.1.1 check to see that your modem actually picked up a public ip from your ISP either by plugging in your computer directly to the modem and seeing if you get an address

I just tried this. I got an error when trying to save
"IPv4 address 192.168.1.2/24 is being used by or overlaps LAN 192.168.1.69/24"
 
that error is beyond me, why the fuck would it think that ip overlaps the other, i have no clue unless its the /24 you are putting afterwards thats fucking it up, when you slap /24 it means all ip from 192.168.1.0-192.168.1.255 which includes the broadcast IP's are you sure the syntax you are using is correct? like does it require the /24
 
I'm not putting the /24 in the box for the IP. Its in a drop down box next to the Static IP. I'm using the web interface FYI. I went to Interfaces/WAN and changed it to Static IPv4, then tried to enter the 1.2 IP.
 
ok we will have to wait for someone who is more familiar with the PFsense interface to respond, we know the issue is around IP addressing, so it should be a simple fix, once we figure out why it wont take those IP's or what other device is effing with stuff cause of a misconfig'd IP
 
Well i forced the static IP for the WAN to 1.2 through the console, but after I rebooted it I can no longer get to the web interface at the 1.69 IP address. I suck....
 
just keep trying things, trust me this kind of stuff can be really fucking annoying and confusing and im sure someone will hit us up on this forum with a better answer than mine.
 
maybe PF sense wants a different subnet? maybe set 192.168.1.2 to wan on pfsense, 192.168.1.1 as the gate for pfsense, and then set your lan to 192.168.2.xx and then set all you lan boxes to 192.168.2.xx or set the WAN side of it, modem/pfsense to 192.168.2.1 192.168.2.2 and on the lan nic make sure the gate is 192.168.2.1 and see what happens
 
as long as PF sense knows how to route from one NIC to the other NIC that should work just fine.
 
Is it possible I have the WAN/LAN backwards?

Does the WAN go to the Gateway/modem or the switch?
 
WAN goes to the modem. What is the DHCP server you have running on? It may be something with that as well. You could verify that by using the pfsense DHCP server to see if it works first then re-enable the one you are using.

I actually have used pfsense for 10+ years now. I just don't use it the way you do.
 
The DHCP server is a windows 2016 server.

It's in an office, and I left so I cant test it now. In this case I'm pretty sure the WAN was going to the modem.
 
Ok that makes sense. I'll try that when I'm back in the office. Dhcp is already set up I just need to change that gateway setting from the modem ip to the lan ip of the pfsense.
 
You should see if there is a way you can enable a bridge mode on your SMC gateway, if I understand how you have things setup now you will be running double-NAT. You could also look into buy a standalone modem, that would simplify your setup and make you cable bill a little cheaper by not having to leave their equipment.

I have a Arris SB6183 with a PCEngines APU2 running pfSense.
 
You should see if there is a way you can enable a bridge mode on your SMC gateway, if I understand how you have things setup now you will be running double-NAT. You could also look into buy a standalone modem, that would simplify your setup and make you cable bill a little cheaper by not having to leave their equipment.

I have a Arris SB6183 with a PCEngines APU2 running pfSense.

It's comcast business. I'm not sure if I have that option, but I have an extra Surfboard.
 
I would get your modem setup to pass the public IP directly to the pfsense wan. This will make it much easier to setup, and give you better visibility in the PFsense gui. This is how I have my setup at home.

Does your pfsense gateway check pass when it pulls the 192.168.1.1 IP on the wan interface?

In the WAN interface settings, did you check the box to allow BOGON traffic?
 
I'm confused

I have a comcast SMC gateway/modem with a static ip of 192.168.1.1 DHCP Disabled
I have a Domain controller/DHCP server. IP is 192.168.1.100

My DHCP Address pool is 192.168.10 - 99

for my pfSense box I have a 2 NIC's for WAN/LAN
WAN is set to DHCP - it picked up a 192.168.1.1 and LAN is static 192.168.1.69

I don't have any internet access, and I don't know why. I can't ping the gateway at 192.168.1.1.
Does WAN need to be DHCP or Static?
Do I have to do any forwarding on pfSense?

Why are your LAN and WAN interfaces on the same subnet?

Call Comcast and have your modem be placed in bridge mode. Connect your ISP modem to the WAN NIC on your pfSense, set your WAN NIC to be DHCP - you should either get a public IP address or something within CGNAT (100.64.0.0/10) if they are using it.

Connect the LAN interface to your LAN switch. Turn off DHCP services on ANYTHING within that VLAN except for your DC/DHCP server.

Verify the default routes on the pfSense are correct. The default gateway should be the ISP gateway. The internal devices on your LAN default gateway should be the LAN IP address of the pfSense.
 
It's one of the old SMC's. It's not the new fancy gateways with wifi so I'm not sure it can be put in Bridge mode. I'll ask though. thanks for the tips.
 
It's one of the old SMC's. It's not the new fancy gateways with wifi so I'm not sure it can be put in Bridge mode. I'll ask though. thanks for the tips.

That's even better. It's easier to set the straight dumb modems to bridge instead of the crappy wifi routers they send out.
 
That's even better. It's easier to set the straight dumb modems to bridge instead of the crappy wifi routers they send out.

The basic modems generally are already set to work like in bridge mode.

This confuses the situation even more. If this modem is just a basic gateway and not doing NAT, then his physical connectivity is wrong, or he has rogue DHCP servers and IP conflicts all over the joint.

THUMPer - can you provide a basic diagram of what is connected to what with each interface?
 
moo.jpg


I noticed my Untangle server says "bridged". it also has Dual NIC
moo2.jpg
 
Last edited:
What are you trying to do here? I thought we were talking about pfSense? Are you replacing the Untangle for pfSense, or are you keeping both? If so, why?

Bridged interfaces pass traffic through, and it acts as a single logical interface. Bridged interfaces generally are used for inline appliances, like web filters, or transparent firewalls. What is this gateway for 192.168.1.1, the Comcast modem or the pfSense? I am very confused here and feel you have overthought this into oblivion...

https://en.wikipedia.org/wiki/KISS_principle
 
I'm replacing the Untangle. Sorry.
The gateway IP of 192.168.1.1 is the comcast modem.
When I set the WAN to DHCP it was pulling the same IP (192.168.1.1) as the Comcast gateway.

We have a static public IP address for the office though.
 
Last edited:
I'm replacing the Untangle. Sorry.
The gateway IP of 192.168.1.1 is the comcast modem.
When I set the WAN to DHCP it was pulling the same IP as the Comcast gateway.


You either need to enable bridge mode/disable DHCP on the modem, or enable DHCP on the modem to assign your PFSense wan a private IP. If you go with option 2, you have to change the LAN subnet so it is not the same as the private subnet being used by your modem, or pfsense will not be able to route the packets.

Bridge mode is the preferred option as it avoids double natting.
 
Yes, this goes back to my original response - you can't have the LAN and the WAN be on the same subnet. Get that modem bridged and don't let them touch your traffic. Connect your pfSense WAN interface to the Comcast modem, set it to receive IP via DHCP or static depending on what you have, then configure the LAN IP address to be 192.168.1.1 and turn off DCHP services on it.
 
Right now your untangle is acting as a transparent firewall that is inline, so it's not providing NAT, which is why it's working now. With the pfSense not operating in a bridge mode, each interface is a separate L3 link, meaning it must have its own IP address and they must be on separate subnets.
 
Call your ISP and have them do it for you. Just say that you have your own router and you only need it in bridge mode.
 
I ran into a related issue when setting up my pfsense it did the same thing. I just changed my pfsense IP to 10.0.0.1 and made it DHCP server for the internal network. Problem solved have internet.

Only downside is my WIFI on my gateway modem cant see the lan, but its only for phones anyways
 
Call your ISP and have them do it for you. Just say that you have your own router and you only need it in bridge mode.

good luck with that. Comcast does not like home users running servers, in fact I had issues for a while years back they would shut down my connection because they port scanned and saw servers running
 
Well we have Comcast business. They are a lot better in that aspect.
 
good luck with that. Comcast does not like home users running servers, in fact I had issues for a while years back they would shut down my connection because they port scanned and saw servers running

What does using your own firewall/router have anything to do with hosting web servers? THUMPer just needs them to not inspect/NAT his traffic at the modem and connect his own pfSense.
 
What does using your own firewall/router have anything to do with hosting web servers? THUMPer just needs them to not inspect/NAT his traffic at the modem and connect his own pfSense.
yea cause if comcast sent them the SMC they can alike tr-069 into the modem and set it into bridge mode for you.
 
Back
Top