AllenG

AllenG last won the day on November 30 2021


  1. I'd be curious to see if your issues arise around the same time as your real world ip address updates via dhcp upstream?
  2. You will need to segregate your clients in some sort of way (there are a multitude of ways to accomplish this, all have their up sides and down sides.) Then modify your outbound rules to send the traffic not meant for your local networks out the VPN's assigned gateway. Port forwarding as you are thinking probably will not work, most vpn services will be blocking ALL traffic IN at their end and you have no control of that, so port forwarding through the vpn service isn't really going to work. If you want to host something real world you will have to port forward to your real WAN address. To be honest, I think you may be mistaking the need of port forwarding for the reason of improper outbound rules. I take it you are having a hard time getting traffic to pass out the VPN connection as most traffic is trying to take the path of the standard WAN? Another note, when you do get your issues above sorted out then there is still the issue of DNS leaks. By default, when making a DNS request it will ask all upstream dns servers to respond to the query (including your ones on the WAN port). Effectively you won't be fully routing all requests and traffic out the VPN. You will have to play with the DNS forwarder or resolver configurations (again different ways to get it done and they all have their ups and downs.) The easiest way I can think of to get around this is to configure the clients you wish to use the VPN only, to look directly at the VPN's dns servers instead of your local opnsense dns forwarder.
  3. Sounds like a solid setup! Glad I could be of help. VPN routing is tricky, a lot of vpn providers have interesting setups to route through and most want you to use their software clients.
  4. Sounds like it could be a bug in how the newer kernel calls for pci express lanes to be throttled or cut back (power management related). I've noticed in the past that x550's will work on too few lanes, but they won't do 10g. I've seen the x550's do some odd things, tend to favor the x540's still as those have always been rock solid for me.
  5. Awesome, glad it's all working out for ya so far! Like I said, you were close on those port forwards, just have to point them to a particular IP address. Use what was outlined in the previous posts about setting up DHCP static mappings to give the computer running the program being port forwarded an IP that is consistently the same... do this on the pfsense LAN side of course.
  6. LOL Nah, you will want to leave it on. Who knows what services of the OneHub itself turning off its firewall might put at risk... That's effectively leaving your whole OneHub level LAN routable and accessible by the real world (this includes your OneHub's interface itself). If the DMZ is working correctly, it is bypassing the firewall, doing transparent NAT, and sending straight to your pfsense.
  7. That's a pretty cool multi function router. I like that it has a SIP to FXS! The fact that the ADSL modem is built in is cool, but to be honest DSL is a dying technology. Whatever connection you get next will likely use a cable modem which is not the same as a DSL modem, or have a true fiber ONT and will dump you the straight gigabit ethernet to go directly to your pfsense WAN anyways. Personally, I wouldn't buy anything more just yet... You are already sitting on one of the most versatile and powerful platforms you can get. To be honest, having any extra routing downstream of your pfsense is just more bottleneck.
  8. Fair enough. Bummer on the wildcard, we can still specify entire port range though if the DMZ doesn't work correctly. Since the Hub One can do static DHCP mappings, if you prefer you can go ahead and set a static mapping up using the Hub One then... just find the mac address of your pfsense in your current DHCP table on the Hub One and use that to assign 192.168.0.1 to the pfsense WAN every time. If you do it this way that means you can skip 1. A.-D. on the pfsense side of the configuration instructions, 1. E. still needs to be done though. I would also recommend Set IPv6 Configuration Type as "None" still. I will say I like setting my routers as a static ip instead though, that way it doesn't ever go down for the split second it takes to renew its dhcp lease. When you apply the "enable" on the DMZ I'd imagine more options will appear. I believe it should just need the ip address we specified in the last post (192.168.0.1). I've seen some devices decide on its own what ip it gives, in that case we may have to use that one instead... but we will have to see what options it gives us. Looking good so far! What you may need when you go fiber will be determined by your provider. I know a lot of areas (especially residential) where they run "fiber" over coax, which effectively uses a cable modem. Some do dump out straight ethernet off the fiber, I have really only seen this with verizon fios and carrier class fiber connections though. You can usually request when you get sent your modem (if you will need one) for it to be setup in bridge mode because you already have your own router... they will usually do it. At least that's how it is for the most part here in the states, elsewhere it might be different. Either way I just said here, you would leave your pfsense WAN as DHCP. NOTE: As soon as you get supplied a real world ip address you will want to go back to your WAN interface in pfsense and set "Block private networks and loopback addresses" back to checked... otherwise it will leave you vulnerable to attack.
  9. If going fiber in the near future, I wouldn't purchase anything for this then. Now that you have put up your screenshots, you are part of the way there already. Is there anywhere in there under "DHCP Table" or "Devices" where it allows a static dhcp mapping to be created? Also, on the port forwarding, will it allow you to place "*" in those port ranges and apply it? First we will try to use the Hub One's DMZ feature, hopefully it is a true DMZ and not filtered.

     First part we will get the Hub One setup,

     1. Advanced Settings > Firewall > Configuration > Set to "Default". This will get our first firewall back online so nothing can attack the 192.168.0.xxx network or the isp modem itself.
     2. Advanced Settings > Home Network > IP Addresses. Set the IP Address as: 192.168.0.254. Leave the subnet mask as 255.255.255.0. Make sure the DHCP server is still set to "Enable" and that your DHCP Network Range is set for "192.168.0.64 - 192.168.0.253".
     3. Apply those settings and reboot the hub one. Reconnect to hub one at new ip address of 192.168.0.254.
     4. At this point, make sure to remove all port forwardings under Settings > Port Forwarding, also under Advanced Settings > Firewall > Port Forwarding. Finally, any IPV6 Pinholes also.
     5. Advanced Settings > Firewall > DMZ. Enable DMZ. Set DMZ IP address as 192.168.0.1 (This is the address that we will assign the pfsense WAN port.)
     6. Reboot Hub One.

     At this point, there are two ways to assign the proper IP address to the pfsense WAN port, one is to set a static DHCP mapping for that device on the Hub One... The screenshots don't show much on this as an option though so you would have to tell me if it can do it. The other way, which I prefer usually anyways is to set pfsense up as a static IP on its wan port. We will go this route.

     Second part is now configuration of the pfsense router.

     1. Login to your pfsense interface. Go to Interfaces > WAN.
        A. Make sure "Enable interface" is checked. Set ipv4 Configuration Type as "Static IPv4". Set IPv6 Configuration Type as "None".
        B. Set IPv4 Address as "192.168.0.1" and set the / as "24".
        C. Add a new gateway named "WANGW0" with the Gateway IPv4 address of "192.168.0.254". Select "Default gateway" and press add.
        D. Make sure WANGW0 is selected as the "IPv4 Upstream gateway".
        E. Finally, make sure "Block private networks and loopback addresses" is UNchecked. Go ahead and click save at the bottom of the page.
     2. Go to System > General Setup, under DNS servers put "192.168.0.254" with "none" as the gateway. If you would like, you can find your real world dns addresses from the ip info page of your hub one and enter them here instead of relying on the HubOne also. Click save at the bottom of the page.
     3. Reboot pfsense.

     At this point, you should be fully online and functional with your pfsense router. All devices on the LAN side of pfsense should have full connectivity to the internet and lower-lying HubOne network of 192.168.0.xxx. This will now allow for port forwarding via pfsense as long as the port forwards on pfsense are configured correctly. Devices on the HubOne network of 192.168.0.xxx will not be able to access devices on the pfsense LAN side network of 192.168.1.xxx unless you setup a port forward on the pfsense box. You can turn off the wifi on the HubOne, or you can leave it on and use it as an isolated guest wifi seeing as it's now one level removed from your real network.

     Once all this works properly, we can start playing with port forwarding on pfsense for COD. Your port forward rules were almost right. Instead of deleting them, you can disable them for now and come back to it (edit and select the disable checkbox)... or setup its destination to be the specific ip of the COD running box. Having "lan address" on all of those destinations will break that particular traffic in and out for sure.
  10. They sure don't give much information, do they? I wish there were more screenshots about what options can be selected for port forwarding, and the dhcp settings... but we will make it through I think. I see two ways of getting it done so far. My first question is do you use the wifi off this hub one, or are you putting a wifi access point upstream off of the pfsense LAN?
  11. Yeah, pfsense isn't going to be port forwarding anything correctly like that. Unfortunately the isp box isn't just acting like a modem in this configuration... a true modem does no NAT, therefore it would be handing you your real world ip address out of its ports. As long as it is handing a 192.168.xxx.xxx or any other private address, it is still acting as a NAT router... maybe with the firewall off now. Which isn't really good. If you don't mind me asking, what brand and model is your isp box? I'll see what I can find out to help ya. If you don't want to post things like that publicly, go ahead and pm me. There are multiple ways to accomplish this task, even if the isp box doesn't have a direct bridge mode. At this point, I think some steps need to be taken in reverse and modified a little bit. I'll do my best to guide you from the bottom up, but I think some things are getting lost in translation and are causing you some issues. I see you mention the idea of changing the subnet ip on the isp box some posts back... is that what you ended up doing? If so, what ip address and subnet did you assign the LAN side of the isp box?
  12. Looks like you've got most everything setup right now. As far as how pfsense behaves out of the box as a firewall, it seems you are finding out. It's one of the most secure things I've seen over the years straight out of the gate... especially since you don't have to worry about some odd vendor specific features that might be connecting out which you don't know about (such as Chinese garbage). Diffident nailed it for what rules are required to let your devices communicate out. If you have any special port forward settings, or other routing settings you have added just for your nas then go ahead and remove them. The only time you really want to port forward something is if you want to have access to that port from the internet. If you don't want to be able to go out in the real world somewhere and access your server's port from the public then do not forward anything. As for your call of duty warzone port forwarding, your nat ip needs to be the ip address of the computer or server that is running warzone. Not the lan address. Also on the source port, in this case make it match your destination port. I see you managed to bypass your isp box some... is your pfsense now being handed via dhcp a real world ip address, or is it still handing you a 192.168.xxx.xxx address? If it's still giving you a private address on your WAN port, there is a good chance you may run into some issues. Port forwarding through a WAN that is on a DMZ of another upstream router effectively is a bit different of an animal.
  13. If you disable routing and firewalling on the ISP's box AKA bridge mode, then pfsense will have to handle your DHCP services. That would effectively be going the first route. If you fix the ISP routing issue, then you run pfsense the way it is currently configured. That second half I said to possibly disregard of changing your subnet, and messing with the LAN interfaces DHCP parameters will not be needed if you do go that first route.
  14. If your ISP router is supplying a private area address such as 192.168.1.xxx then you should turn off routing in your ISP's box to then allow your pfsense WAN port to DHCP your real world IP address. In most ISP modem router combos this would be referred to as bridge mode... or in some cases routed bridge. I've seen it named some odd things in ATT modems, so you may have to refer to your modem's user guide. This would be the correct way to setup the WAN side of your pfsense box for you to have the most control and let pfsense do all of your fire-walling and port forwarding duties. If you pursue this route, disregard what I say next. If you just want it to work, so you can play with it and aren't actually looking to replace the duties of your current router/firewall; but make another routed secure firewalled network inside your currently routed and firewalled network then continue on. Know that all clients on the LAN side of the pfsense box will effectively be running through double NAT though, which causes issues for some network services. If your pfsense's WAN port is indeed picking up a 192.168.1.xxx address, then that is the reason things are not working. Your wan network and lan network cannot reside in the same subnet... choose a different subnet for the lan side such as 192.168.2.1. Also, if you choose to run this way then make sure to uncheck the box that says "Block Private Networks" under the WAN interface tab. When you apply that, it will lose connection to the pfsense interface and require you to set a static ip address in that same subnet (192.168.2.xxx) on your client computer you are using to configure the pfsense box so you can reconnect to the interface and setup the DHCP service pool on the LAN interface to now hand out ip addresses in the 192.168.2.xxx range. After that your pfsense LAN clients will be handed the correct addresses again, at this point you can switch your configuration computer back to DHCP from the static ip. Should have full access to the internet and the 192.168.1.xxx network from your LAN on the pfsense... your 192.168.1.xxx network devices will not be able to see your pfsense LAN devices (192.168.2.xxx) as that is how the firewall works. Hope this helps!
  15. That is great news they finally got around to fixing it properly. At least they didn't drop your request to fix it like they did for mine, not sure if the tech I was working with just didn't want to deal with it or if my testing notes weren't up to par. Based on your posted tests, that looks good and like everything is finally functioning properly. Hopefully they actually release this bios now. I guess it's time for me to open another ticket to try and get the version you have... the tech I was dealing with hasn't responded in two weeks now. Rack setup is looking good! Good catch on the arrangement to keep cables fanning out proportionally... I see it backwards like that a lot in real life actually, funny when you know it was that simple of a change.
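
The addressing rules from the pfsense-behind-Hub-One posts above (items 8, 9 and 14), written as a check over a planned configuration; this is an added example, not part of AllenG's posts or of pfsense. The dictionary keys, the LAN address 192.168.1.1, the 192.168.1.50 WAN lease, the rule that a static WAN address stays outside the upstream DHCP pool, and the stand-in public address 198.51.100.10 are assumptions made for the illustration.

```python
import ipaddress

# RFC 1918 ranges, used here to decide whether the WAN address is private.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_plan(plan):
    """Return a list of problems in a pfsense-behind-ISP-router addressing plan."""
    problems = []
    wan = ipaddress.ip_interface(plan["wan"])
    lan = ipaddress.ip_interface(plan["lan"])
    gw = ipaddress.ip_address(plan["wan_gateway"])
    wan_private = any(wan.ip in net for net in RFC1918)

    # Item 14: WAN and LAN cannot reside in the same subnet.
    if wan.network.overlaps(lan.network):
        problems.append("WAN and LAN share a subnet; move the LAN to another subnet")
    # Item 9, step 1.C: the upstream gateway is another host on the WAN subnet.
    if gw not in wan.network or gw == wan.ip:
        problems.append("WAN gateway must be another host inside the WAN subnet")
    # Items 9 (1.E) and 14: behind a private upstream the box is unchecked.
    if wan_private and plan["block_private_on_wan"]:
        problems.append("WAN has a private address; uncheck 'Block private networks'")
    # Item 8 note: with a real world address the box goes back to checked.
    if not wan_private and not plan["block_private_on_wan"]:
        problems.append("WAN has a public address; set 'Block private networks' back to checked")
    # Item 9, step 5: the upstream DMZ target is the pfsense WAN address.
    dmz = plan.get("upstream_dmz_ip")
    if dmz is not None and ipaddress.ip_address(dmz) != wan.ip:
        problems.append("upstream DMZ target does not match the pfsense WAN address")
    # Assumed rule: a static WAN address should not sit in the upstream DHCP pool.
    pool = plan.get("upstream_dhcp_pool")
    if pool and plan.get("wan_static"):
        low, high = (ipaddress.ip_address(a) for a in pool)
        if low <= wan.ip <= high:
            problems.append("static WAN address sits inside the upstream DHCP pool")
    return problems

# Constructed plans. The first uses the values given in item 9.
HUB_ONE_PLAN = {
    "wan": "192.168.0.1/24", "wan_gateway": "192.168.0.254", "wan_static": True,
    "lan": "192.168.1.1/24", "block_private_on_wan": False,
    "upstream_dmz_ip": "192.168.0.1",
    "upstream_dhcp_pool": ("192.168.0.64", "192.168.0.253"),
}
# The failure described in item 14: WAN lease lands in the LAN's own subnet.
SAME_SUBNET_PLAN = {
    "wan": "192.168.1.50/24", "wan_gateway": "192.168.1.254",
    "lan": "192.168.1.1/24", "block_private_on_wan": True,
}
# Item 8 note: public WAN address with the box still unchecked.
PUBLIC_WAN_PLAN = {
    "wan": "198.51.100.10/24", "wan_gateway": "198.51.100.1",
    "lan": "192.168.1.1/24", "block_private_on_wan": False,
}

if __name__ == "__main__":
    for name in ("HUB_ONE_PLAN", "SAME_SUBNET_PLAN", "PUBLIC_WAN_PLAN"):
        print(name, check_plan(globals()[name]) or "ok")
```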