
the pfense club



1 hour ago, Diffident said:

 

I would make a "Warzone" alias so everything is in one rule.  But since you have a NAT issue, this tutorial may work better.

 

 

Thanks, I will give that a go tomorrow 🙂 I will let you know how it pans out.

Link to comment
Share on other sites

Looks like you've got most everything setup right now. As far as how pfsense behaves out of the box as a firewall, it seems you are finding out. It's one of the most secure things i've seen over the years straight out of the gate... especially since you don't have to worry about some odd vendor specific features that might be connecting out which you don't know about (such as Chinese garbage).

 

Diffident nailed it for what rules are required to let your devices communicate out. If you have any special port forward settings, or other routing settings you have added just for your nas then go ahead and remove them.

 

The only time you really want to port forward something is if you want to have access to that port from the internet. If you don't want to be able to go out in the real world somewhere and access your server's port from the public then do not forward anything.

 

As for your call of duty warzone port forwarding, your nat ip needs to be the ip address of the computer or server that is running warzone. Not the lan address. Also on the source port, in this case make it match your destination port.

 

I see you managed to bypass your isp box some... is your pfsense now being handed via dhcp a real world ip address, or is it still handing you a 192.168.xxx.xxx address? If it's still giving you a private address on your WAN port, there is a good chance you may run into some issues. Port forwarding through a WAN that is on a DMZ of another upstream router effectively is a bit different of an animal.

Link to comment
Share on other sites

3 hours ago, AllenG said:

Looks like you've got most everything setup right now. As far as how pfsense behaves out of the box as a firewall, it seems you are finding out. It's one of the most secure things i've seen over the years straight out of the gate... especially since you don't have to worry about some odd vendor specific features that might be connecting out which you don't know about (such as Chinese garbage).

 

Diffident nailed it for what rules are required to let your devices communicate out. If you have any special port forward settings, or other routing settings you have added just for your nas then go ahead and remove them.

 

The only time you really want to port forward something is if you want to have access to that port from the internet. If you don't want to be able to go out in the real world somewhere and access your server's port from the public then do not forward anything.

 

As for your call of duty warzone port forwarding, your nat ip needs to be the ip address of the computer or server that is running warzone. Not the lan address. Also on the source port, in this case make it match your destination port.

 

I see you managed to bypass your isp box some... is your pfsense now being handed via dhcp a real world ip address, or is it still handing you a 192.168.xxx.xxx address? If it's still giving you a private address on your WAN port, there is a good chance you may run into some issues. Port forwarding through a WAN that is on a DMZ of another upstream router effectively is a bit different of an animal.

Right now the ISP router is just a modem, so as such it's handing out a private IP to pfSense. The ISP router has no bridge mode or anything like that. So for now I have it set up the easiest way I can, I guess.

Link to comment
Share on other sites

Yeah, pfsense isn't going to be port forwarding anything correctly like that. Unfortunately the isp box isn't just acting like a modem in this configuration... a true modem does no NAT, therefore it would be handing you your real world ip address out of its ports. As long as it is handing a 192.168.xxx.xxx or any other private address, it is still acting as a NAT router... maybe with the firewall off now. Which isn't really good.

 

If you don't mind me asking, what brand and model is your isp box? I'll see what i can find out to help ya. If you don't want to post things like that publicly, go ahead and pm me.

 

There are multiple ways to accomplish this task, even if the isp box doesn't have a direct bridge mode. At this point, i think some steps need to be taken in reverse and modified a little bit. I'll do my best to guide you from the bottom up, but i think some things are getting lost in translation and are causing you some issues.

 

I see you mention the idea of changing the subnet ip on the isp box some posts back... is that what you ended up doing? If so, what ip address and subnet did you assign the LAN side of the isp box?

 

Link to comment
Share on other sites

18 hours ago, AllenG said:

Yeah, pfsense isn't going to be port forwarding anything correctly like that. Unfortunately the isp box isn't just acting like a modem in this configuration... a true modem does no NAT, therefore it would be handing you your real world ip address out of its ports. As long as it is handing a 192.168.xxx.xxx or any other private address, it is still acting as a NAT router... maybe with the firewall off now. Which isn't really good.

 

If you don't mind me asking, what brand and model is your isp box? I'll see what i can find out to help ya. If you don't want to post things like that publicly, go ahead and pm me.

 

There are multiple ways to accomplish this task, even if the isp box doesn't have a direct bridge mode. At this point, i think some steps need to be taken in reverse and modified a little bit. I'll do my best to guide you from the bottom up, but i think some things are getting lost in translation and are causing you some issues.

 

I see you mention the idea of changing the subnet ip on the isp box some posts back... is that what you ended up doing? If so, what ip address and subnet did you assign the LAN side of the isp box?

 

Thanks for the help. So the ISP I am with is Plusnet. The router is their "Plusnet Hub One" which is made by Sagemcom. You can see a plentiful amount of screenshots of the admin interface here:

 

SETUPROUTER.COM

A collection of user submitted screenshots for the Plusnet Plusnet Hub One.

 

Link to comment
Share on other sites

They sure don't give much information, do they? I wish there were more screenshots about what options can be selected for port forwarding, and the dhcp settings... but we will make it through i think. I see two ways of getting it done so far. My first question is do you use the wifi off this hub one, or are you putting a wifi access point upstream off of the pfsense LAN?

Link to comment
Share on other sites

13 hours ago, AllenG said:

They sure don't give much information, do they? I wish there were more screenshots about what options can be selected for port forwarding, and the dhcp settings... but we will make it through i think. I see two ways of getting it done so far. My first question is do you use the wifi off this hub one, or are you putting a wifi access point upstream off of the pfsense LAN?

 

Hey bud,

 

No problem, please see below images of the areas you wanted, easy enough for me to admin into my router and screenshot 🙂

 

DHCP Area

 

[Screenshot]

 

Port forwarding Area

[Screenshot]

[Screenshot]

 

As for Wifi, no this comes off another AP that is fed via pfSense. Wifi is disabled on the ISP router.

 

Let me know if you need any other info from the router. 

 

Cheers,

E

Link to comment
Share on other sites

I don't know anything about that router/modem, but a quick search looks like it cannot be configured as a bridge.  I'm assuming this is ADSL or VDSL2, so you should be able to use some other router/modem that can be configured as a bridge, and have your pfsense box take care of all the routing and firewall.  I am in a similar situation in the states, but luckily there are a number of different routers that I can use as dumb bridges, rather than using the ISP provided gear.

Link to comment
Share on other sites

That is something I may have to look into. Any recommendations if I have to go that route? Cheaper the better. I may also be upgrading to full fibre here soon as well (Fibre To The Premises) so anything I did get would be relatively short lived.

Link to comment
Share on other sites

1 hour ago, ENTERPRISE said:

That is something I may have to look into. Any recommendations if I have to go that route? Cheaper the better. I may also be upgrading to full fibre here soon as well (Fibre To The Premises) so anything I did get would be relatively short lived.

 

I'm not sure on what would be compatible with your network/provider, but in the quick search I did on that router there were quite a few posts discussing options for gear that would work as a transparent bridge.  Unfortunately nearly every ISP handles this differently, so the only thing I could suggest is to search for other users with your same ISP who are running their modem/router as a transparent bridge and using their own equipment for routing and firewall. 

Link to comment
Share on other sites

If going fiber in the near future, i wouldn't purchase anything for this then. Now that you have put up your screenshots, you are part of the way there already. Is there anywhere in there under "DHCP Table" or "Devices" where it allows a static dhcp mapping to be created? Also, on the port forwarding, will it allow you to place "*" in those port ranges and apply it? First we will try to use the Hub One's DMZ feature, hopefully it is a true DMZ and not filtered.

 

First part we will get the Hub One setup,

1. Advanced Settings > Firewall > Configuration > Set to "Default". This will get our first firewall back online so nothing can attack the 192.168.0.xxx network or the isp modem itself.

2. Advanced Settings > Home Network > IP Addresses. Set the IP Address as: 192.168.0.254 Leave the subnet mask as 255.255.255.0. Make sure the DHCP server is still set to "Enable" and that your DHCP Network Range is set for "192.168.0.64 - 192.168.0.253".

3. Apply those settings and reboot the hub one. Reconnect to hub one at new ip address of 192.168.0.254.

4. At this point, make sure to remove all port forwards under Settings > Port Forwarding, also under Advanced Settings > Firewall > Port Forwarding. Finally, any IPV6 Pinholes also.

5. Advanced Settings > Firewall > DMZ. Enable DMZ. Set DMZ IP address as 192.168.0.1 (This is the address that we will assign the pfsense WAN port.)

6. Reboot Hub One.

At this point, there are two ways to assign the proper IP address to the pfsense WAN port, one is to set a static DHCP mapping for that device on the Hub One... The screenshots don't show much on this as an option though so you would have to tell me if it can do it. The other way, which i prefer usually anyways is to set pfsense up as a static IP on its wan port. We will go this route.

Second part is now configuration of the pfsense router.

1. Login to your pfsense interface. Goto Interfaces > WAN.

       A. Make sure "Enable interface" is checked. Set ipv4 Configuration Type as "Static IPv4". Set IPv6 Configuration Type as "None".

       B. Set IPv4 Address as "192.168.0.1" and set the / as "24".

       C. Add a new gateway named "WANGW0" with the Gateway IPv4 address of "192.168.0.254" Select "Default gateway" and press add.

       D. Make sure WANGW0 is selected as the "IPv4 Upstream gateway".

       E. Finally, make sure "Block private networks and loopback addresses" is UNchecked. Go ahead and click save at the bottom of the page.

2. Goto System > General Setup under DNS servers put "192.168.0.254" with "none" as the gateway. If you would like, you can find your real world dns addresses from the ip info page of your hub one and enter them here instead of relying on the HubOne also. Click save at the bottom of the page.

3. Reboot pfsense.

At this point, you should be fully online and functional with your pfsense router. All devices on the LAN side of pfsense should have full connectivity to the internet and lower-lying HubOne network of 192.168.0.xxx. This will now allow for port forwarding via pfsense as long as the port forwards on pfsense are configured correctly. Devices on the HubOne network of 192.168.0.xxx will not be able to access devices on the pfsense LAN side network of 192.168.1.xxx unless you set up a port forward on the pfsense box.

 

You can turn off the wifi on the HubOne, or you can leave it on and use it as an isolated guest wifi seeing as it's now one level removed from your real network. Once all this works properly, we can start playing with port forwarding on pfsense for COD. Your port forward rules were almost right. Instead of deleting them, you can disable them for now and come back to it (edit and select the disable checkbox)... or set up its destination to be the specific ip of the COD running box. Having "lan address" on all of those destinations will break that particular traffic in and out for sure.

Edited by AllenG
Link to comment
Share on other sites

1 hour ago, AllenG said:

If going fiber in the near future, i wouldn't purchase anything for this then. Now that you have put up your screenshots, you are part of the way there already. Is there anywhere in there under "DHCP Table" or "Devices" where it allows a static dhcp mapping to be created? Also, on the port forwarding, will it allow you to place "*" in those port ranges and apply it? First we will try to use the Hub One's DMZ feature, hopefully it is a true DMZ and not filtered.

 

First part we will get the Hub One setup,

1. Advanced Settings > Firewall > Configuration > Set to "Default". This will get our first firewall back online so nothing can attack the 192.168.0.xxx network or the isp modem itself.

2. Advanced Settings > Home Network > IP Addresses. Set the IP Address as: 192.168.0.254 Leave the subnet mask as 255.255.255.0. Make sure the DHCP server is still set to "Enable" and that your DHCP Network Range is set for "192.168.0.64 - 192.168.0.253".

3. Apply those settings and reboot the hub one. Reconnect to hub one at new ip address of 192.168.0.254.

4. At this point, make sure to remove all port forwards under Settings > Port Forwarding, also under Advanced Settings > Firewall > Port Forwarding. Finally, any IPV6 Pinholes also.

5. Advanced Settings > Firewall > DMZ. Enable DMZ. Set DMZ IP address as 192.168.0.1 (This is the address that we will assign the pfsense WAN port.)

6. Reboot Hub One.

At this point, there are two ways to assign the proper IP address to the pfsense WAN port, one is to set a static DHCP mapping for that device on the Hub One... The screenshots don't show much on this as an option though so you would have to tell me if it can do it. The other way, which i prefer usually anyways is to set pfsense up as a static IP on its wan port. We will go this route.

Second part is now configuration of the pfsense router.

1. Login to your pfsense interface. Goto Interfaces > WAN.

       A. Make sure "Enable interface" is checked. Set ipv4 Configuration Type as "Static IPv4". Set IPv6 Configuration Type as "None".

       B. Set IPv4 Address as "192.168.0.1" and set the / as "24".

       C. Add a new gateway named "WANGW0" with the Gateway IPv4 address of "192.168.0.254" Select "Default gateway" and press add.

       D. Make sure WANGW0 is selected as the "IPv4 Upstream gateway".

       E. Finally, make sure "Block private networks and loopback addresses" is UNchecked. Go ahead and click save at the bottom of the page.

2. Goto System > General Setup under DNS servers put "192.168.0.254" with "none" as the gateway. If you would like, you can find your real world dns addresses from the ip info page of your hub one and enter them here instead of relying on the HubOne also. Click save at the bottom of the page.

3. Reboot pfsense.

At this point, you should be fully online and functional with your pfsense router. All devices on the LAN side of pfsense should have full connectivity to the internet and lower-lying HubOne network of 192.168.0.xxx. This will now allow for port forwarding via pfsense as long as the port forwards on pfsense are configured correctly. Devices on the HubOne network of 192.168.0.xxx will not be able to access devices on the pfsense LAN side network of 192.168.1.xxx unless you set up a port forward on the pfsense box.

 

You can turn off the wifi on the HubOne, or you can leave it on and use it as an isolated guest wifi seeing as it's now one level removed from your real network. Once all this works properly, we can start playing with port forwarding on pfsense for COD. Your port forward rules were almost right. Instead of deleting them, you can disable them for now and come back to it (edit and select the disable checkbox)... or set up its destination to be the specific ip of the COD running box. Having "lan address" on all of those destinations will break that particular traffic in and out for sure.

 

Those be some awesome directions bud. I will give them a shot tomorrow, thanks very much for the thorough guidance.  Yes there is a section where you can find a device and reserve an IP from the DHCP pool  for it. Screenshot below.  

[Screenshot]

 

 

 

As for the Port forward I tried a wildcard but gives me an error. 

[Screenshot]

 

 

 

Also just for reference this is the DMZ Page. 

[Screenshot]

 

 

Link to comment
Share on other sites

26 minutes ago, Diffident said:

Once you go fiber, you probably won't need an ISP router.  With Verizon Fios, I have an ethernet cable coming from the ONT (Optical Network Terminal) straight to my pfsense router.

Do you need any connection details configured in pfSense though?

Link to comment
Share on other sites

1 hour ago, ENTERPRISE said:

Do you need any connection details configured in pfSense though?

The stock pfsense config works for networking.  Since I'm not using an ISP router, the only "extra" thing I needed to do was buy a MoCa network adapter so On-Demand and the channel guide worked on the STB for TV.

Link to comment
Share on other sites

Fair enough. Bummer on the wildcard, we can still specify entire port range though if the DMZ doesn't work correctly. Since the Hub One can do static DHCP mappings, if you prefer you can go ahead and set a static mapping up using the Hub One then... just find the mac address of your pfsense in your current DHCP table on the Hub One and use that to assign 192.168.0.1 to the pfsense WAN every time. If you do it this way that means you can skip 1. A.-D. on the pfsense side of the configuration instructions, 1. E. still needs to be done though. I would also recommend Set IPv6 Configuration Type as "None" still.

I will say i like setting my routers as a static ip instead though, that way it doesn't ever go down for the split second it takes to renew its dhcp lease.

 

When you apply the "enable" on the DMZ i'd imagine more options will appear. I believe it should just need the ip address we specified in the last post (192.168.0.1). I've seen some devices decide on its own what ip it gives, in that case we may have to use that one instead... but we will have to see what options it gives us.

 

Looking good so far!

 

What you may need when you go fiber will be determined by your provider. I know a lot of areas (especially residential) where they run "fiber" over coax, which effectively uses a cable modem. Some do dump out straight ethernet off the fiber, i have really only seen this with verizon fios and carrier class fiber connections though. You can usually request when you get sent your modem (if you will need one) for it to be setup in bridge mode because you already have your own router... they will usually do it. At least that's how it is for the most part here in the states, elsewhere it might be different. Either way i just said here, you would leave your pfsense WAN as DHCP. NOTE: As soon as you get supplied a real world ip address you will want to go back to your WAN interface in pfsense and set "Block private networks and loopback addresses" back to checked... otherwise it will leave you vulnerable to attack.

Edited by AllenG
Link to comment
Share on other sites
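The addressing plan from AllenG's Hub One and pfSense steps, together with his later note about "Block private networks and loopback addresses", written as a consistency check. This is an added example, not part of the original posts; the pfSense LAN address 192.168.1.1, the game PC at 192.168.1.50 and all function and finding names are assumptions, and "private" is taken here to mean the RFC 1918 ranges.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumption: "private" means the three RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Plan:
    hub_lan_ip: str          # Hub One LAN address (pfSense's upstream gateway)
    hub_mask: str            # Hub One subnet mask
    hub_dhcp_first: str      # first address of the Hub One DHCP range
    hub_dhcp_last: str       # last address of the Hub One DHCP range
    hub_dmz_host: str        # address the Hub One DMZ points at
    wan_ip: str              # pfSense WAN address
    wan_prefix: int          # pfSense WAN prefix length
    wan_gateway: str         # pfSense WAN gateway (WANGW0 in the steps)
    wan_is_static: bool      # True: Static IPv4; False: DHCP reservation
    wan_block_private: bool  # "Block private networks and loopback addresses"
    lan_net: str             # pfSense LAN network
    lan_ip: str              # pfSense's own LAN address
    forwards: dict = field(default_factory=dict)  # label -> redirect target IP


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def audit(plan):
    """Return a sorted list of finding codes; an empty list means consistent."""
    ip = ipaddress.ip_address
    findings = set()
    hub_net = ipaddress.ip_network(f"{plan.hub_lan_ip}/{plan.hub_mask}", strict=False)
    wan_if = ipaddress.ip_interface(f"{plan.wan_ip}/{plan.wan_prefix}")
    lan_net = ipaddress.ip_network(plan.lan_net)

    # pfSense WAN must sit on the Hub One LAN and route through the Hub One.
    if wan_if.network != hub_net:
        findings.add("WAN_NOT_ON_HUB_SUBNET")
    if ip(plan.wan_gateway) != ip(plan.hub_lan_ip):
        findings.add("GATEWAY_IS_NOT_HUB")
    # The DMZ only helps if it points at the pfSense WAN address.
    if ip(plan.hub_dmz_host) != wan_if.ip:
        findings.add("DMZ_HOST_IS_NOT_PFSENSE_WAN")
    # A hand-set static address inside the DHCP range can be leased to another device.
    if plan.wan_is_static and ip(plan.hub_dhcp_first) <= wan_if.ip <= ip(plan.hub_dhcp_last):
        findings.add("STATIC_WAN_INSIDE_DHCP_POOL")
    # Two NAT layers need distinct subnets on each side of pfSense.
    if wan_if.network.overlaps(lan_net):
        findings.add("WAN_AND_LAN_OVERLAP")
    # Step 1.E: unchecked while the WAN is private; the NOTE: checked once it is public.
    if is_rfc1918(wan_if.ip) and plan.wan_block_private:
        findings.add("BLOCK_PRIVATE_ON_WITH_PRIVATE_WAN")
    if not is_rfc1918(wan_if.ip) and not plan.wan_block_private:
        findings.add("BLOCK_PRIVATE_OFF_WITH_PUBLIC_WAN")
    # A port forward must redirect to the host running the service,
    # not to the firewall's own LAN address.
    for label, target in plan.forwards.items():
        if ip(target) == ip(plan.lan_ip):
            findings.add(f"FORWARD_TO_FIREWALL_LAN_ADDRESS:{label}")
        elif ip(target) not in lan_net:
            findings.add(f"FORWARD_TARGET_OUTSIDE_LAN:{label}")
    return sorted(findings)


# Values from the posts, except where marked.
PAGE_PLAN = Plan(
    hub_lan_ip="192.168.0.254", hub_mask="255.255.255.0",
    hub_dhcp_first="192.168.0.64", hub_dhcp_last="192.168.0.253",
    hub_dmz_host="192.168.0.1",
    wan_ip="192.168.0.1", wan_prefix=24, wan_gateway="192.168.0.254",
    wan_is_static=True, wan_block_private=False,
    lan_net="192.168.1.0/24",
    lan_ip="192.168.1.1",                   # assumption: not stated in the thread
    forwards={"warzone": "192.168.1.50"},   # constructed game PC address
)

if __name__ == "__main__":
    print(audit(PAGE_PLAN) or "plan is consistent")
```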

10 hours ago, AllenG said:

Fair enough. Bummer on the wildcard, we can still specify entire port range though if the DMZ doesn't work correctly. Since the Hub One can do static DHCP mappings, if you prefer you can go ahead and set a static mapping up using the Hub One then... just find the mac address of your pfsense in your current DHCP table on the Hub One and use that to assign 192.168.0.1 to the pfsense WAN every time. If you do it this way that means you can skip 1. A.-D. on the pfsense side of the configuration instructions, 1. E. still needs to be done though. I would also recommend Set IPv6 Configuration Type as "None" still.

I will say i like setting my routers as a static ip instead though, that way it doesn't ever go down for the split second it takes to renew its dhcp lease.

 

When you apply the "enable" on the DMZ i'd imagine more options will appear. I believe it should just need the ip address we specified in the last post (192.168.0.1). I've seen some devices decide on its own what ip it gives, in that case we may have to use that one instead... but we will have to see what options it gives us.

 

Looking good so far!

 

What you may need when you go fiber will be determined by your provider. I know a lot of areas (especially residential) where they run "fiber" over coax, which effectively uses a cable modem. Some do dump out straight ethernet off the fiber, i have really only seen this with verizon fios and carrier class fiber connections though. You can usually request when you get sent your modem (if you will need one) for it to be setup in bridge mode because you already have your own router... they will usually do it. At least that's how it is for the most part here in the states, elsewhere it might be different. Either way i just said here, you would leave your pfsense WAN as DHCP. NOTE: As soon as you get supplied a real world ip address you will want to go back to your WAN interface in pfsense and set "Block private networks and loopback addresses" back to checked... otherwise it will leave you vulnerable to attack.

Thanks bud. 

 

I had a thought the other day. I can get a router, Draytek for example that allows for your standard ADSL/VDSL as well as Ethernet WAN.  I was thinking of purchasing one of these as this would cover me for my current broadband and again for FTTP when I get it later on. Plus from experience the Draytek routers are highly configurable unlike ISP routers.

 

I was taking a look at something like this : https://www.broadbandbuyer.com/products/43524-draytek-v2766-k/

 

I would imagine that would support DHCP bridging out of the box too. Just means I'm not relying on ISP gear and I would have something I can use independently.

 

Link to comment
Share on other sites

That's a pretty cool multi function router. I like that it has a SIP to FXS! The fact that the ADSL modem is built in is cool, but to be honest DSL is a dying technology. Whatever connection you get next will likely use a cable modem which is not the same as a DSL modem, or have a true fiber ONT and will dump you the straight gigabit ethernet to go directly to your pfsense WAN anyways.

 

Personally, i wouldn't buy anything more just yet... You are already sitting on one of the most versatile and powerful platforms you can get. To be honest, having any extra routing downstream of your pfsense is just more bottleneck.

  • Respect 1

2 hours ago, AllenG said:

That's a pretty cool multi function router. I like that it has a SIP to FXS! The fact that the ADSL modem is built in is cool, but to be honest DSL is a dying technology. Whatever connection you get next will likely use a cable modem which is not the same as a DSL modem, or have a true fiber ONT and will dump you the straight gigabit ethernet to go directly to your pfsense WAN anyways.

 

Personally, I wouldn't buy anything more just yet... You are already sitting on one of the most versatile and powerful platforms you can get. To be honest, having any extra routing downstream of your pfsense is just more bottleneck.

That is a fair point. Will configure what I have and when going FTTP, I should be able to go ONT straight to pfSense. Will have to go for a premium install to get them to put the ONT in my office upstairs lol.

 

Will try those configurations end of this week/weekend and let you know how I get on. It is also blocking my Plex server at the moment which is not great but is what it is.


A lot of work, just to play Warzone 😄


18 hours ago, Sgt_Swanny said:

A lot of work, just to play Warzone 😄

 

Only to play with you fools. 

 

@AllenG 

 

I have completed the configuration, in fact I had actually done most of it, just had to tweak and put the pfSense in the DMZ. However, shouldn't the Hub One have its firewall disabled anyway?

  • Respect 1


LOL

 

Nah, you will want to leave it on. Who knows what services of the OneHub itself turning off its firewall might put at risk... That's effectively leaving your whole OneHub level LAN routable and accessible by the real world (this includes your OneHub's interface itself).

 

If the DMZ is working correctly, it is bypassing the firewall, doing transparent NAT, and sending straight to your pfsense.

  • Thanks 1

2 minutes ago, AllenG said:

LOL

 

Nah, you will want to leave it on. Who knows what services of the OneHub itself turning off its firewall might put at risk... That's effectively leaving your whole OneHub level LAN routable and accessible by the real world (this includes your OneHub's interface itself).

 

If the DMZ is working correctly, it is bypassing the firewall, doing transparent NAT, and sending straight to your pfsense.

 

Yeah, that is fair enough. It's not very granular so it is hard to see what it is disabling when the firewall goes off. I have sorted everything bar the port forwards which I will do tomorrow and I will see how I get on.


Awesome, glad it's all working out for ya so far! Like I said, you were close on those port forwards, just have to point them to a particular IP address. Use what was outlined in the previous posts about setting up DHCP static mappings to give the computer running the program being port forwarded an IP that is consistently the same... do this on the pfsense LAN side of course.

 

  • Respect 1
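The check described in the post above (every port forward should point at an address pinned by a DHCP static mapping), as an added example that is not part of the thread. It assumes a pfSense `config.xml` backup with `<nat><rule><target>` and `<dhcpd><lan><staticmap><ipaddr>` elements; the sample config, addresses, ports and descriptions are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a pfSense config.xml backup (not from the thread).
SAMPLE_CONFIG = """<pfsense>
  <dhcpd><lan>
    <range><from>192.168.1.100</from><to>192.168.1.199</to></range>
    <staticmap><mac>aa:bb:cc:00:00:01</mac><ipaddr>192.168.1.10</ipaddr></staticmap>
  </lan></dhcpd>
  <nat>
    <rule><protocol>udp</protocol><target>192.168.1.10</target><local-port>3074</local-port><descr>Warzone</descr></rule>
    <rule><protocol>tcp</protocol><target>192.168.1.150</target><local-port>32400</local-port><descr>Plex</descr></rule>
    <rule><protocol>tcp</protocol><target>192.168.1.20</target><local-port>8443</local-port><descr>NAS</descr></rule>
  </nat>
</pfsense>"""

def audit_port_forwards(config_xml):
    """Return (descr, target, status) for each NAT port-forward rule."""
    root = ET.fromstring(config_xml)
    static_ips, pools = set(), []
    for iface in root.findall("./dhcpd/*"):          # one element per interface
        for sm in iface.findall("staticmap"):
            ip = sm.findtext("ipaddr")
            if ip:
                static_ips.add(ipaddress.ip_address(ip.strip()))
        lo, hi = iface.findtext("range/from"), iface.findtext("range/to")
        if lo and hi:
            pools.append((ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    findings = []
    for rule in root.findall("./nat/rule"):
        target = rule.findtext("target", "").strip()
        descr = rule.findtext("descr", "")
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:                            # alias name or empty target
            findings.append((descr, target, "not-an-ip"))
            continue
        if addr in static_ips:
            status = "static"                         # pinned: forward stays on this host
        elif any(lo.version == addr.version and lo <= addr <= hi for lo, hi in pools):
            status = "dynamic-pool"                   # lease can move to another device
        else:
            status = "unmapped"                       # outside pool, no mapping on record
        findings.append((descr, target, status))
    return findings

if __name__ == "__main__":
    for row in audit_port_forwards(SAMPLE_CONFIG):
        print(row)
```

A `dynamic-pool` result is the case to fix first: once the lease changes hands, the forward exposes whichever device picks up that address.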

  • 2 weeks later...

Just a small update. 

 

So I have everything set up and working well. Other than pfSense handling DNS and DHCP for my network, I also have it doing a local cache of web pages via Squid Proxy Server with ClamAV enabled for additional security for all that incoming traffic. Lastly, as I hate ads, I have installed and set up pfBlockerNG. This kind of finishes off everything I wanted so far as a box to handle the main network workload as well as other nice features for security.

 

Fortunately with having 8GB RAM in this box it allows for me to stretch pfSense a little further, especially with ClamAV & pfBlockerNG with the larger definition tables and I can cache web pages into RAM depending upon defined limits.

 

I do not yet have WireGuard set up for VPN. Deciding whether I want the pfSense to handle that or stick to clients on the PCs. I am aware of the pros and cons but have not made a decision. Thanks to all that helped, especially @AllenG !

  • Thanks 1

