NAT / External Connection Times Out to Gateway IP
« on: April 24, 2018, 06:51:53 pm »
We have been using a pfSense router with NAT rules in place for an outside company to transfer files to a computer on our network.  I did all of the port forwarding from their external IP to the internal IP, using the ports they asked for.  No issues with that.

But this became a problem when we moved them to another pfSense router on a different subnet internally.  I copied the exact same settings from router 1 to router 2.  They continue to get a Connection Timed Out error on the new router.

There is only one difference in equipment: the new router is using Spectrum ISP.  Their modem is in Bridge mode with a Static IP address. The original ISP is Megapath, but I don't know if that is set up in Bridge mode. I would assume it is, since that one is still connecting to router 1 and works fine.

The Port Forwarding is in place for 443, 80, 8081, 22, among a few other misc ports.

I am using a program called ZenMap on my Mac to see if any ports are blocked.  80 and 443 were blocked when I had a NAT / 1:1 setup, but once I disabled that rule, those ports were no longer on the blocked list.

Is it possible the Spectrum modem is blocking access?

And how else can I test from the outside if the WAN/Gateway is accessible?

General Questions / Re: How To Remotely Access Router WebGUI ?
« on: February 12, 2018, 10:28:49 pm »
Thanks @Marvosa...

I am going to try this idea.

General Questions / Re: How To Remotely Access Router WebGUI ?
« on: February 12, 2018, 01:14:27 pm »

edit:  Why exactly do you even need to access your pfsense web gui remotely to be honest?  How often are you doing it that the click the vpn icon on your phone/laptop/pc is such a bother?  I am normally vpn'd into my home network all day from work ;)  But not really to access the webgui of pfsense, unless doing so to take a screenshot to help out on some thread.

I would like access to it because we have several all around the county and some are not so easy to access during the weekend or evenings. There may be some issues that I can resolve without physically being there.

Traffic Shaping / Re: Prioritizing instead of Limiting
« on: February 10, 2018, 01:05:37 pm »
LIMITING won't be so limiting (pun intended) if it allows % of total bandwidth, rather than a fixed number.

But I disagree with above. pfSense KNOWS how much bandwidth you got; Traffic Shaper MAKES you tell it, doesn't it?  So OK, SOHO have no guaranteed BW, but since pfSense makes you input something, at least there is something to go by.

The only way I tested it so far was to enter an IP address in the range for the Limiter, then change my computer IP to that address.  I ran a speed test, and it was right on the money. We have 100/100 internet, I made the limits at 12/6, and it was right there.  Then I changed my IP address outside the range, and it was back to 100/100.  So it worked, but only if I knew the IP addresses or range.  That's why I might have to make those 30 computers with static IP range above my DHCP range.  Then I know exactly which machines are limited.

General Questions / How To Remotely Access Router WebGUI ?
« on: February 08, 2018, 10:58:06 pm »
I have been searching for a solution to access my client's router from outside of their office. [such as from home]  Almost like using Team Viewer to a PC.  But I have yet to find a proper solution.  Also wanting to gain the access to the Web GUI.  I have the WAN Gateway address, and I was pretty sure I have to open a port for that.

Does anyone do this and what is your solution?

General Questions / How To Setup Multiple Subnets
« on: February 08, 2018, 10:51:53 pm »
I am running version 2.4.2.  I would like to set up 2 subnets, such as 192.168.1.x and 50.x.

Do I need 2 LAN interface cards?  And If I get 2 subnets working, can they still communicate to each other?  Such as connecting a PC or Mac to a printer?

Traffic Shaping / Re: Prioritizing instead of Limiting
« on: February 08, 2018, 10:34:20 pm »
Thank you, very clear.
Yes, I ended up limiting everyone except the alias I wanted to prioritize.

How did you make your "limits"?  The only way I found was to add any IP address for the limiter.  Anyone else will have full throttle.

In my case, we will have 50 users, and we need to limit about 30 of them.  My best solution that I can think of is make all of the limited machines with Static IP addresses in the range to limit.  Anyone in DHCP will have full access.

Could there be any other way?

Traffic Shaping / Re: How to Modify QoS for a Single Internal IP Address
« on: January 11, 2017, 12:12:55 pm »
Your wording made it sound like you didn't want it to consume more than 60% with the rest for all other clients.  Flip it and make a limiter that limits to 40 Mbps, and then put all other clients in that pipe.

Maybe I wasn't clear in my wording.

We want 1 computer to have access to 60mbps, no more - no less, all others to share the other 40.  There are about 100 people at the company.  I was hoping to maybe include an IP range from our DHCP to limit those to 40, then give the PC that I need 60 on to a static IP outside the DHCP scope, then it would be allowed to have that 60 it needs.

Traffic Shaping / Re: How to Modify QoS for a Single Internal IP Address
« on: January 11, 2017, 10:45:32 am »
Thanks KOM.  I'll check it out.

One thing we are trying to do is not really limit it to 60, but want to keep it at 60 or above due to bandwidth needed for that line.

Traffic Shaping / How to Modify QoS for a Single Internal IP Address
« on: January 10, 2017, 07:20:33 pm »
We are looking to connect our company from Los Angeles to our other office in another city.  But we need to set up only 1 computer to have control of 60% of the bandwidth for a single day.

The company line has 100up/100dn from the ISP.  So we need 60ms to be used for this single computer.  I realize we are talking about upload speed on my end, and at the other office they will be working on the download side because we are transmitting to them.

I am working with the latest pfSense version, 2.3.2.  What would be the best method to achieve this goal?

General Questions / Re: Changing Router IP and DHCP Blocked Internet Access
« on: December 26, 2016, 01:04:57 pm »
Check if pfSense has changed the outbound NAT rule to fit the new subnet if you use automatic rule generation. If you have set it to manual rule generation, the rules have to be changed by yourself in any case.

Thanks for the reply.  I will check it this week and let you know.

General Questions / Changing Router IP and DHCP Blocked Internet Access
« on: December 24, 2016, 04:14:49 pm »
We have a router with the typical IP of and DHCP scope that matches.

I wanted to change the subnet from 1.x to 50.x [per client request due to VPN issues].  I changed the router IP to 50.1, changed the DHCP scope to 50.x range.  The router is leasing out new addresses under 50.x.  I made sure to restart all AP units just for good measure.  But now the Internet is not accessible. I finally got to restart the ISP modem, no change. 

I checked on a few items, made sure the DNS servers are the same as before.  At this point I only noticed the WAN gateway screen showed Status as OffLine [to Megapath].  I forgot to capture that screen.

I restored the router settings with the backup config file until we can figure it out.

Any ideas?

I assume your WiFi AP is connected by cable from the LAN of the AP to the LAN port of pfSense. So you would expect to get DHCP from pfSense LAN when you connect to the WiFi. Often the problem is that the AP is a consumer box that can also function as a firewall/router (also has a WAN port etc). So the AP is also running a DHCP server. The WiFi client gets DHCP from the AP, which gives it the AP IP address as gateway, which does not work.

Turn off DHCP on the AP (if that is the problem).

Ah Ha !  Great points.  Thanks, I'll try that [If I can get logged into it].  But now that makes sense.
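The second-DHCP-server situation described above can be confirmed from a packet capture by reading the server identifier (option 54) and router (option 3) out of each DHCPOFFER. The following is an added example, not part of the original posts; the addresses are constructed, with pfSense LAN assumed at 192.168.1.1 and the AP assumed at 192.168.0.1.

```python
import socket

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options (RFC 2131)

def parse_offer(packet: bytes):
    """Return server/router/offered IP from a DHCPOFFER, or None for other messages."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:   # 255 = end option
        if packet[i] == 0:                        # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        code, length = packet[i], packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    if opts.get(53) != b"\x02":                   # option 53 = message type, 2 = OFFER
        return None

    def ip(raw):
        return socket.inet_ntoa(raw[:4]) if raw and len(raw) >= 4 else None

    return {"server": ip(opts.get(54)), "router": ip(opts.get(3)),
            "offered": ip(packet[16:20])}         # yiaddr sits at bytes 16-19

def unexpected_offers(packets, expected_server):
    """Offers whose server identifier is not the DHCP server you intended to run."""
    offers = [o for o in map(parse_offer, packets) if o]
    return [o for o in offers if o["server"] != expected_server]

def build_offer(server, router, offered):
    """Construct a minimal DHCPOFFER for the sample data below (not a real capture)."""
    a = socket.inet_aton
    header = (bytes([2, 1, 6, 0]) + b"\x12\x34\x56\x78" + bytes(8)
              + a(offered) + bytes(8) + bytes(16) + bytes(192))
    options = b"\x35\x01\x02\x36\x04" + a(server) + b"\x03\x04" + a(router) + b"\xff"
    return header + MAGIC_COOKIE + options

# Constructed sample: one offer from pfSense, one from the AP's built-in DHCP server.
SAMPLE = [
    build_offer("192.168.1.1", "192.168.1.1", "192.168.1.100"),
    build_offer("192.168.0.1", "192.168.0.1", "192.168.0.100"),
]

if __name__ == "__main__":
    for offer in unexpected_offers(SAMPLE, "192.168.1.1"):
        print("unexpected DHCP server:", offer)
```
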

Did you get this working?  I have something similar, but with mine I have Internet over Ethernet, but not with WiFi. 

You might need to change that Firewall setting to the 200.x subnet.

I am starting to build my first pfSense box.  2 NICs installed.  I finally got the 2.3 installation to work.  Now I'm on the GUI and checking some of the settings.  Both Ethernet cables are connected from my small office network; this will eventually be at a client but for now is just a test system.

THE PROBLEM.  When I have my laptop connected via Ethernet, the Internet works fine.  But when I use only WIFI, it does not.  I'm not sure why that makes a difference.  I am connecting to the WiFi AP, but no Internet that way.

interface setup: (via shell)
      LAN vmx0 192.168.1.x /24
      WAN vmx1 

Any Help ?

