
Topic: Routing between PFSense and second router ???


Offline Cant.Make.Any:PFSENSE...

  • Newbie
  • Posts: 13
  • Karma: +0/-0
Routing between PFSense and second router ???
« on: October 30, 2017, 06:49:38 pm »
If any of you could please look at the simplified diagram of my new network that I have attached in this post and post the actual image for me.  :D

Ideally, maybe someone could tell me how I should be able to set up routing between the PFSense router and the Fios Router.  ;D

I would like to access the Fios Router GUI (192.168.20.1) from a PC (192.168.1.100) on one of the interfaces on the PFSense Router (192.168.1.1)...

I am assuming that I will have to put a PC on the Fios Router LAN (192.168.20.1), log into the GUI and create a port-forward or special rule?

However, I clearly do not know...

Do I have to make any changes within the GUI on the PFSense router? More importantly, my WAN gets routed through OpenVPN on the PFSense router; are there any additional changes necessary with the addition of the VPN?

Thank you in advance  :)

Offline johnpoz

  • Hero Member
  • Posts: 14276
  • Karma: +1329/-191
  • Not a pfSense employee, they cannot fire me...
Re: Routing between PFSense and second router ???
« Reply #1 on: October 30, 2017, 06:57:06 pm »
So you're natting at this fios router, that you're using for wifi?

Why would you not just use it as an AP?  If you want to access behind a NAT you have to port forward.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x 2.4.1-RELEASE on VM esxi 6.5 (home)

Offline Cant.Make.Any:PFSENSE...

  • Newbie
  • Posts: 13
  • Karma: +0/-0
Re: Routing between PFSense and second router ???
« Reply #2 on: October 30, 2017, 07:46:54 pm »
The Fios Router is used for:

-Our Fios cable tuners over coax
-WIFI for my Wife
-Some streaming devices for the Televisions over ethernet
-(All stuff my Wife exclusively uses...)

I wanted to give my Wife something of her own network... I route the Fios traffic over the default PFSense gateway on its own interface and my PFSense LAN and other interfaces over OpenVPN with all different firewall rules.

Regarding port-forwarding: do I need to set that up from the Fios GUI, or the other way around?

My apologies!

Should I have configured what is seen in the diagram differently? Take into consideration that there is quite a bit missing from the diagram.

Offline mikeisfly

  • Sr. Member
  • Posts: 462
  • Karma: +6/-0
Re: Routing between PFSense and second router ???
« Reply #3 on: October 31, 2017, 04:01:43 am »
You would set up the port forward from behind the Fios router. There should be a remote management option. There is a better way to do what you want if you want to add a managed switch or, as Johnpoz suggested, turn the Fios router into an access point. You can do this by setting the LAN up so it's in the range of your pfsense interface. Disable dhcp on the Fios access point, then move the cat6 from the wan port on the Fios AP to any of the LAN ports; I suggest the last port.

Offline johnpoz

  • Hero Member
  • Posts: 14276
  • Karma: +1329/-191
  • Not a pfSense employee, they cannot fire me...
Re: Routing between PFSense and second router ???
« Reply #4 on: October 31, 2017, 08:53:22 am »
You could put this g1100 on its own network without having to do NAT on it..

Did you set up port forwarding on pfsense to your g1100? If not, I don't think certain things function like caller ID or remote scheduling of recording, etc.

You show 2 different connections into your pfsense box... So there is not even really a need for a vlan switch to set this up..  Since you have different physical networks.  Using the moca bridging feature to your cable boxes doesn't matter if the device is just an AP or doing NAT, from my understanding.

Offline Cant.Make.Any:PFSENSE...

  • Newbie
  • Posts: 13
  • Karma: +0/-0
Re: Routing between PFSense and second router ???
« Reply #5 on: October 31, 2017, 09:24:06 pm »
Thank you to Johnpoz and Mikeisfly!  :D

I may move the FIOS interface I created on the PFSense router to a LAN port on the FIOS G1100 as you suggested... Why the last port?

Can the FIOS G1100 be used as a MOCA bridge or do I simply buy a MOCA bridge in addition? Do I lose the WIFI and LAN as a G1100-MOCA bridge?

The ONLY setup for NAT that I see in the PFSense GUI is Outbound-Manual rules generation. I believe I had to set that up for use with OpenVPN???

To date I have absolutely no type of Port-Forwarding done on the PFSense router. However, everything operates properly in terms of FIOS functionality.

The FIOS interface on the PFSense router is NOT routed over the VPN... I was worried FIOS would bitch about it!  >:(

Since I clearly do not know; you say I have Natted the FIOS G1100... Is that because I have OCD and manually assigned IP addresses and range? Or is it double-NAT, I think, because both sides of the FIOS G1100 are private network IPs? I believe I read that Port-Forwarding gets screwed up in a double-NAT setup, but since my IP ranges don't repeat/ overlap, maybe it will work?

The Paint diagram I created is missing quite a bit from what is actually configured in my home network...

The PFSense router has one 4-Port 1G NIC and one 2-Port 10G NIC (both NICs are RJ45/ Ethernet; I may switch to SFP+ for the 10G side of things). There are four interfaces configured on the 1G NIC (WAN, LAN, FIOS, and WIFI). Two of those interfaces go to individual 4-Port switches (LAN and WIFI have individual switches). The LAN switch of course has a few PCs on it and there are a few Unifi APs on the WIFI switch. The 10G NIC is a NAS interface with one NAS and my main PC on it (the main PC has both LAN and NAS connectivity).

My personal wireless devices use the PFSense WIFI interface, where as my Wife uses the WIFI from the FIOS G1100.

I would like to add two more interfaces with another NIC; Should I be doing this all through one large switch (with both 1G and 10G), instead of all the individual 4-Port switches??? Should I run all the different interfaces into one switch? Does that simplify or complicate things? Do I need VLANs at that point or just when I have no more physical interface ports remaining?

I am increasing the amount of devices on the 10G NAS interface... Have 10G RJ45 components come down in price now? Or should I change to SFP+ to save money?

So, I think I'm good with setting up a Port-Forward on the FIOS G1100.
All I think I need to know is which port you guys recommend? Do I simply use 443 for HTTPS?
I'm sure I should enter the PFSense router IP address in the rule that I will create on the FIOS G1100 Port-Forward configuration. I believe this is so the port I open is only open to my PFSense router IP address and not simply everywhere.

Thanks again guys!
« Last Edit: October 31, 2017, 11:44:10 pm by Cant.Make.Any:PFSENSE... »

Offline johnpoz

  • Hero Member
  • Posts: 14276
  • Karma: +1329/-191
  • Not a pfSense employee, they cannot fire me...
Re: Routing between PFSense and second router ???
« Reply #6 on: November 01, 2017, 04:25:14 am »
My head hurts after trying to read that.. ;)  When you mentioned OCD... did you mean ADHD?   Look a Squirrel!!!

"You say I have Natted the FIOS G1100"

If you have it connected to your network via its WAN.. Then yeah, you're double natting..  That is what that hardware does out of the box.. Did you turn off natting on it?  If you did then you would have to set up downstream routing on pfsense, etc.

"All I think I need to know is which port you guys recommend? Do I simply use 443 for HTTPS?"

That would all depend on what you're trying to access exactly behind it.



Offline Cant.Make.Any:PFSENSE...

  • Newbie
  • Posts: 13
  • Karma: +0/-0
Re: Routing between PFSense and second router ???
« Reply #7 on: November 01, 2017, 02:13:36 pm »
HAHA! Thanks!  ;)

OOO! a Bird!

As far as using port 443, I don't know. I just want to log into the FIOS router GUI from a PC on my PFSense LAN...

I was guessing port 443 because my PFSense web-configurator protocol is set to HTTPS and I think somewhere else I restricted all the HTTP traffic on my LAN to be pushed to HTTPS...

Offline mikeisfly

  • Sr. Member
  • Posts: 462
  • Karma: +6/-0
Re: Routing between PFSense and second router ???
« Reply #8 on: November 02, 2017, 05:33:12 am »
So there is a lot to unpack with your last post. First I will start with why the last port? It doesn't really matter which port you use, but when I am wiring a switch I start from port 1 when the port leads to something in that room or building, and I start from the last port if the port goes to a router/firewall/access point/switch (anything that will have multiple MACs on that port) or another building or room where a switch will be, depending on how large the project is. That way you don't have port one going to something local but port two going to your firewall and port three going to another local port somewhere .... The way I do it, as you keep adding things you will eventually meet in the middle of the switch. Just makes it easier for me.

Secondly, your Fios wireless router is really a NAT router / Access point. So anytime you connect one of your PfSense lan ports to the wan of the Fios router and then have devices connected to the lan side of that router via wire or wireless, then you are natting. Your PfSense box is natting too because you are given a public ip on pfsense's WAN interface but then you have private IPs on the LAN side. So anything connected to that Fios router will be double natted: first by your PfSense box and then by your Fios router. By moving the wire from the wan port on your Fios router to a lan port there is no natting at that point. The packets will be switched. Remember, before you do this you will have to make sure the Fios router is in the same IP range as the lan port it is connected to on the PfSense box. At that point you will not need to set up any port forwarding to access the Fios Gui and everyone will be able to surf. You can restrict traffic to the Fios router from PfSense at that point. By the way, when you move the wire from the wan port to the lan port you are essentially not using the Fios router as a router; you are making it an access point. The MoCA bridge should still work, and if you wanted to connect other devices to that MoCA bridge you will need to buy more MoCA bridge devices. Remember though, MoCA bridges act like a hub. I prefer to just run a cat5e or cat6 cable; you will get much faster speeds.

Thirdly, you asked should you use a switch? I would, because router/firewall ports are expensive. Not in terms of cost but in the fact that you only get a few and you don't want to waste them the way you are doing (I am assuming you are using a PC; that is why you have so many). Some will argue that when you add vlan tags to an interface it will lower the payload size of the packet, which in turn will lower your bandwidth, but in real life you will not notice any speed differences. Also it's just good practice to come off your firewall with a switch and have everything connected to that switch imho.

Lastly, the reason I would use Https to access any gui is just because the traffic is encrypted. It can be a pain because the certificate is self signed, so you will get a warning message every time you access your device, but it helps with anyone trying to intercept that traffic.

I hope this helps, if it is still a little unclear let me know and I can make a diagram. I may make a YouTube video because I think it is a good little topic that I think a lot of people may get something from. Good luck to you and let us know how you make out.

Offline johnpoz

  • Hero Member
  • Posts: 14276
  • Karma: +1329/-191
  • Not a pfSense employee, they cannot fire me...
Re: Routing between PFSense and second router ???
« Reply #9 on: November 02, 2017, 07:33:29 am »
Did you enable remote admin on the g1100?  Most routers, be it soho or not, are not going to enable remote admin out of the box on any port.. 443 or https, yes, is a typical default on the WAN or internet side of the router.  If you want to use it in a double nat way, which I would not recommend, then you would need to enable remote admin on that device to hit its gui from its wan side.

You could then port forward to stuff you want to access behind it.

It's much simpler to just use it as just an AP.  This can be done with any soho wifi router/gateway.  Just connect it to your network via one of its lan ports, turn off its dhcp server.  And then for ease of management of your wifi, give its lan an IP on your network you're plugging it into.  A problem with many soho wifi routers is they do not allow you to set a gateway on the lan interface.  So this makes management from a different network a problem.

This can be solved a couple different ways.  You can source nat on pfsense so the AP thinks connections to its IP are on the same network it's plugged into (pfsense IP on this network).  Other option is to put 3rd party firmware on it that allows setting a gateway on the lan.  This is normally not possible if the device is actually a gateway device (modem/router combo).

3rd option is to just plug it in as an AP on your normal lan network... Problem is, unless it supports vlans it now makes it not possible to easily firewall your wifi networks from your lan network.

All of this becomes moot if you just buy a real AP that supports vlans.. Vs attempting to leverage some isp gateway device as your AP.  Or use it as some downstream natting router.

Offline Cant.Make.Any:PFSENSE...

  • Newbie
  • Posts: 13
  • Karma: +0/-0
Re: Routing between PFSense and second router ???
« Reply #10 on: November 03, 2017, 12:08:16 pm »
Thank you MikeIsFly!!!

Thank you JohnPoz!!!

The two of you have been a great help!  :D :D :D

Please look at the new Paint diagram I created, as it reflects what I will try to attempt. This diagram is also more complete compared to the original that I posted.
Most of all my 1G system is now shown; Just the 10G stuff is now missing for the NAS, ETC...

I am going to configure the FIOS G1100 as an AP, just as both of you suggested.
I will remove the PFSense interface cable (FIOS 192.168.2.1) from the WAN port (192.168.2.100) on the FIOS G1100 and move it to the LAN port (192.168.2.100).
I will set the FIOS G1100 IP range to match my PFSense FIOS interface (192.168.2.2 - 192.168.2.254).
What IP address do I assign to access the FIOS GUI in this configuration?
When I used the WAN port on the FIOS G1100, I had a LAN IP of 192.168.20.1 for the GUI. This will no longer be the case with the new IP range!

On another note; can you guys recommend a high port count switch that handles 10G as well as 1G. I do not want to buy two large switches.
With all the physical ports that I have on my hardware; is there any benefit to purchasing a switch that supports VLANs?
Is a simple managed switch enough to work for me?
Do you guys have a managed switch with a preferred GUI?

Thanks again!  ;D
« Last Edit: November 03, 2017, 12:11:38 pm by Cant.Make.Any:PFSENSE... »

Offline mikeisfly

  • Sr. Member
  • Posts: 462
  • Karma: +6/-0
Re: Routing between PFSense and second router ???
« Reply #11 on: November 03, 2017, 08:40:12 pm »
The way that you have your diagram, the FiOS GUI IP will be 192.168.2.100. Just as Johnpoz said, disable the DHCP on the FiOS router and let PfSense assign IPs on that LAN segment. As far as switches, I use a Brocade FastIron 648p which has 48 gigabit ports which are also PoE. The first four ports are dual personality, which means they are either fiber or copper. There is an optional 10Gb module that you will have to buy in addition to the switch if you want to have a 10gb link. I interface with the switch through the command line but it does have a GUI if that is what you prefer.
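As an added example, not code from this thread or from pfSense, here is a small Python check of the AP-mode plan worked out in the last few posts: the pfSense FIOS interface at 192.168.2.1/24 hands out 192.168.2.2 to 192.168.2.254, and the G1100 keeps 192.168.2.100 on its LAN side with its own DHCP turned off and its WAN port unused. The addresses are the ones from the thread; the dataclass names, the finding codes and the exact DHCP pool boundaries are assumptions made for the example.

```python
"""Consistency checks for turning a consumer router into a plain AP behind pfSense.

Added example, not code from the thread or from pfSense. The addresses are the
ones discussed in the thread; the dataclass names, the finding codes and the
DHCP pool boundaries are assumptions made for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class UpstreamInterface:
    """The pfSense interface the consumer router hangs off (here the 'FIOS' one)."""
    name: str
    cidr: str         # interface address with prefix length, e.g. "192.168.2.1/24"
    dhcp_pool: tuple  # (first, last) address of the pfSense DHCP range on this interface


@dataclass
class ConsumerRouter:
    """A SOHO router/gateway such as the Fios G1100, as it will be configured."""
    lan_ip: str        # address of its LAN side, i.e. where its web GUI answers
    lan_prefix: int    # prefix length of its LAN subnet mask
    dhcp_enabled: bool
    uplink_port: str   # "wan": it keeps routing and NATting; "lan": it is just a switch plus AP


def check_ap_plan(upstream, router):
    """Return a list of (code, detail) findings; an empty list means the plan is consistent."""
    findings = []
    iface = ipaddress.ip_interface(upstream.cidr)
    subnet = iface.network
    ap_ip = ipaddress.ip_address(router.lan_ip)

    if router.uplink_port == "wan":
        # Uplink on the WAN port: the router still routes and NATs between its LAN and the
        # pfSense segment, so hosts behind it are NATted twice and its GUI is only reachable
        # from the pfSense side if remote admin or a port forward is enabled on it.
        findings.append(("DOUBLE_NAT",
                         "uplink is on the router's WAN port; traffic is NATted by pfSense and again by the router"))
        return findings  # the remaining checks only make sense in AP mode

    # AP mode: the router's LAN address must live in the pfSense interface subnet ...
    if ap_ip not in subnet:
        findings.append(("WRONG_SUBNET", f"{ap_ip} is not inside {subnet} ({upstream.name})"))
    elif ap_ip == iface.ip:
        findings.append(("IP_COLLISION", f"{ap_ip} is already the pfSense {upstream.name} address"))

    # ... with the same mask, or the two sides disagree about what is on-link
    if router.lan_prefix != subnet.prefixlen:
        findings.append(("PREFIX_MISMATCH",
                         f"router uses /{router.lan_prefix}, pfSense uses /{subnet.prefixlen}"))

    # only one DHCP server per segment: pfSense hands out the leases
    if router.dhcp_enabled:
        findings.append(("TWO_DHCP_SERVERS", "router DHCP is still on; pfSense already serves this segment"))

    # the router's static address must not sit inside the pool pfSense hands out
    first, last = (ipaddress.ip_address(a) for a in upstream.dhcp_pool)
    if first <= ap_ip <= last:
        findings.append(("IN_DHCP_POOL",
                         f"{ap_ip} lies inside the pfSense pool {first}-{last}; shrink the pool or add a static mapping"))

    return findings


# The thread's plan: pfSense FIOS interface 192.168.2.1/24 serving 192.168.2.2-192.168.2.254,
# G1100 at 192.168.2.100 on one of its LAN ports with DHCP off (constructed from the posts above).
FIOS = UpstreamInterface("FIOS", "192.168.2.1/24", ("192.168.2.2", "192.168.2.254"))
G1100_AS_AP = ConsumerRouter("192.168.2.100", 24, dhcp_enabled=False, uplink_port="lan")
# The original layout: G1100 WAN plugged into the FIOS interface, its own 192.168.20.0/24 behind it.
G1100_ORIGINAL = ConsumerRouter("192.168.20.1", 24, dhcp_enabled=True, uplink_port="wan")

if __name__ == "__main__":
    for label, router in (("original", G1100_ORIGINAL), ("AP plan", G1100_AS_AP)):
        print(label, check_ap_plan(FIOS, router) or "OK")
```

Run as is, it reports DOUBLE_NAT for the original layout and one open point for the AP plan: 192.168.2.100 sits inside the 192.168.2.2-192.168.2.254 pool that pfSense will now hand out on that interface, so either end the pool before .100 or give the G1100 a static DHCP mapping for that address, otherwise pfSense can lease the AP's address to another client.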

Offline Cant.Make.Any:PFSENSE...

  • Newbie
  • Posts: 13
  • Karma: +0/-0
Re: Routing between PFSense and second router ???
« Reply #12 on: November 03, 2017, 11:26:44 pm »
MikeIsFly! Okay! I believe I have got it! Thank you!

I forgot about the FIOS G1100 performing DHCP services... I will turn that off.

I will look into the network switch you mentioned. DAMN!!! That is a MF switch!!! OMG!
What can be viewed with a serial console on that switch? Just the CLI or GUI? Can one see their PFSense CLI or GUI from it too?

What type of shell/ terminal does this switch use for a command line interface?
I have experience with BASH and with Windows CMD, but not much else... Even with PFSense/ FreeBSD there has been little to no use case for SH.
So I have never learned SH... I'm told BASH is similar enough and/ or a better substitution/ replacement.

Hopefully I can get by, as I do not prefer a GUI. I am becoming accustomed to using a GUI thanks to PFSence...
Years ago I had to start learning to use a mouse... I use one all the time now, however it is not my preference.

Excluding some Wireless APs, RASPBERRY-PIs, and a ROKU; I don't know what else I could power with POE... What are you powering with POE?
« Last Edit: November 03, 2017, 11:34:57 pm by Cant.Make.Any:PFSENSE... »

Offline johnpoz

  • Hero Member
  • Posts: 14276
  • Karma: +1329/-191
  • Not a pfSense employee, they cannot fire me...
Re: Routing between PFSense and second router ???
« Reply #13 on: November 04, 2017, 03:37:21 am »
You're not going to buy such a switch new - not for home use.. That is going to be an ebay special..

If you're looking for a smart switch to do vlans.. There are multiple options out there that support cli and or gui, etc.  I have new sg300-28 and sg300-10 on my network.  And a bunch of cheaper ones to play with: netgear, tp-link, d-link.. these are cheap 8 port gig smart switches.. Very limited in feature set - but very affordable for the home budget in the less than $50 market.. More like $30, etc.. I would for sure stay away from the tp-link 105e or 108e models.. They leave vlan 1 on every port, no way to remove it..

POE for sure could be an option.. If you're running 4 unifi AP, what model?  Their different models support different modes of POE... like the lite and LR models use passive 24 volts.. So you have to be careful on what POE switch you get.  Even some of their switches don't support it, etc.

As to POE, I only have 3 AP currently.. Just use the injectors - but somewhere down the road is cameras that will be most likely from unifi..  So I can see getting a smaller port density poe switch to handle those.

BTW where are you running your controller for your AP?  On that same 192.168.3 or are you doing L3 adoption?

Offline Cant.Make.Any:PFSENSE...

  • Newbie
  • Posts: 13
  • Karma: +0/-0
Re: Routing between PFSense and second router ???
« Reply #14 on: November 04, 2017, 11:14:44 am »
Yeah......

A switch of that caliber is not in my budget, nor do I own anywhere near enough devices to require that level of switch.

It's DAMN NICE though!!!

I am using Unifi AC Pro APs... I used the Unifi mobile application from my cell phone (L3 adoption).

I don't remember exactly, however I believe I originally configured the APs via SSH (Putty) from a PC on my LAN interface.
I may have had the Unifi controller/ discovery software on that same PC also (Layer 2 while the APs were plugged into the 192.168.1.1 interface) ...

As far as I know; PFSense does not have the resources to run a controller or other variant software for APs... Do you know if any new features came with FreeBSD 11 in this regard?