Linux gateway/router issues, please help!

[Captain_Rainbowbeard]

If you forwarded 139 and 445 tcp to your 2k8r2 server and its sharing and allowing guest then you should be able to access via \\ipaddressofpfsensewan from 0 network. Use the run box and go directly there your never going to be able to use a browselist for this sort of access.

I tried this but an error message popped up saying that the IP I was trying to access was unavailable. Anyways this is no biggie any more, I have added wireless access to the .1 subnet (PSK encrypted with access control enabled, WPS disabled, nice and secure), this is working fine now for the purposes I require.

For now it appears that my network configuration is just as I would like it though I have a little problem regarding pfSense...

It appears that if the ISP supplied router is restarted (which occasionally needs to be done as periodically the web-based setup stops working and wont display the logon screen again until the router is restarted) pfSense doesn't automatically reconnect, despite having a statically assigned IP leading me to believe it's not a DHCP lease issue, leaving all machines in .1 without internet. Is there any way to automate reconnection on pfSense after a router restart/connection drop?

[+BudMan MVC]

If pfsense has a static IP on its wan --- Which I somehow doubt to be honest, do you mean you setup a dhcp reservation for it on the isp router?

What I would assume is happening is on reboot of isp router your pfsense is getting a different wan IP, say 192.168.100.x

Because if pfsense is static IP assigned on its wan, as long as the network is on - then you would be connected..

Lets see this static assigned pfsense wan setting

And when its not working - lets see the wan status

[Captain_Rainbowbeard]

If pfsense has a static IP on its wan --- Which I somehow doubt to be honest, do you mean you setup a dhcp reservation for it on the isp router?

Yes, I do mean there is a DHCP reservation for it on the ISP router, not a statically assigned IP on the WAN interface, my mistake...

Here is the WAN status:

As you can see here the WAN interface is using DHCP, should I change this setting to assign a static IP to resolve this issue?

[+BudMan MVC]

I don't see the reason for the dhcp on the wan and you want it to be static.

What is the lease time? it should work the way you have it set, even if the isp router reboots - there could be some down time until the isp router finishes reboot, etc.

But you could have a problem with the interface going offline when the router reboots and then coming up again as the ports go active but not getting an IP right away if router has not finished booting, etc.

Couldn't hurt to make it static - so if your isp routers dhcp is say 192.168.0.100 to 150 or something then make your static on the pfsense for something outside that range say 192.168.0.99 or less or .151 or more. That would not conflict with any other devices on the 0 network.

And this should remove any issues with dhcp taking a bit to come back, etc.

When you have the issue - what does pfsense show for its wan IP? Can you ping the isp routers IP? You can do that from the diag tab or from the shell of the pfsense router.

[+Fahim S. MVC]

Why double NAT?

the virgin router can be run in modem mode.

http://help.virginmedia.com/system/selfservice.controller?CMD=VIEW_ARTICLE&ARTICLE_ID=412750&CURRENT_CMD=SEARCH&CONFIGURATION=1002&PARTITION_ID=1&USERTYPE=1&LANGUAGE=en&COUNTY=us&VM_CUSTOMER_TYPE=Cable

[Captain_Rainbowbeard]

Why double NAT?

In short, security is the key factor; not only from web based attacks but also from unknown network users in my shared property, not necessarily from attack by them personally but there is no guarantee that their own workstation security hasn't been compromised somehow and I'm not prepared to take the risk that their machines may be used as a potential launchpad for an attack on my server or personal workstations, for all I know their machines may potentially be riddled with any manner of nasty malware picked up from less than reputable software sources or dodgy websites.

Also the steep learning curve has been a particularly encouraging factor, can't learn if I don't try...

@ BudMan

DHCP lease time on the ISP router is 1 hour, last time it was restarted it was 3 hours before I returned home to discover a lack of internet. WAN IP remained the same after, presumably due to the fact that the WAN interface most likely remained up during this time instead of coming down and then back up.

I have assigned a static IP now to WAN, hopefully next time ISP router requires reboot I shan't run into the same issue.

Thanks again BudMan, you've been a wonderful help through all of this, for now it seems that my network is running rather smoothly and has a setup that more that satisfies my needs and desires, for now all is good, can't thank you enough. Perhaps though you will be seeing further posts from me in the future seeking aid with further networking issues, after all, I do like to tinker and am keen to learn... :D

[+BudMan MVC]

Glad to hear - I would prob remove the double nat as well if possible. Then isolate them from your network via pfsense and another lan segment.. This would ease the access you wanted to do earlier via just a firewall rule vs nat in the way as well. Since everyone would be using pfsense it would ease name resolution for hosts on your lan.

Its another option - and gives you more control ;) You would then either need another wireless AP or push your wireless to a 3 segment and isolate it as well and then give it access into either of your 2 lan segments. You would have your own segment, there would be another hostile segment where other wired house guests are connected and then a 3rd wireless segment.

Been here quite some time, don't plan on going anywhere - so feel free to ask away any questions you might run into.

[Captain_Rainbowbeard]

To be fair I am actually the only wired user in the whole building, I have an ethernet cable running out of my window and into the room where the ISP router resides, which is connected to pfSense at the other end. I only know 2 out of the other 7 people in my building and these are the guys I have connected to my segment and using my SMB share, it would be somewhat problematic trying to get everyone else to connect to a separate segment within my network as it would either require going and speaking to all of these people and either running a cable from their rooms to mine or convincing them to wirelessly connect to another AP and to be quite honest I really don't have the enthusiasm to do this.

As far as I'm concerned I'm happy for the 'unknowns' to continue using the ISP router directly and only allowing particular individuals access to my subnet, besides, I still look forward to the challenge of making FTP work through double NAT, it's been an interesting learning curve already and as such I have deepened my understanding of routing and NAT which essentially was part of the purpose of this experiment.

It's a nice idea nonetheless and I will at some point build another segment for my cisco lab to experiment with this sort of setup as again I would like to keep this separate from my .1 subnet due to the fact I will be experimenting with switching and routing on a more complex level. Does this seem like a reasonable idea to you?

[+BudMan MVC]

Well if others are all wireless they are all competing for shared bandwidth - while you being wired more than likely get the lion share ;)

You can do whatever you want with your network behind pfsense, create as many segments as your box will allow interfaces or if vlan capable switches then you could just use vlan tagging to create your multiple segments all using 1 interface on pfsense, etc.