Start by asking one of your devices (PC) to show whether it is getting an IP address or not. If Windows, bring up a cmd shell and type ipconfig /all. If the device has an IP address not in your LAN range (169.254.0.0 to 169.254.255.255), it’s probably an autoconfig address. If it has an expected IP address, then your firewall rules are probably blocking you. If you don’t get an IP address, you have an issue with DHCP.
If it was me, I would plug both the Pfsense and the Linksys into your switch, make the Linksys the .5 IP but make sure the DHCP configuration is handing out the .1 address for the gateway.
Not sure if you have the option in your Linksys or not to make the gateway a different IP.
Alternatively, unless you have a massive network then it should not be too time consuming to migrate your DHCP configuration onto Pfsense, including any static reservations. Means you can get rid of your Linksys.
If the pfSense is plugged into one of the LAN ports on the Linksys, you need to ensure that the router is configured to use the .5 address as its default gateway, and to pass on that default gateway information through DHCP to everything else in the network.
If you are plugging the pfSense into the WAN port of the Linksys, you need to set up the pfSense and the Linksys to use a secondary subnet (E.g. 192.168.0.0/24) and make the pfSense the .1 and the Linksys the .2 on that network. Then the default routing configuration should work on the Linksys, but opening up internal ports might be trickier.
I’d prefer to put the Linksys in “dumb switch” mode and let the pfSense do the DHCP and DNS duties for the internal network and just plug it into one of the LAN ports on the Linksys.
Is the NordVPN just for incoming VPN connections? Then I’d go with openVPN on the pfSense, it works very nicely. You should be able to set up port passthru for the NordVPN, if you really want to. But disable it to start with, until you get everything else working. Adding VPN into the mix can cause its own problems, so it is better to get the basic configuration working first, then gradually build up until you have everything working again.
I agree, other than devices with static IPs which would need changed.
I don’t really use Nord but do you need to create an outbound VPN as well as receive inbound connections? E.g. be an open vpn client and server? If so the Pfsense can do this. If you simply just want to VPN into your home when remote then you can do this with Pfsense using openvpn or wireguard.
Sounds like you need to keep the Linksys inline between your LAN and the Pfsense if you want to keep it and use it to create an outbound tunnel. Again if it was me I would ditch the Linksys and do it all from Pfsense but maybe you’re not that comfortable with Pfsense yet. There are guides on how to connect to Nord using Pfsense when you’re ready for it.
ISP — Pfsense — Linksys
You should use something like 192.168.2.0/24 between Pfsense and your Linksys. Turn off NAT on the Linksys if you can. Add a static route in the Pfsense for the 192.168.2.0 network with a next hop of the Linksys WAN interface, and add firewall rules if needed to allow the 192.168.1.0 network to access the internet.
Let’s get one thing figured out first. What device do you want to face the Internet, and for what reason? Is it the firewall or is it your router? There are different tradeoffs for each choice, but you got to pick one.
The next decision is whether you want double NAT or not. Both devices are capable of running DHCP and providing NAT capabilities. Which one, or both, do you want to do these tasks and why?
If you do want double NAT, for the extra security it will offer, then you should NOT use overlapping IP ranges. Use 192.168.1.x/24 for one and 192.168.2.x/24 for the other (as one possible config.)
To start with, I would try putting pfSense as your primary router, and put your wireless router into AP mode (also known as bridge mode) and plug it into the pfSense. This will turn off a lot of your router’s features, but it will let you experience pfSense as your primary router. You may have to play with firewall rules at this point to get traffic flowing as you like. Once you know how to do all this, you will have figured out pfSense pretty well, and now you can decide if you like the result, or you want to switch to something else.
If pfSense has 192.168.1.1, then the Router also needs a 192.168.1.0/24 address, otherwise they won’t see each other.
If the pfSense is plugged into a LAN port on the router, the other devices on the network will also need an address in the 192.168.1.0/24 range (I’m assuming you aren’t using any VLANs). The router needs to have the pfSense as the default gateway.
If the pfSense is plugged into the WAN port, the WAN port on the router will also need a 192.168.1.0/24 address, but you can then use a 192.168.2.0/24 address on the internal network and the router remains the default gateway and all devices on the internal network also get a 192.168.2.0/24 address.
Personally, I’d plug the pfSense into a LAN port on the router and put everything in the same address range and finished. Especially if you want to use openVPN/Wireguard on the pfSense.
You can only have one DHCP server active. You will need to decide, whether you want the pfSense or the router to be your DHCP server.
From your previous message:
pfSense 192.168.1.1 connected to one of the internal network ports on the router
router 192.168.1.2 set its Standard Gateway setting to 192.168.1.1 (pfSense)
In router, disable DHCP.
In pfSense, set DHCP to offer:
Lease addresses in range 192.168.1.20 - 192.168.1.254 (I always leave some addresses free at the front for critical devices that get a fixed address)
DNS - 192.168.1.1
Standard Gateway 192.168.1.1
(If you really want to, you can turn off DHCP in the pfSense and use the router, it doesn’t make much difference, the settings need to be the same, either way.)
This is not true if you’re doing double NAT. I asked the question of whether the OP wants double NAT or not, and still awaiting the answer. Steve Gibson used to recommend the “three dumb router” approach (for isolating IoT from non-IoT) and that implies double NAT.
In the double NAT approach, one router gets its WAN IP address from the other router’s LAN IP range.
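
An added example, not written by any poster in this thread: a small Python check of the addressing plans discussed above (single LAN with one DHCP server, the double NAT subnets, and the 169.254.x.x triage). The function names and the layout of the PLAN dict are assumptions of this example; the addresses are the ones quoted in the thread.

```python
import ipaddress as ipa

LINK_LOCAL = ipa.ip_network("169.254.0.0/16")  # autoconfig range from the first post

def classify_client(addr, lan):
    """Triage a client address: autoconfig, expected lease, or outside the LAN."""
    ip = ipa.ip_address(addr)
    if ip in LINK_LOCAL:
        return "autoconfig: DHCP did not answer"
    if ip in ipa.ip_network(lan):
        return "expected address: look at firewall rules"
    return "outside the LAN range"

def check_dhcp_plan(plan):
    """Return a list of problems in a single-LAN plan (empty list = consistent)."""
    lan = ipa.ip_network(plan["lan"])
    first, last = (ipa.ip_address(a) for a in plan["pool"])
    problems = []
    if first not in lan or last not in lan or first > last:
        problems.append("pool is not a valid range inside the LAN")
    for name in ("gateway", "dns"):
        if ipa.ip_address(plan[name]) not in lan:
            problems.append(f"{name} {plan[name]} is outside {lan}")
    for name, addr in plan["static"].items():
        ip = ipa.ip_address(addr)
        if ip not in lan:
            problems.append(f"{name} {addr} is outside {lan}")
        elif first <= ip <= last:
            problems.append(f"{name} {addr} collides with the DHCP pool")
    if len(plan["dhcp_servers"]) != 1:
        problems.append("exactly one DHCP server must be active on the LAN")
    return problems

def double_nat_ok(outer, inner):
    """Double NAT needs two subnets that do not overlap."""
    return not ipa.ip_network(outer).overlaps(ipa.ip_network(inner))

# Addresses from the thread; the dict layout is an assumption of this example.
PLAN = {
    "lan": "192.168.1.0/24",
    "pool": ("192.168.1.20", "192.168.1.254"),
    "gateway": "192.168.1.1",
    "dns": "192.168.1.1",
    "static": {"pfSense": "192.168.1.1", "router": "192.168.1.2"},
    "dhcp_servers": ["pfSense"],
}

if __name__ == "__main__":
    print(check_dhcp_plan(PLAN) or "plan is consistent")
```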