Adding a Subnet to an Interface
-
@nogosubnet what are the rules you put on the bge1 interface? What IP be it public or private has nothing to do with it being able to access anything on the lan network.
-
@johnpoz Nothing but the default setup. LAN is set to PPPoE with my broadband service provider credentials. That is it.
The only firewall rule is that of the BOGON, not the private range option because that could, potentially, block access to the webserver on bge1. I have deliberately kept everything to default settings whenever and wherever possible in order to simplify things whilst I resolve the LAN - OPT connectivity issue.
-
@nogosubnet said in Adding a Subnet to an Interface:
10.100 /24 on the pfSense (which equates to LAN -
So 10.100/24 is your lan network - ok fine.. What are the rules on your bge1 interface - doesn't matter what network is on that or what IP your webserver has be it private or public.. Access to the lan network would be allowed per the rules on the bge1 interface, if you're forcing traffic out a gateway then you would need a rule above that to allow access to your lan network - no matter what that network is as well.
-
@nogosubnet said in Adding a Subnet to an Interface:
LAN is set to PPPoE with my broadband service provider credentials.
NO it freaking isn't - that would be a WAN interface...
-
@johnpoz Yes, - you are right (my apologies), - I am confusing things here. - The 10.100 /24 would be on LAN, with the PPPoE credentials on rge1 - WAN.
I have had a further look at my webserver and can confirm that there are no issues there (yes, including the firewall - disabled during tests); so, looking at some historical posts that touch upon similar issues, it looks as though I am going to have to decide between routed subnet or being able to connect to the webserver. Not ideal, so I am relieved that I have saved £200 - £300 on not buying a hardware pfSense router in the first place and that I have been able to confirm the situation by talking to you, - thanks.
-
@nogosubnet What??? Have no idea what you're going on about..
I am going to have to decide between routed subnet or being able to connect to the webserver.
Have no idea what you're talking about..
So you have a routed /29 on your bge1 interface - wtf does that have to do with being able to access that from your lan 10.100 network? Nothing!! How about you post up your rules on your lan and your bge1 interface..
Doesn't matter what IP ranges you have on bge0 and bge1 interfaces - doesn't matter if 1 is public IP space that is routed to you via the wan.. They are 2 locally attached networks to pfsense - the only thing that would keep them from talking to each other would be firewall rules..
If you were bridging from wan to bge1 and device on this network was getting IP from upstream and pfsense was just bridge then you could have a problem.
-
@johnpoz Thanks anyway, but don't worry about it: I have been over all the settings now and have confirmed that, when using pfSense, it is definitely not possible to manage a network via a local address subnet on an interface already using a routed IP subnet.
The issue here is that once a routed IP subnet has been assigned to an interface, - in this case OPT - bge1, - it is no longer possible to connect to that interface from LAN - bge0 regardless of firewall rules to allow completely open access between the interfaces (including that of re0 - WAN, of course).
On the webserver side (RHEL) you will normally see a private (local) address under ifconfig or ip addr show and this is normally pulled from the router (probably via DHCP address assignment) and requires no changes to the network script files in the event of it changing (although a reboot may be necessary in order for it to be picked-up in some cases).
With a pfSense setup this does not happen (again regardless of firewall rules), so it becomes impossible to connect (even ping, for that matter) the WAN local subnet (or the LAN subnet, if aliased) and there appears to be absolutely nothing that can be done about this, which also appears to be expected behaviour with pfSense.
As I have said, this is not ideal, and means that, in using pfSense for this arrangement, you have a choice of subnet or internet access (with management only by disconnecting the LAN machine and connecting directly to the webserver) ...so pfSense is another "home user" product and not suited for power, SoHo, or SME use, which is a real pity (and, yes, I am aware of paid support, but am not prepared to pay $399 just to have what I have already said confirmed and with no refund after basically telling me that pfSense cannot do what I need it to do).
-
@nogosubnet said in Adding a Subnet to an Interface:
it is no longer possible to connect to that interface from LAN - bge0 regardless of firewall rules to allow completely open access between the interfaces (including that of re0 - WAN, of course).
Nonsense.. Plain and simple.. Again... What IP space is on an interface has zero to do with access from another network attached to pfsense.
which also appears to be expected behaviour with pfSense.
Where are you getting such nonsense?
A device on either of these networks can talk to each other without issue.. Unless you have firewall rules blocking them, or policy route not allowing it.. Doesn't matter what the IP space is!
-
Normally I would agree, but that is not holding up on pfSense.
We can assume that rules on the router are not a factor because all of this is happening behind the router, and the router is functioning as a bridge only and we are dealing with private / local networks, so this argument (at this stage) is purely between re0, bge0, and bge1.
As for the rules in place in the webConfigurator (which is accessed via bge0 - LAN), I have rules between re0, bge0, and bge1 that allow each to talk openly to each other - IPv4 & IPv6, any protocol, any application; so how can the firewall possibly be getting in the way of things? - Provided that the BOGON and local net tick-boxes are not ticked, and therefore not a factor, the only way that the firewall could still be influencing things is if something is bugged, broken, or otherwise not working as intended.
On both bge0 and bge1 I have also taken the precaution of disabling the firewalls (as in those software firewalls that would normally be present on those systems), too, and, again, that made no difference (even following reboots, resets, etc.).
-
@nogosubnet said in Adding a Subnet to an Interface:
and the router is functioning as a bridge
Well that might be where you have the problem, like I mentioned already..
If the router doesn't have an IP in the bridge, then no, you're not going to be able to talk to anything in the bridged network via routing.. Put an IP on the bridge interface so pfsense can route to it.
What exactly are you bridging - bge0 and bge1 to me just means it's broadcom interfaces
-
@johnpoz the DSL line is connected to the Draytek router which, in turn, connects - and bridges the internet - to the pfSense setup, ie: rge0 - WAN (pfSense WAN, not the router WAN).
I would not be able to connect pfSense directly to the DSL line, as pfSense has no means of modulating and de-modulating the signal; however, I could look at adding the required subnet as a WAN IP alias on the router side and having that IP join the NAT IP Address Pool. - If I am understanding things correctly, that should advertise the subnet to all interfaces associated with rge0 - WAN and would mean that I could, potentially, access OPT - bge1 from LAN - bge0.
Internet connectivity works fine with the current setup, as it is, though: the issue is purely one of being able to get LAN - bge0 and OPT - bge1 talking to each other, so the latter can be managed via the former.
-
@nogosubnet dude I have no idea what you're talking about.. Your DSL ISP device being in bridge mode or pfsense setting up a bridge has zero to do with each other.
Do you have bridge setup in pfsense between wan and bge1?? And clients on bge1 network are pulling IPs via dhcp from your isp?
And that has zero to do with a specific public range being routed to you..
Please show this screen!
a bridged connection from a router
Is not a bridge in pfsense..
The routed subnet is /29 block of IPv4 addresses, so these are assigned via Static IPv4
What does that have to do with bridge in pfsense? You do not need to bridge in pfsense.. To be able to assign a public IP range to one of its interfaces.
-
I think he is trolling you.
So many things don't make any sense from him.
-
@marv21 No, not trolling, - I am actually trying to find a solution to the problem ...which is definitely not going to be with a group of people who are clearly incapable of reading several carefully-worded explanations and understanding that what they are dealing with is a basic network configuration (yes, I understand more about these issues than I let on).
Either way, though, and regardless of the above, I now know for definite that what I outlined here is not possible with pfSense (plus that there are zero workarounds) and will not be wasting any more time with a seemingly ignorant and hostile forum. I am also seriously glad that I did not waste several hundred pounds on a Netgate paperweight.
Incidentally, if you want answers from people it helps if you are capable of formulating a question specific enough to elicit the information you require ...and if you can avoid demanding the same information from people over and over again when the above could be used far more effectively. Also, should an image be required, it helps if the OP can be given an outline of the required format, labels, etc..
For anyone else wanting to know the conclusion of this post, and in summary: if you have (in this case) a personal computer, a webserver, and pfSense running on its own board (with a 2-port LAN card (bge0 for the personal computer and bge1 for the webserver)), bridged from a router (with DSL line to the router), and with a requirement to connect to the webserver from the personal computer, you will not be able to: in theory you should be able to route a connection request from the personal computer (LAN) to the webserver (OPT1) but, in practice, this is not possible with a pfSense configuration and there are no workarounds.
In my case there is also the issue of a routed subnet on the webserver side, which was variously added as a Routed IP Subnet on the router side and into the OPT1 configuration under the webConfigurator but, whether added to just one or both, neither configurations worked ...and even with this left out completely it was still not possible to establish a connection between the personal computer and the webserver.
Those who have replied insist on the problem being down to firewall rules, but this has been exhaustively ruled out (with the firewalls on both the webserver and personal computer disabled) and with fully open rules connecting all the interfaces; so, no, the indications are that this is very definitely down to some serious limitations and possible coding issues in the pfSense software.
-
@nogosubnet said in Adding a Subnet to an Interface:
bridged from a router (with DSL line to the router
<rolleyes>
You're shooting yourself in the foot dude if you're creating a bridge with pfsense.. And you can not even post a simple screenshot.
Why do you think you should bridge pfsense? Why??
You clearly can not state your issue correctly - or even post a specific screenshot when asked..
How do you think you could talk to something inside a bridge if you have no IP in this bridged network on pfsense?? But there is ZERO reason to bridge it.. ZERO!!
If you have your /29 bridged all the way to your webserver - then it's not freaking routed.. Your PC is directly attached to your ISP network through the bridge..
How would something with a public IP attached to some ISP via a bridge talk to a rfc1918 address?? If the network is actually routed to you - then route it to the pfsense public IP that it gets through your bridged "Draytek" on its wan - rfc1918 connected to pfsense, and some other network connected to pfsense can route between each other just fine.
-
@nogosubnet said in Adding a Subnet to an Interface:
very definitely down to some serious limitations and possible coding issues in the pfSense software.
I understand your frustration but that’s incorrect. pfSense will route between its networks unless blocked by the firewall. So there’s something else going on but unfortunately we don’t know enough to help.
Re:bridging, I think you’re saying you bridged your ISP router so your pfSense has a public IP? That’s fine, but then saying your pfSense is bridged is confusing, since pfSense itself can be set up as a bridge.
-
@steveits yeah he seems to have bridged all the way through to his webserver?? Bridge on edge router, and another bridge on pfsense. Yet he states this /29 is routed to him..
And no, if that is how he is setup he will not be able to talk to this rfc1918 hanging off pfsense. Just not possible without pfsense having an IP in the /29 on the bridge it can route via to the rfc1918 space
-
@johnpoz the bridge is from the router.
The router has to be the first piece of hardware after the DSL line, correct?
...and the mainboard running pfSense has to go next in line, right?
...and all the guides indicate that the router (in this case a Draytek Vigor 2860) has to be in bridged mode (which makes sense because, otherwise, the pfSense setup would just be another device alongside the PC and the webserver communicating with the internet but otherwise serving no purpose); hence the router is working in bridged mode in order to allow pfSense to control the internet traffic to and from the PC and the webserver (not to mention any traffic between the PC and the webserver).
I am certain that I am not wrong in this, and I can confirm that I have not added any bridge configuration under the webConfigurator. - If that is going to be required, then fair enough, but, as it stands at the moment, I have not configured any bridge and can access the internet from the PC, via pfSense, with no problem.
I will reset pfSense and submit a screenshot of the dashboard, which will hopefully clarify some things.
-
@nogosubnet said in Adding a Subnet to an Interface:
I have not added any bridge configuration under the webConfigurator.
Then pfsense would HAVE TO HAVE an IP in your /29
If so then you could route between your rfc1918 on lan and the network on your opt1 network.. As long as the device in lan is using the pfsense lan IP as its gateway, and the device in your /29 is using the pfsense IP on opt as its gateway.
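The conditions johnpoz keeps restating (pfSense needs an address in each segment, first matching rule on the ingress interface wins, a policy-routed pass rule sends traffic out that gateway rather than to the other local network, and each host must use pfSense's address on its own segment as gateway) can be checked mechanically. The following is an added example written for this page, not code from the thread, from pfSense or from Netgate. The 10.100.0.0/24 LAN comes from the thread; the /29 (203.0.113.8/29), the WAN address, the interface names, the hosts and the rule sets are constructed assumptions chosen from documentation ranges so the model runs offline. It is a toy reachability model, not pf's real rule evaluation.

```python
"""Toy model of pfSense routing between two locally attached networks.

Added example for this thread; not pfSense code.  All addresses, hosts and
rules below are constructed assumptions (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface, ip_network
from typing import Optional


@dataclass
class Host:
    name: str
    addr: str                    # address with prefix, e.g. "10.100.0.50/24"
    gateway: Optional[str]       # default gateway configured on the host


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: str = "any"             # source network or "any"
    dst: str = "any"             # destination network or "any"
    gateway: Optional[str] = None  # policy-routing gateway, e.g. "WAN_PPPOE"


@dataclass
class PfSense:
    # interface name -> pfSense's own address on it; None models an interface
    # that is only a bridge member and carries no IP (the "bridged" case).
    interfaces: dict
    # interface name -> rules applied to traffic *entering* that interface
    rules: dict = field(default_factory=dict)

    def iface_for(self, ip):
        """(name, pfSense address) of the interface whose subnet contains ip."""
        for name, addr in self.interfaces.items():
            if addr is not None and ip in ip_interface(addr).network:
                return name, ip_interface(addr).ip
        return None, None


def _matches(net, ip):
    return net == "any" or ip in ip_network(net)


def can_reach(fw: PfSense, src: Host, dst: Host):
    """Return (ok, reason) for a connection from src to dst through fw."""
    sip, dip = ip_interface(src.addr).ip, ip_interface(dst.addr).ip

    # Same segment: the hosts talk directly and pfSense is never in the path.
    if dip in ip_interface(src.addr).network:
        return True, "same subnet, pfSense not involved"

    in_if, in_gw = fw.iface_for(sip)
    if in_if is None:
        return False, f"pfSense has no address in {src.name}'s subnet"
    if src.gateway is None or ip_address(src.gateway) != in_gw:
        return False, f"{src.name} must use {in_gw} (pfSense on {in_if}) as gateway"

    # Rules on the ingress interface: first match wins, no match means block.
    for rule in fw.rules.get(in_if, []):
        if _matches(rule.src, sip) and _matches(rule.dst, dip):
            if rule.action != "pass":
                return False, f"blocked by rule on {in_if}"
            if rule.gateway is not None:
                # A pass rule with a gateway set policy-routes the packet out
                # that gateway; it never reaches the other local network.
                return False, f"policy-routed out {rule.gateway} by rule on {in_if}"
            break
    else:
        return False, f"no matching pass rule on {in_if} (default deny)"

    out_if, out_gw = fw.iface_for(dip)
    if out_if is None:
        return False, f"pfSense has no address in {dst.name}'s subnet, nothing to route to"
    # pf is stateful, so no rule is needed on out_if for the reply, but the
    # destination host must still send that reply back via pfSense.
    if dst.gateway is None or ip_address(dst.gateway) != out_gw:
        return False, f"{dst.name} must use {out_gw} (pfSense on {out_if}) as gateway"
    return True, f"routed {in_if} -> {out_if}"


# Constructed scenario: PC on LAN, webserver in a routed /29 on OPT1.
PC = Host("pc", "10.100.0.50/24", "10.100.0.1")
WEB = Host("webserver", "203.0.113.10/29", "203.0.113.9")
WEB_ISP_GW = Host("webserver", "203.0.113.10/29", "203.0.113.14")  # gateway not pfSense

IFACES = {"WAN": "198.51.100.2/24", "LAN": "10.100.0.1/24", "OPT1": "203.0.113.9/29"}
ALLOW_ALL = [Rule("pass")]

ROUTED = PfSense(IFACES, {"LAN": ALLOW_ALL, "OPT1": ALLOW_ALL})
BRIDGED = PfSense({**IFACES, "OPT1": None}, {"LAN": ALLOW_ALL, "OPT1": ALLOW_ALL})
POLICY = PfSense(IFACES, {"LAN": [Rule("pass", gateway="WAN_PPPOE")], "OPT1": ALLOW_ALL})
POLICY_FIXED = PfSense(IFACES, {"LAN": [Rule("pass", dst="203.0.113.8/29"),
                                        Rule("pass", gateway="WAN_PPPOE")],
                                "OPT1": ALLOW_ALL})


def demo():
    """Run the thread's cases; returns {case: (ok, reason)}."""
    return {
        "routed": can_reach(ROUTED, PC, WEB),
        "bridged_no_ip": can_reach(BRIDGED, PC, WEB),
        "policy_route": can_reach(POLICY, PC, WEB),
        "policy_route_fixed": can_reach(POLICY_FIXED, PC, WEB),
        "web_wrong_gateway": can_reach(ROUTED, PC, WEB_ISP_GW),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:20} {'OK ' if ok else 'NO '} {why}")
```

Only the "routed" and "policy_route_fixed" cases succeed; the bridged, policy-routed and wrong-gateway cases fail for exactly the reasons given in the thread, none of which involve the address family of the /29.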