Lots of stuff not working, don't know where to start
-
@viragomann Thanks for the quick response. I have just reverted back to the oldest backup, but due to me only having 30 and the number of changes I have made trying to fix this, I am not confident it will work.
I just rebooting to see how things go, but have to keep swapping between wifi and cable in order to either use the internet or access PF Sense.
If the restore does not work, is there anything I can provide might help someone spot an error in my configuration?
-
@jknott Hi, as I just explained to @viragomann I have the default 30 (I have just bumped that up to 150!) Will let you know how it goes after the reboot completes, but not confident it is going to help me.
-
@viragomann @JKnott Reboot just completed, but no change, still in the same position.
I am sure it must be a firewall issue because the network graphs on the home page are showing traffic on all the VLANS.
Is there anything else I can provide that might help, before I press the big red nuclear button and start again?
-
@simonjcarr said in Lots of stuff not working, don't know where to start:
I have the following VLANS setup
WAN => igb0
LAN => VLAN 1 on igb1
AdminNet => VLAN 1 on igb1
Servers => VLAN 10 on igb2
WIFI => VLAN 20 igb3
Desktops => VLAN 30 on igb1You are actually using VLAN1? You should avoid that if at all possible:
https://docs.netgate.com/pfsense/en/latest/vlan/security.html#using-the-default-vlan1You appear to be using igb1.1 for two interfaces which cannot be correct.
You don't appear to be using any interface untagged except WAN. This could be a switch config issue.
Can we see the actual interface assignment as shown on the firewall in Interfaces > Assignment or at the console menu?
Steve
-
Your 'issue' is simple (as always ;) ), the real problem is exactly this :
@simonjcarr said in Lots of stuff not working, don't know where to start:
To be honest, I don't know where to start and am close to just factory resetting the protectli box and starting again, but that is so much work
"Where to start" is your question, and also the answer :
When you install + activate the very first time pfSense, you have a WAN and a LAN interface. Even if your device has several NIC ports, you only use two of them at that moment.Connect a PC type device to the LAN port ( I presume that all NIC are MDI-X these days) and it will get an IP, mask, DNS and gateway : everything works !!!
If you don't want to make live more complicated, stop here and you'll be fine.You want to use VLAN - and you have a (another) VLAN capable device ? And you know how to set up VLANs ? Then ok, on the pfSense side, their is a great manual with all the things you need to know.
Your other device ? Dono, see their forum/FAQ/Support/Helpdesk/whatever.Access point ?
Set it up as an "AP" ( disable DNS, DHCP routing firewall services etc etc), see their forum/FAQ/Support/Helpdesk/whatever. You could even activate VLAN settings, and they should with your managed switch settings, and/or pfSense settings. -
If restoring a known working config doesn't fix it, you may have a hardware problem. I had to get a new computer a year ago when the one I was running pfsense on died. In that case, I had poor performance and pfsense wouldn't boot up. As one who was a computer tech, on the big systems, for 12 years, I can assure you hardware problems can present themselves in a variety of ways.
-
@stephenw10 Thanks for the reply.
I have just completed a full reinstall of PFSense. It's worth noting that as I said in my initial post, everything was working just fine. I assume that I must have changed something.
Anyway, after reinstalling, I am still having problems. I am reasonably sure it's not a hardware issue.
I have enabled all the interfaces on my protectli box and enabled DHCP on all of the networks.
My new configuration is
WAN => igb0
LAN => igb1 192.168.5.1
Servers => ibg2 192.168.10.1
WIFI => igb3 192.168.20.1I have no VLANS configured.
When plugged in via a cable to igb1, I can not access the internet, but I can access the PFSense GUI.
When connected by WIFI on the igb3 port, I can access the GUI through 192.168.20.1 and I can access the internet. However I can not ping 192.168.5.1 or 192.168.10.1.
Is this because I don't have VLAN's configured? I just assumed that PFSense was going to automatically route between these interfaces.
I have set up a Allow Any to Any rule up on all the internal networks.
Simon
-
Does your WAN interface on igb0 have a public IP? If not does it conflict with any other subnet?
Are those internal subnets all /24?
Can we see a screenshot of the firewall rules you have on LAN?
Steve
-
@stephenw10 All internal networks are /24 The WAN port is a private address form a /28 range
-
@stephenw10 I am finding some other strage issues.
I can ping 1.1.1.1 and 8.8.8.8 when I connected via cable to igb1, but although I have DNS servers setup on my MacBook, I can not ping hostnames.
Very strange that I can ping external IP Addresses but not internal PFSense ports and that DNS works on WIFI but on my cabled connection to PFSense.
-
Does that /28 overlap any of your internal /24s?
Are you policy routing traffic?
What DNS servers are you setting on the laptop? Usually it would pull DNS server via DHCP from pfSense. Are you not using DHCP?
Let's see some screenshots of your rules.
Steve
-
@stephenw10 IP Ranges from Internal networks are completely different with no chance of overlap.
A number of screen shots below of my config. I have just reinstalled this evening, so very little changed other than the going through the setup wizard, which I think will be covered by what is in the screenshots.
-
@simonjcarr said in Lots of stuff not working, don't know where to start:
The WAN port is a private address form a /28 range
The screenshot there looks like a public IP on WAN. Was that just a typo?
Everything else looks as expected.
Is your Outbound NAT still set to automatic? Firewall > NAT > Outbound.
You see any blocked traffic in the firewall log on any internal interface?
Steve
-
@stephenw10 Public IP is correct. I have a hitron router. When the static IP addresses are enabled the router effectively becomes a modem. x.x.x.1 is assigned to my router and the other 13 IP addresses are mine to use internally, of which x.x.x.2 I have assigned to my PFSense Firewall.
I have not changed Firewall > NAT > Outbound, so it will be the default value.
I can't see any blocked traffic. I am in process of setting some block rules as the last rule on each of the interfaces with logging turned on, so I can double-check that.
-
@simonjcarr said in Lots of stuff not working, don't know where to start:
Currently, I am only able to connect to pfsense if I plug my laptop directly into igb1 and pickup a 192.168.1 address. I can not connect if I try to connect over WIFI, even ping does not respond
The default LAN interface has a default anti-lockout rule. If you add other LAN or VLAN interfaces from which you want to be able to access pfsense you need to manually add rules to allow that.
-
@patch Hi Patch, as you can see from the screen shots, I have added Allow All to All to every network interface, unless I am missing something, which I obviously am due the problems I seem to be having.
What do you think I need to change?
-
@simonjcarr said in Lots of stuff not working, don't know where to start:
What do you think I need to change?
So what is now the problem?
If you want to control isolation between interfaces this post may help
-
@patch said in Lots of stuff not working, don't know where to start:
this post
My problem is that none of the interfaces on the protectli box can communicate with each other. Even though an Allow All from All rule for all protocols is on all the interfaces, none of them can ping each other.
On top of that anything connected to my wifi interface can talk to the internet but anything connected to my LAN port can not talk to the internet.
The protectli box was reinstalled tonight and scratch and the settings are as per the screen shots I have provided above.
-
@simonjcarr said in Lots of stuff not working, don't know where to start:
none of the interfaces on the protectli box can communicate with each other.
Are you trying to ping / communicate via IP address or logical name. The latter requires more to be set up.
Edit
In particular local network discovery does not work between interfaces by default. -
@simonjcarr Can you disable ipv6 and see whether things begin working with just ipv4?
