Lots of stuff not working, don't know where to start
-
If restoring a known working config doesn't fix it, you may have a hardware problem. I had to get a new computer a year ago when the one I was running pfsense on died. In that case, I had poor performance and pfsense wouldn't boot up. As one who was a computer tech, on the big systems, for 12 years, I can assure you hardware problems can present themselves in a variety of ways.
-
@stephenw10 Thanks for the reply.
I have just completed a full reinstall of PFSense. It's worth noting that as I said in my initial post, everything was working just fine. I assume that I must have changed something.
Anyway, after reinstalling, I am still having problems. I am reasonably sure it's not a hardware issue.
I have enabled all the interfaces on my protectli box and enabled DHCP on all of the networks.
My new configuration is
WAN => igb0
LAN => igb1 192.168.5.1
Servers => igb2 192.168.10.1
WIFI => igb3 192.168.20.1
I have no VLANS configured.
When plugged in via a cable to igb1, I can not access the internet, but I can access the PFSense GUI.
When connected by WIFI on the igb3 port, I can access the GUI through 192.168.20.1 and I can access the internet. However I can not ping 192.168.5.1 or 192.168.10.1.
Is this because I don't have VLANs configured? I just assumed that PFSense was going to automatically route between these interfaces.
I have set up an Allow Any to Any rule on all the internal networks.
Simon
-
Does your WAN interface on igb0 have a public IP? If not does it conflict with any other subnet?
Are those internal subnets all /24?
Can we see a screenshot of the firewall rules you have on LAN?
Steve
-
@stephenw10 All internal networks are /24. The WAN port is a private address from a /28 range.
-
@stephenw10 I am finding some other strange issues.
I can ping 1.1.1.1 and 8.8.8.8 when I am connected via cable to igb1, but although I have DNS servers set up on my MacBook, I can not ping hostnames.
Very strange that I can ping external IP Addresses but not internal PFSense ports and that DNS works on WIFI but on my cabled connection to PFSense.
-
Does that /28 overlap any of your internal /24s?
Are you policy routing traffic?
What DNS servers are you setting on the laptop? Usually it would pull DNS server via DHCP from pfSense. Are you not using DHCP?
Let's see some screenshots of your rules.
Steve
-
@stephenw10 IP Ranges from Internal networks are completely different with no chance of overlap.
A number of screenshots of my config are below. I have just reinstalled this evening, so very little has changed other than going through the setup wizard, which I think will be covered by what is in the screenshots.
-
@simonjcarr said in Lots of stuff not working, don't know where to start:
The WAN port is a private address from a /28 range
The screenshot there looks like a public IP on WAN. Was that just a typo?
Everything else looks as expected.
Is your Outbound NAT still set to automatic? Firewall > NAT > Outbound.
You see any blocked traffic in the firewall log on any internal interface?
Steve
-
@stephenw10 Public IP is correct. I have a hitron router. When the static IP addresses are enabled the router effectively becomes a modem. x.x.x.1 is assigned to my router and the other 13 IP addresses are mine to use internally, of which x.x.x.2 I have assigned to my PFSense Firewall.
I have not changed Firewall > NAT > Outbound, so it will be the default value.
I can't see any blocked traffic. I am in the process of setting some block rules as the last rule on each of the interfaces with logging turned on, so I can double-check that.
-
@simonjcarr said in Lots of stuff not working, don't know where to start:
Currently, I am only able to connect to pfsense if I plug my laptop directly into igb1 and pick up a 192.168.1 address. I can not connect if I try to connect over WIFI, even ping does not respond
The default LAN interface has a default anti-lockout rule. If you add other LAN or VLAN interfaces from which you want to be able to access pfsense you need to manually add rules to allow that.
-
@patch Hi Patch, as you can see from the screenshots, I have added Allow All to All to every network interface, unless I am missing something, which I obviously am due to the problems I seem to be having.
What do you think I need to change?
-
@simonjcarr said in Lots of stuff not working, don't know where to start:
What do you think I need to change?
So what is now the problem?
If you want to control isolation between interfaces this post may help
-
@patch said in Lots of stuff not working, don't know where to start:
this post
My problem is that none of the interfaces on the protectli box can communicate with each other. Even though an Allow All from All rule for all protocols is on all the interfaces, none of them can ping each other.
On top of that anything connected to my wifi interface can talk to the internet but anything connected to my LAN port can not talk to the internet.
The protectli box was reinstalled tonight from scratch and the settings are as per the screenshots I have provided above.
-
@simonjcarr said in Lots of stuff not working, don't know where to start:
none of the interfaces on the protectli box can communicate with each other.
Are you trying to ping / communicate via IP address or logical name? The latter requires more to be set up.
Edit
In particular, local network discovery does not work between interfaces by default.
-
@simonjcarr Can you disable ipv6 and see whether things begin working with just ipv4?
-
One has nothing to do with the other.
-
Not being able to connect out to the internet from LAN is a pretty basic problem somewhere.
How exactly are you testing?
-
@jknott Simplification sometimes helps solve vexing problems.
-
@patch I am going to try testing with another PC tomorrow because I am getting confused now.
I can connect to the internet and to PFSense over WIFI
When connected via Cable, I can ping a domain name like google.com, but can not connect via the browser and I see nothing in the PFSense logs.
Very confused because both connections over wifi and via cable were from the same Macbook but with very different outcomes.
Scratching my head.
Simon
-
Quite so, but disabling IPv6 won't do anything for IPv4. You also have to understand what affects what when working on a problem.