Netgate Discussion Forum

    2 weeks still nothing.

    General pfSense Questions

      johnpoz LAYER 8 Global Moderator @A Former User

      @pfsensenewbie1 what are you using for wireless behind pfsense - if you're trying to use the wireless of your "gateway" device - then no, that is not going to work and is a complete mess.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        johnpoz LAYER 8 Global Moderator @A Former User

        @pfsensenewbie1 said in 2 weeks still nothing.:

        can I be sure the Nat is forwarding to my dns?

        You can set up pfsense to forward to your dns server, and have clients behind it point to pfsense lan IP for dns.. If that is what you want.

        But you seem to be confused on what - what network is your gateway handing out, what network are you using? 192.168.0, .1. what?

        What network is pfsense lan network? What is providing the wireless for devices behind pfsense?

          A Former User @johnpoz

          @johnpoz yes I had issues with dhcp not getting an ip but seems randomly to not work. Today I checked and dhcp had no ip on wan so went to static - but perhaps this doesn’t matter as clients cannot get to the gui from lan anyway as was mentioned. Hmmm. Ok I’ll enable dhcp on wan and see if I can get access restored but surely static should work also?

            johnpoz LAYER 8 Global Moderator @A Former User

            @pfsensenewbie1 said in 2 weeks still nothing.:

            but perhaps this doesn’t matter

            Not getting a dhcp - the solution is not to go to static. Because if dhcp isn't working, that points to a connectivity issue, so static is never going to work either. I would have looked into why pfsense wan doesn't get its dhcp address from your gateway.

            And I have a funny feeling you're trying to leverage wifi off your gateway as pfsense lan.. Or you have overlapping IP ranges.

            But your setup as drawn is clicky clicky workie workie with really nothing to do.. Other than making sure your pfsense wan and lan network do not overlap.. And you're not trying to leverage your gateway wifi as pfsense lan network.

              A Former User @johnpoz

              @johnpoz ok - so lan interface on pfsense must be on a different subnet? That’s one thing I didn’t do. Can wan interface be on same subnet as modem/router? My entire network is currently using 192.168.1.x.

                A Former User @johnpoz

                @johnpoz no I’m aware clients connected to the gateway (modem/router) cannot use pfsense - I did originally want all clients to use it but just not possible as it is. I know my diag is crap just to illustrate. Modem/router 192.168.1.1 dns server 1.2 pfsense wan interface 1.4 and tried setting pfsense lan to 1.3 - with gateway dishing out dhcp to everything. Will try different subnet for lan interface and test but getting late so will update tomorrow. Thanks all for help.

                  johnpoz LAYER 8 Global Moderator @A Former User

                  @pfsensenewbie1 said in 2 weeks still nothing.:

                  so lan interface on pfsense must be on a different subnet?

                  yeah - how do you think it routes if both its interfaces are in the same network? It wouldn't even let you create a static on pfsense wan that overlapped with your lan network.

                  If you're using 192.168.1/24 on pfsense "wan", ie your gateway lan - what is pfsense "lan"? This should be something different, say 192.168.2/24

                  What is providing wifi behind pfsense? You have an AP, you're trying to use some other wifi router as just an AP?

                  If your gateway is 192.168.1 network - then set pfsense lan to say 192.168.2.1/24 address. Plug its wan into your gateway network as dhcp and shazam all workie... Now if you want clients behind pfsense to use your dns server, then either point them directly to that, or have pfsense forward to it, and have your clients use pfsense 192.168.2.1 address as their dns - this is what would be handed by default to dhcp clients behind pfsense.

                  If you then want clients on your pfsense wan to be able to hit the pfsense gui, then turn off the block rfc1918 rule on your wan, and create a wan firewall rule to allow access to your gui port on the wan address.

                    A Former User @johnpoz

                    @johnpoz well.... this is interesting. I took the advice and changed pfsense lan(wireless) to 2.1 and got immediate full crash and restart. Next time I tried it I now have access to the gui from my own lan but not from wireless however pfsense still cannot update or cannot fetch update info. It can ping pfsense.org and tracert confirms dns is not being redirected but is getting out of the network. But...wireless clients now have no internet at all. I enabled dhcp on wireless interface and got access to internet on devices as the dhcp is giving ip on my own lan ip range. I think I must change subnet mask on my modem/router to allow the 2.1 network to access lan devices. Man this is getting deep now. Am I correct in all subnet masks must be the same? Or only the pfsense lan part?

                      johnpoz LAYER 8 Global Moderator @A Former User

                      @pfsensenewbie1 said in 2 weeks still nothing.:

                      I think I must change subnet mask on my modem/router to allow the 2.1 network to access lan devices

                      Your gateway has ZERO to do with devices behind pfsense accessing devices on pfsense wan..

                      Again what are you using for wireless behind pfsense?

                      Man this is getting deep now.

                      It's not - this is plug it in and it works.. I have no idea what you're doing but this works out of the box plug it in.. There is ZERO to do on your gateway... The only thing you have to make sure is pfsense lan network is not the same as its wan network, ie they do not overlap..

                      There is nothing special to do.. Pfsense becomes a client on your gateway network just like your PC.. To your gateway it's just another device on its network.

                      What are your wireless clients using for wifi - if you're trying to leverage your wifi off your gateway that is not going to work for also trying to be behind pfsense.

                      edit: this is a typical double nat setup that 1,000 if not 10 or 100's of thousands of setups use.. Any time the idiot guy at the store tells them they need another router to get more ports or extend their wifi - they are in a double nat.

                      Anyone that is using pfsense that is using a gateway they can not put into bridge mode is doing this - it's a simple double nat, and works out of the box.. As long as you're not using the same network on pfsense wan and its lan..

                        A Former User @johnpoz

                        @johnpoz ok firstly I sense the frustration you have towards me, how can I overcome this? I am just after some help.

                        Also I’m not understanding your question about what’s providing wireless behind the pfsense as The pfsense is itself providing wireless to wireless clients as per my diagram. The wireless of my pfsense box is in access point mode.

                        My issue here is that on a default setup, with wireless on lan interface setup as access point, now on a separate subnet - wireless clients are getting a dhcp ip from my modem/router (I.e. 192.168.1.81) I have enabled a single Nat rule to forward from wan interface to my dns server. I have unchecked block networks on the wan interface to allow me access to the gui from my lan which is more convenient and is temporary. I have also setup a bridge between pfsense lan and wan.

                        I cannot explain to you how much this didn’t work out of the box - don’t misunderstand, I got farther using this software than the competition. However As I mentioned the setup insisted on 2 active interfaces and as the box only had 2 I had to trick it to work. Apart from this when I did get it running I just couldn’t get both the gui and the wireless clients to access internet at the same time. I had already tried all dhcp from the outset and apart from the obvious changing ip situation I just couldn’t get it working correctly. Either the gui could ping and access the internet, but no clients could, or clients could access internet but gui couldn’t, and various combinations herein.

                        I’m not trying to put this great free software down as it is amazing - just very hard to get it to do what I want which was simply direct wireless clients connected directly to the pfsense box to my dns and allow access to the internet thereafter, with access to the gui from inside the lan, but I’m still not there yet I’m afraid.

                        Anyway this will be my last tonight I have work and I’m sure everyone else does so fresh eyes tomorrow after work I’ll update if anything is different. I may even be tempted to record a video of oob from the beginning. Hoping I don’t need to as I’m quite close I feel.

                          Jarhead @A Former User

                          @pfsensenewbie1 Think about what you're saying.
                          Wireless clients BEHIND pfSense receive an IP from your gateway. Impossible.
                          They are clearly not behind the pfSense and are connected to the gateway.
                          It really is plug it in and it works.
                          So whatever you had to "trick" it into doing, stop doing that!

                          Best bet at this point, reset pfSense to default, change the LAN subnet, and connect things properly.
                          It'll work.

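The two checks the replies above keep returning to (the pfSense WAN and LAN networks must not overlap, and a client that is really behind pfSense cannot hold a lease from the gateway's range) can be run against the addresses posted in the thread. This is an added example, not code from any poster or from pfSense; the function names are hypothetical and the /24 masks are an assumption, since the original poster never states one.

```python
"""Added example: audit the address plan discussed in the thread (values taken from the posts)."""
import ipaddress

# Addresses quoted in the thread; the /24 prefix lengths are an assumption.
TRIED = ("192.168.1.4/24", "192.168.1.3/24")      # WAN, LAN as first attempted
SUGGESTED = ("192.168.1.4/24", "192.168.2.1/24")  # WAN, LAN after the advice


def audit_plan(wan_cidr, lan_cidr):
    """Return a list of problems with a WAN/LAN pair given as 'address/prefix'."""
    wan = ipaddress.ip_interface(wan_cidr)
    lan = ipaddress.ip_interface(lan_cidr)
    problems = []
    if wan.network.overlaps(lan.network):
        problems.append(
            f"WAN {wan.network} overlaps LAN {lan.network}: "
            "the router cannot tell which interface a destination is on")
    for label, iface in (("WAN", wan), ("LAN", lan)):
        net = iface.network
        # Network and broadcast addresses are not usable hosts (except /31, /32).
        if net.prefixlen < 31 and iface.ip in (net.network_address,
                                               net.broadcast_address):
            problems.append(f"{label} {iface.ip} is not a usable host address")
    return problems


def locate_lease(client_ip, wan_cidr, lan_cidr):
    """Say which side of pfSense handed out a client's DHCP lease."""
    ip = ipaddress.ip_address(client_ip)
    wan = ipaddress.ip_interface(wan_cidr).network
    lan = ipaddress.ip_interface(lan_cidr).network
    if ip in wan and ip in lan:
        return "ambiguous"        # overlapping plan: the lease proves nothing
    if ip in lan:
        return "behind-pfsense"   # lease came from the pfSense LAN scope
    if ip in wan:
        return "gateway-side"     # lease came from the upstream gateway
    return "unknown"


def egress(dest_ip, wan_cidr, lan_cidr):
    """Interface pfSense would use to reach dest_ip under this plan."""
    ip = ipaddress.ip_address(dest_ip)
    wan = ipaddress.ip_interface(wan_cidr).network
    lan = ipaddress.ip_interface(lan_cidr).network
    if ip in wan and ip in lan:
        return "ambiguous"
    if ip in lan:
        return "LAN on-link"
    if ip in wan:
        return "WAN on-link"      # e.g. the DNS server at 192.168.1.2
    return "WAN via gateway"      # everything else goes to 192.168.1.1


if __name__ == "__main__":
    for name, plan in (("tried", TRIED), ("suggested", SUGGESTED)):
        print(name, audit_plan(*plan) or "ok")
    # The lease the original poster reported on a wireless client:
    print("192.168.1.81 ->", locate_lease("192.168.1.81", *SUGGESTED))
    print("DNS 192.168.1.2 ->", egress("192.168.1.2", *SUGGESTED))
```

A wireless client holding 192.168.1.81 under the suggested plan is classified as gateway-side, which matches the replies: its DHCP traffic is reaching the modem/router at layer 2 (here, through the LAN/WAN bridge) instead of being served and NATed by pfSense.
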
                            Patch @A Former User

                            @pfsensenewbie1 The network architecture you are using is making the work involved in setting it up hard.

                            It would be much easier to administer if you used one not multiple routers.

                            • Can you connect the wired clients to your pfsense router?

                            • Connect the DNS to the pfsense router. Or better yet for initial setup, just use the DNS built into pfsense

                            • Remove the router currently directly connected to the internet or at least put it in bridge mode so it is only used as a modem

                            • FreeBSD 12.3 (which pfsense 2.6 is based on) apparently has relatively poor wifi support. Using dedicated access points for wifi is likely to provide better wifi functionality.

                              SteveITS Galactic Empire @A Former User

                              @pfsensenewbie1 I think the terminology may be confusing us. Typically in this setup the pfSense WAN is towards your wired network i.e. towards the Internet. pfSense LAN is your wireless.

                              If that was the setup then I’d expect pfSense to by default connect out to the Internet fine and provide NAT for the wireless devices.

                              It sounds like you’ve set up an Internal/External bridge which is more advanced, and bypasses the normal routing pfSense is designed to do. I’d read through all the docs on bridging if you go that route. I have never had to use a bridge.

                              If you were to remove the bridge, set pfSense LAN as a different subnet, I’d expect everything would get to the internet, though the wireless devices would be on their own network. As noted above they still could connect to the DNS server in the pfSense WAN however, because to them, that’s essentially the same as using Google DNS.

                              Generally posts found here will say wireless driver support in FreeBSD is not great, and suggest an external AP. A typical use would be to use an AP in place of your pfSense, and not use routing or bridging.

                              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                              Upvote 👍 helpful posts!

                                johnpoz LAYER 8 Global Moderator @SteveITS

                                @steveits said in 2 weeks still nothing.:

                                you’ve set up an Internal/External bridge

                                That might be a possibility - has made zero mention of doing that.. What would be the point even? That sort of setup makes no sense in what he has drawn up, other than complexity..

                                @pfsensenewbie1 if you're trying to actually leverage some wifi card in pfsense - that is also a pretty pointless endeavor and will only cause frustration.. FreeBSD has never been the OS of choice for wireless.. Best you could hope for is N.. This isn't 2010..

                                If that is what you're trying to do - get yourself some wifi router for like $20 and use it as just an AP.. Any wifi router - ANY can be used as just an access point with just turning off its own dhcp server and plugging it into your network with one of its "lan" ports.

                                This really is plug it in and work.. There is nothing to do special, there is nothing extra to config - this would work out of the box as long as the network on pfsense "wan" is different than the network on its "lan"

                                So clearly there is something missing in what you're doing that you have not expressed.. Have you tried to set up some bridge in pfsense? Bridge setups and pfsense as wifi AP are not very common setups - and should really be avoided unless there is no other possible choice.. And with the caveat that you actually understand how to set them up.. Like this connectivity has to work now - and this is the only thing I have to work with. And the actual hardware to do it correctly can not be delivered till Monday sort of thing.

                                  SteveITS Galactic Empire @johnpoz

                                  @johnpoz “I have also setup a bridge between pfsense lan and wan.”

                                  :)

                                  I assume the goal is one flat network but an AP would be way easier.

                                    johnpoz LAYER 8 Global Moderator @SteveITS

                                    @steveits Should have stated that in OP for gosh sake! ;)

                                    So in other words it's a complete and utter Cluster F ;)

                                    So not only is he trying to use pfsense as wifi AP - he is also trying to bridge that into his network - WTF for??

                                    Let me recall my old Navy days - FUBAR!

                                    So something that would be a 2 minute setup has turned into 2 weeks of utter frustration ;) Yeah seems about right.

                                      Gertjan @A Former User

                                      @pfsensenewbie1 said in 2 weeks still nothing.:

                                      I then bridged the connections and

                                      That's the point where the OMG exclamation enters.
                                      Easy life saver : Do not bridge. Even if you think you need bridging : stay away from it.
                                      Or do the easy bridge : replace pfSense for a dumb switch, and connect one or more APs to it.

                                      Btw : a router has two interfaces. Otherwise it isn't a router.
                                      The easy way would be : two physical wired NICs. That's the reason why we all slam these into our pfSense boxes.
                                      Or even better, why we use these devices.

                                      Your trick of creating a VLAN right after install was the way to do it.

                                      Most often, these devices do not contain any Wifi functionality, as FreeBSD supports only a (very) limited set of Wifi adapters.
                                      I know, our ISP have made effort to integrate a wifi nic, a switch, some VOIP and a subscriber line interface (fiber, phone, ADSL, Cable, whatever) into one "box". Very nice for a typical home solution. But it doesn't do all the extra goodies pfSense offers.

                                      IMHO, the most known network install is :
                                      An ISP router (modem) upfront.
                                      This is what I do. I've shut down the phone capabilities (our company already has 6 ISDN lines),
                                      I've shut down the 'TV' capabilities.
                                      I've shut down the wifi of the box.
                                      I've shut down the IPv6 capabilities as my ISP only offers a /64, worthless for a company.

                                      After the ISP router : pfSense, with a WAN and one or more LAN's.
                                      For me :
                                      A LAN with my trusted devices. This LAN contains some APs for my trusted BYOD (that is : my own Phone, and some wireless credit card terminals etc)
                                      Another LAN for my non trusted devices : clients that walk in and want to use our wifi.
                                      pfSense also handles my IPv6 needs.

                                      This network is easy to maintain and pretty straight forward.

                                      Stay away from complicated stuff, make your network simple. This way, when something goes wrong, you can re create your network in a couple of minutes to get basic Internet up again.

                                      No "help me" PM's please. Use the forum, the community will thank you.
                                      Edit : and where are the logs ??

                                        A Former User

                                        Ok I seem to have made it harder by trying anything I could to make it work.

                                        I was reading tutorials in the beginning and each said use a bridge between interfaces and set a single Nat rule - that clearly isn’t the case.

                                        I’ll be removing the bridge - I did think it was required for the 2.1 to 1.1 connection 192.168.2.x -> 192.168.1.x.

                                        Next I assume trace route is the best way to detect if the dns is being routed correctly? I have been clearing cache to eliminate possible issues. If so my traceroute currently shows gateway first then asterisks for next 2 hops then Internet address space ip’s.

                                        If the bridge removal doesn’t fix things I’ll bite the bullet and reinstall from the beginning. I will also record it to make sure I didn’t miss a step or do anything wrong. I’m glad my vlan trick was the way to go.

                                        Someone asked why my setup, well it seemed correct for the way it was as I’m adding onto an existing network and reason for not using pfsense for all wireless clients is exactly because of what was mentioned, that Wifi support is poor in bsd. I just bought a cheap mini pc for pfsense routing as this was cheapest way to get what I need and have further expandability in the future (like moving the dns server to it etc). As for connecting the dns to the pfsense - unfortunately the dns server is on a pi atm which has no wireless so cannot connect directly to pfsense. Not ideal but it works. My modem/router only has 4 Ethernet ports but very good wireless and as it is also the modem it made a good choice for the gateway.

                                        Again thank you for the replies, I will update if there’s any news.

                                          johnpoz LAYER 8 Global Moderator @A Former User

                                          @pfsensenewbie1 said in 2 weeks still nothing.:

                                          Next I assume trace route is the best way to detect if the dns is being routed correctly?

                                          Huh??? Where would you have gotten that idea from?

                                          Traceroute has to do with the network path you're taking - that has zero to do with who you ask for what is the ip of www.netgate.com

                                          So in the big picture - you want to expand your wifi, and you thought pfsense was the best solution? Seems a 20$ old wifi router used as an AP would be a much better fit for what you're trying to do.

                                          The only thing dns has to do with a traceroute - is if in the traceroute you're wanting to resolve the PTRs of the IPs along your path.. Or if you use a fqdn as to where you're tracing to vs an IP.

                                          user@NewUC:~$ traceroute www.netgate.com
                                          traceroute to group3.sites.hscoscdn00.net (199.60.103.30), 64 hops max
                                            1   192.168.2.253  0.596ms  0.186ms  0.200ms 
                                            2   69.47.60.1  20.122ms  19.230ms  9.810ms 
                                            3   216.80.79.9  13.406ms  12.512ms  15.430ms 
                                            4   207.172.18.116  31.214ms  15.457ms  16.177ms 
                                            5   207.172.19.255  14.927ms  18.085ms  13.353ms 
                                            6   208.115.136.180  19.068ms  16.339ms  22.470ms 
                                            7   172.70.176.2  16.507ms  18.613ms  12.932ms 
                                            8   199.60.103.30  21.435ms  17.625ms  21.402ms 
                                          user@NewUC:~$ traceroute www.netgate.com --resolve-hostnames
                                          traceroute to group3.sites.hscoscdn00.net (199.60.103.226), 64 hops max
                                            1   192.168.2.253 (sg4860.wlan.local.lan)  0.730ms  0.227ms  0.236ms 
                                            2   69.47.60.1 (d47-69-1-60.col.wideopenwest.com)  14.747ms  9.375ms  12.144ms 
                                            3   216.80.79.9 (static.rcn.com)  14.484ms  11.982ms  28.447ms 
                                            4   207.172.18.48 (hge0-0-0-14.core2.chgo.il.rcn.net)  13.457ms  17.367ms  11.223ms 
                                            5   207.172.19.141 (hge0-0-0-3.border2.eqnx.il.rcn.net)  21.958ms  19.420ms  16.802ms 
                                            6   208.115.136.180 (13335.chi.equinix.com)  13.663ms  14.947ms  13.875ms 
                                            7   172.70.128.2 (172.70.128.2)  21.985ms  23.804ms  14.090ms 
                                            8   199.60.103.226 (199.60.103.226)  20.734ms  16.899ms  11.529ms 
                                          user@NewUC:~$ 
                                          

                                          See in the 2nd one it comes back with names for some of the IPs along the path..

                                          To see what you're using for dns, nslookup or dig or host - whatever your fav dns tool is.

                                          dns.jpg

                                          host.jpg

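The distinction made in the post above, as an added example that is not part of the original thread: a DNS lookup is a question sent to one specific server address, independent of the hop-by-hop path traceroute reports. The sketch below sends an A query to a chosen server the way `dig @server name` does; the function names are hypothetical, and the embedded reply is constructed from the name and address visible in the traceroute output so the parser can be exercised offline.

```python
"""Added example: ask one named DNS server directly (constructed sample reply)."""
import socket
import struct

TXID = 0x1234  # fixed transaction ID, acceptable for a one-off diagnostic only


def encode_name(name):
    """Encode 'www.example.org' as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=TXID):
    """Standard recursive query (RD=1) for the A record of `name`, per RFC 1035."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, IN


def _skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length


def parse_a_records(msg, txid=TXID):
    """Return (rcode, [IPv4 strings]); reject anything that is not our reply."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4           # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen                             # CNAMEs etc. are stepped over
    return flags & 0x000F, addrs


def ask(server, name, timeout=2.0):
    """Send the query to `server` on UDP/53 and return (rcode, addresses)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        reply, _peer = s.recvfrom(4096)
    return parse_a_records(reply)


def sample_response():
    """Constructed reply: a CNAME followed by one A record."""
    question = build_query("www.netgate.com")[12:]
    cname = encode_name("group3.sites.hscoscdn00.net")
    header = struct.pack("!HHHHHH", TXID, 0x8180, 1, 2, 0, 0)
    rr1 = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 60, len(cname)) + cname
    rr2 = cname + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("199.60.103.30")
    return header + question + rr1 + rr2


if __name__ == "__main__":
    print(parse_a_records(sample_response()))
    # On a live network, compare e.g. ask("192.168.2.1", "www.netgate.com")
    # with ask("192.168.1.2", "www.netgate.com").
```
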
                                            A Former User @johnpoz

                                            @johnpoz I presumed that traceroute would show the full path that packets would take and should have taken into account dns. Clearly I don’t know enough about networks, but while your help is useful and I’m appreciative of, the attitude is not. I ask you please tone down your critical responses, to just be information, I’m having a hard enough time getting this to work as it is. I’m here to learn and clearly I have a lot still to learn. I’ll give those tools a look when I’m at home. Do any of them exist in pfsense interface?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.