Super Confused - LAN Gateway

bearhntr · Dec 9, 2022, 7:26 PM

I have a pfSense installation on a stand-alone box, I am looking to move it to a VM which I am trying to setup and test before I switch over.

My pfSense stand-alone box has 3 NICs one for WAN, one for LAN and one which I was not using - so I set this up with another IP Segment 10.9.28.x /24 (and static address of 10.9.28.250/24).

I plugged this into the LAN NIC on the VM (there are 2 NICs there - nothing in WAN at the moment. I gave the LAN on the new VM 10.9.28.254/24. Before I added the LANGW (and pointed it at 10.9.28.250...I was not able to ping anything from pfSense web console other than its own address (10.9.28.254).

I have a Windows VM on the same VM host and I pointed it to the same vmbr2 that pfSense is using for LAN and when I boot it - it gets an address from this pfSense DHCP (of 10.9.28.11) and I can access the pfSense console. However I cannot get any INTERNET. It is also pulling an IPv6 address from the stand-alone pfSense which is 192.168.10.254.

login-to-view

I am completely confused - and know it has to be something simple....I just do not know what it is.

viragomann · Dec 9, 2022, 8:35 PM

@bearhntr
Check if it's a DNS issue. Try a ping to 8.8.8.8.

Consider that you need to add a rule to allow DNS and any other traffic on an additional interface.

Jarhead · Dec 9, 2022, 9:47 PM

@bearhntr What's the LANGW and where did you add it?
Should be a WAN gateway, not LAN

bearhntr · Dec 11, 2022, 7:06 PM

@viragomann

Ping 8.8.8.8 from where?

bearhntr · Dec 10, 2022, 11:42 PM

@jarhead

Are you saying that I need to point the LANGW to the WAN Address of the working pfSense? Everything that I have ready, states that you point it to the LAN port on the other router, and let it handle the traffic.

That is how I read this:
login-to-view

Jarhead · Dec 10, 2022, 11:58 PM

@bearhntr
I'm asking you what the LANGW is.
You shouldn't add a gateway on the LAN, so leave it at none as in the picture you posted. But the question stands, what are you considering LANGW??

Not sure what you're expecting to work if you don't have a wan connected?
Why not just connect the WAN port of the VM to a LAN port on your existing network, make sure you uncheck "block rfc1918" on the VM WAN and you'll get internet access through the VM pfSense for testing purposes?

bearhntr · Dec 11, 2022, 12:11 AM

@jarhead said in Super Confused - LAN Gateway:

@bearhntr
I'm asking you what the LANGW is.
You shouldn't add a gateway on the LAN, so leave it at none as in the picture you posted. But the question stands, what are you considering LANGW??

My goal is to configure the new pfSense on the VM and be able to access it from the current LAN (192.168.10.xxx/24) - as I want to change the LAN when I move to the VM (10.9.28.xxx/24). Not saying that I need Internet access on the new LAN.NET to set it all up - but I cannot get any of the VMs which are pulling an address from the 10.9.28.xxx DHCP server on the new MV pfSense to see anything on the 192.168.10.xxx network. (If that makes sense).

Not sure what you're expecting to work if you don't have a wan connected?
Why not just connect the WAN port of the VM to a LAN port on your existing network, make sure you uncheck "block rfc1918" on the VM WAN and you'll get internet access through the VM pfSense for testing purposes?

I tried this, and I was getting some weirdness on the VMs which are on the 10.9.28.xxx network.

I do not want to BACKUP and RESTORE the working pfSense onto the VM pfSense - I tried this and also seeing some wierdness with MAC Addresses and such which I could not seem to change.

chpalmer · Dec 11, 2022, 12:28 AM

@bearhntr said in Super Confused - LAN Gateway:

I plugged this into the LAN NIC on the VM nothing in WAN at the moment. I gave the LAN on the new VM 10.9.28.254/24. Before I added the LANGW (and pointed it at 10.9.28.250...I was not able to ping anything from pfSense web console other than its own address (10.9.28.254).
However I cannot get any INTERNET

Your second box (VM) will not try and access the internet through its LAN.. (well.. not by default.. you would have to do some changes..) You are probably better off adding a firewall rule to the VM to allow your access to it via the WAN port and then configuring it that way. Especially if this is a temporary setup.

Make sure that your second LAN on your first box (10.9.28.0/24) has outbound NAT enabled for it. (it should by default but no one knows what you might have changed before all of this)

bearhntr · Dec 11, 2022, 12:39 AM

@chpalmer said in Super Confused - LAN Gateway:

@bearhntr said in Super Confused - LAN Gateway:

I plugged this into the LAN NIC on the VM nothing in WAN at the moment. I gave the LAN on the new VM 10.9.28.254/24. Before I added the LANGW (and pointed it at 10.9.28.250...I was not able to ping anything from pfSense web console other than its own address (10.9.28.254).
However I cannot get any INTERNET

Your second box (VM) will not try and access the internet through its LAN.. (well.. not by default.. you would have to do some changes..) You are probably better off adding a firewall rule to the VM to allow your access to it via the WAN port and then configuring it that way. Especially if this is a temporary setup.

Make sure that your second LAN on your first box (10.9.28.0/24) has outbound NAT enabled for it. (it should by default but no one knows what you might have changed before all of this)

On PF1 (my working and original pfSense box) - I set the OPT1 port to 10.9.28.250/24 (static).
on PF2 (my new MV pfSense box) - I set the LAN to 10.9.28.254/24 (static).

Once the PF2 it up and running I am accessing the Web page from VM on the VM server using vmbr2 as its NIC - and a static address of 10.9.28.100/24 - gateway set to 10.9.28.254 and DNS the same (and added 1.1.1.1 as well).

I am able to web into PF2 with no issues. I can PING anything on that network (2 other VMs all with 10.9.28.x/24 static address) but not the 10.9.28.250 address from PF1.

That is where I was reading to use the LANGW. So I created it, and pointed it to 10.9.28.250. I still cannot ping it,...nor, can I ping 10.9.28.254 from PF1.

I have these rules on PF1 for OPT1:

login-to-view

which should leave that network (wide open) - as I see it.

chpalmer · Dec 11, 2022, 1:06 AM

@bearhntr

Your client device 10.9.28.100 is a LAN device behind 10.9.28.250 is it not?? Its gateway should be set to 10.9.28.250.

Everything else is on its subnet so no gateway needed to access anything there. (say that outloud to yourself.)

Anything on the /24 is local. Understand? You will be able to reach anything on that subnet as long as your allowed by firewall rules.. speaking of-

What does the OPT interface firewall ruleset look like on PF1?

Your pf2 LAN port will not look at pf1 for its internet without some special massaging. Basically with that "massaging" then you would be turning your pf2 LAN port into another WAN port.

Its an "If and Then" argument. If the address Im trying to reach is within my subnet.. Then go directly to it. If the address Im trying to reach is outside my subnet then go via the gateway address Ive been provided. If you provide the wrong gateway address to a device it will not find its way out of the subnet.

bearhntr · Dec 11, 2022, 1:06 AM

@chpalmer said in Super Confused - LAN Gateway:

@bearhntr

Your client device 10.9.28.100 is a LAN device behind 10.9.28.250 is it not?? Its gateway should be set to 10.9.28.250.

Nope - 10.9.28.100 is a static IP on the VM server where I am attempting to setup new pfSense (PF2).

Lets see if this helps:

login-to-view

Everything else is on its subnet so no gateway needed to access anything there. (say that outloud to yourself.)

Anything on the /24 is local. Understand? You will be able to reach anything on that subnet as long as your allowed by firewall rules.. speaking of-

What does the OPT interface firewall ruleset look like on PF1?

The WAN port on the PF2 (all images in White - are new VM pfSense) - is using vmbr1 on the Proxmox - nothing plugged into that.

login-to-view

The LAN port on the PF2 - is using vmbr2 on the Proxmox (same as the Windows box at 10.9.28.100)

login-to-view

Your pf2 LAN port will not look at pf1 for its internet without some special massaging. Basically with that "massaging" then you would be turning your pf2 LAN port into another WAN port.

Yes - that is what I am reading by using the LANGW (below):
login-to-view

login-to-view

Its an "If and Then" argument. If the address Im trying to reach is within my subnet.. Then go directly to it. If the address Im trying to reach is outside my subnet then go via the gateway address Ive been provided. If you provide the wrong gateway address to a device it will not find its way out of the subnet.

Yes... as I have approximate 80 devices on the PF1 LAN (192.168.10.xxx/24) - I cannot reach any of those from PF2.

chpalmer · Dec 11, 2022, 1:09 AM

@chpalmer said in Super Confused - LAN Gateway:

What does the OPT interface firewall ruleset look like on PF1?

10.9.28.250 ??

bearhntr · Dec 11, 2022, 1:13 AM

@chpalmer said in Super Confused - LAN Gateway:

@chpalmer said in Super Confused - LAN Gateway:

What does the OPT interface firewall ruleset look like on PF1?

10.9.28.250 ??

login-to-view

bearhntr · Dec 11, 2022, 1:14 AM

@chpalmer

This is the LAN on PF1

login-to-view

Jarhead · Dec 11, 2022, 1:15 AM

@bearhntr
Listen, you wanna keep trying what you are now, go for it. But you're being foolish.
Just connect the wan of vm to your existing lan and be done with it.
You can then add a rule on the vm wan to allow access through it for configuring it if you need to.

From orig pfSense, can you ping the new vm pfSense 10.9.28.254?