Super Confused - LAN Gateway

bearhntr

@chpalmer said in Super Confused - LAN Gateway:

@bearhntr said in Super Confused - LAN Gateway:

I plugged this into the LAN NIC on the VM nothing in WAN at the moment. I gave the LAN on the new VM 10.9.28.254/24. Before I added the LANGW (and pointed it at 10.9.28.250...I was not able to ping anything from pfSense web console other than its own address (10.9.28.254).
However I cannot get any INTERNET

Your second box (VM) will not try and access the internet through its LAN.. (well.. not by default.. you would have to do some changes..) You are probably better off adding a firewall rule to the VM to allow your access to it via the WAN port and then configuring it that way. Especially if this is a temporary setup.

Make sure that your second LAN on your first box (10.9.28.0/24) has outbound NAT enabled for it. (it should by default but no one knows what you might have changed before all of this)

On PF1 (my working and original pfSense box) - I set the OPT1 port to 10.9.28.250/24 (static).
on PF2 (my new MV pfSense box) - I set the LAN to 10.9.28.254/24 (static).

Once the PF2 it up and running I am accessing the Web page from VM on the VM server using vmbr2 as its NIC - and a static address of 10.9.28.100/24 - gateway set to 10.9.28.254 and DNS the same (and added 1.1.1.1 as well).

I am able to web into PF2 with no issues. I can PING anything on that network (2 other VMs all with 10.9.28.x/24 static address) but not the 10.9.28.250 address from PF1.

That is where I was reading to use the LANGW. So I created it, and pointed it to 10.9.28.250. I still cannot ping it,...nor, can I ping 10.9.28.254 from PF1.

I have these rules on PF1 for OPT1:

which should leave that network (wide open) - as I see it.

chpalmer

@bearhntr

Your client device 10.9.28.100 is a LAN device behind 10.9.28.250 is it not?? Its gateway should be set to 10.9.28.250.

Everything else is on its subnet so no gateway needed to access anything there. (say that outloud to yourself.)

Anything on the /24 is local. Understand? You will be able to reach anything on that subnet as long as your allowed by firewall rules.. speaking of-

What does the OPT interface firewall ruleset look like on PF1?

Your pf2 LAN port will not look at pf1 for its internet without some special massaging. Basically with that "massaging" then you would be turning your pf2 LAN port into another WAN port.

Its an "If and Then" argument. If the address Im trying to reach is within my subnet.. Then go directly to it. If the address Im trying to reach is outside my subnet then go via the gateway address Ive been provided. If you provide the wrong gateway address to a device it will not find its way out of the subnet.

bearhntr

@chpalmer said in Super Confused - LAN Gateway:

@bearhntr

Your client device 10.9.28.100 is a LAN device behind 10.9.28.250 is it not?? Its gateway should be set to 10.9.28.250.

Nope - 10.9.28.100 is a static IP on the VM server where I am attempting to setup new pfSense (PF2).

Lets see if this helps:

Everything else is on its subnet so no gateway needed to access anything there. (say that outloud to yourself.)

Anything on the /24 is local. Understand? You will be able to reach anything on that subnet as long as your allowed by firewall rules.. speaking of-

What does the OPT interface firewall ruleset look like on PF1?

The WAN port on the PF2 (all images in White - are new VM pfSense) - is using vmbr1 on the Proxmox - nothing plugged into that.

The LAN port on the PF2 - is using vmbr2 on the Proxmox (same as the Windows box at 10.9.28.100)

Your pf2 LAN port will not look at pf1 for its internet without some special massaging. Basically with that "massaging" then you would be turning your pf2 LAN port into another WAN port.

Yes - that is what I am reading by using the LANGW (below):

Its an "If and Then" argument. If the address Im trying to reach is within my subnet.. Then go directly to it. If the address Im trying to reach is outside my subnet then go via the gateway address Ive been provided. If you provide the wrong gateway address to a device it will not find its way out of the subnet.

Yes... as I have approximate 80 devices on the PF1 LAN (192.168.10.xxx/24) - I cannot reach any of those from PF2.

chpalmer

@chpalmer said in Super Confused - LAN Gateway:

What does the OPT interface firewall ruleset look like on PF1?

10.9.28.250 ??

bearhntr

@chpalmer said in Super Confused - LAN Gateway:

@chpalmer said in Super Confused - LAN Gateway:

What does the OPT interface firewall ruleset look like on PF1?

10.9.28.250 ??

bearhntr

@chpalmer

This is the LAN on PF1

Jarhead

@bearhntr
Listen, you wanna keep trying what you are now, go for it. But you're being foolish.
Just connect the wan of vm to your existing lan and be done with it.
You can then add a rule on the vm wan to allow access through it for configuring it if you need to.

From orig pfSense, can you ping the new vm pfSense 10.9.28.254?

bearhntr

@chpalmer

This is from my home PC (192.168.10.xxx) -

Jarhead

@bearhntr
Try from pfSense.

If it's no good, it's not connected properly.

bearhntr

@jarhead

Jarhead

@bearhntr
So fix the connection before anything else.
Layer 1 problem.

bearhntr

This is what I do not understand....

from PF2 -- (which is 10.9.28.254/24)

chpalmer

@bearhntr I would make the OPT1 Net the source.. on your PF1 firewall rules page.. Probably just me though..

chpalmer

Set your 10.9.28.11 statically and set its gateway to .250.. you will then be able to get to the internet with that machine if your first pf is working correctly.

Once you get there then you can tear your hair out on making your pf2 LAN port into another WAN port.

chpalmer

Can you also show this page from pf2?

/system_gateways.php

Jarhead

@bearhntr said in Super Confused - LAN Gateway:

This is what I do not understand....

from PF2 -- (which is 10.9.28.254/24)

They're not connected.
Are you using a virtual switch?
How are you connecting the two routers?
Is the pc you were connecting to the VM a physical machine? If so, disconnect it and use that cable to connect to OPT on router 1. Does it ping that way?

bearhntr

@chpalmer said in Super Confused - LAN Gateway:

@bearhntr I would make the OPT1 Net the source.. on your PF1 firewall rules page.. Probably just me though..

Tried this -- did no good. Still cannot ping PF2 from PF1 and vice versa using pfSense.

bearhntr

@chpalmer said in Super Confused - LAN Gateway:

Can you also show this page from pf2?

/system_gateways.php

Please explain how to do this. The image above in WHITE is from PF2 >> STATUS >> GATEWAYS.

I went to the SHELL, and I do not see the file you mention.

Jarhead

@bearhntr Just do this.
Make the OPT 10.10.1.1/30
Make the VM WAN 10.10.1.2/30
Connect the two. Make sure to uncheck block private networks on VM WAN.
You'll now have internet on the VM.
You can allow the original LAN through the VM firewall if you want or just configure it from the VM LAN.

bearhntr

@jarhead

The PF1 (192.168.10.254/24) is an HP T620+ ThinClient with a 2-port NIC installed in the expansion slot. The built in NIC is used for OPT1, and the port 0 on the 2-port card is WAN to my cable modem, port 1 is LAN to my Wireless AP (Netgear ORBI).

The PF2 (will be 10.9.28.254/24) is the new one on the Proxmox. There are 5 ports on this box (on-board NIC is the console port for Proxmox and is set to 192.168.10.250/24 (this will change once I get 10.9.28.xxx/24 working) and connects to one port on the ORBI. The 4-port card in the PCIe slot is as follows:

*port 0 = (to be the new WAN - is vmbr1 (Linux Virtual Bridge) to this port {I have another posting to see if this should be virtualized or or IOMMU PCI port into pfSense VM.

port 1= (is to be the new LAN - is vmbr2 (Linux Virtual Bridge) to this port.*

That leaves me with 2 ports not in use.

From the LAN port on the Proxmox - I have a cable plugged into a hub, in turn from there another cable in to the OPT1 port on the PF1 box (which is static 10.9.28.250/24) - have even tried a cable directly from OPT1 to PF2-LAN made no difference. I put the HUB there in case I wanted to plug a laptop in there to test as well. When I get his working - the HP T620+ will be OFF and stored incase I need a replacement some day.

See if this helps: