Crazy issuses getting DHCP/New interface up and running
-
Hello,
Not too new to PfSense, I know how to navigate my way around and do a few things, but im just totally stumped on this issue. Hopefully someone can help a networking wanna-be geek like me that has no idea what hes doing :P
I am currently attempting to add another interface to my PfSense box, so that I can plug my new super cool wireless N router into it. I currently have 2 NIC cards installed (WAN/LAN) 1 Wireless network card that is not in use due to crappy range, and 1 built on ethernet port on my motherboard. Motherboard is an ASUS P4P800, and im currently running the latest distro of PfSense. My LAN is hooked into a network switch that has 1 lonely computer and a printer wired up. I turned off my ethernet on my printer just incase this was causing any subnet conflicts (Double checked, correct and looks good) but just unhooked it anyways for now. My LAN subnet is 192.168.1.1/24 for PfSense. Well I created an OPT1 interface and named it (NRouter) and put it on 192.168.2.1/24 subnet, did not bridge or anything. Added OPT rule to firewall to enable traffic to pass (Here's the firewall settings) Action: Pass (Source) LAN Subnet (Destination) Any, gateway set on default, and named description NRouter Pass. Basically I want this new interface to be able to access LAN Subnet just as it would my hardwired desktop. So I pretty much cloned my LAN firewall rules to my new opt interface to allow all. I now currently have 3 interfaces under firewall:rules. Added interface to DHCP Server 192.168.2.11-192.168.2.13 for now, enabled DHCP on this interface, did not mess with any other settings. Well before plugging in my new router, I plugged my laptop into the new interface to ensure that my internet was working, and I could access my LAN etc. My laptop is running Winblows 7, but bam, I get a nasty 169 IP, no nothing. Rebooted firewall, swapped out ethernet cables just incase, and now my laptop is able to connect with an IP address of 192.168.2.13 YAY! Well, no internet, cannot ping LAN can't do anything. So I check out my System Logs>Firewall, and the firewall is actually blocking my IP Address of 192.168.2.13 and alot of ports next to it. Ive searched all over and made sure everything was correct, cannot figure out why its blocking it. I only have Snort installed, and no extra firewall rules other than what PfSense comes preloaded with and my OPT rule I added….. No snort block alerts or anything. Im totally stuck. I can ping 192.168.2.1, but I get 50% packet loss so I know the ethernet port is working, and machines are talking. But what I did notice was when I did an ifconfig, my new interface states under media: Ethernet autoselect (none)
while the rest say media: Ethernet autoselect (100baseTX <full-duplex>). Im thinking this could have something to do with my issue but I am not sure, heres a copy of ifconfig:$ ifconfig
sk0: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
options=b <rxcsum,txcsum,vlan_mtu>ether 00:0c:6e:ce:03:cd
inet6 fe80::20c:6eff:fece:3cd%sk0 prefixlen 64 scopeid 0x1
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
media: Ethernet autoselect (none)
status: no carrier
dc0: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
options=8 <vlan_mtu>ether 00:1a:70:13:01:29
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::21a:70ff:fe13:129%dc0 prefixlen 64 scopeid 0x2
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
dc1: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
options=8 <vlan_mtu>ether 00:1a:70:13:af:8d
inet6 fe80::21a:70ff:fe13:af8d%dc1 prefixlen 64 scopeid 0x3
inet 98.xxx.xx.xxx netmask 0xfffffc00 broadcast 255.255.255.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
ral0: flags=8802 <broadcast,simplex,multicast>metric 0 mtu 1500
ether 00:23:69:0e:aa:7e
media: IEEE 802.11 Wireless Ethernet autoselect (autoselect)
status: no carrier
ssid "" channel 1 (2412 Mhz 11b)
authmode OPEN privacy OFF txpower 50 bmiss 7 scanvalid 60 bgscan
bgscanintvl 300 bgscanidle 250 roam:rssi11b 7 roam:rate11b 1 bintval 0
lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
enc0: flags=0<> metric 0 mtu 1536
pfsync0: flags=41 <up,running>metric 0 mtu 1460
pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
pflog0: flags=100 <promisc>metric 0 mtu 33204Please let me know what additional information you need from me, and if ya advise, can you please tell me exactly how to do it? Im still learnin :(
I know there are other alternatives to hooking my router up, but I want it on its own interface because im weird like that :P
I would try a different NIC card, but I gave my friend my last 3 gigabit NIC's (GRR) but I dont think my onboard NIC that im trying to use is busted. I even checked through bios to ensure onboard ethernet was working properly.
Thanks so much for helping out a fellow PfSense networking newbee and best reguards!!!!!!!!!!!
-Brandon
mechanicalmetal@gmail.com</promisc></up,running></up,loopback,running,multicast></broadcast,simplex,multicast></full-duplex></vlan_mtu></up,broadcast,running,promisc,simplex,multicast></full-duplex></vlan_mtu></up,broadcast,running,promisc,simplex,multicast></rxcsum,txcsum,vlan_mtu></up,broadcast,running,promisc,simplex,multicast></full-duplex> -
My LAN subnet is 192.168.1.1/24 for PfSense. Well I created an OPT1 interface and named it (NRouter) and put it on 192.168.2.1/24 subnet, did not bridge or anything. Added OPT rule to firewall to enable traffic to pass (Here's the firewall settings) Action: Pass (Source) LAN Subnet (Destination) Any, gateway set on default, and named description NRouter Pass.
On the OPT1 interface you added a rule to pass traffic FROM the LAN subnet? Wouldn't you want to pass traffic FROM the OPT1 subnet?
$ ifconfig
sk0: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
options=b <rxcsum,txcsum,vlan_mtu>ether 00:0c:6e:ce:03:cd
inet6 fe80::20c:6eff:fece:3cd%sk0 prefixlen 64 scopeid 0x1
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
media: Ethernet autoselect (none)
status: no carrier</rxcsum,txcsum,vlan_mtu></up,broadcast,running,promisc,simplex,multicast>No carrier indicates the interface can't see anything on the other end of the attached cable. Depending on your interfaces you MAY need a cross over cable to connect this interface to the router. (Some newer interfaces sense which wires are receive and automatically "cross over" if required. Older interfaces generally don't do this.) The LEDs around the socket generally are a good indication of connectivity.
-
My LAN subnet is 192.168.1.1/24 for PfSense. Well I created an OPT1 interface and named it (NRouter) and put it on 192.168.2.1/24 subnet, did not bridge or anything. Added OPT rule to firewall to enable traffic to pass (Here's the firewall settings) Action: Pass (Source) LAN Subnet (Destination) Any, gateway set on default, and named description NRouter Pass.
On the OPT1 interface you added a rule to pass traffic FROM the LAN subnet? Wouldn't you want to pass traffic FROM the OPT1 subnet?
$ ifconfig
sk0: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
options=b <rxcsum,txcsum,vlan_mtu>ether 00:0c:6e:ce:03:cd
inet6 fe80::20c:6eff:fece:3cd%sk0 prefixlen 64 scopeid 0x1
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
media: Ethernet autoselect (none)
status: no carrier</rxcsum,txcsum,vlan_mtu></up,broadcast,running,promisc,simplex,multicast>No carrier indicates the interface can't see anything on the other end of the attached cable. Depending on your interfaces you MAY need a cross over cable to connect this interface to the router. (Some newer interfaces sense which wires are receive and automatically "cross over" if required. Older interfaces generally don't do this.) The LEDs around the socket generally are a good indication of connectivity.
Thanks so much for the helpful reply! I did get some progress, but not all the way. It would make since to set a firewall rule for traffic to pass through the OPT interface since DHCP is enabled on the interface. Thanks to your help, I can access my lan, but no internet. My OPT interface now states that its up and running properly with the new firewall rule. Checked all settings to ensure subnets were correct, rebooted firewall, but for some reason my firewall is still blocking my connection! Heres the error im getting under system logs >Firewall
Time If Source Destination Proto
Apr 21 21:14:07 NRouter 192.168.2.13:49952 192.168.2.10:53 UDP
Apr 21 21:37:25 NRouter 192.168.2.13:138 192.168.2.255:138Well what im not understanding is that the rule that I have set for the OPT interface under firewall rules is Action: PASS|Source: NRouter Subnet and Destination: LAN Subnet…... But my firewall is blocking a destination of 192.168.2.10 when my LAN subnet is 192.168.1.1? Makes no since to me :(
Heres so more of my settings,
OPT interface>DHCP Server> 192.168.2.11 to 192.168.2.15
Interfaces> Enabled, ip 192.168.2.10/24
Im totally stumped. Anyone got any ideas on what I can do to get this interface online?
Thanks
-
Well I got everything working, I can now access the internet and my LAN on my new subnet, modifying some firewall rules.
Under my OPT firewall rules I set source for NRouter Subnet, and destination to ANY. This fixed it. However I know theres some security issues there since its not protected by my LAN, please correct me if I am wrong. Is this safe? I just want to make sure everything is secure. Please let me know if I need to approach this firewall modification the safest way I can do it.
I hope I did everything right, but let me know if I did anything wrong to breach security!
You guys are fantastic, thanks so much!!!!!!!!!!
-
I hope I did everything right, but let me know if I did anything wrong to breach security!
You haven't specified what security you want so its impossible to say if you have broken security. For example, you might be using your current setup as a testbed for a larger configuration. Your wireless network might be "inhouse" making it safe to allow traffic between LAN and wireless network. Your wireless network might be to provide internet access to guests in which case you might want to allow access to no LAN systems or only one.
If you allow any access from OPT1 you might as well connect your router to LAN and cut the processing load on the pfSense box.
The default install configuration of pfSense is to allow internet access from LAN (since that seems to be what most people want) and block access from OPT interfaces since there isn't any obvious common case. The purpose of a firewall is to control access. Starting with a "wide open" firewall is seen as much less desirable than starting with a "closed" firewall that can be opened as required.
-
I hope I did everything right, but let me know if I did anything wrong to breach security!
You haven't specified what security you want so its impossible to say if you have broken security. For example, you might be using your current setup as a testbed for a larger configuration. Your wireless network might be "inhouse" making it safe to allow traffic between LAN and wireless network. Your wireless network might be to provide internet access to guests in which case you might want to allow access to no LAN systems or only one.
If you allow any access from OPT1 you might as well connect your router to LAN and cut the processing load on the pfSense box.
The default install configuration of pfSense is to allow internet access from LAN (since that seems to be what most people want) and block access from OPT interfaces since there isn't any obvious common case. The purpose of a firewall is to control access. Starting with a "wide open" firewall is seen as much less desirable than starting with a "closed" firewall that can be opened as required.
Thanks for the quick reply. I basically want to have my OPT interface protected by my LAN. I share my internet with a few of my neighbors and limit the bandwidth and I just want to make sure I am setting the safest firewall rules for this OPT interface. I know setting destination>ANY for OPT firewall rule is like leaving a wide open door for anyone to access, but if I try to set my interface to LAN Subnet destination, I get no internet connection, but get access to my network. So im kinda stuck. Do you know how I can have my source type to my OPT Subnet, and have my destination to access my LAN Subnet while still giving me access to the internet and my internal network when I am on my laptop? If you could please tell me how to do this, it would be much appreciated.
Thank you so much and sorry for being such a pain.
-
I'm sorry I didn't follow your explanation of what you want to do (Its not clear where your laptop will connect, perhaps OPT, and I don't know what you mean by I basically want to have my OPT interface protected by my LAN, perhaps OPT interface protected FROM my LAN). I assume what you want is:
-
Allow LAN to access the Internet.
-
Block LAN initiating connections to OPT.
-
Allow OPT to access internet, LAN and pfSense.
In summary, OPT can access everything, LAN can access everything except OPT).
To do this you should add a firewall rule to LAN: Action: Block (Source) LAN Subnet (Destination) Opt subnet.
Note that firewall rules are processed for incoming traffic on a interface and rule processing goes "down" the rule list until the incoming packet matches a rule for the interface on which the packet was received. Hence my suggested additional rule for LAN should probably be the first rule on LAN. (I don't know what rules you already have for LAN.)
After you have setup your rules you should probably reset firewall states (from web GUI, Diagnostics -> States, click on Reset states tab then click on the Reset button) then test the rules block everything you want blocked and allow everything you want allowed.
-
-
I'm sorry I didn't follow your explanation of what you want to do (Its not clear where your laptop will connect, perhaps OPT, and I don't know what you mean by I basically want to have my OPT interface protected by my LAN, perhaps OPT interface protected FROM my LAN). I assume what you want is:
-
Allow LAN to access the Internet.
-
Block LAN initiating connections to OPT.
-
Allow OPT to access internet, LAN and pfSense.
In summary, OPT can access everything, LAN can access everything except OPT).
Thanks man for all of your help. Thats still not letting me get online :( All I am planning to do is hook up a wireless router into an OPT interface, and make sure that it is secure from people using my router, and hackers. And I wanted to know the best way to go about setting up my firewall rules so they will be safe. I wish I had the option to just use my router as an AP, would make life so much easier.
If you have anymore input, please feel free to advise, thanks so much!
To do this you should add a firewall rule to LAN: Action: Block (Source) LAN Subnet (Destination) Opt subnet.
Note that firewall rules are processed for incoming traffic on a interface and rule processing goes "down" the rule list until the incoming packet matches a rule for the interface on which the packet was received. Hence my suggested additional rule for LAN should probably be the first rule on LAN. (I don't know what rules you already have for LAN.)
After you have setup your rules you should probably reset firewall states (from web GUI, Diagnostics -> States, click on Reset states tab then click on the Reset button) then test the rules block everything you want blocked and allow everything you want allowed.
-
-
Correct, I just want to use pfsense as my DHCP/DNS and use my router as an AP pretty much. I want to maintain security from hackers and people messing with my wireless, thats why I wanted to get my OPT with my LAN subnet because I know the LAN subnet is one of the most heavily locked down security features. Just dont know how to do it, going crazy :P
-
It seems of all the OPT systems you want to allow only your laptop to access the LAN. I guess that the laptop connects to the Wireless router through a wired port or as a wireless client.
Here's how I would do it (assuming you can configure the wireless router to act as a bridge):
-
Find the MAC address of the laptop.
-
Configure pfSense to assign a fixed (static) IP address to that MAC address.
-
Add following firewall rules to OPT interface before existing rules:
Action: Pass Source: Laptop IP address Destination: Any
Action: Block Source: OPT subnet Destination: LAN subnet
You should probably look elsewhere for instructions on securing your wireless router.
-
-
I don't even have the router plugged in right now. I've been plugging direct ethernet into the opt interface to try and get online. I'm working on that first though, any suggestions? I'm not hooking up
Wireless to opt untill I can get online hardwired first.Thanks for your reply and time
-
Anyone?