Netgate Discussion Forum
    Need some quick help

    General pfSense Questions
    18 Posts 4 Posters 5.4k Views
    wallabybob

      As has already been pointed out, you need to change addresses OR masks or both on your interfaces so they are all in different networks. Because you have a broken configuration some things will not work. You need to fix the configuration then retest to see if you still have the same issues.

      @The:

      I've heard that pfSense has NAT set up to allow all the interfaces access to the internet and to each other

      Not so: default configuration allows ALL access attempts FROM computers on LAN and BLOCKS all access attempts FROM computers on other interfaces.

      @The:

      I've tried allowing things and it never seems to work (i.e. allowing LAN to access DMZ so I can manage my DMZ boxes through LAN without allowing DMZ access to the LAN). So I'm not sure if I have a backwards idea of what I need to do or if I'm just crazy

      Default rules allow this. However it depends what you mean by "manage my DMZ". If that means JUST web access from LAN to DMZ it should work (after you have fixed your broken configuration). However if "manage my DMZ" means you have to allow a system on the DMZ to initiate a connection to a computer on the LAN (for example, to email a report) then you will need rule(s) on the DMZ interface to allow that particular access to LAN.

      The Sorrow

        You need to change addresses OR masks or both on your interfaces so they are all in different networks.

        Again, lots of numbers floating around and /16 came out. They are all /24 networks: 10.10.x.y

        Not so: default configuration allows ALL access attempts FROM computers on LAN and BLOCKS all access attempts FROM computers on other interfaces.

        So all interfaces ALLOW their networks access to the internet but DO NOT allow access to each other's networks?

        edit: after reading that a little slower I'm understanding that LAN can access everyone on the network (WAP and DMZ) but the other interfaces cannot access LAN. Please correct me if I'm wrong.

        Default rules allow this. However it depends what you mean by "manage my DMZ". If that means JUST web access from LAN to DMZ it should work (after you have fixed your broken configuration). However if "manage my DMZ" means you have to allow a system on the DMZ to initiate a connection to a computer on the LAN (for example, to email a report) then you will need rule(s) on the DMZ interface to allow that particular access to LAN.

        My definition of manage my DMZ is accessing the servers over SSH or RDP if I use Windows later on. Same goes for my WAP interface so I can access the AP and configure it from the LAN interface.

        wallabybob

          @The:

          Not so: default configuration allows ALL access attempts FROM computers on LAN and BLOCKS all access attempts FROM computers on other interfaces.

          So all interfaces ALLOW their networks access to the internet but DO NOT allow access to each other's networks?

          edit: after reading that a little slower I'm understanding that LAN can access everyone on the network (WAP and DMZ) but the other interfaces cannot access LAN. Please correct me if I'm wrong.

          Your interpretation after the slower reading is almost correct: it should read … but the other interfaces cannot access any other networks. Take a look at the hint on the Firewall -> Rules page: Everything that isn't explicitly passed is blocked by default.

          @The:

          My definition of manage my DMZ is accessing the servers over SSH or RDP if I use Windows later on. Same goes for my WAP interface so I can access the AP and configure it from the LAN interface.

          If I recall correctly, SSH servers can require some tweaking to allow access. Your AP may require some tweaking to allow management access from your LAN.

          The Sorrow

            Your interpretation after the slower reading is almost correct: it should read … but the other interfaces cannot access any other networks. Take a look at the hint on the Firewall -> Rules page: Everything that isn't explicitly passed is blocked by default.

            Thank you for the clarification. This helps IMMENSELY.

            If I recall correctly, SSH servers can require some tweaking to allow access. Your AP may require some tweaking to allow management access from your LAN.

            I was figuring it would be difficult to manage an AP from the WAN. SSH should go through if I can just ping the server I have on the DMZ.

            wallabybob

              @The:

              I was figuring it would be difficult to manage an AP from the WAN.

              The couple of standalone APs I have configured have had configuration options to allow management from the WAN interface. It is normally recommended to connect pfSense to one of the LAN ports on a standalone AP: see http://doc.pfsense.org/index.php/Use_an_existing_wireless_router_with_pfSense

              Metu69salemi

                Some higher-end APs don't mind from where they are configured, if you have given them knowledge of a GW. Without it, HTTP traffic doesn't know the route to outside of its own subnet.

                Though an SSH connection is still possible to use from a different LAN/WAN.

                The Sorrow

                  Thanks for the link. It'll come in handy for sure. Another issue. On my DMZ I have one box with IP 10.10.2.100. The interface IP is 10.10.2.254. I can ping the box with the pfSense ping tool, but I cannot ping the box from my LAN interface and my DMZ box cannot ping the pfSense box. I'm guessing the initial ping request goes out but the reply is blocked from returning. Is this correct?

                  wallabybob

                    @The:

                    On my DMZ I have one box with IP 10.10.2.100. The interface IP is 10.10.2.254. I can ping the box with the pfSense ping tool, but I cannot ping the box from my LAN interface

                    The ping from pfSense will have a source address on the DMZ. When the server replies the reply goes back to a system on the same network.
                    When you ping the DMZ server the reply needs to go to a different network (the pfSense LAN network). Does the DMZ server have a suitable default gateway on its network OR a route to the pfSense LAN network?

                    @The:

                    my DMZ box cannot ping the pfSense box.

                    As discussed earlier, this access will be blocked unless you have added a rule on the DMZ interface to allow it. The pfSense box has multiple IP addresses. Does the DMZ box have a route to get to the ping target IP address?

                    The Firewall log is often a useful source of troubleshooting information (see Status -> System Logs, click on the Firewall tab). Another useful troubleshooting tool is packet capture: for both these problems packet capture can be used to see if packets arrive on a particular interface or leave a particular interface.

                    The Sorrow

                      Does the DMZ server have a suitable default gateway on its network OR a route to the pfSense LAN network?

                      Its gateway is the DMZ interface IP (10.10.2.254). As far as routes, that's something I am not sure how to check. There are no inter-network routes in the Diagnostics -> Routes table.

                      The firewall log does show the ICMP broadcast is being blocked. Would allowing ICMP to pass through to the LAN be a large security hole?

                      wallabybob

                        @The:

                        Does the DMZ server have a suitable default gateway on its network OR a route to the pfSense LAN network?

                        Its gateway is the DMZ interface IP (10.10.2.254). As far as routes, that's something I am not sure how to check. There are no inter-network routes in the Diagnostics -> Routes table.

                        If the DMZ server has a valid default gateway (and that sounds valid) then it doesn't need a route.

                        @The:

                        The firewall log does show the ICMP broadcast is being blocked. Would allowing ICMP to pass through to the LAN be a large security hole?

                        Blocked on what interface and under what circumstances? (If the ping is initiated from LAN then the firewall should create a "temporary rule" to allow the ping responses. This is true of all "connections", not just pings.) As to whether ICMP would be a large security hole, I wouldn't think so for my home network, but I don't have security responsibility for your network. Perhaps you could allow it for a little while for your own testing, then block it and see who complains.

                        The Sorrow

                          OK, so I reset everything to default, added the DMZ interface and changed nothing in the firewall rules. Still can't ping 10.10.2.100 from 10.10.1.100 on the LAN. It doesn't have any entries in the firewall logs, it just says host unreachable.

                          wallabybob

                            Host unreachable in this case probably means the link from the LAN system to pfSense is down OR the LAN system doesn't have a default gateway (hence it doesn't know where to send something destined for a system which isn't on its own network).

                            Does your LAN system have the correct IP address, gateway and DNS server?

                            The Sorrow

                              /etc/network/interfaces

                              iface eth0 inet static
                                  address 10.10.2.100
                                  network 10.10.2.0
                                  netmask 255.255.255.0
                                  broadcast 10.10.2.255
                                  gateway 10.10.2.254

                              Unless I'm wrong, then it does have a good IP setup. I'm getting a timeout. Host unreachable was my mistake.

                              wallabybob

                                @The:

                                I'm getting a timeout.

                                Configuration looks OK. What is timing out?

                                The Sorrow

                                  I'll be more specific.

                                  Here is my setup:

                                  10.10.1.0/24
                                  Internet --> pfSense (LAN INT 10.10.1.254/24) ------> LAN --------> Home PC (10.10.1.200/24)
                                                    |
                                           DMZ INT (10.10.2.254/24)
                                                    |
                                                    |
                                           DMZ (10.10.2.0/24)
                                                    |
                                           Web Server (10.10.2.100/24)

                                  When I try to ping from Home PC to Web Server:

                                  Pinging 10.10.2.100 with 32 bytes of data:
                                  Request timed out.
                                  Request timed out.
                                  Request timed out.
                                  Request timed out.
                                  
                                  Ping statistics for 10.10.2.100:
                                      Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
                                  

                                  However, when I ping using the pfSense ping tool:

                                  Ping output:
                                  
                                  PING 10.10.2.100 (10.10.2.100) from 10.10.2.254: 56 data bytes
                                  64 bytes from 10.10.2.100: icmp_seq=0 ttl=64 time=0.689 ms
                                  64 bytes from 10.10.2.100: icmp_seq=1 ttl=64 time=0.372 ms
                                  64 bytes from 10.10.2.100: icmp_seq=2 ttl=64 time=0.307 ms
                                  
                                  --- 10.10.2.100 ping statistics ---
                                  3 packets transmitted, 3 packets received, 0.0% packet loss
                                  round-trip min/avg/max/stddev = 0.307/0.456/0.689/0.167 ms
                                  

                                  Same story for pinging pfSense on my Home PC:

                                  
                                  Pinging 10.10.1.254 with 32 bytes of data:
                                  Reply from 10.10.1.254: bytes=32 time<1ms TTL=64
                                  Reply from 10.10.1.254: bytes=32 time<1ms TTL=64
                                  Reply from 10.10.1.254: bytes=32 time<1ms TTL=64
                                  Reply from 10.10.1.254: bytes=32 time<1ms TTL=64
                                  
                                  Ping statistics for 10.10.1.254:
                                      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
                                  Approximate round trip times in milli-seconds:
                                      Minimum = 0ms, Maximum = 0ms, Average = 0ms
                                  

                                  And for pinging my Home PC from pfSense:

                                  Ping output:
                                  
                                  PING 10.10.1.200 (10.10.1.200) from 10.10.1.254: 56 data bytes
                                  64 bytes from 10.10.1.200: icmp_seq=0 ttl=128 time=0.446 ms
                                  64 bytes from 10.10.1.200: icmp_seq=1 ttl=128 time=0.309 ms
                                  64 bytes from 10.10.1.200: icmp_seq=2 ttl=128 time=0.316 ms
                                  
                                  --- 10.10.1.200 ping statistics ---
                                  3 packets transmitted, 3 packets received, 0.0% packet loss
                                  round-trip min/avg/max/stddev = 0.309/0.357/0.446/0.063 ms
                                  

                                  I can also ping pfSense from my Ubuntu Web Server:

                                  PING 10.10.2.254 (10.10.1.254) 56(84) bytes of data.
                                  64 bytes from 10.10.2.254: icmp_req=1 ttl=64 time=0.261 ms
                                  64 bytes from 10.10.2.254: icmp_req=2 ttl=64 time=0.209 ms
                                  
                                  

                                  This is a base pfSense install with the default LAN -> any rule being untouched.

                                  Insert foot in mouth

                                  Was on static IP with no gateway. Figured it would work for some reason. Set it to DHCP and it works.

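The reasoning the thread walks through (LAN passes everything by default, other interfaces block everything, the reply to an off-subnet ping needs a default gateway on the target, and the Home PC's missing gateway at the end) as a small added Python model; this is a constructed example, not pfSense code or the thread's own, and the host table, interface addresses and rule set are assumed to match the diagram above.

```python
from ipaddress import ip_address, ip_network

# Constructed hosts using the thread's addressing (10.10.x.y, all /24).
HOSTS = {
    "home_pc":    {"ip": "10.10.1.200", "net": "10.10.1.0/24", "gw": None},          # static, no gateway
    "home_pc_ok": {"ip": "10.10.1.200", "net": "10.10.1.0/24", "gw": "10.10.1.254"}, # after switching to DHCP
    "web_server": {"ip": "10.10.2.100", "net": "10.10.2.0/24", "gw": "10.10.2.254"}, # per /etc/network/interfaces
}
# pfSense interfaces: the address it sources a ping from, and the subnet behind each one.
PFSENSE = {"LAN": ("10.10.1.254", "10.10.1.0/24"), "DMZ": ("10.10.2.254", "10.10.2.0/24")}
# Default rule set as described in the thread: LAN passes everything, other interfaces block everything.
RULES = {"LAN": "pass", "DMZ": "block"}


def iface_for(ip):
    """Name of the pfSense interface whose subnet contains ip (None if none)."""
    for name, (_, net) in PFSENSE.items():
        if ip_address(ip) in ip_network(net):
            return name
    return None


def can_reach(host, dst):
    """A host sends to dst directly if on-link; otherwise it needs a default gateway."""
    if ip_address(dst) in ip_network(host["net"]):
        return True
    return host["gw"] is not None


def ping(src_name, dst_ip, hosts=HOSTS):
    """(ok, reason) for an echo request from a host to dst_ip, including the reply path."""
    src = hosts[src_name]
    if not can_reach(src, dst_ip):
        return False, "source has no default gateway, so no route to an off-link target"
    if ip_address(dst_ip) not in ip_network(src["net"]):
        # Off-link: the request enters pfSense on the source's interface and meets that interface's rules.
        iface = iface_for(src["ip"])
        if RULES.get(iface) != "pass":
            return False, "blocked by default rules on " + str(iface)
    if dst_ip in (addr for addr, _ in PFSENSE.values()):
        return True, "pfSense answers directly"
    dst = next(h for h in hosts.values() if h["ip"] == dst_ip)
    # The reply is let back through by the state pfSense created for the request,
    # but only if the target itself has a route back to the source.
    if not can_reach(dst, src["ip"]):
        return False, "request arrives, but the target has no route for the reply"
    return True, "reply passes via the firewall state created by the request"


def pfsense_ping(dst_ip, hosts=HOSTS):
    """Diagnostics ping sources from the interface on the target's subnet: no rules or routes involved."""
    iface = iface_for(dst_ip)
    return iface is not None and any(h["ip"] == dst_ip for h in hosts.values())
```

Swapping in a host table where the web server has no gateway reproduces the other failure wallabybob asked about: the request arrives but the server cannot route the reply.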
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.