Install help for a nanobsd system
-
I ended up getting it to work, by repeatedly doing (what I thought was) the same thing over and over. At first I thought maybe I shouldn't set the LAN IP address at all, based on someone's tutorial on the 'net, so I deleted the LAN interface and tried with just a WAN interface but that didn't work either. In the end I went with the same setting I had before:
WAN -> em0 -> 192.168.0.1/24
LAN -> em2 -> 192.168.2.1/24and for whatever reason pfSense could suddenly connect to the webGUI via the LAN's IP address.
Now I can play with the webGUI but my next issue is that the WAN interface isn't connecting to the internet. I've set the modem up in bridge mode following the settings other people have used with that particular modem. But no 'net connection. I don't have time to figure it out now but I'll revisit it on the weekend and maybe update this thread or start a new one if I have no luck. Back to the old factory modem/router for now.
-
I would guess the Draytek Vigor120 is a xDSL modem in which case (since you say you have set it in bridge mode) you almost certainly should have your WAN interface configured as PPPoE on em0.
-
Yeah, that's what I had. Maybe I need to do some more research into what settings I need to have for the WAN to pass-through to iinet correctly. Fortunately there's a bunch of people that've done similar on e.g. whirlpool so there's plenty of material to investigate.
-
The default setting of the v120 is as a pppoe/pppoa bridge. So if you've not changed anything you simply need to change your WAN to pppoe and enter your details.
Steve
-
Hmm, I'm still stuck.
I set up the Vigor120 according to Draytek's instructions. I stayed with the default settings, i.e. modem IP == 192.168.1.1/24
I reset pfSense (5,000 times) and ended up with:
WAN -> em0 -> 192.168.1.10/24 (as per Draytek's page)
LAN -> em2 -> 192.168.2.1/24 with DHCP addresses between 192.168.2.100 and 192.168.2.200In the webGUI it's all good, both interfaces are connected. WAN is set to PPPoE with my username and password. Nothing unusual or special. WAN gets a different public IP according to the info logs, presumably from my ISP. However, I can't ping out or see anything except 192.168.1.10 or the LAN subnet range (apart from some random dynamic public IPs that various log screens give me - again, presumably ISP-assigned). Any ideas? I can post screenshots etc to give you guys more info if that helps.
Sorry for the noob questions but I've got no idea. Not afraid to learn though.
-
Hmm, I don't know about the Australian firmware version but all the versions I've tried (quite a few) are set up in bridge mode by default. In fact you can only make it into a 'router' using the CLI.
Are you in Australia? Using Aus firmware version?Steve
-
Yes, I'm in Australia. I did do a search last night and found quite a few links where people talked about needing latest firmware on the modem. I'll double check what it has and possibly upgrade. It's brand new so I would hope it's recent but you never know how long it's been gathering dust with an uncommon item like this.
By default (I think) it wasn't in bridge mode. It was (I think) in PPPoE mode. I can factory reset it and check.
Also, there are a whole heap of links where people got the 120 up and running in PPPoE pass-through mode (in conjunction with pfSense and also with other routers). However I wanted full bridge mode and let pfSense take care of everything and have the 120 in dumb modem mode. I never tried to set it to PPPoE pass-through mode but I guess I could just to confirm if I can get a ping out.
Possibly a stupid question but I presume that pfSense doesn't default setup with any built-in rules to block all external traffic on the WAN?
-
By default pfSense blocks all incoming traffic on WAN (as you would expect in a firewall) and allows all outgoing traffic.
I am using a V120 to send this message. The UK firmware comes preconfigured as a bridge. I simply plugged it in and configured pfSense to connect via PPPoE and it worked. Later I messed about with some other settings but it wasn't necessary.
Your firmware is clearly different but it shouldn't be hard to do.
The PPPoE pass-through mode looks to be the same as mine.
Steve
-
However, I can't ping out or see anything except 192.168.1.10 or the LAN subnet range (apart from some random dynamic public IPs that various log screens give me - again, presumably ISP-assigned).
Posting the system response to a ping command is almost always more informative than "can't ping". Please post the output of the pfSense shell commands```
ping -c 3 8.8.8.8
ping -c 3 www.google.comPlease also post output of pfSense shell commands:``` /etc/rc.banner netstat -r -n ifconfig ```to give more complete statement of system configuration and state. -
Thanks guys. As I said, no idea when it comes to network stuff.
I'll get back to you with that info when I get home and have a play with the setup again, in about 7 hours.
-
OK, setup was reset to factory defaults (modem + I reassigned the interfaces on pfSense and reset their IP addresses via the shell):
Draytek Vigor 120 in full bridge mode w/ IP 192.168.1.1, latest firmware (3.2.4.4).
pfSense:
Wan → em0 → 192.168.1.10
Lan → em2 → 192.168.2.1From pfSense shell:
$ ping -c 3 8.8.8.8
ping: sendto: No route to host$ ping -c 3 www.google.com
ping: cannot resolve www.google.com: Host name lookup failureCan succesfully ping stuff that I've directly assigned, e.g. 192.168.1.1, 192.168.1.10, 192.168.2.1, 192.168.2.xxx if I setup dhcp on the LAN and ping within its start → end range.
From the Windows box, all the ping command outputs are the same except I can't get to 192.168.1.1 (the modem).
Back to pfSense shell:
/etc/rc.banner:
*** Welcome to pfSense 2.0.2-RELEASE-nanobsd (i386) on pfSense ***
WAN (wan) → em0 → 192.168.1.10
LAN (lan) → em2 → 192.168.2.1netstat -r -n gives something pretty much the same as:
ifconfig gives pretty much:
Obviously those last two are webGUI screenshots. There was too much info to manually copy from the pfSense shell to the Windows box but if you need me to double check it's equivalent I can do it (or I could try to cat the files somewhere writeable on the pfSense install, if it exists).
-
Ok, that looks to be what I would expect.
With the V120 in bridge mode it should not have dhcp enabled so it won't hand out an IP address to the pfSense WAN as you've found. You have assigned it statically instead but that is not the correct setup. In bridge mode the V120 is not connected to the internet and will not route packets directly.
Instead you should change your WAN interface to PPPoE and enter your ISP login details. When pfSense tries to connect the V120 will bridge the connection to your incoming PPPoA line and it should connect. I am also using 3.2.4.4 but using ADSL Firmware Version: 332201_A Hardware: Annex A
The only thing to check is that your DSL line settings are correct. This varies by ISP and more so by country so I can't help your there. However the UK firmware selects the most common UK settings by default.Once you have changed your WAN to PPPoE you will no longer be able to connect to the V120 webgui. This can make things a bit tedious! If you need to check the settings it is usually easiest to connect to directly with a laptop statically configured in the 192.168.1.1 subnet.
Once you have things working you can make some adjustments to pfSense to allow access, see:
http://doc.pfsense.org/index.php/How_can_i_access_my_PPPoE_Modem_on_WAN#For_2.0Obviously those last two are webGUI screenshots. There was too much info to manually copy from the pfSense shell to the Windows box
You can connect to the pfSense CLI via SSH using a suitable Windows program such as putty. Then you can easily copy and paste output. Just enable Secure Shell in the webgui in System: Advanced: Admin Access.
Steve
-
Thanks Steve. I had set up PPPoE interfaces before, but for the purposes of that post I started from scratch and only did console interface/IP assignment (I didn't see if you could setup a PPPoE interface via the console?).
Anyway, I've still had no luck. I went ahead, started from scratch again today. One thing I noticed was if I set up the LAN IP as 192.168.2.1 I need to set DHCP on its subnet (and I've been assigning the start -> end range as 192.168.2.100 -> 200, just because). Otherwise I couldn't ping 192.168.2.1 or anything from the Windows box. I set up a WAN interface with DHCP today in combo with the aforementioned LAN settings (couldn't seem to ping 192.168.2.1 until I did that to the WAN).
And here are my results:
$ /etc/rc.banner
*** Welcome to pfSense 2.0.2-RELEASE-nanobsd (i386) on pfSense ***
WAN (wan) → pppoe0 → 58.7.78.54 (PPPoE)
LAN (lan) → em2 → 192.168.2.1$ ping -c 3 8.8.8.8
successful ping$ ping -c 3 www.google.com
ping: cannot resolve www.google.com: Host name lookup failure$ netstat -n -r
$ ifconfig
–----------------------------------- Windows box (cygwin “shell”) -------------------------------
$ ping 8.8.8.8
successful ping$ ping www.google.com
Ping request could not find host www.google.com. Please check the name and try again.$ netstat -n -r
$ ipconfig /all
I've snipped some things here and there, obviously. I wish I knew what I was missing, because it can't be this hard, surely. I will check the DSL line settings but I'd be surprised if my ISP is doing anything unusual. It's a pretty big ISP and they're pretty progressive and flexible. I'll do a search for more info.
-
DSL settings from old modem:
Those were the settings I had on the Vigor120. I didn't really touch any of the pfSense settings and would be surprised if they didn't match.
-
Ah, I think you have fallen foul of a pfSense bug in 2.0.2:
http://redmine.pfsense.org/issues/2728I completely forgot about that because I am not using my ISP provided DNS servers.
You can either enter the DNS servers manually like I do, either your ISPs or something else (I use Google's DNS servers at 8.8.8.8 and 8.8.4.4).
This is done in System: General Setup: in the webgui. Uncheck the box that allows the settings to be overridden.Or you can use one of the 2.0.3 snapshots which have fixed that bug:
http://snapshots.pfsense.org/FreeBSD_RELENG_8_1/i386/pfSense_RELENG_2_0/Steve
-
Cool! Thanks for the diagnosis. I tried setting up my ISPs DNS server as you said, with google's as backup. Didn't work, couldn't "see" outside the LAN. So I tried the snapshot advice and went with a 2.1 nightly build (pfSense-2.1-BETA1-4g-i386-nanobsd_vga-20130223-1639.img). At least I'm getting somewhere, but still can barely "see" out.
Some random screens:
At least some traffic is flowing via pppoe0, whereas before your help there was none. However, the only external ping that succeeds (out of the handful I've tried) is to google's DNS server at 8.8.8.8. That must be the server that's helping me resolve names, because my ISP's IP name is resolving now. But curiously I can't ping the ISP's main website address directly. I should've tried pinging my ISP's DNS server. I'll try after this post, but swapping connections between my old modem and the new pfSense box is annoying and time consuming while the Windows box brings up the connections.
I did setup a dyndns update service. That worked, whereas it didn't with the 2.0 setup. Light on the webGUI is green and it says it's updated.
I wasn't sure what to do with some of the new interface IP settings via the pfSense console - ipv4 gateways on the LAN and WAN, ipv6 addresses (I left those alone). Hopefully that's all alright.
-
For some reason the pfSense default route points to the IP address of your LAN interface. I can't imagine a circumsance in which that would be a useful thing to do.For some reason you have routes to particular individual web sites, perhaps trying to correct an earlier mistake. I suspect you have done more to your system than you have owned up to!
When pppoe starts up on WAN the default route is normally set to the IP address of the other end of the PPPoE connection.
-
It looks like you have some non-default settings in System->Routing Gateways:
- WAN (probably called WAN_DHCP or similar) - monitor IP set to 8.8.8.8 - that will add a specific route to your routing table sending 8.8.8.8 out WAN (your pppoe) - this is a good thing and the reason you can ping 8.8.8.8
- GW_LAN in your screen shots - there seems to be a (default) gateway set on LAN - normally LAN should have no gateway, and almost never is the default gateway.
Suggestion: change the default gateway to WAN and then delete GW_LAN. (edits/deletes in System->Routing Gateways tab)
-
Thank you very much, wallabybob and Steve (and phil, as I was typing my reply)! Posting from pfSense now, before I take it down again and lock it down. No doubt many more questions to come.
wallabybob, it was a case of Hanlon's Razor I think.
I don't remember configuring it, but I ended up with two gateways on here:
with the LAN being the default and probably pointing to 192.168.2.1 (i.e. itself). Maybe I did that from the pfSense CLI when setting interface IP addresses?
Deleting the default LAN one and setting the default to WAN did the trick.
Also, if I manually set DNS servers (my ISP and the two google ones) as Steve suggested with my 2.0.2 build, they appear in the routing table like this:
Clearing out those settings (obviously the bug's fixed in 2.1), I end up with a table that looks like this:
which "feels" more like it should now that I have a vague clue what to look for.
Now that I've gotten the system up and running, be prepared for 1000 more dumb questions as I delve into the world of pfSense. Next steps, WLAN interface, VPN access to the webGUI, certificate or time-based rules for three restricted users w/ unlimited access for two other users, locking everything up based on MAC addresses, setting up a guest WLAN interface (virtual?) for visitors. Then, trying to get 802.11n working (with 2.2, I guess). I've spent $$$ on hardware, so giving up is not an option.
Interestingly, one other thing I still need to do with 2.1 is the kern.cam.boot_delay=10000 setting for my USB system. Won't boot without it.
-
OK, another hiccup. I went back this afternoon to set up a wifi interface. Similar to before I could instantly connect within the local net but not "see" out. In the process of changing some settings (bit like the doc.pfsense tutorial), the webGUI hung, the pfSense box died with a page fault or something. I tried rebooting, but I get a series of messages and can't proceed. Some of the messages are like the seemingly well-worn one where I should specify "set vfs.root.mountfrom.options=rw" at the loader prompt. That's obviously irrelevant to my ro USB installation, but I tried anyway.
The place where it crashes every time is on configuring the OPT1 interface. I'm guessing since that's where the webGUI hung some settings got corrupted.
I tried booting in safe mode, single user mode, USB mode, setting a few things at the loader prompt (e.g. "if_ath_load=NO") but nothing worked.
The most common place it dies indicates that there's a problem with ath0, and it's usually right after trying to load OPT1 (gets a few more lines of boot output then dies).
My question is, is there a setting I can set that will prevent the kernel trying to load OPT1? I'd prefer to try to repair my semi-working install than reinstall from scratch, but if it's irrepairable I will do that.
