Netgate Discussion Forum

Can't get past VLAN / WAN setup

    Problems Installing or Upgrading pfSense Software
CGTroll

I've just installed pfSense and am trying to start it up for the first time, but I can't get past VLAN and WAN setup. I don't know much about VLANs, but from what I can understand of what I have read, a VLAN is used on networks with a lot of traffic. All I want is to use pfSense as an additional security measure because my NAS is getting mass hits day and night and my only security to the outside world is the router that came with my Internet connection. Do I need to set up a VLAN for that?
As for WAN, my pfSense box will be hooked up to the cable modem, so that would be a LAN connection, right? So how do I skip WAN setup?

      I've tried to read the documentation on this, but can't seem to find any that fit my setup. I just need a good firewall setup to stop all these attacks on my NAS.

      UPDATE:
      Error I am getting:
      VLAN Capable interfaces:
      No interfaces found!
      No VLAN capable interfaces detected.
      NOTE pfSense requires AT LEAST 1 assigned in….
      ..WILL NOT function correctly.

      If you do not know the names of your interfaces, you may choose to use auto-detection. In that case, disconnect all interfaces now before hitting 'a' to initiate auto detection.

      Enter the WAN interface name or 'a' for auto-detection:

      If I hit a,
      Connect the WAN interface now and make sure that the link is up.
      Then press ENTER to continue.

      I get:
      Warning: Invalid argument supplied for foreach() in /etc/inc/config.console.inc on line 447
      No link-up detected.

      Enter the WAN in….

      I don't know the WAN or LAN name, so is there a place I can look this up or do I just make it up, if so, what is normal to call them?

Or is this happening because pfSense can't detect my NICs? (The computer has 2 x GBit NICs on the motherboard.)

      Any help is appreciated! :)

SeventhSon

        If you want to protect your NAS, the setup would be:

        Internet - (WAN) router (LAN) - (WAN) pfSense (LAN) - NAS

        But then your NAS would be on a different network. You probably want a bridge firewall setup:
        http://doc.pfsense.org/index.php/What_is_a_bridged_interface_and_how_would_one_be_used%3F

        Which is a bit harder again.

stephenw10 Netgate Administrator

          Is your NAS running any services that are supposed to be accessible from the internet?
          Where are these attacks coming from and how are they reaching your NAS if you haven't allowed it specifically?
          pfSense certainly offers a much greater level of control than standard soho routers but they shouldn't allow random attacks.  :-\

          Please give us as much information as possible.

          Steve

CGTroll

            @stephenw10:

Thanks for the reply. I was not accurate enough: the attempts to connect to units inside my network are also to other computers, but mainly to my NAS. I have a QNAP NAS set up to be accessible from outside using the dyn.com service, since I don't have a static IP from my ISP. Through the NAS' own services I have access to the admin panel, music station (stream music), file server, web hosting and FTP. Last week I got VPN working, but it isn't very stable. I'm guessing that would be a more secure way to set it up?

            My setup is like this: Internet > Netgear router WNDR3800 > NAS
Both the router and the NAS are set up to log connections, and on the router I see this warning day and night:
            "[LAN access from remote] from 80.202.184.128:36659 to xxx.xxx.x.107:18937, Sunday, May 05,2013 23:34:02"
            and
            "[DoS Attack: RST Scan] from source: 193.66.251.212, port 80, Sunday, May 05,2013 22:18:32"

            from random IPs, mostly China and eastern Europe (I have traced a bunch of the IPs but there are too many to manually block them all).

Now, how serious these "attacks" are I don't know. I've tried to find out what software could be using a port like 18937, but most of the time I can't figure it out. I've seen a lot of traffic for Skype on high port numbers, but they vary.

            For the NAS the log is filled with these warnings:
            [Security] Access Violation from 141.212.121.10 with TCP (port=443)
2013-05-02 10:07:18 root 117.79.91.214 --- SSH --- Login Fail
            (these IPs and port numbers change all the time)

The login attempts through SSH were so massive I had to shut that service off. FTP has some login attempts, but not as many as there were through SSH.
            When the server has access violation, it blocks the IP for 5 minutes, but that just means they keep trying after 5 minutes.

I have not done much to the setup of the router except set the DHCP range, domain, new password, and WiFi access code. The NAS has an auto-setup through UPnP which handles the router. I find the router's firewall setup a bit odd and hard to set up port forwarding in manually. Since I don't know too much about which ports should be open for every application, I figured using UPnP was the best solution, but I have recently read on pfsense.org that UPnP has some security issues too?

CGTroll

              @SeventhSon:

              Thanks for the reply.
The NAS is the one that gets the most attacks, but there are other computers on the network that also have a lot of strange access attempts. I was hoping to place pfSense between the cable modem and the router, but from what you say I should maybe have another router after pfSense, so I can have the other computers on the same network as the NAS?

phil.davis

                I don't understand why you need to have another router as well as pfSense. Normally you would have:
                Internet - cable modem - (WAN) pfSense (LAN) - internal network
                The internal network has your NAS and the rest of your computing devices, just like normal. Then all the devices on your internal LAN network can interact with each other as normal. Assuming a medium-sized home network, everything would be on 1 LAN and there is no need for VLANs. The pfSense does both firewall and routing.
                To start with, all incoming attempts at access from the internet are blocked by pfSense. On pfSense you port forward whatever you want to open up from the public WAN IP and port, to an internal LAN IP and port (e.g. some NAS functions).
                Not long after you open up a port, some port scanner out in internet land will find it, try to see what service is on it and try to hack in. That's the nature of these people who have nothing better to do than find things to hack into. You have discovered this already.
If you really want to be able to access the NAS remotely from wherever you are in the world (from any weird and wonderful country you may travel to on a whim) then you can't put in place blocks on particular groups of remote IP addresses, because one day you might be accessing from any of them. But usually this is not the case - you really only want to access your NAS remotely from your own country, or a handful of countries that you travel to. So you can use a pfSense package like pfBlocker to cut out access from loads of remote places or a list of known nasty IPs. That should severely reduce the number of random port scanners that you are hit with.

                I've tried to find out what software could be using port like 18937, but most of the time I can't figure it out. I've seen a lot of traffic for Skype on high port numbers, but they vary.

The incoming connection will always have a destination port number of the port that your NAS is listening on. But the source port number at the other end is just a "random" port number allocated from what is called the "ephemeral port range" on the remote computer - http://en.wikipedia.org/wiki/Ephemeral_port - so you can't usually make any useful sense of those port numbers.

                As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
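
An added example (not code from the thread, nor from pfSense, Netgear or QNAP) that applies the advice in this reply to log lines of the kinds posted earlier in the thread. It parses the Netgear and QNAP formats quoted above, keeps the destination port as the identifier of the service being probed, treats the remote source port as ephemeral noise, and builds a first-pass list of repeat sources that could feed a manual block list or a pfBlocker custom list. The sample log is constructed from those formats with illustrative addresses; the SERVICE_PORTS mapping and the ephemeral-range threshold are assumptions, not facts from the thread.

```python
"""Triage the kind of router/NAS log lines quoted in this thread.

Added example: not code from the thread, pfSense, Netgear or QNAP.
It shows the point made above: the destination port says which service
is being probed; the remote source port is ephemeral and tells you nothing.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the formats quoted in the thread
# (addresses are illustrative, not real traffic).
SAMPLE_LOG = """\
[LAN access from remote] from 80.202.184.128:36659 to 192.168.1.107:18937, Sunday, May 05,2013 23:34:02
[LAN access from remote] from 80.202.184.128:36660 to 192.168.1.107:18937, Sunday, May 05,2013 23:34:05
[LAN access from remote] from 117.79.91.214:51022 to 192.168.1.107:22, Sunday, May 05,2013 23:40:11
[DoS Attack: RST Scan] from source: 193.66.251.212, port 80, Sunday, May 05,2013 22:18:32
[Security] Access Violation from 141.212.121.10 with TCP (port=443)
2013-05-02 10:07:18 root 117.79.91.214 --- SSH --- Login Fail
"""

# Assumed default ports for the services named in QNAP login-failure lines.
SERVICE_PORTS = {"SSH": 22, "FTP": 21}


@dataclass
class Hit:
    source: str               # remote address
    src_port: Optional[int]   # port on the remote side (ephemeral), if logged
    dst_port: Optional[int]   # port on our side: the service being probed
    kind: str


_RE_LAN_ACCESS = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+)")
_RE_DOS = re.compile(
    r"\[DoS Attack: (?P<kind>[^\]]+)\] from source: (?P<src>[\d.]+), port (?P<port>\d+)")
_RE_QNAP_AV = re.compile(
    r"Access Violation from (?P<src>[\d.]+) with \w+ \(port=(?P<port>\d+)\)")
_RE_QNAP_LOGIN = re.compile(
    r"^\S+ \S+ (?P<user>\S+) (?P<src>[\d.]+) --- (?P<svc>\S+) --- Login Fail")


def is_ephemeral(port: int) -> bool:
    """Heuristic: IANA's dynamic range starts at 49152 and Linux's default
    client range at 32768, so anything >= 32768 is treated as ephemeral."""
    return port >= 32768


def parse_line(line: str) -> Optional[Hit]:
    """Return a Hit for a recognised log line, else None."""
    line = line.strip()
    m = _RE_LAN_ACCESS.search(line)
    if m:
        return Hit(m["src"], int(m["sport"]), int(m["dport"]), "lan_access")
    m = _RE_DOS.search(line)
    if m:
        # Netgear logs one port here without saying which side it belongs
        # to, so it is attributed to neither side.
        return Hit(m["src"], None, None, m["kind"])
    m = _RE_QNAP_AV.search(line)
    if m:
        return Hit(m["src"], None, int(m["port"]), "access_violation")
    m = _RE_QNAP_LOGIN.search(line)
    if m:
        return Hit(m["src"], None, SERVICE_PORTS.get(m["svc"]), "login_fail_" + m["svc"])
    return None


def parse_log(text: str) -> List[Hit]:
    return [h for h in (parse_line(l) for l in text.splitlines()) if h is not None]


def summarize(hits: List[Hit]) -> Dict[str, object]:
    """Count by destination port (meaningful) and by source; count how many
    logged source ports fall in the ephemeral range (expected: nearly all)."""
    logged = [h.src_port for h in hits if h.src_port is not None]
    return {
        "by_dst_port": Counter(h.dst_port for h in hits if h.dst_port is not None),
        "by_source": Counter(h.source for h in hits),
        "logged_src_ports": len(logged),
        "ephemeral_src_ports": sum(1 for p in logged if is_ephemeral(p)),
    }


def block_candidates(hits: List[Hit], threshold: int = 2) -> List[str]:
    """Sources seen at least 'threshold' times across all log formats; a
    starting point for a manual block list or a pfBlocker custom list."""
    counts = Counter(h.source for h in hits)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    s = summarize(hits)
    print("hits per destination port (service being probed):", dict(s["by_dst_port"]))
    print("source ports in ephemeral range: %d of %d logged"
          % (s["ephemeral_src_ports"], s["logged_src_ports"]))
    print("repeat sources:", block_candidates(hits))
```

Run against a real export of the router and NAS logs, the by_dst_port counter is the list of services actually being probed (and therefore the list of port forwards worth reconsidering), while the source-port column is not worth looking up at all.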

CGTroll

                  @phil.davis:

Thank you for your reply. I didn't mean I had to have another router; it was a question to SeventhSon after he said "If you want to protect your NAS, the setup would be:

Internet - (WAN) router (LAN) - (WAN) pfSense (LAN) - NAS"
because I need WiFi and a regular access point, but I guess that could be a switch then?

As for your suggested setup, I don't need two sets of firewalls then, just set up pfSense and then use the Netgear as a switch and WiFi access point on the LAN?

And from what you say, I don't see why I should need a VLAN either, which was my initial thought. But then, how do I get past the VLAN / WAN setup, as it will not allow me past that? Both VLAN and WAN fail on startup. I tried placing the pfSense box between the cable modem and the router, but it still fails to auto-detect the WAN name. (See the error in the first post.)

                  Also, I would really only need to have access to my NAS inside my country for 99% of time so to use pfBlocker to block out pretty much everything else would be nice!

                  Thanks.

stephenw10 Netgate Administrator

                    OK, you have two separate issues here:
                    1. Your (probably) Realtek NICs are too new to be recognised by pfSense 2.0.X. If you look carefully at the boot messages you'll probably see "re1: Unknown H/W revision: 0x2c800000" or something similar.
                    Try using 2.1 instead: http://snapshots.pfsense.org/

                    2. You have a large number of services on your NAS open to the internet. pfSense can only help you here by blocking those services. Your existing router can do that anyway or you could just turn them off on the NAS. Do you really need all those open services? You are trusting the NAS firmware not to have any bugs which is not something I would do.
                    You can block, say, all of China in pfSense or setup a VPN instead which would be much better.  ;)

                    Steve

CGTroll

OK, issue one is what I have started to realize after reading other posts, so I will try the 2.1 snapshot.

As for issue 2 - a good VPN connection would be a better way to go, yes, but up to now the Netgear router isn't very happy with VPN, or so it seems, as the VPN connection is very unstable. A switch to my new pfSense box here could probably make VPN a stable solution. (As for the security risk - that is just why I realized I needed to look for a better solution.)

                      Thanks for the reply. :)

phil.davis

                        Internet - (WAN) router (LAN) - (WAN) pfSense (LAN) - NAS"
                        because I need a WiFi and regular access-point, but I guess that could be a switch then?

                        As for your suggestion to setup, I don't need two sets of firewalls then, just set up the pfSense and then use the Netgear as a switch and WiFi access-point on the LAN?

                        Yes, connect your Netgear switch to the pfSense LAN port. Connect the NAS, WiFi access point and any other cabled devices to the switch. Just 1 ordinary LAN behind pfSense should be fine for your needs.
                        OpenVPN works well on pfSense (I am using the latest pfSense 2.1 at multiple sites with OpenVPN). That will allow you to access your LAN remotely, and just have the single OpenVPN server port open on pfSense. The default OpenVPN server port number is 1194. I suggest you pick another port number when you set it up, as external hackers know that 1194 is OpenVPN and will likely make annoying attempts to break in (which will be unsuccessful unless they get your keys). I pick a number in the 4000's - the list of officially allocated ports is at http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml - and I just pick one that is unassigned. (Actually that doesn't matter unless you are also needing to use the assigned service)

CGTroll

                          Thanks for the replies!
                          Finally got it up and running. Using the 2.1 snapshot fixed it.  :)

I now have the router in bridge mode, and I can access the network and the pfSense box through the network, but I cannot get outside. The Internet is not available, but I know it works as I'm using it now after hooking my PC straight into the modem. When I go through the setup of the WAN and the LAN, straight from the box, both the WAN and the LAN get their IP, but when I check the WebGUI, it says the WAN IP is blank. When I check the IP straight from the box again, the WAN is blank as well. If I set up the interfaces again, the same thing happens. The WAN IP that shows up after the setup is the ISP IP, so I know it is getting it from the ISP, but why does it disappear? I have tried to reset the pfSense installation and only use the default settings, but the same thing happens. Any idea what could be causing this?

                          My setup is now:

                          Cable Modem > WAN pfSense (DHCP server) > LAN out > LAN in router box (bridge mode)

                          Thanks!

stephenw10 Netgate Administrator

                            What sort of WAN connection do you have, PPPoE, DHCP?
                            Are you initially getting the correct IP?

                            Check the system logs for clues as to why your IP is dropped.

                            Steve

CGTroll

                              @stephenw10:

                              DHCP WAN connection
                              Yes, initially getting the correct IP
I don't understand all that's in the log, but this had the correct WAN IP in it (swapped the IP with x's):

                              php: /interfaces.php: Clearing states to old gateway xx.x.xxx.x
                              php: /interfaces.php: ROUTING: setting default route to xx.x.xxx.x
                              php: /interfaces.php: The command '/sbin/route change -inet default xx.xx.xx.x'' returned exit code '1', the output was 'route: writing to routing socket: No such process route: writing to routing socket: Network is unreachable change net default: gateway xx.x.xxx.x: Network is unreachable'

                              Thanks!

stephenw10 Netgate Administrator

                                Ok, is your test PC that you connected to the modem directly running Windows?

                                The problem here is that you can't use a gateway that is outside your subnet when using DHCP. My understanding is that it's against the rules and FreeBSD doesn't allow it. Windows bends those rules.  ;)

                                Does that sound right, is the gateway outside the WAN subnet?

                                Steve

                                The problem and a possible solution are described here: http://blog.magiksys.net/pfsense-firewall-default-gateway-different-subnet
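
An added example, not code from the thread or from pfSense, that turns the check Steve is asking for into something you can run: it pulls the gateway out of a routing error of the shape pfSense logged earlier in the thread, tests whether that gateway lies inside the WAN lease's subnet, and, for the off-link case, prints the kind of host-route workaround a FreeBSD admin would try by hand. The addresses are constructed from documentation ranges, the interface name is assumed, and the route(8) commands are an illustration to be checked against the manual page rather than the procedure from the linked blog post.

```python
"""Check whether a DHCP-supplied default gateway is on-link for the WAN
interface, the condition described above, and recover the gateway from a
pfSense routing error of the shape quoted earlier in the thread.

Added example: not code from the thread or from pfSense. Addresses are
constructed (RFC 5737 documentation ranges); the interface name and the
FreeBSD route(8) commands are an assumed illustration of the host-route
workaround, not the procedure from the linked blog post.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed log line in the shape pfSense logged above, with a
# documentation-range gateway in place of the redacted one.
SAMPLE_ROUTE_ERROR = (
    "php: /interfaces.php: The command '/sbin/route change -inet default 198.51.100.1'' "
    "returned exit code '1', the output was 'route: writing to routing socket: "
    "No such process route: writing to routing socket: Network is unreachable "
    "change net default: gateway 198.51.100.1: Network is unreachable'"
)

_RE_ROUTE_FAIL = re.compile(
    r"/sbin/route change -inet default (?P<gw>[\d.]+)'.*Network is unreachable")


def gateway_from_route_error(logline: str) -> Optional[str]:
    """Pull the gateway pfSense failed to install out of the log line."""
    m = _RE_ROUTE_FAIL.search(logline)
    return m["gw"] if m else None


def gateway_is_onlink(wan_cidr: str, gateway: str) -> bool:
    """True when 'gateway' lies in the subnet of the WAN lease 'wan_cidr'
    (e.g. '203.0.113.10/24'). A /32 lease makes every gateway off-link."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(wan_cidr).network


def host_route_commands(gateway: str, ifname: str) -> List[str]:
    """Assumed FreeBSD workaround: pin a host route to the gateway through
    the interface, then install the default route via it. Verify the exact
    syntax against route(8) before running it on a real box."""
    return [
        f"route add -host {gateway} -iface {ifname}",
        f"route add default {gateway}",
    ]


def diagnose(wan_cidr: str, gateway: str, ifname: str = "re0") -> Dict[str, object]:
    """Explain the 'Network is unreachable' failure: with an off-link gateway
    the kernel has no route to the gateway itself, so it refuses to install
    a default route through it."""
    onlink = gateway_is_onlink(wan_cidr, gateway)
    return {
        "gateway_onlink": onlink,
        "explains_unreachable": not onlink,
        "workaround": [] if onlink else host_route_commands(gateway, ifname),
    }


if __name__ == "__main__":
    gw = gateway_from_route_error(SAMPLE_ROUTE_ERROR)
    for lease in ("198.51.100.10/24", "203.0.113.10/24", "198.51.100.10/32"):
        print(lease, "->", gw, diagnose(lease, gw))
```

The input to check on a real box is the WAN address and mask shown by `ifconfig` on pfSense together with the gateway from the routing error; if `gateway_is_onlink` returns True, the dropped WAN IP has a different cause (the MAC/ISP and link-negotiation suspects raised later in the thread) and no routing workaround is needed.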

CGTroll

                                  @stephenw10:

                                  thanks for the reply.

Ouch. This went a bit above my head and I don't understand much of this. Previously I had the Netgear router just hooked up to get an IP from the ISP and that was that. I'm guessing the Netgear box then did this automatically, but now I have to set it up manually doing the same job? Is there no way for pfSense to handle the WAN and the LAN as two individual networks in the same way? From what I could understand of the tutorial, I have to set the WAN IP to static, but how can that work when I don't have a static IP?

I've used my MacBook Pro to connect to the cable modem, so I guess it does the same thing as Windows?

stephenw10 Netgate Administrator

                                    The fact that it worked with the Netgear router, which is probably running Linux, implies it might be nothing to do with my previous suggestion. Only you can know for sure because only you know what the WAN IP settings are/were. If the gateway supplied via dhcp is outside the subnet of the supplied WAN IP then this is certainly an issue. It looks like it might be because your log shows pfSense trying to set a default gateway that is unreachable.  :-.

                                    Steve

CGTroll

                                      @stephenw10:

                                      This is what I get when I hook my Mac up to the Cable TV modem:

As for the Netgear router, all the options I have are to check off "Get IP Dynamically from ISP":

stephenw10 Netgate Administrator

I assume the redacted part is the same for both your IP and the gateway?

                                        In that case it's not the problem I described, the gateway is in the subnet.

                                        More likely it's some issue with the modem or ISP not accepting the MAC address. Have you tried rebooting the modem? Or spoofing the MAC in pfSense?

                                        It could also be a compatibility problem between the two ethernet devices. I was dealing with some hardware yesterday which would negotiate a connection for about a minute and then fail, at the ethernet level. It happens more often than you think, but it's still quite rare.  ;) You can usually see if that's the case as the connection shows as down (or flaps up - down) in ifconfig.

                                        Steve

biggsy

                                          Did you connect the Netgear's WAN port to the pfSense LAN?
                                          If so and you can spare a LAN port, try connecting one of the Netgear's LAN ports instead - leaving the Netgear's WAN port empty.

                                          As Steve might have been suggesting, some ISPs will limit the number of MAC addresses to which they will give IP addresses through the same cable modem.  My ISP only allows two different MAC addresses - supposedly one for the tech to set it up for you with his PC and one for your PC or router.  In your case, your Netgear could have taken one IP and your Mac the other.  It depends on your ISP's DHCP policies.  Steve's suggestion of spoofing the MAC address of pfSense (so it looks like your Mac or the Netgear's MAC) should get around that limitation.  Strange that an IP address appears and then disappears though.

CGTroll

                                            @stephenw10:

                                            Sorry, forgot to mention that, yes they are the same.
I actually have not tried to reboot the modem, which is pretty silly, but since the connection has worked with the Mac I haven't thought of that. On the other hand, while I've been at work posting this, my wife has been home trying to use the Internet on her Windows PC the same way I did with my Mac, and she couldn't get it to work until she rebooted the modem. So when I get back home, I will hook the pfSense box back up and see how that goes, and even reboot the modem again while the box is connected. I will also check ifconfig.

                                            Thanks!

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.