New install - no browser menu or internet communication
-
This is the first time I've tried to set up a firewall box, and after several days of efforts I'm finally ready to ask for help. I've tried to search the forum and the answer is probably in here somewhere - just point me in the right direction, please. The firewall box is an old P4 with 2 NICs that have been verified working with a live CD browser. I've got a Verizon DSL modem and will only be using one non-networked machine with the firewall for now.
The problem is that I can't get to the pfSense browser menu or any online access when the firewall is hooked up. I used the auto sensing function to identify the LAN and WAN ports, and their assignments are WAN - vr0- None (DHCP) and LAN - r10 - 192.168.1.1. If I'm reading the instructions correctly, the firewall WAN goes to the modem and the LAN goes to the computer. The modem was assigned to 192.168.1.1 so I changed the firewall LAN to 192.168.1.2/24, without result. The firewall LAN was reverted to 192.168.1.1/24, and the modem switched to 192.168.1.2, again without result. I've also swapped the firewall NIC cables on the chance I had the LAN and WAN reversed.
I'm sure I'm making a simple noob mistake and you'll be able to correct it easily. Thanks in advance for the assistance.
-
Hi, never be afraid to ask for help. :)
Just a quick point of information, you've written r10 for the LAN interface but it's actually rl0. Could just be a typo but could confuse things later. It refers to the first adapter using the rl driver. This is widely regarded as a poor network card but that's not your problem.
You cannot have the WAN and LAN interfaces in the same subnet as it breaks pfSense's routing ability.
You have changed the IP addresses to avoid duplicates but they are still in the same subnet. You could use these for example:
WAN receives its IP from the modem via DHCP so leave the modem in its default config: 192.168.1.1/24
LAN - 192.168.2.1/24.
That may fix your problems; however, even with that subnet issue I would still have expected your client machine to reach the pfSense webgui. If you are connecting directly from the client to the pfSense box (no switch or hub) you may need a crossover cable with older NICs like this. You should be able to diagnose that via the LEDs on the network cards, is a link established?
Steve
-
Thanks for the reply. Modem's back to 192.168.1.1 and firewall LAN is 192.168.2.1/24, still unable to get the browser menu or online in this configuration. The firewall WAN now says 192.168.1.67 (DHCP).
As far as seeing a link established - what am I looking for? The lights on both cards come on, if that's any indication, and I used the [a] option when setting up pfSense so I assume they were recognized and communicating.
There aren't any switches or hubs, but there is a connector to lengthen the LAN cable which could be eliminated with a little rearranging.
If it matters, I can ping both Google and my computer from the firewall box.
rI0 is a Realtek, and vr0 is a D-Link using Via drivers.
I probably should get a crossover cable just to have one handy, and was planning to get better NICs to improve throughput anyway. If you've got any recommendations for some budget cards, great.
Thanks again.
-
Ah Ok. If you can ping both the client and Google from the pfSense console then both NICs are clearly connected correctly.
How is the IP address of the client configured? Is it assigned via dhcp from pfSense?
I take it you can't ping the pfSense box from the client?
If you don't need gigabit speeds it's hard to beat second hand Intel pro100 cards.
Steve
-
Is the Client IP configured through pfSense? I don't remember seeing any settings for that. I can go to the modem settings @ 192.168.1.1 and set LAN and WAN, but everything there is back to default values now.
Is there somewhere I was supposed to set that up and missed it somehow?
Just for fun I reinstalled pfSense and reversed the roles of the NICs. Didn't help.
Can't ping anything from Client when the firewall's hooked up.
Going to look for some cards now…
-
The modem setup appears to be correct since it is giving an address to the pfSense WAN address and pfSense can ping google.com.
The pfSense LAN interface will usually hand out addresses to anything that is connected to it via DHCP. It's been a while since I did an initial install but I believe you are given a choice something like 'enable dhcp on LAN?'. If you chose not to run dhcp on the LAN interface and have instead configured the client computer manually there may be a mistake. If you have enabled DHCP on LAN and the client is correctly receiving its address from pfSense then that shows some communication is taking place.
Steve
-
The console menu, option 2, is "Set Interface IP address"
[Enter IPv4 address]
[Subnet Mask]
[Enable DHCP?] --->I've been saying "n"<---
If "y" then it wants a start address of the client address range
Course, I've got almost no idea of what all that means. ;)
-
Ah, this is good!
So what is the client computer's IP address currently? I assume you entered that directly?
At that prompt enter 'y' and then set a range of addresses you want to use for clients. Since you only have one client this is not important. Assuming the LAN is still 192.168.2.1/24 you could use:
Start address: 192.168.2.11
End address: 192.168.2.20
This allows for up to 10 clients, you can change that at any time later though.
Now in order for this to make any difference you need to set the client computer to obtain its IP address automatically via DHCP. Is it a Windows box?
Steve
-
Yes, Win7 box.
I'm unsure about how to answer your question of setting the client IP address. As far as I know, that was automatic. I didn't set anything.
The LAN is still 192.168.2.1
I can get to the modem configuration via 192.168.1.1 and it lets me set address and submask. No DHCP.
-
Found the client DHCP settings through 192.168.1.1
DHCP: On
Beginning IP Address: 192.168.1.64
Ending IP Address: 192.168.1.254
Subnet Mask: 255.255.255.0
Lease Time: 86400
Domain Name: domain_not_set.ir
DNS Dynamic or Static (Dynamic selected)
DNS Server 1: Blank
DNS Server 2: Blank
-
Windows by default is set to obtain an IP address via dhcp so if you haven't changed that and manually configured an address it should get an address from pfSense in the specified range. You may have to trigger it to ask for an address though by disconnecting/reconnecting the cable or rebooting. If it fails to find a dhcp server Windows will assign itself an address in the form 169.254.X.X. This is bad!
The modem is working fine, handing an address to pfSense, so don't change anything there. An interesting point though is where are you accessing the modem from? If it's from the Win7 machine through pfSense then you should be good to go.
Steve
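Added example, not part of any post in this thread: a small Python check of the two conditions discussed above, whether the WAN and LAN interfaces sit in overlapping subnets, and what the client's address says about where it got its lease. The addresses are the ones quoted in the thread; the function names and labels are illustrative assumptions.

```python
import ipaddress

# Values quoted in the thread; names below are illustrative, not pfSense's.
MODEM_LAN = ipaddress.ip_network("192.168.1.0/24")    # modem's DHCP side
PFSENSE_LAN = ipaddress.ip_network("192.168.2.0/24")  # suggested pfSense LAN
DHCP_POOL = (ipaddress.ip_address("192.168.2.11"),
             ipaddress.ip_address("192.168.2.20"))


def interfaces_conflict(wan_cidr, lan_cidr):
    """True when the WAN and LAN interface addresses share a subnet."""
    wan = ipaddress.ip_interface(wan_cidr).network
    lan = ipaddress.ip_interface(lan_cidr).network
    return wan.overlaps(lan)


def classify_client(addr):
    """Label the address a client reports in ipconfig."""
    ip = ipaddress.ip_address(addr)
    if ip.is_link_local:                      # 169.254.0.0/16
        return "apipa"                        # no DHCP server answered
    if DHCP_POOL[0] <= ip <= DHCP_POOL[1]:
        return "pfsense-dhcp"                 # lease from the pfSense pool
    if ip in PFSENSE_LAN:
        return "pfsense-lan-static"           # right subnet, set by hand
    if ip in MODEM_LAN:
        return "modem"                        # client is cabled to the modem
    return "other"                            # outside both subnets


if __name__ == "__main__":
    # Original setup: WAN leased 192.168.1.67, LAN set to 192.168.1.2/24.
    print(interfaces_conflict("192.168.1.67/24", "192.168.1.2/24"))
    # Suggested setup: LAN moved to 192.168.2.1/24.
    print(interfaces_conflict("192.168.1.67/24", "192.168.2.1/24"))
    # Constructed sample client addresses.
    for sample in ("169.254.10.20", "192.168.2.11", "192.168.1.64"):
        print(sample, classify_client(sample))
```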
-
I've set the pfSense address range per your directions. Should I reboot both boxes now?
-
You shouldn't need to reboot the pfSense box (almost ever!) but if you do, make sure it's up and running before the windows box tries to get its address.
You said you could ping the client computer earlier. What address were you pinging it on?
Steve
-
xxx.13.128.32
Not that I don't trust the folks here. Just policy. ;)
-
Hmm, now I'm confused. :-
I assume that is a public IP which is why you have sensibly redacted part of it. How did your Win7 machine get that address?
Steve
-
> How did your Win7 machine get that address?
Maybe it didn't. Maybe xtek was pinging that address and thought the response was coming from the windows machine.
-
When I hook up the firewall cables to the modem and Win box, I don't have any internet. So to post here, I have to disconnect from the firewall LAN and plug back into the modem. Then I can post here and determine my IP.
Hope that's not a problem.
-
I'm running a Firefox addon that shows my windows box IP, and I verified it through an online tool too.
-
I'm looking at getting 2 of these cards from eBay to replace the antique ones I'm using now. Any thoughts?
Intel PRO/100 S PCI RJ-45 Fast Ethernet Network Adapter LAN Like New PILA8460C3
And - is a crossover adapter as functional as buying a crossover cable? It's a lot cheaper and I've got extra Cat5e cables.
-
> I'm running a Firefox addon that shows my windows box IP, and I verified it through an online tool too.
That might show the user's view of your IP (the public IP of your modem) rather than the actual IP of your computer. Because of the limited number of IPv4 addresses most home users access the Internet through a NAT (Network Address Translation) box so the private IP address space (192.168.0.0 to 192.168.255.255 among others) can be reused.
In Windows start a command prompt window and give the command
```
ipconfig
```
-
Sorry about that. All this IP/WAN/LAN stuff is mostly new to me. Ipconfig says 192.168.1.64.
It sounds like we're back to a problem with one or both of the cards I'm using. I'm going to order a couple replacements tonight and we'll try again when they come in. wallabybob, I do appreciate the input you and stephenw10 have given me.
Xavier
-
> Sorry about that. All this IP/WAN/LAN stuff is mostly new to me. Ipconfig says 192.168.1.64.
Is that with the Win7 box connected to the modem?
> It sounds like we're back to a problem with one or both of the cards I'm using. I'm going to order a couple replacements tonight and we'll try again when they come in.
Let's get your pfSense configuration right first. There are a few important details that are unclear to me. Have you changed your pfSense LAN interface to 192.168.2.1/24 with DHCP enabled? Did you reboot after that change? (It has been my experience a reboot is sometimes necessary for a "major" configuration change to take effect.) If you then connect your Win7 box to the pfSense LAN interface does it get an IP address in the DHCP range you configured? If not, what address does it get?
-
Ah! This is making a lot more sense this morning. :)
Steve
-
> Is that with the Win7 box connected to the modem?
Yes
> Have you changed your pfSense LAN interface to 192.168.2.1/24 with DHCP enabled?
Yes
> Did you reboot after that change?
Yes
> If you then connect your Win7 box to the pfSense LAN interface does it get an IP address in the DHCP range you configured?
Yes, 192.168.2.11
-
> If you then connect your Win7 box to the pfSense LAN interface does it get an IP address in the DHCP range you configured?
> Yes, 192.168.2.11
Good. You must have physical communication between your Win7 box and the pfSense box.
On the Win7 box, in a command prompt window, please type the following commands in turn and report if you get a ping response. If there is no ping response please report what ping reports:
```
ping 192.168.2.1
ping 8.8.8.8
ping www.google.com
```
These will help determine if you have basic connectivity to the Internet and if you have a correctly configured Name Server.
-
I just refreshed all the LAN/WAN settings we've discussed, rebooted, and… success! pfSense is running and I'm able to access the browser menu and have internet access.
-
Now that I can access the browser menu, do you guys have any recommendations on a setup guide? I've watched a couple YouTube videos but they seemed more oriented toward networked systems.
Thanks a bunch. I'd never have figured all that stuff out.
-
I'm glad you have it working now.
There is a variety of setup guides, how-tos and faq at http://doc.pfsense.org
Can you be more specific about what you're looking for in a setup guide? What level of knowledge should the setup guide assume?
-
Nice. :)
So just to clarify this I read back through the thread and it looks to me as though it should have started working once you had enabled DHCP on the pfSense LAN interface. The only thing that has happened since is that you rebooted the box, something that I said shouldn't be necessary but Wallabybob recommended. Does that sound right?
Also I can see that I made some assumptions early on that turned out to be wrong. A lesson for me there I think.
> Now that I can access the browser menu, do you guys have any recommendations on a setup guide?
I'm not quite sure what you are asking for here. The first time you access the webgui you are presented with a wizard for setting up all the basic requirements for a firewall/router. The default setup is to allow all traffic from the LAN side out onto the internet and to block any new connections from the internet to your internal machines. You can change this by adding appropriate firewall rules if or when you need to.
There are two things I would recommend you change.
In the web interface go to Interfaces: WAN: Because your WAN interface has a private IP address, 192.168.1.X, you should un-check the setting 'Block private networks' at the bottom of that page.
Go to System: Advanced: In the 'Secure shell' section, check 'Enable Secure Shell'. This will take a few moments. Doing this will allow you to connect to the pfSense console via SSH using, for example, Putty in Windows. This means you can access the box from another room etc and also copy and paste from the console window which can be very useful.
A further change would be to try to move your public IP address from the modem WAN interface to the pfSense WAN interface. This can be achieved by putting the modem in bridge mode and connecting via PPPoE directly from pfSense. It makes things like port forwarding far easier and avoids double NAT. I wouldn't recommend you try this straight away though! ;)
Steve
-
I'm comfortable with Windows, command line, and most hardware but the whole networking area is new to me. So for our purposes here, I'd say a novice guide would be appropriate.
@stephenw10 - sorry about that confusion, my blunder on the IP.
Thanks again to wallabybob and stephenw10 for the assistance. I'm very happy pfSense is functional and looking forward to learning how to set it up.
-
No need to apologise. Like I said I made some incorrect assumptions that came back to bite me. ;)
It would be nice to know if you think that rebooting the pfSense box was the only further change required though.
Steve
-
I think that when we set the proper LAN address range and enabled DHCP it would have worked. This morning I simply went back through the steps you and I had previously discussed to be sure I hadn't made a mistake, and then rebooted the console. So yes, I believe rebooting made the difference. The tip off was when the console boot didn't hang for a couple minutes trying to reach the time server.
-
> The only thing that has happened since is that you rebooted the box, something that I said shouldn't be necessary but Wallabybob recommended.
My experience has been that things like moving a subnet from one interface to another and deleting a conflicting subnet from an interface seem to require a reboot to take effect. They are probably not things experienced users do regularly.
> Also I can see that I made some assumptions early on that turned out to be wrong. A lesson for me there I think.
Often problems are reported with inadequate information so it is necessary to make some assumptions to get started. After a few request/reply exchanges with nothing conflicting with the assumptions it's easy to forget that the starting point was assumptions.