Run pfSense on a WatchGuard Firebox X700
-
So I assume the crossover cable goes in that port and the router goes in the external port?
-
Yes.
Actually the sequence is slightly different from a factory reset:
Valid interfaces are:

re0 00:90:7f:2e:90:d2 (up) RealTek 8139C+ 10/100BaseTX
re1 00:90:7f:2e:90:d3 (up) RealTek 8139C+ 10/100BaseTX
re2 00:90:7f:2e:90:d4 (up) RealTek 8139C+ 10/100BaseTX
re3 00:90:7f:2e:90:d5 (up) RealTek 8139C+ 10/100BaseTX
re4 00:90:7f:2e:90:d6 (up) RealTek 8139C+ 10/100BaseTX
re5 00:90:7f:2e:90:d7 (up) RealTek 8139C+ 10/100BaseTX

Do you want to set up VLANs first?
If you are not going to use VLANs, or only for optional interfaces, you should
say no here and use the webConfigurator to configure VLANs later, if required.

Do you want to set up VLANs now [y|n]? n

*NOTE* pfSense requires *AT LEAST* 1 assigned interface(s) to function.
If you do not have *AT LEAST* 1 interfaces you CANNOT continue.

If you do not have at least 1 *REAL* network interface card(s)
or one interface with multiple VLANs then pfSense *WILL NOT*
function correctly.

If you do not know the names of your interfaces, you may choose to use
auto-detection. In that case, disconnect all interfaces now before
hitting 'a' to initiate auto detection.

Enter the WAN interface name or 'a' for auto-detection: re0

Enter the LAN interface name or 'a' for auto-detection
NOTE: this enables full Firewalling/NAT mode.
(or nothing if finished): re1

Enter the Optional 1 interface name or 'a' for auto-detection
(or nothing if finished): re2

Enter the Optional 2 interface name or 'a' for auto-detection
(or nothing if finished):

The interfaces will be assigned as follows:

WAN -> re0
LAN -> re1
OPT1 -> re2

Do you want to proceed [y|n]?y

Writing configuration........done.
Updating configuration...done.
Cleaning backup cache...done.
Setting up extended sysctls...done.
Setting timezone...done.
Starting Secure Shell Services...done.
Setting up polling defaults...done.
Setting up interfaces microcode...done.
Configuring LAGG interfaces...done.
Configuring VLAN interfaces...done.
Configuring QinQ interfaces...done.
Configuring WAN interface...done.
Configuring LAN interface...done.
Syncing OpenVPN settings...done.
Starting syslog...done.
Configuring firewall......done.
Starting PFLOG...done.
Setting up gateway monitors...done.
Synchronizing user settings...done.
Starting webConfigurator...done.
Configuring CRON...done.
Starting NTP time client...Starting DHCP service...done.
Starting DNS forwarder...done.
Configuring firewall......done.
Generating RRD graphs...done.
Starting CRON... done.
Bootup complete

(pfSense.localdomain) (console)

*** Welcome to pfSense 2.0.2-RELEASE-nanobsd (i386) on pfSense ***

WAN (wan) -> re0 -> 192.168.111.15 (DHCP)
LAN (lan) -> re1 -> 192.168.1.1
OPT1 (opt1) -> re2 -> NONE

 0) Logout (SSH only)                  8) Shell
 1) Assign Interfaces                  9) pfTop
 2) Set interface(s) IP address       10) Filter Logs
 3) Reset webConfigurator password    11) Restart webConfigurator
 4) Reset to factory defaults         12) pfSense Developer Shell
 5) Reboot system                     13) Upgrade from console
 6) Halt system                       14) Enable Secure Shell (sshd)
 7) Ping host
The only difference is that LAN is automatically assigned 192.168.1.1
Steve
-
Thank you Steve. Still unable to get webgui, don't know what the heck is going on. Get the green lights, I've checked the IP config, that's correct, as in default gateway 192.168.1.1, but still can't webgui. I've tried typing 192.168 in Internet Explorer address bar, nothing, says problem. Don't know what the hell I'm doing wrong. Think I must admit defeat on this, go to the basics, software firewalls for Windows :'(
-
Well, I got into the webgui, however system froze and I lost it, so start again.
-
Ooops! Any idea why?
Nearly there. :)
Steve
-
No, I don't know. Focused more on getting pfSense working first, then I will sort out bugs on system. What I refer to as the server is just a storage machine so don't really use it that much, but need pfSense on WG X700 as I store everything on there, wedding photos etc, and I use wireless access points so I will have to sort them out after too. In fact I will have to redo my entire network as I had a different IP address, so will have to reconfigure that after, but that's not too much of a problem.
-
I don't want to complicate things any further but you would probably be better connecting your main client machine to the LAN interface and the server to OPT1. It doesn't make much difference in the long term but initially the LAN firewall rules are relatively relaxed whereas OPT1 will block everything.
Steve
-
Yeah, I know what you mean, just I have another box and another internet supply for that machine, as I have 2 internet supplies and 8 computers to link up to 2 WatchGuards in my home. 4 of the computers are wireless so that won't be too hard, just need to get the main 2 sorted and the firewalls.
-
Ok, following on from your PM, best to keep this on the forum where others can benefit or contribute.
Yes you will need to change one of those subnets as they are conflicting. There is no point in trying anything else until you do because the conflict will cause meaningless results only confusing matters further.
I suggest you change the pfSense LAN address rather than the modem because if you ever have to reset the modem it would re-create the conflict.
At this point I am assuming you do not have access to the console menu via the X700 serial port. It is very useful to have that because you can always get back into the box that way if you accidentally lock yourself out of the webgui but it isn't necessary. To work around the serial port quirk from the webgui do this:
Go to Diagnostics: Command Prompt: and type in the Command: box
echo 'console="comconsole"' >> /boot/loader.conf.local
Click 'Execute' then type
echo 'comconsole_speed="115200"' >> /boot/loader.conf.local
Click 'Execute'.
Reboot the X700 and change your serial terminal baud rate to 115200bps. You should now see the console menu. :)
As I say you don't have to do that but may help later.
To change the LAN subnet in the webgui go to Interfaces: LAN:
In the section marked 'Static IPv4 configuration' change the IP address to something other than 192.168.1.1/24. For example you could use 192.168.100.1/24. Leave everything else as is. Click 'save' but DO NOT click 'Apply changes'. As the message says you have to change the DHCP range to agree with your new LAN settings.
Go to Services: DHCP Server: LAN: (there may only be one tab at this point and LAN will be first anyway)
Change the 'Range' fields so they are inside your new LAN subnet, so for example 192.168.100.10 to 192.168.100.50.
Click 'save'.
Go back to Interfaces: LAN: and click 'Apply changes'.
You should now be able to connect on the new IP address once you have told your Windows box on LAN to request a new IP (or rebooted it). Sometimes with big changes like this it's necessary to reboot the pfSense box for the changes to fully apply so try that if it's not working.
Now you can connect your modem and you should have internet access.
Since your modem is using PPPoE you may be able to put it in bridge mode and use pfSense to connect directly. This removes any limitations the modem may be introducing and puts your public IP on the pfSense WAN interface. Who is the ISP(s)?
Also since you have two DSL connections you could put both of them on the X700 and do load-balancing or fail-over. Just a thought for the future. ;)
Steve
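
A pre-flight check for the renumbering described in the post above, added here as an example and not part of the original post: it flags a WAN/LAN subnet overlap and a DHCP range that falls outside the LAN subnet. The function name is hypothetical, and the modem-side WAN address 192.168.1.2/24 and the old 192.168.1.x DHCP range are constructed sample values.

```python
import ipaddress


def check_lan_plan(wan_addr, lan_addr, dhcp_start, dhcp_end):
    """Return a list of problems with a WAN/LAN/DHCP plan (empty list = OK).

    Hypothetical helper for illustration; IPv4 only. wan_addr and lan_addr
    are interface addresses in CIDR form, e.g. "192.168.100.1/24".
    """
    wan = ipaddress.ip_interface(wan_addr)
    lan = ipaddress.ip_interface(lan_addr)
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)
    problems = []

    # Same subnet on both sides of the firewall: routing becomes ambiguous.
    if wan.network.overlaps(lan.network):
        problems.append(f"WAN {wan.network} and LAN {lan.network} overlap")

    # Both ends of the DHCP pool must be usable hosts inside the LAN subnet.
    reserved = (lan.network.network_address, lan.network.broadcast_address)
    for label, addr in (("start", start), ("end", end)):
        if addr not in lan.network:
            problems.append(f"DHCP {label} {addr} is outside LAN {lan.network}")
        elif addr in reserved:
            problems.append(f"DHCP {label} {addr} is a network/broadcast address")

    if start > end:
        problems.append("DHCP range start is above its end")
    # The pool must not hand out the firewall's own LAN address.
    if start <= lan.ip <= end:
        problems.append(f"DHCP range includes the LAN address {lan.ip}")
    return problems


if __name__ == "__main__":
    # Constructed sample values: the modem is assumed to hand pfSense
    # 192.168.1.2/24 on WAN; the 192.168.100.x values are the post's examples.
    wan = "192.168.1.2/24"
    plans = {
        "defaults": (wan, "192.168.1.1/24", "192.168.1.10", "192.168.1.50"),
        "LAN saved, DHCP not yet": (wan, "192.168.100.1/24", "192.168.1.10", "192.168.1.50"),
        "finished": (wan, "192.168.100.1/24", "192.168.100.10", "192.168.100.50"),
    }
    for name, plan in plans.items():
        print(name, "->", check_lan_plan(*plan) or "OK")
```

The middle case is the state between clicking 'save' on the LAN page and updating the DHCP range, which is why 'Apply changes' is held back until both agree.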
-
Thank you for your reply. I have changed the LAN IP address, however I see the diagnostic icon on the top right-hand side of the webgui but I can't click on it, the same with all of them. Only one I can click on is System, that's it. Very strange indeed.
-
Oooh, I forgot to mention the ISP provider is a company called talktalk.net in the United Kingdom.
-
Hmm, that is strange. The webgui uses javascript for the menus, they should appear beneath the titles when you mouse-over them, perhaps you have that disabled in your browser?
I am familiar with TalkTalk. I've spent hours on hold waiting for their legendarily terrible customer support! ::) Perhaps I was just unlucky.
I take it you have their fibre option if you're using PPPoE? With the separate Openreach modem?
Steve
-
I'm on the 16mb. I'm using TalkTalk on 1 internet but 100mb on Virgin on the other, but for the Firebox I'm using 16mb as that's just for updating, that's all, and the TV till my contract runs out. Diabolical customer service, and their level 2 techies couldn't solve a problem if they had the answers in front of them.
-
:D Perhaps I wasn't just unlucky then.
So your Virgin connection is PPPoE?
It doesn't matter at this point really. Just thinking ahead.
Steve
-
I think so, yes, however I'm only focusing on getting the TalkTalk on the Firebox at the moment.
I've checked the JavaScript and made sure it was enabled in Internet Explorer and it is on, so I'm lost at this point.
-
Try Firefox or Chrome.
If you can click on System you can go to General Setup and change the theme. If you choose the theme 'pfsense' it has fixed menus down the side.
Steve
-
I can't seem to get on the webgui again, think I will start from scratch >:(
-
I got the console working right via Google so now I'm ready to try and sort this out.
-
Hi all, I got the internet on then it went off. I got the console working finally, just rebooting it now. Just a bit stuck as to why the internet went off, any ideas??
-
Oooh, I forgot to mention I got SSH enabled now and I'm trying to get the screen working also.