Opt interface cannot access internet
-
I tried changing the rule to Opt1 Subnet to any, and nothing changed. If I switch outbound NAT to manual, what impact would that have on the rest of my outbound traffic (from LAN)?
When you switch to manual, the automatic outbound NAT rules will be put in the manual list. So you don't lose any existing settings, and you get to see what the automatic thinks it was doing. I expect you will see Opt1-WiFi rules when you click on "manual", because pfSense should think that OPT1 is a LAN-style interface and be NATing it.
-
Hey Phil,
I switched it to manual and don't see a single Opt1-Wifi rule. I attached a screenshot. This is so frustrating… >:(
-
Your optwifi is same network as your lan? 10.0.0.0/24?
And looks like your opt2 is also on this 10.0.0.0/24 network?
Yeah thats not going to work!!
-
Johnpoz,
I didn't realize OPT2 was setup on the same network. That's fixed now.
What do you suggest the network for the optwifi interface should be, if this is causing the problem?
-
What do you want your network segments to be - that is up to you..
if your using 10.0.0.0/24 for your lan, how does 10.0.1.0/24 sound for opt1 and then 10.0.2.0/24 for opt2, etc.. Keeps it easy.
I personally use
192.168.1.0/24 lan
192.168.2.0/24 wifi
192.168.3.0/24 dmzwhere the pfsense interfaces are .253 in each segment.. I use .253 because .254 and .1 are common default IPs for many different types of hardware.. So I don't have to worry about conflicts if I plug something in. On my wifi segment my 2 APs are at .252 and .251
-
John,
Everything was working correctly, until the server realized that the wireless interface was setup to handle DHCP requests, even though I had the firewall rule setup to deny any access to the LAN subnet. I don't have DHCP enabled on the LAN interface, it's handled through windows SBS 2011. Is there any way around this?
-
Anyone know a way so the server connected to the LAN, responsible for handling DHCP requests, won't see the Opt1 interface as a DHCP server? As soon as the server realizes the opt interface isn't authorized as a DHCP server, it stops the service and kicks everyone connected to the LAN offline. I have a firewall rule on the opt interface to block any traffic from entering the LAN, but that didn't help.
-
Ya lost me.. So you have a dhcp server on lan that is not pfsense? And you want or don't want to serve up dhcp on optX of pfsense?
You can leverage your 1 dhcp server on lan to serve up dhcp to all your pfsense segments via dhcp relay in pfsense. Or you could use lan dhcp server to serve up dhcp on lan, and then pfsense or other dhcp servers to serve up dhcp on your other segments.
There should be no reason that a dhcp server should be seeing broadcasts for dhcp from your other segments unless you have bridging enabled on your pfsense interfaces or have enabled dhcp relay.
Can you draw out your network and placement of your dhcp server(s) and what exactly you want to accomplish.
-
Sorry Johnpoz,
That is correct. I'm running Windows SBS 2011, with Active Directory and DHCP server amongst other roles. The only way the OptX interface will work if I isolate it from the LAN, is if I enable that interface as a DHCP server. Otherwise, it won't get an IP address that can connect to the internet. I setup a rule on the Optx interface to pass any packets with a destination that is NOT the LAN subnet. However, SBS saw the 10.0.1.0 subnet and shutdown DHCP server service on the server even with that rule in place (Since pfSense is not an "authorized" dhcp server). I don't have bridging enabled or dhcp relay enabled.
DHCP is disabled on all interfaces, and my switch is NOT vlan capable (if that matters).
Here's the network, placement of my DHCP server, and what I want to accomplish…
-
What?? What is the error you got on your dchp server exactly.. Can you post the info from your event log on why it shutdown?
If you have a rule on your optx interface to not pass traffic to lan.. How would it see anything from the lan, let alone broadcast packets for dhcp?
Does not seem logical to shutdown dhcp services because you see a non authorized dhcp server?? That makes no sense at all..
-
The error i got on the DHCP server was event 1053. The DHCP service encountered another server on this network with IP address 10.0.1.0.
I think I may have just found the problem, let me know if this sounds right. Before I started this, there were 2 access points, configured as a bridge. The first one, which I changed the IP to 10.0.1.254, is directly connected to the opt interface. I configured the second one with an IP of 10.0.1.253, and is configured as the child access point. However, that access point is connected to one of the LAN ports on the switch. I'm guessing that's the issue right there… if it is, i just realized it, and i want to jump off the building haha
-
Yeah that sounds more likely than a dhcp server on pfsense that should not have anything to do with your addresses on your lan.
So your using
10.0.1.0/24 as Lan
10.0.2.0/24 as ?
10.0.?.0/24 as ?
etc..An AccessPoint should NOT run dhcp in the first place.. Now if you connected some wireless router and forgot to turn off its dhcp server than ok that could be a problem of duplication of services on the same segment or even duplicate IP even if not configured correctly.
edit: when you say configured as a bridge for your AP.. What devices are you using exactly. Any wireless router can be used as AP.. It already is a bridge between its lan ports and its wireless ports. You just need to disable its dhcp and connect it via one of its lan ports to be used as AP. Some devices allow you to bridge the wan interface into the bridge between the wireless and lan ports so you don't loose a port when used as AP, etc. Is that what you did? Otherwise I don't quite get the use of bridge term for your APs.
-
I'll have to try after business hours to make sure that was what the problem was.
10.0.0.0/24 as LAN
10.0.1.0/24 as OPT-WiFiI'm using two netgear access points. One WAG102 and one WG302. In each access point, you can enable "Wireless bridging and repeating", then select the option to setup a "Wireless point-to-point bridge", specifying the MAC address of the other access point. Just need to make sure you use the same SSID/Channel/Security.
Oh, and I just realized, LAN is bridged with OPT3. This configuration was copied from a Juniper SSG5. I don't even remember setting that up, that's why I said it wasn't enabled. However, the OPT3 interface has no IP assigned and is just connected to one of the ports on the back of the DHCP server in the 10.0.0.0/24 Subnet.
-
Johnpoz,
With only one access point hooked up directly to the WiFi interface, and a rule set on that interface to pass any traffic except to the LAN subnet, the server still stopped the DHCP service. I attached a screenshot of the error. Also, in the system log, in the DHCP tab there were several requests logged, such as this one:
Oct 10 18:31:51 dhcpd: DHCPINFORM from 10.0.0.51 via em0: unknown subnet for client address 10.0.0.51
em0 is the Opt interface. The client, in this case 10.0.0.51, is wired directly to the LAN. I connected a laptop to the access point connected to the opt interface and it assigned the correct IP (in the 10.0.1.0 subnet).
Any ideas?
-
" OPT3 interface has no IP assigned and is just connected to one of the ports on the back of the DHCP server in the 10.0.0.0/24 Subnet."
What – so how many interfaces do you have connected to pfsense from 1 server? And this is bridged with your lan interface??
Dude it really sounds like you one messed up configuration.. It should not be possible for em0 to be seeing packets from a device on the 10.0.0 network if its on the 10.0.1 network.. So either your running different address space over the same wires or you have something bridged that should not be.
I have concerns if you have multiple interfaces in this dchp server connected to multiple ports on pfsense and then you have opt3 bridged to lan??
As to your dhcp error?? Does your dhcp server have address 10.0.1.0 ?? That is not a valid IP if using a /24 mask.. Now if you were using say 10.0.0.0/23 as your network than 10.0.1.0 is a valid address.
You stated your addresses are
10.0.0.0/24 as LAN
10.0.1.0/24 as OPT-WiFiIf that is the case than 10.0.1.0 is not a valid IP to be used by a host.
If you don't mind I would be happy to team viewer in and take a look.. You got something wrong!!
-
I double checked the bridge interfaces and as soon as I enabled OPT1 interface it was automatically assigning it to the bridge between LAN/OPT3. I took that OPT1 interface off and so far DHCP on the server is good. I don't know why it would automatically assign it as bridged, unless I did that a long time ago playing around with pfSense.
There are only 2 interfaces connected to pfSense from the server. LAN (from the switch), and OPT3. The OPT3 interface is for VMWare. It has the IP for management traffic and has rules to only allow LAN traffic.
I really think this whole problem had to do with that bridge I didn't see. The DHCP server is in the 10.0.0.0/24 subnet, the opt-wifi is 10.0.1.0/24.
I'd love for you to take a look. Is tomorrow ok? What timezone are you in?
-
Again you have this dhcp server with 2 connections? You most likely have rouge detection on with the MS dhcp server.. And it can yes shut stuff down.
Why does your server have multiple connection on different networks?
http://technet.microsoft.com/en-us/library/cc958931.aspx
Preventing Rogue DHCP ServersI am in Central, Chicagoland – Sunday is Football, so prob not have any time.. Monday should work.. Most likely anytime 9-5 works, send me a PM and we can take a closer look.