LAN GUI not accessible!
-
pfsense is making me cry! :'(
I have pfsense running in a virtual box as a WAN firewall and it's all set up securely, although when I try to access it through my LAN settings (via a different virtual box), I am unable to access the GUI via the LAN.
However, upon running a diagnostic, Windows tells me that the server is online but can't be accessed. I've tried pinging my pfsense through my other virtual machines and the ping is not reachable even though the server is online!
My Disable webConfigurator anti-lockout rule is disabled so by all accounts, according to the settings, it should be working.
When this is unchecked, access to the webConfigurator on the LAN interface is always permitted, regardless of the user-defined firewall rule set. Check this box to disable this automatically added rule, so access to the webConfigurator is controlled by the user-defined firewall rules (ensure you have a firewall rule in place that allows you in, or you will lock yourself out!) Hint: the "Set interface(s) IP address" option in the console menu resets this setting as well.
I know this is limited information but if anybody has any ideas I would greatly appreciate them as I'm about to tear my eyeballs out!
-
You can check the firewall logs via the console to see if your requests are being blocked.
clog /var/log/filter.log
Are you able to access the webgui via the WAN though? It looks like you must be able to to check the anti-lockout rule status.
Otherwise I'd be looking for a routing problem such as an incorrect subnet mask or a bad gateway.
Steve
-
I'm confused as to how it can be a firewall rule problem since I can access the webgui via the WAN without any issues at all, and as for my subnets, they are all running on 24.
-
There are different firewall rules for WAN and LAN. You may have blocked access to the webgui from LAN. Without seeing your rules I have no idea.
By default anything connected to the LAN interface should be able to access the webgui so if you haven't made huge changes to the rules then it's probably not the firewall. That said by default you should not be able to access the webgui from WAN so you must have made some changes. The only exception to that is if only one interface is assigned. I'm assuming you have at least two interfaces though.
Are you running static IPs or DHCP? If it's static then are you sure the clients are actually connected to the pfSense LAN? Since you're running virtual it's an easy enough mistake to choose the wrong virtual switch.
More info please. ;) Screenshots are always useful.
Steve
-
I wasn't at a location where I was able to access the information to get screenshots until now.
From the screenshots attached you can see that Anti Lockout and GUI Redirect are disabled so it should be permitted and via any port since it's allowed access to port 80.
My LAN firewall rules include LAN –> ANY and ANY --> LAN.
189/24 is my DHCP WAN setup and the rest are rules through a static ip virtual box system
Confused! :o
-
It seems strange that all your special rules, on LAN and WAN are about 192.168.1.0/24 addresses.
What is your LAN IP/mask and WAN IP/mask?
Maybe you are using the same (or overlapping) subnet on both LAN and WAN? That does not work.
-
Your firewall rules are confusing. Do you have pfSense setup as a transparent firewall?
You seem to have the same subnet on wan and lan.
Edit: typed too slow. What Phil said. ::)
Steve
-
My WAN is 192.168.1.189 and my LAN is 192.168.1.1
Is the issue because both the WAN and LAN ip are running from the same school of IPs?
-
Yes, every interface must use a completely separate IP subnet, e.g.
WAN keep 192.168.1.n/24
LAN use 192.168.2.n/24
This problem happens a bit when you sit pfSense WAN on an existing private LAN - the existing private LAN is often already 192.168.1.n/24 and then the pfSense LAN defaults to the same subnet.
-
Yes. In the normal configuration, routing or NATing, the WAN and LAN must be in different subnets. The only way they can be in the same subnet is if they are bridged, a transparent firewall setup.
With both in the same subnet the replies to your lan side clients are probably going out the wan since their IPs appear to be reachable there.
Steve
Ah, too slow again!
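-
An added example, not part of any post in this thread: a short Python check of the point made in the two replies above, using the WAN and LAN addresses the original poster gave. The client addresses 192.168.1.50 and 192.168.2.50 and the function names are constructed for illustration.

```python
import ipaddress

def overlapping_interfaces(ifaces):
    """Return sorted pairs of interface names whose connected subnets overlap."""
    nets = {n: ipaddress.ip_interface(a).network for n, a in ifaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def candidate_egress(ifaces, dest):
    """Interfaces whose connected subnet contains dest.

    More than one name means the firewall cannot tell from the address
    alone which side a reply belongs on, so it may leave the wrong port.
    """
    ip = ipaddress.ip_address(dest)
    return sorted(n for n, a in ifaces.items()
                  if ip in ipaddress.ip_interface(a).network)

# Addresses from the thread: before and after the LAN was renumbered.
BROKEN = {"WAN": "192.168.1.189/24", "LAN": "192.168.1.1/24"}
FIXED = {"WAN": "192.168.1.189/24", "LAN": "192.168.2.10/24"}

if __name__ == "__main__":
    # Constructed LAN client addresses, one per layout.
    for label, ifaces, client in (("broken", BROKEN, "192.168.1.50"),
                                  ("fixed", FIXED, "192.168.2.50")):
        print(label,
              "overlaps:", overlapping_interfaces(ifaces),
              "reply to", client, "may leave via:",
              candidate_egress(ifaces, client))
```
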
-
So now I've changed the IPs to
WAN is still 192.168.1.n/24
LAN is now set to 192.168.2.10/24
Changed my LAN interface IP to 192.168.2.10 within the WAN webgui and now if I ping 192.168.2.10 - I get transmit failed, general failure 100% loss
-
Where are you pinging from?
Are you using DHCP?
Steve
-
Where are you pinging from?
Are you using DHCP?
Steve
I have Windows 7, Windows 8.1, Kali Linux and Backtrack Linux running in virtual boxes linked together with an internal adapter through my university's physical network.
The aim is to set up pfsense so it can be run by the WAN (the physical university network) which I have done, and ALL the virtual boxes via LAN, which is what I am struggling to get working.
So if I load any of my virtual boxes and try to ping the LAN IP address of pfsense, it either gives me request timed out or transmit failed, general failure both with all 4 packets lost and thus 100% loss.
My WAN is running through the university's DHCP setup and the LAN is running via a static IP address
-
You will have to change the IP of all the VMs in LAN to be in 192.168.2.0/24 also - or if they are using DHCP from pfSense LAN then make sure the DHCP settings have a new range in 102.168.2.0/24 and then get each VM to release/renew its lease.
-
Are you confident you have the virtual box setup correct?
Steve
-
Are you confident you have the virtual box setup correct?
Steve
Yes, my virtualboxes are all set up correctly, I am just about to head to where the system is based and try changing the IPs of all the virtual boxes
-
Apologies for not getting the time to respond to this until now.
As of right now I have updated my LAN IPs so they are on a separate subnet to the WAN and the webgui now works both via LAN and WAN which is the problem I was having.
However, I still have no internet access within my virtual network.
Although if I attempt to ping out from my virtual box to any system within my university's physical network it works perfectly fine, but when I try to ping into my virtualbox from the physical network I get nothing.
So my outbound rules seem to be working, but for some reason I have nothing incoming which I am fairly sure is the reason for having no internet.
I have no gateway setup, I've checked that WAN is my default option and I have my NAT set to automatic, although it's not generating the rules for me, the table is empty
-
I have no gateway setup, I've checked that WAN is my default option and I have my NAT set to automatic, although it's not generating the rules for me, the table is empty
You must have at least one gateway setup. When outbound NAT is set to automatic it sets rules (that don't appear in the table) to nat between internal interfaces and external interfaces but it needs to see gateways set to determine which interfaces are 'WANs'.
Steve
-
The problem is in his reply…
"I tried to access it via a different virtual box and couldn't"
He doesn't understand networking yet. Much less networking with VMs.
Seems like he doesn't understand VM nets, bridged nets and why a vm running in an entirely separate instance of virtual box can't access the lan of his virtualized pfsense.
-
The problem is in his reply…
"I tried to access it via a different virtual box and couldn't"
He doesn't understand networking yet. Much less networking with VMs.
Seems like he doesn't understand VM nets, bridged nets and why a vm running in an entirely separate instance of virtual box can't access the lan of his virtualized pfsense.
Thanks for the extremely useful response!
As it happens I am well aware of how VMs, bridged nets and WANs work and that Virtual Boxes are all completely separate from each other. I simply meant that I had tested it on multiple VMs to make sure it wasn't just something really obvious like a shell command or firewall rule I had allocated to one IP address and forgotten to allocate to another one.
It's people like you that give these places a bad name, if ur not gonna respond with useful information, just don't bother to respond at all
–--------------------------------------------------------------------------------------------------------------------------------
@stephennw10
I am heading into Uni in roughly 3 hours from the time of this post, I will get screenshots of my LAN, NAT and such for you and attach them to a post