USB to Ethernet Adapter NOT working
-
I always warn people away from USB ethernet with pfsense.
I'll fix it for you: I always warn people away from USB ethernet**.**
-
In fact, thats more true.
-
I agree with the above comments (mostly) ;) There are some people using usb ethernet without issues though.
What about it isn't working?
What is reported in the system log when you attach it?Steve
-
Most people eventually install some sort of hypervisor, install the usb ethernet fob and declare "victory" with their bastardized solution.
I mean yeah - it works… But not as well. Its probably going to nag them with poor performance for the next 5 years or so...
But hey, whatever saves $30.
-
when i plug it in i get
-
And you don't have a ue0 available for assignment in Interfaces > Assign??
-
i have my wan set to ue0.
so hours later of total stress and wanting to blow my brains out, comparing to a similar machine and set up now i can ping like 216.58.216.32 but i cannot ping google.com
also ive tried going into a web browser and putting 216.58.216.32 into it but nothing found. why can i ping it the IP but not go to it? -
Check your DNS. Don't blow your brains out.
-
ueX usually means USB ethernet adaptor
emX usually means motherboard/onboard ethernet adaptor.
X is the adaptor number, probably following hungarian notation ie starting from 0.
Do you want people on the internet accessing your pfsense login page to get access to your firewall?
Default rule AFAIK is, no access to the pfsense login page from the Wan side.
There is a default anti-lock out rule for the Lan interface, so you shouldnt lock yourself out of pfsense when you start editing your access rules.
Do you know what your lan ip address is, and have you tried that ip address in your browser from your lan?
-
are you talking about this?
ive got everything set up, i actually restored these settings from a fully functional, fully working machine. just changed the ip address
i still dont really get internet though. i can ping the IP but even with a DNS issue, shouldnt i be able to put 216.58.216.32 into a browser and pull up google.com?
im so confused.
-
You have a lot of VLAN interfaces. What is the WAN (ue0) interface connected to? How is it's IP set?
Steve
-
The VLANs are all what we have set up at another site. Each VLAN being their own suite in a business. But for now that's not the problem. Those VLANs are all working on the new machine, I have it hooked up to a switch and each port is getting its appropriate IP addresses and I've tested each port and I can ping websites IP addresses, but not their http addresses. Like I said I can ping 216.58.216.32 but not google.com, as far as the WAN goes I'll remote into one of the computers at the office and screen shot the WAN interface. Better yet, if you could send me an example of what your asking for then I can make sure I can screen shot the right stuff.
BTW, before anyone asks, the computer I am remoting into I have connected to the switch by ethernet, and have wifi connected to the router, that way I can remote into the system and take screenshots and make changes, only problem is, I can't check the changes, until I get back to the office in the morning
-
Where are you running the test pings from? Have you tried from the pfSense box itself? The dashboard screenshot shows the box is still obtaining the update status, does it ever go to 'you are on the latest version'?
Have you considered just running the WAN as a VLAN interface?
Steve
-
ok ive included a pic here of it saying that it cant check for updates.
and im guessing that what your saying is that i should open up shell on the box that im using and ping google.com and the IP address.
on my way home after having some time not working on it, my mind was able to clear up enough that icame to that idea, plus a couple other ideas, as well.
I also called someone to help me out with this and they suggested the same things.One of which being the fact that if some people were able to get usb to ethernet adapters to work, then i should find out what adapters they used, who knows. Just because im able to ping googles IP using the one i have doesnt mean its fully compatible.
Additionally i should basically say f*** the switch right now and connect straight to the box until i get everything working correctly on there, minimizing the variables.
So tomorrow im going to try pinging straight from the box, if that doesnt work im going to swap the interfaces on the box so the WAN will be re0, and then ill try pinging google.com.
im sure ill have to change some settings though, but ill cross that bridge when it comes. but if im able to ping google.com from the box when WAN is set to re0 then i know DNS is not the issue.I dont like this trial and error.
But til the morning i guess the only things that maybe you guys can help me out with right now, is
1-if you know of a USB to ethernet adapter that works then that information will be helpful. Im going to go through this forum and try to see if i can get that on my own as well but any help is appreciated.2-any other ideas on what to try will be great too. i already have a backup so anything i do, i can just simply revert it back if it doesnt work, its all trial and error at this point.
sorry for the long post, but wanted to make sure i didnt miss anything
-
Nice collection of VLAN interfaces.
You declared them all ?
If yes ….. pffff complicated network.
If not: remove all no-standard (recognized) hardware - reinstall - throw away current settings. -
i still dont really get internet though. i can ping the IP but even with a DNS issue, shouldnt i be able to put 216.58.216.32 into a browser and pull up google.com?
Not necessarily. If the first thing you get when you connect to http://216.58.216.32/ is a redirect to https://www.google.com/ it's not going to work unless DNS works.
DNS has to work. Until you verify it does, nothing you do will make any difference.
If you can ping 216.58.216.32 but can't ping by name, fix that.
-
I dont like this trial and error.
That's how you debug networks, but you can do it in a methodical fashion. You don't have to guess. Start at layer 1 (the physical link itself) and work your way up.
Is there link? Is the interface up/up?
Can you ping the other end of the link? No? Does it allow pings? Do you get an ARP entry for the destination IP?
Can you ping outside the network? say ping 8.8.8.8?
Can you resolve DNS names? Use proper tools for this like dig/drill or nslookup if you have nothing else.
If all that works, you are generally good to go. I, personally, think your USB ethernet is working and you have a DNS problem.
What are the DNS servers for the windows host in that screenshot (ipconfig /all)
-
I just got done doing 125 VLANs and I'm waiting for another machine to be delivered to set that one up as well. I'm on my way to the office right now. So i will try those things when I get there. All the VLANs I have on this machine I just need to change their names, I need about 75 for this one and about 150 for the next. Which is why I'm trying to learn this stuff now. Because I also know that in like 4 months there are 4 more that I will have to do. And as far as the time in between, who knows.
-
so when i got into the office this morning, i swapped the wires on the machine, so the the ethernet port was going to the router, and i pinged google.com and it worked perfectly, but i wasnt getting a response from the LAN side of it (at that moment i had LAN set up as ue0, the USB ethernet). So to ME, that says that it isnt a DNS problem, that its gotta be the adapter.
Anyone else agree?
-
OK. This is why I don't use USB ethernet.
-
The mcahine im setting up only has one ethernet port, so its the only option i really have, i cant run both WAN and LAN through the same because there would just be way to much traffic for that.
Trust me, if i had the option to pick the machine im setting up, it wouldnt be this one. but this is what my boss has me setting up, and that is why im here, for support on my problem, not to hear that this is why they dont use usb to ethernet adapters.
So any HELP with my current situation would be greatly appreciated.
Sorry if im coming off as a jerk, but it seems as though im getting nowhere on this project.
-
So, I just picked up a Belkin F4U047BT, i plugged it in and rebooted the machine, and everything works.
OMG so excited. -
Nice! :)
That's really the problem with USB ethernet adapters, with FreeBSD at least. One adapter gives endless trouble but looks like it should work. Another just works first time. There's no way to know in advance what an adapter might do. Manufacturers change chipset or fimrware versions frequently and don't label anything.
Don't think you're out of the woods yet though. Give it a few days/gigabytes to crash. ::)
How much traffic are you putting through it that you can't put the WAN on a VLAN but can use USB?
Steve
-
Just wondering - How much did that USB NIC cost you?
-
Im not exactly sure how much traffic will be on it, like i said earlier, my boss says do this, and i do it.
It costed $30 at BestBuy, i know that they are cheaper online, but its something i needed ASAP -
Tell your boss USB ethernet adapters suck. It you want to be a multi-tenant ISP, be one. If not, don't.
-
Derelict is right. USB Ethernet adapters suck. Even when you get them to "work" they still suck USB solution isn't cost effective.
Even after you have gotten this up and running, it still would be best to scrap it and make a proper pfsense than to use this one.
If you lived in a hut somewhere on the Serengeti Desert and only made $100ish a month, then I'd say its ok because its all you can manage.
A cheap old computer with a free PCI port + a Gigabit NIC to put in it cost about what you paid for the NIC.
It doesn't even matter if you get a USB solution functioning, its rarely if ever the right way to go.
-
I see USB's command some negativity, but I've yet to establish anything susbstansive and upto date regarding them.
Of the pfsense threads I read, most appear to be relevant to USB1 and the introduction of USB2, namely the USB2 doesnt provide the 480Mbps speeds, but with USB3 and continued development since USB2 was introduced, I'm not seeing any new complaints as various chips on the motherboards as well as usb nic have improved.
I've managed to find just one bug related to the USB/Ethernet I use (ax88772), which consisted of a script which constantly enabled/disabled the usb adapt until it eventually stopped responding, but eventually this came down to a fault elsewhere in the network with a different manufacturers card nic, in effect the USB nic was the recipient of someone else's bug.
That type of bug/situation is quite common in software development & hardware support, usually down to standards not being adhered to properly, which means in some instances some hw configs will just never work and/or some sw / hw configs will never work.
I'm just trying to be as informed as possible about the hw I'm already using as my mileage has been good since pfsense v2.1, sure I had problems with pfsense 1.2 and usb adaptors but that was freebsd8 (iirc) which is some time ago interms of development.
So what are the problems which are supposed to affect usb nic's?
TIA.
-
The biggest bug that all the USB NICs have is that they are not Intel PCIe NICs (-:
I'd say that Intel PCIe NICs are the best and USB is the worst.
USB is what you use when you have no other choice and are out of money, in which case, I'd say its better than nothing.
In your case, I'd recommend using your 1 built in NIC and a cheap VLAN switch.
-
OP must already have a VLAN switch since he has many VLAN interfaces defined. Just make one more for WAN and move on.
Now that that's solved, speaking of all these VLAN interfaces, are all these tenants really going to trust you to do their firewalling for them (I know I wouldn't. Nothing personal, it's just a "no way" no matter who it is) or are they going to all have firewalls of their own?
-
I shy away from any network equipment like nics & switches which come with remote management facilities, they attrack hackers no end and its often hard to even tell if someone is in management mode due to the need to not interrupt operations.
A usb nic often has no fancy remote access/management/whatever so should be less to worry about.
I'm happy with the speed but I cant get fibre where I am for another few years.
However I could use usb nics to control access to the pfsense box like a physical key.
I could assign a fixed ip to a usb nic based on its arp/mac id, add a rule to allow access to pfsense from the usb nic, block access to pfsense from everywhere else and that should make pfsense a little more secure in a different way.
I could have a second usb nic and repeat the above steps for a backup measure.
Provide the nic comes up automatically and works as required, that would make securing pfsense a novel way with a physical key and a password effectively giving you a sort of two form factor authentication.
I couldnt do that with intel nics or any other pci-e nic could I? ;)
Edit.
Possibly 3rd form factor authentication, if pfsense can tell what USB port its plugged into if a choice of usb ports exist.
-
I could use usb nics to control access to the pfsense box like a physical key
If you mean you could remove the USB NIC and only connect it when required then no, no you can't.
If you remove a NIC that is configured and assigned in the config file then the next time you reboot you will be dumped at the initial interface assign prompt. That is a problem with any easily removable NIC, if it's accidentally removed then the result can be very bad.Steve
-
USB NIC as a security dongle. Now I've seen everything.
-
I shy away from any network equipment like nics & switches which come with remote management facilities, they attrack hackers no end and its often hard to even tell if someone is in management mode due to the need to not interrupt operations.
That's what management VLANs and firewall rules are for.
A usb nic often has no fancy remote access/management/whatever so should be less to worry about.
Neither do "real" NICs.
However I could use usb nics to control access to the pfsense box like a physical key.
I could assign a fixed ip to a usb nic based on its arp/mac id, add a rule to allow access to pfsense from the usb nic, block access to pfsense from everywhere else and that should make pfsense a little more secure in a different way.
Except that anyone who wants in can get in by spoofing that MAC.
I could have a second usb nic and repeat the above steps for a backup measure.
You'd probably need one.
Provide the nic comes up automatically and works as required, that would make securing pfsense a novel way with a physical key and a password effectively giving you a sort of two form factor authentication.
I couldnt do that with intel nics or any other pci-e nic could I? ;)
Edit.
Possibly 3rd form factor authentication, if pfsense can tell what USB port its plugged into if a choice of usb ports exist.
With proper network design and firewall rules this is all a non-issue. My users cannot get at my pfSense interface, switch management interfaces, AP management interfaces, etc. And, no, I don't have any USB NICs on my network.
-
Ah, wait I see, you mean use the USB NIC at the client end to provide a different MAC?
As Derelict points out, probably easier to just spoof the MAC to something else when you want access. But no real additional security anyone could read the MAC and spoof it. If you're concerned about access from internal networks then setup a VPN server and put rules in to only allow access to the webgui from VPN connected clients.
Steve
-
I shy away from any network equipment like nics & switches which come with remote management facilities, they attrack hackers no end and its often hard to even tell if someone is in management mode due to the need to not interrupt operations.
That's what management VLANs and firewall rules are for.
A usb nic often has no fancy remote access/management/whatever so should be less to worry about.
Neither do "real" NICs.
However I could use usb nics to control access to the pfsense box like a physical key.
I could assign a fixed ip to a usb nic based on its arp/mac id, add a rule to allow access to pfsense from the usb nic, block access to pfsense from everywhere else and that should make pfsense a little more secure in a different way.
Except that anyone who wants in can get in by spoofing that MAC.
I could have a second usb nic and repeat the above steps for a backup measure.
You'd probably need one.
Provide the nic comes up automatically and works as required, that would make securing pfsense a novel way with a physical key and a password effectively giving you a sort of two form factor authentication.
I couldnt do that with intel nics or any other pci-e nic could I? ;)
Edit.
Possibly 3rd form factor authentication, if pfsense can tell what USB port its plugged into if a choice of usb ports exist.
With proper network design and firewall rules this is all a non-issue. My users cannot get at my pfSense interface, switch management interfaces, AP management interfaces, etc. And, no, I don't have any USB NICs on my network.
Intel nics have had forms of remote access in their nics since the 1990's.
http://en.wikipedia.org/wiki/Wired_for_ManagementIt might be obsolete but the functionality still ships in their nic chips, hence a security risk. Lets not forget rootkits were just old dos viruses, that the youngsters forgot about.
http://www.intel.com/design/archives/wfm/"WfM has been replaced by the Intelligent Platform Management Interface standard for servers and Intel Active Management Technology for PCs."
Intel AMT (vpro) is considered a back door into systems as this works out of band, and the
IPMI is aimed more at the servers.
http://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface#Security
"On 2 July 2013, Rapid 7 published a guide to security penetration testing of the latest IPMI 2.0 protocol and implementations by various vendors.[6]Vendors have provided patches that remediate most of the vulnerabilities, but the "IPMI 2.0 RAKP Authentication Remote Password Hash Retrieval" vulnerability has not yet been addressed. This arises from the difficulty that the IPMI 2.0 specification is flawed in that it reveals the password hash and salt to anonymous remote clients. This allows for offline brute force attacks. Complete remediation will require a change to the IPMI specification.[7]
Some sources are even advising against using IPMI at all,[8] due to security concerns related to the design and vulnerabilities of actual Baseboard Management Controllers (BMCs).[9][10] However, like for any other management interface, good security practices dictate the placement of the IPMI management port on a dedicated management LAN or VLAN."
"The development of this interface specification was led by Intel Corporation and is supported by more than 200 computer systems vendors, such as Cisco, Dell, Hewlett-Packard, Intel, NEC Corporation, SuperMicro and Tyan."
On the point of using vlans, heres a paper which discuss the weaknesses of it. Its worth noting the conclusion as the biggest risk of vlans is not configuring them properly. Considering most people here asking about vlans probably have little to no experience of them, the suggested use would render some users of vlans more vulnerable than if they did not attempt to use it.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39054
I used to be a big fan of remote access for system support, but I'm finding increasingly as more functionality is added, so the risks of bugs which could be your next undiscovered zero day increases and so more things get hacked.
On the point of spoofing, thats fine, in fact it would probably be spoofed so that serial numbers cant be traced back to arp/mac id's and then be logged somewhere in the supply chain. They still need to guess what it is, just like a password, but if its also the only management channel and the only device that connects to it, never goes online and/or doesnt have any remote access built into it, then it should be quite secure if not as secure as pf itself.
Arp/mac id's are just another identifier, just like a username and password combined is an identifier for a system. How the system is set up to react to these unique identifiers is down to the user.
Windows uses a usb device to store the key if you encrypt the hard driver, how is that any different to a usb nic if not more obvious if someone were to pick up the usb stick due to it being known as a device for storing sensitive info. A usb nic is a less obvious place to store info whilst being in plain sight.
@ Stephenw10
"If you mean you could remove the USB NIC and only connect it when required then no, no you can't."
It does work in 2.2 rc, I've tried it. -
So let's not talk about "Bad USB."
-
wow, i go away for a day and then i come back and its all trash talk on USB NIC.
that was my only option, because the machine i was working with didnt have any expansion slots and only the one Ethernet port.
but now that its done, im now working on 2 separate machines that each have 3 Ethernet ports. and im not having any issues with them.
all i know is that the USB to Ethernet is working just fine, and yes all the VLANs are for separate tenants and the business i work for controlling their firewall ,
well we arent controlling yours so it really doesnt matter then, does it Derelict -
Its not so much "trash talk" as attempting to point you in a better direction.
As pointed out earlier, if you already had a vlan capable switch you didn't need the usb dongle at all.
If you were in the mood to buy something and had no free slots, vlan switch would have been the way to go. -
So let's not talk about "Bad USB."
All I'm asking for is some 3rd party source to quantify how good is good and how bad is bad?
With out this knowledge, people cant make that much of an informed choice, can they?
In my case, I need to work with the lowest common denominators which means old hw possibly a laptop as it has things like wifi, various usb sockets, a nic, serial port, battery (for ups), already rolled into one handy portable device, cheap usb nics and a basic adsl connection with a variable ip, ie the typical cash strapped consumer market.
In windows, we can assign some drivers to work with specific usb configurations, usb printers tend to be a good example of this in windows, who has ever unplugged a usb printer from a windows pc, then plugged it into a different usb port and find it doesnt print until you change the usb port in the printer driver config?
If it were possible in freebsd/pfsense to fix fw rules to specific usb hw configs, ie hub1, port3, hub2, port1, you get to introduce a physical element to the puzzle of getting into a fw, when you consider the different combinations a couple usb hubs can plug together before you plug the usb nic into the last hub which is another element of the physical size of the puzzle. Its a fairly lost cost low tech way to introduce a bit of physical security on the cheap, thats all.
Likewise the right mac id at the device which will connect into the initial usb nic on the fw, can also trigger the right rule which gives access to pfsense. So two mac id's to guess introduces two unique physical identifiers before you've even got to try the right username and password.