No internet with surten user account (
-
Hello
I have an problem with PfSense and i'm not familiar with it so i'm stuck. I work in an school but i'm pretty new here (since couple months) .
I use VMWare with Windows Server 2008 and PfSense. The DNS goes true Windows Server.A while ago I had the same problem. When teachers login with their account they can connect to the internet without any problems. When students login and want to connect to the internet they get an Proxy-error in every internetbrowser, although they have connection with the server. Pinging both to an IP and domain is no problem (8.8.8.8 and www.google.com). When i first had this problem I rebooted pfsense and the problem was solved.
Now, two weeks ago I changed the IP range from the scope on Windows Server. (/24 tot /20). I've also updated pfSense. The LAN-interface in pfsense is still on subnet /24, when I change it there's no internet at all. Only by restoring an configuration file pfsense works again. In properties from the LAN interface on Windows Server itself it has the subnet /20. I wanted to change pfSense to the same subnet but like i've said: it doesn't work. To prevent IP-conflicts important IP's are excluded in the scope and the scope itself only begins from .5 while pfSense is .1
I thought that it would be better that the scope and LAN-interface from Windows Server had the same subnetmask as pfSense. But even just rebooting pfsense without making changes in the console or te gui results in no internet on the entire network. I'm an little desperate in getting it work without any problems.
I really hope someone can help me on the right track. Sorry in advance for my faulty English.
Greets and thanks in advance
Linton -
Not enough info to debug anything, plus starting with the /24 vs. /20 description, the entire setup would be best flushed down the drain. Start from scratch, instead of trying to work around FUBARed design. Also no idea about what login are you talking about here. If you are running a CP, then doing so on LAN (as opposed to a dedicated interface) is a really bad idea (TM) and huge PITA. Plus, the proxy errors - no real info about it. Proxies and Captive Portal do not get along.
-
Hi, thanks for your reply. :)
I didn't install pfsense or the Windows Server but the IP range was to limited so i was forced to resubnet the scope.
So doing an fresh install is something i would rather want to prevent knowing the school needs internet (not only the students and teachers but also the colleagues in the administration and the principal) :-)The IP-range in the past was 192.168.0.5/24 - 192.168.0.254/24.
Both Windows Server (properties LAN) as pfSense had the same subnetmask. (/24)The LAN-interface on pfSense has 192.168.0.1 as IP. And is for the moment still on subnetmask /24
The IP-range now is changed to 192.168.0.5/20 - 192.168.15.254/20
In properties from Windows Server-Lan the subnetmask is changed to 255.255.240.0 (/20) but on pfSense i couldn't make these changes because only rebooting alone results in no internet at all. Even without changing anything. I've first tried just rebooting pfSense because the last time (in March) it solved the Proxy error.The WAN-interface gets an IP from the router-DHCP and this is an reserved IP.
Users in the network login with an domainaccount. Students login with an other account then teachers do for example. When students login and want to browse the internet they get an error each time saying the proxy isn't responding or doesn't work.
Thanks in advance for your help and hopefully this information is enough. :)
EDIT: i've exclused IP's like the range 192.168.2.2 - ...14 and the scope begins from 192.168.0.5 while the LAN-interface on pfSense has ...1. This was also the configuration in the previous scope, ofcourse the exclusion of the range 192.168.2.2 - … wasn't possible back then.
-
In properties from Windows Server-Lan the subnetmask is changed to 255.255.240.0 (/24)
255.255.240.0 is NOT /24, for starters.
but on pfSense i couldn't make these changes because only rebooting alone results in no internet at all.
Yeah. Flush it down the drain. Sorry, you cannot have different subnets on your router's LAN and your LAN machines and expect things to work in a sane manner. This is a no go from the very start.
-
It was an type-error, indeed it is /20.
As i've said I wanted to change to subnetmask in pfSense but rebooting resolves in no internet at all.
- So reboot without making any changes doesn't work.
- Rebooting with changing the LAN-interface to subnet /20 doesn't work.
I assume that the subnetmask from the scope, properties LAN on the server as pfSense must be the same but when I want to change it on PfSense there's no internet at all.
Again: thanks for your reply.
-
So solve the real problem. This subnetting censored is absolutely NOT a solution to anything.
-
It wasn't meant to 'censor' Ip's :)
Here full tekst:
EDIT: i've exclused IP's like the range 192.168.2.2 - 192.168.2.14 and the scope begins from 192.168.0.5 while the LAN-interface on pfSense has 192.168.0.1. This was also the configuration in the previous scope, ofcourse the exclusion of the range 192.168.2.2 - … wasn't possible back then.So solve the real problem. This subnetting censored is absolutely NOT a solution to anything.
-
Dude. Your subnet on the firewall must match what's configured on the LAN machines. End of story. Stop fiddling with scopes and exclusions and fix the very basic problem.
-
Hi
Like i've said (or wrote): I tried that but when I do that there's no internet at all. Even rebooting without making any changes results in no internet. :)
Dude. Your subnet on the firewall must match what's configured on the LAN machines. End of story. Stop fiddling with scopes and exclusions and fix the very basic problem.
-
Yeah. And you need to fix that first. It works for everyone. If it does not work for you, then you are doing something badly wrong. When totally basic things don't work, there's no point in making things more complicated with CPs, proxies or whatever.
-
That's the part where i'm stuck :-)
Excuse me in advance for my questions but i'm not familiar with pfSense and because even only rebooting results in no internet its hard for me to find where the problem is. Especially the configuration isn't changed, the only change there was made was an update and so i'm not sure if it is an configuration error or an problem due the update.You would assume that when the LAN-interface in pfSense has the correct subnet everything would work but now its the opposite: there's internet but surten accounts (domain users with no install rights) have an proxy error, although they can ping to both an IP and URL.
Yeah. And you need to fix that first. If works for everyone. If it does not work for you, then you are doing something badly wrong.
-
There is no information here to debug anything. What does "no internet" mean? Can you ping the pfSense box from LAN by IP? Can you ping it by hostname? Can you ping say 8.8.8.8? Can you ping www.google.com? Once again, get all proxies and everything else out of the way until you have basic things working!
-
Hi
When i change the subnetmask in the LAN-interface from pfSense, it works until I reboot. In the console the subnetmask is only updated after reboot.
I'm able to ping to 8.8.8.8 (from the pfsense console)
Not to www.google.com for example (from the pfsense console)There is an DNS forward to 192.168.0.2 (Windows server) yet for one or other reason the server and every host can't ping (no ip, no url). Despite the fact this does work if the lan interface on pfsense has the previous subnet and without rebooting pfsense.
Thanks in advance for your efforts and patience :)
-
We have not moved an inch further since this thread started…
You need to get basic setup working properly before trying anything advanced.
Suggest to get a paid support - https://www.pfsense.org/get-support/
-
I'm sincerely trying to explain my case and being thankful for your efforts.
I really don't understand what you mean, maybe thats because English is not my native language(?).
The configuration worked more then a year without any problems. In march the same error occurred saying the proxy server doesn't respond or isn't active with the domain-account from the students. There was and is no proxy-server configured. When that error occurred just rebooting pfsense solved the problem, pinging to an url or ip does work though. The installation of pfsense was done by someone else with help that doesn't does this work anymore.Now, couple weeks later the current scope in Windows Server was erased and replaced by one with an bigger range and ofcourse other subnet. On pfSense everything worked fine at first but then the LAN hadn't any internet anymore (no pinging possible to url and ip from lan side and no pinging to url from pfsense console). Recovering an previous configuration from file solved the problem.
So my problem now is that when pfsense is rebooted there isn't internet at all (hosts on lan side can't ping to an url or ip) and pfsense can only ping to an IP. It has something to do with resolving DNS and the forwarding to the server i think but i can't find what specifiek setting it is. Besides: i have the impression that maybe the update i've first did before changing the IP range has caused an error or problem in pfsense although I can't determine if this has something to do with my problem.
Paid support is to expensive for our school, thanks for the advise though :)
Thanks for the efforts. -
I damn mean that your should reset your firewall to factory defaults, reconfigure WAN and LAN from scratch and should NOT move to anything else until you get absolutely basic barebones functionality working. Until you have either /20 or /24 or whatever else matching and working on your LAN and on your pfSense. Noone cares about what's your beef with Windows server. Why are you even forwarding any DNS there when the absolute basics stuff that works out of the box after 1 minute work on every other pfSense install does not work for you.
Ditch the current mess. Back to basics.
-
dude if you change pfsense lan mask, your clients have to have the same mask or no you won't be able to talk to pfsense to do anything.
If you want pfsense lan to be /20 – for the life of me I can not fathom needing such a large mask for a segment.. Do you really have plan on putting 4k some devices on the same segment?? Really?
What I would suggest you do is do a clean install, let pfsense come up with its defaults.. Then if you change your mask on pfsense, then reboot. Your machine either needs to get this new mask from pfsense dhcp or you have to set it on your machine your wanting to use pfsense from.
But your lan segment and your machine on the lan segments masks have to match or your going to have a hard time!!
-
I see that there is an error with opening 'Proxy Server'.
Probably something went wrong while updating.
I will search a way to fix this and look if the problem still occurs.I'm sincerely trying to explain my case and being thankful for your efforts.
I really don't understand what you mean, maybe thats because English is not my native language(?).
The configuration worked more then a year without any problems. In march the same error occurred saying the proxy server doesn't respond or isn't active with the domain-account from the students. There was and is no proxy-server configured. When that error occurred just rebooting pfsense solved the problem, pinging to an url or ip does work though. The installation of pfsense was done by someone else with help that doesn't does this work anymore.Now, couple weeks later the current scope in Windows Server was erased and replaced by one with an bigger range and ofcourse other subnet. On pfSense everything worked fine at first but then the LAN hadn't any internet anymore (no pinging possible to url and ip from lan side and no pinging to url from pfsense console). Recovering an previous configuration from file solved the problem.
So my problem now is that when pfsense is rebooted there isn't internet at all (hosts on lan side can't ping to an url or ip) and pfsense can only ping to an IP. It has something to do with resolving DNS and the forwarding to the server i think but i can't find what specifiek setting it is. Besides: i have the impression that maybe the update i've first did before changing the IP range has caused an error or problem in pfsense although I can't determine if this has something to do with my problem.
Paid support is to expensive for our school, thanks for the advise though :)
Thanks for the efforts. -
Ok. Which part of get the fsckin' basics working is sooooooooooooo hard to get?!?!
Noone cares about your proxy. Fix your /20 first!!! It's like having a house without roof, with foundation floating on sand and caring about wall decorations. WTF!!! >:( >:( >:( >:( >:(
-
If that doesn't work i will follow your advise and start from scratch, i wanted to avoid this because it worked more then an year without problems.
Thanks for the advice.