No internet access, but webgui works

johnpoz

Why would you want to access esxi from WAN?? And did you create a port forward for your vmkern?? Are you trying it from outside your network?

Lets get it straight what is what and what is not working… Your wifi router is WRONG setup.. So clients connected to it would ask it for dns, which it would forward to pfsense.. Your saying that works.

But xp doesn't work?? What are the firewall rules?? Your saying it can ping pfsense..

Lets forget about websites and IP address. For all we know your browser is is setup to use a proxy?? You do not have pfsense setup to do any proxy or squidguard or blocker, etc.. Just plain jane pfsense install.

Please post up your rules for both lan and opt. Post up your xp machine ipconfig /all and it pinging pfsense and then a simple nslookup

see example attached

exampleinfo.png_thumb

itsignas

@johnpoz:

Why would you want to access esxi from WAN?? And did you create a port forward for your vmkern?? Are you trying it from outside your network?

Lets get it straight what is what and what is not working… Your wifi router is WRONG setup.. So clients connected to it would ask it for dns, which it would forward to pfsense.. Your saying that works.

But xp doesn't work?? What are the firewall rules?? Your saying it can ping pfsense..

Maybe you misunderstood, I just want to access ESXi from my desktop pc which is at my AP point, that's the problem, that i can't. Yes, it works…

Screenshot_2.png_thumb

Screenshot_3.png_thumb

Screenshot_4.png_thumb

johnpoz

"I CAN'T access ESXi from my wan let's say 99.99.99.99 and enter root"

Well that is what you said!!

Dude how is your client every going to look up anything if its pointing to itself for dns 127.0.0.1

As to accessing your vmkern from where? And why would you ever in a million years think you could get their from your wan?? Your vmkern is port group connect to your lan vswitch.. Which is what network 192.168.1.0/24

But that is the SAME network that is behind your wifi router… so no shit those people would never be able to connect to 192.168.1.100 vmkern since they think that network is local..

Where are you firewall rules? And why does that client point to loopback for dns???

itsignas

@johnpoz:

"I CAN'T access ESXi from my wan let's say 99.99.99.99 and enter root"

Well that is what you said!!

Okay… I need to have connection on windows xp machine, and access ESXi remotely somehow...

johnpoz

dude you never setup dns in XP machine so it points to itself.. never in a million years going to work!! Ever..

You will be able to access esxi from either network, once you FIX your problems and allow it in pfsense.

You having both machines on 192.168.1.0/24 network one behind your nat router is just confusing the whole thing… Set it up like I described and posted a picture of and all your problems will be gone.. And you will be able to access esxi just fine from where ever you want to access it from, if you allow the rules in pfsense firewall, etc.. if coming from a different network than the vmkern is on..

itsignas

@johnpoz:

dude you never setup dns in XP machine so it points to itself.. never in a million years going to work!! Ever..

You will be able to access esxi from either network, once you FIX your problems and allow it in pfsense.

You having both machines on 192.168.1.0/24 network one behind your nat router is just confusing the whole thing… Set it up like I described and posted a picture of and all your problems will be gone.. And you will be able to access esxi just fine from where ever you want to access it from, if you allow the rules in pfsense firewall, etc.. if coming from a different network than the vmkern is on..

Alright, rules in pfSense for esxi? There isn't any info much google. If this just could work …

johnpoz

dude it will work just fine if you set it up correctly.

you have 2 networks, should be 192.168.1.0/24 LAN, 192.168.2.0/24 OPT

vmkern sits on your lan with 192.168.1.100/24. So all devices on LAN would be able to talk to it directly. Devices on OPT 192.168.2.0/24 would have to route through pfsense to get to the vmkern address on your lan network. So the firewall rules in OPT would have to allow that.

Again this is how you should have it setup.

pfsense
wan: public IP
lan: 192.168.1.1/24
opt: 192.168.2.1/24
dhcp running on both them them, say scopes 192.168.1.100-200, 192.168.2.100-200… This will point all dhcp clients to its interface in each network as dns and gateway.
For starters lets start with simple rules allow any any in both lan and opt.

Once everything is working then you can get more restrictive with rules.

Esxi vmkern 192.168.1.100 with gateway and dns pointing to pfsense 192.168.1.1

There you go all working! You have to make sure you setup your old wifi router as Access point only. Turn off its dhcp server, give its "lan" IP 192.168.2.2/24 with gateway of 192.168.2.1 and dns if you want to 192.168.2.1 Connect it to the pfsense opt network.

You can reverse the lan and opt networks if you want.. Doesn't really matter.. But we need to be clear what is in what network and how its connected. Clients in both lan and opt should get an IP from the dhcp server running on pfsense.

Then ask pfsense for dns, ie when looking for www.pfsense.org they will ask pfsense. Pfsense will then either forward this (dnsmasq "forwarder) to your isp dns, or whatever else you setup in pfsense general settings for dns, say 8.8.8.8 Or look them up directly via the (resolver "unbound"). Pfsense defaults to using the resolver.

You really should have another switch if you want to connect more than 1 device (other than vm) to your lan network 192.168.1.0/24

itsignas

@johnpoz:

dude it will work just fine if you set it up correctly.

you have 2 networks, should be 192.168.1.0/24 LAN, 192.168.2.0/24 OPT

vmkern sits on your lan with 192.168.1.100/24. So all devices on LAN would be able to talk to it directly. Devices on OPT 192.168.2.0/24 would have to route through pfsense to get to the vmkern address on your lan network. So the firewall rules in OPT would have to allow that.

Again this is how you should have it setup.

pfsense
wan: public IP
lan: 192.168.1.1/24
opt: 192.168.2.1/24
dhcp running on both them them, say scopes 192.168.1.100-200, 192.168.2.100-200… This will point all dhcp clients to its interface in each network as dns and gateway.
For starters lets start with simple rules allow any any in both lan and opt.

Once everything is working then you can get more restrictive with rules.

Esxi vmkern 192.168.1.100 with gateway and dns pointing to pfsense 192.168.1.1

There you go all working! You have to make sure you setup your old wifi router as Access point only. Turn off its dhcp server, give its "lan" IP 192.168.2.2/24 with gateway of 192.168.2.1 and dns if you want to 192.168.2.1 Connect it to the pfsense opt network.

You can reverse the lan and opt networks if you want.. Doesn't really matter.. But we need to be clear what is in what network and how its connected. Clients in both lan and opt should get an IP from the dhcp server running on pfsense.

Then ask pfsense for dns, ie when looking for www.pfsense.org they will ask pfsense. Pfsense will then either forward this (dnsmasq "forwarder) to your isp dns, or whatever else you setup in pfsense general settings for dns, say 8.8.8.8 Or look them up directly via the (resolver "unbound"). Pfsense defaults to using the resolver.

You really should have another switch if you want to connect more than 1 device (other than vm) to your lan network 192.168.1.0/24

Alright, this too much as for me to do, seriously, maybe something start with something easier? I'm just beginner with networking and pfSense…

There is no option to disable NAT on that router, so the only way access ESXi is from my public IP, and somehow connect to it. But for now pfSense is overriding ESXi.

Screenshot_1.png_thumb

johnpoz

2 much?? Your setting up 2 networks… This very very very BASIC setup...

Who said anything about disabling nat on the router?? Dude your just not going to use its nat function because your going to connect it to your network via one of the LAN PORTS!! Just turn off its dhcp server, and assign its IP to something on your network your going to connect it too. If that takes you more than 30 seconds you must of taken a coffee break during the time ;)

What is confusing you??

If 2 networks is confusing to you.. Then start with just 1.. Your LAN in pfsense.. Connect your wifi router to that esxi nic that is on your lan switch, that your vmkern port group is on. But again just connect it via one of the wifi router LAN ports.. Disable the dhcp server on the wifi router and make sure its IP is on your lan segment say 192.168.1.2/24

Now all your devices be they plugged into other lan ports on your wifi router or wireless will all be on the lan network.. Getting dhcp from pfsense.

Once you get that working, then you can move to having 2 networks behind pfsense.

Anything on this lan network will be able to access your esxi vmkern via its IP 192.168.1.100

Why do you keep trying to hit the vmkern of esxi on some public IP??? It should NOT have a public IP.. The port group of vmkern is on your lan vswitch per your posted image.. The only thing that should have a public IP is the wan vnic in pfsense. That esxi physical nic would be directly connected to your modem.

itsignas

@johnpoz:

2 much?? Your setting up 2 networks… This very very very BASIC setup...

Who said anything about disabling nat on the router?? Dude your just not going to use its nat function because your going to connect it to your network via one of the LAN PORTS!! Just turn off its dhcp server, and assign its IP to something on your network your going to connect it too. If that takes you more than 30 seconds you must of taken a coffee break during the time ;)

What is confusing you??

If 2 networks is confusing to you.. Then start with just 1.. Your LAN in pfsense.. Connect your wifi router to that esxi nic that is on your lan switch, that your vmkern port group is on. But again just connect it via one of the wifi router LAN ports.. Disable the dhcp server on the wifi router and make sure its IP is on your lan segment say 192.168.1.2/24

Now all your devices be they plugged into other lan ports on your wifi router or wireless will all be on the lan network.. Getting dhcp from pfsense.

Once you get that working, then you can move to having 2 networks behind pfsense.

Anything on this lan network will be able to access your esxi vmkern via its IP 192.168.1.100

Alright, here are the results when i plug my AP to that LAN port, somehow I can access pfsense from 192.168.2.1, but 192.168.1.1 don't work. And sadly, I cannot access ESXi 192.168.1.100.

Screenshot_1.png_thumb

johnpoz

ARggghhh DUDE your dhcp server is STILL enabled!!!!

And you have your WAN plugged in on the same network!!!

What part are you confused about connecting it to your network with a LAN port and turning off its dhcp!!!

Why are you trying to access pfsense on 192.168.2.1???

Does the attached help??

setup1network.png_thumb

wifiroutersetings.png_thumb

itsignas

@johnpoz:

ARggghhh DUDE your dhcp server is STILL enabled!!!!

And you have your WAN plugged in on the same network!!!

What part are you confused about connecting it to your network with a LAN port and turning off its dhcp!!!

Why are you trying to access pfsense on 192.168.2.1???

Does the attached help??

Okay, small update. (This time for real)
I can access pfSense at 192.168.2.1, being connected to 192.168.1.0 subnet

Screenshot_3.png_thumb

johnpoz

update of what???? Dude your just showing shit not working but not showing how you fixed the BROKEN setup!!!

Show your router setting - see my 2nd attachment!!! And what is connected to what???

default gateway 192.168.1.254 is what was your wifi router lan was setup as..

Take a breath – look at my drawing! This is so freaking basic!!

itsignas

Okay, made quite few photos…

1.png_thumb

2.png_thumb

3.png_thumb

4.png_thumb

5.png_thumb

6.png_thumb

7.png_thumb

johnpoz

And looking at first one its STILL WRONG!!!!

What is so freaking difficult to understand… UNPLUG the cable from the wifi router WAN port!!! There should BE NOTHING plugged in there - NOTHING!!! If you want to leave its lan on 192.168.1.254 that is fine..

Now a client wired to one of the other lan ports or wireless set for dhcp gets what??? Show its ipconfig /all

STILLWAN.png_thumb

johnpoz

Outside world for what????

Dude your using it as a SWITCH/AP to connect to pfsense, which has your internet connection!

itsignas

OH GOD, now i saw your scheme, that it connect's to LAN port, oh god.. So sorry I was so dumb…

Now I connect to pfSense and ESXi no problem, but we came back to DNS problem..

Screenshot_1.png_thumb

johnpoz

what is your client showing for dns?? Lets see ipconfig /all if your client is talking to 127.0.0.1 no then it would never work.

What are you using forwarder or resolver in pfsense?

Can pfsense look up stuff.. And I would assume so since it shows a new version.

To be honest I don't think you should be running 2.3 since your really new to this stuff… 2.3 can still be buggy.. I would suggest you use the stable 2.2.6 until you feel more comfortable with how this all works.

pfsensednslookup.png_thumb

itsignas

Here it is

Screenshot_2.png_thumb

Screenshot_4.png_thumb

johnpoz

And your pointing dns to your wifi router IP address 192.168.1.254… So NO dns is never going to work from that client..

And your dhcp server is still listed as your wifi router 192.168.1.254.... Did you not renew your lease?? Once you turned off the dhcp sever in your wifi router? Reboot the client so it gets dhcp from pfsense.