Netgate Discussion Forum

    Help (Initial installation, initial configuration and basic firewall config)

    Problems Installing or Upgrading pfSense Software
    17 Posts 5 Posters 1.6k Views
      JohnSCarter

      Hello. I've recently set up pfSense on an old computer I'm not using. I'm currently having some problems.

      Here's what I currently have set up:
      1x Basic computer (HP Pavilion 500)
      2x RealTek 8168/8111 PCIe Gigab Ethernet card
      BT Home-hub 6

      Here's how it's currently set up:
      BTHub 6 <-> Computer (pfSense)
      Computer (pfSense) <-> Computer (main computer, connected via ethernet)

      Here's the problem that I'm having:

      1. My pfSense computer is being given a private IP address (192.168.1.x) in place of a public one (that all the guides / installation "walkthroughs" seem to be automatically given)
      2. My pfSense machine and my regular machine can't access the internet (unless, on the pfSense machine, I remove the LAN connection to the regular PC and have 2 connections to the router)

      Sorry for the possibly "nooby" post but I've tried nearly everything else and am running out of options. Any help is greatly appreciated, thanks in advance.

      Network security & monitoring enthusiast

        KOM

        1.  Realtek are mediocre at best but will do.  One for WAN, one for LAN.

        2.  You can define WAN as a static IP address.  If you're being served up private addresses, you will want to make sure your WAN is set to not block private addresses via Interfaces - WAN.

        You know, you haven't really described the actual problem you're having.

          JohnSCarter

          Thanks for the quick reply.

          I've checked and I'm not blocking private networks or loopback addresses.

          My problem is that I can't access the internet although I've allowed all IPV4+6 on the firewall and also can't ping 8.8.8.8 from the pfSense command line either.

          Edit:
          I've updated the thread to be more visually pleasing and to contain the correct problem and information.

          Network security & monitoring enthusiast

            dotdash

            If you are getting 192.168.1.x on the WAN, you need to change your LAN to something other than 192.168.1.1. Maybe 192.168.10.1, or something. It's easy to do this from the menu, you can do it via the webgui, but you have to change the dhcp pool before you apply, and release and renew the ip on the workstation.

              JohnSCarter

              @dotdash:

              If you are getting 192.168.1.x on the WAN, you need to change your LAN to something other than 192.168.1.1. Maybe 192.168.10.1, or something. It's easy to do this from the menu, you can do it via the webgui, but you have to change the dhcp pool before you apply, and release and renew the ip on the workstation.

              Ok, thanks for the reply  :)

              I've changed the IP address of the pfSense device from 192.168.1.1 to 192.168.10.1 and I've changed the pool under Services -> DHCP Server from 192.168.1.2 - 192.168.1.254 to 192.168.10.2 - 192.168.10.254

              And just to check, you mean do (in the case of my windows machine that's connected to the pfSense device) ipconfig /release and then ipconfig /renew right?

              Edit: I guess that was what you meant because I just did everything above however it's still assigning me the same private IP in the WAN interface (192.168.1.190) and my pfSense connected device still doesn't have an internet connection.

              Network security & monitoring enthusiast

                stephenw10 Netgate Administrator

                As long as both WAN and LAN are using /24 subnets that should be OK. The default settings should allow it to connect.

                That is assuming the HH6 is not blocking it in some way.

                Can you access the webgui now from a client behind pfSense?

                If you go to Diagnostics > Ping and try to ping 8.8.8.8, what is the exact error you see?

                Steve

                  JohnSCarter

                  @stephenw10:

                  As long as both WAN and LAN are using /24 subnets that should be OK. The default settings should allow it to connect.

                  That is assuming the HH6 is not blocking it in some way.

                  Can you access the webgui now from a client behind pfSense?

                  If you go to Diagnostics > Ping and try to ping 8.8.8.8, what is the exact error you see?

                  Steve

                  Thanks for the reply Stephen.

                  Yes, I believe that they're both on /24 subnets however the default settings aren't working for me.

                  I can access the WebGUI from the client currently however there's 100% packet loss when I attempt to ping google DNS [8.8.8.8].

                  John

                  Network security & monitoring enthusiast

                    stephenw10 Netgate Administrator

                    Hmm, if it shows packet loss then it has a route and is trying to send….

                    Can you ping the HH6 IP from either Diag > Ping or from the client behind pfSense? I assume that's at 192.168.1.254 if it follows the same pattern as previous HHs.

                    Steve

                      JohnSCarter

                      @stephenw10:

                      Hmm, if it shows packet loss then it has a route and is trying to send….

                      Can you ping the HH6 IP from either Diag > Ping or from the client behind pfSense? I assume that's at 192.168.1.254 if it follows the same pattern as previous HHs.

                      Steve

                      Yes, both the client and the pfSense device can ping the HH6.

                      Network security & monitoring enthusiast

                        stephenw10 Netgate Administrator

                        Hmm, well it's possible it still has no default route somehow.

                        Try going to Diag > Routes and make sure there is an entry that shows something like:

                        IPv4 Routes
                        Destination	Gateway	Flags	Use	Mtu	Netif	Expire
                        default	192.168.1.254	UGS	476794	1500	re0
                        

                        If there is not, go to Interfaces > WAN and click save without changing anything to re-apply the settings.
                        Since you initially had a subnet conflict it may have come up with something invalid. You could also try rebooting pfSense now that the conflict has been resolved.

                        Steve
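
An added example, not part of the original posts: a Python check for the two conditions discussed up to this point, overlapping WAN/LAN subnets and a missing or unusable default route. The route text is a constructed sample in the column layout quoted above; the `re1` interface and the `link#` rows are assumptions.

```python
import ipaddress

# Constructed sample in the Diagnostics > Routes column layout.
# Only the default row comes from the thread; the other rows are assumptions.
ROUTES = """\
Destination      Gateway        Flags  Use     Mtu   Netif  Expire
default          192.168.1.254  UGS    476794  1500  re0
192.168.1.0/24   link#1         U      5321    1500  re0
192.168.10.0/24  link#2         U      9912    1500  re1
"""

def parse_routes(text):
    """Return one dict per route row, keyed by the header columns."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    if not rows:
        return []
    return [dict(zip(rows[0], row)) for row in rows[1:]]

def check_wan_lan(wan_cidr, lan_cidr, routes_text, wan_if):
    """Return a list of problems; an empty list means the basics look sane."""
    wan = ipaddress.ip_interface(wan_cidr)
    lan = ipaddress.ip_interface(lan_cidr)
    problems = []
    # Same subnet on both sides: the firewall cannot tell WAN hosts from LAN hosts.
    if wan.network.overlaps(lan.network):
        problems.append(f"subnet conflict: WAN {wan.network} overlaps LAN {lan.network}")
    defaults = [r for r in parse_routes(routes_text) if r.get("Destination") == "default"]
    if not defaults:
        problems.append("no default route")
    for route in defaults:
        flags = route.get("Flags", "")
        if not {"U", "G"} <= set(flags):  # U = up, G = via a gateway
            problems.append(f"default route flags {flags!r} lack U (up) or G (gateway)")
        if route.get("Netif") != wan_if:
            problems.append(f"default route leaves via {route.get('Netif')}, not {wan_if}")
        try:
            gateway = ipaddress.ip_address(route.get("Gateway", ""))
        except ValueError:
            problems.append(f"default gateway {route.get('Gateway')!r} is not an IP address")
            continue
        if gateway not in wan.network:
            problems.append(f"default gateway {gateway} is outside WAN subnet {wan.network}")
    return problems
```
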

                          JohnSCarter

                          @stephenw10:

                          Hmm, well it's possible it still has no default route somehow.

                          Try going to Diag > Routes and make sure there is an entry that shows something like:

                          IPv4 Routes
                          Destination	Gateway	Flags	Use	Mtu	Netif	Expire
                          default	192.168.1.254	UGS	476794	1500	re0
                          

                          If there is not, go to Interfaces > WAN and click save without changing anything to re-apply the settings.
                          Since you initially had a subnet conflict it may have come up with something invalid. You could also try rebooting pfSense now that the conflict has been resolved.

                          Steve

                          Ok, great. That seems to be working in that I now have internet access on my pfSense connected device and the device itself can both ping out to google now.

                          Is there any way now to test that it's 100% working? I've tried resetting the firewall to block all traffic just to test but it doesn't have an impact.

                          Network security & monitoring enthusiast

                            stephenw10 Netgate Administrator

                            The default settings will allow all traffic from the LAN interface out to the WAN so that's expected.

                            You can add your own pass rule above the default rule on LAN and if you have logging enabled you will then see everything that is passed in the firewall logs in Status > System Logs > Firewall.

                            You could add another rule above that, say, block ICMP (all types) from LAN subnet to 8.8.8.8. Enable logging.

                            That should stop your LAN side client pinging 8.8.8.8 and log it.

                            It looks like there is no way to put the HH6 in bridge mode where it passes your public IP to pfSense. If you want that (and you should IMO  ;)) you would need to use a different modem device. I use an Openreach modem for that exact purpose.

                            Steve

                              JohnSCarter

                              @stephenw10:

                              The default settings will allow all traffic from the LAN interface out to the WAN so that's expected.

                              You can add your own pass rule above the default rule on LAN and if you have logging enabled you will then see everything that is passed in the firewall logs in Status > System Logs > Firewall.

                              You could add another rule above that, say, block ICMP (all types) from LAN subnet to 8.8.8.8. Enable logging.

                              That should stop your LAN side client pinging 8.8.8.8 and log it.

                              It looks like there is no way to put the HH6 in bridge mode where it passes your public IP to pfSense. If you want that (and you should IMO  ;)) you would need to use a different modem device. I use an Openreach modem for that exact purpose.

                              Steve

                              It appears not to be working (unless I'm doing it wrong). Here's a screenshot of my firewall rule that should block outgoing ICMP to 8.8.8.8:
                              https://gyazo.com/e585c81d5521b81cecce22d0b32b39bd

                              Network security & monitoring enthusiast

                                stephenw10 Netgate Administrator

                                Firewall rules apply to traffic coming into the interface. So that rule needs to be on the LAN and above the default allow all rule.

                                That applies to all firewall rules except floating rules which can be defined as OUT. But don't worry about that yet!  ;)

                                After you make the rule change you may have to wait for the existing firewall state to time out or clear the state(s) if you have run a ping from the client recently.

                                Steve
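
An added example, not part of the original posts and not pfSense's own code: a simplified Python model of the behaviour described in the two replies above. Rules are checked on the interface where traffic arrives, top down with the first match deciding, and an existing state keeps passing traffic until it is cleared. The client address 192.168.10.5 and the flow-keyed state table are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str          # "pass" or "block"
    proto: str           # "icmp", "tcp", ... or "any"
    src: str             # source network in CIDR form
    dst: str             # destination network in CIDR form
    log: bool = False

    def matches(self, proto, src, dst):
        return (self.proto in ("any", proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst))

class InterfaceRules:
    """Toy model of one interface's rule tab: checked on ingress, top down."""
    def __init__(self, rules):
        self.rules, self.states, self.log = list(rules), set(), []

    def inbound(self, proto, src, dst):
        flow = (proto, src, dst)
        if flow in self.states:                  # existing state: rules are not re-read
            return "pass (state)"
        for pos, rule in enumerate(self.rules, 1):
            if rule.matches(proto, src, dst):    # first match wins
                if rule.log:
                    self.log.append((pos, rule.action, flow))
                if rule.action == "pass":
                    self.states.add(flow)
                return rule.action
        return "block"                           # nothing matched: default deny

LAN_NET = "192.168.10.0/24"                      # LAN subnet from the thread
CLIENT = "192.168.10.5"                          # constructed client address
ALLOW_ALL = Rule("pass", "any", LAN_NET, "0.0.0.0/0")
BLOCK_PING = Rule("block", "icmp", LAN_NET, "8.8.8.8/32", log=True)

def walkthrough():
    lan = InterfaceRules([ALLOW_ALL])
    seen = [lan.inbound("icmp", CLIENT, "8.8.8.8")]       # allowed, state created
    lan.rules.insert(0, BLOCK_PING)                       # block rule added on top
    seen.append(lan.inbound("icmp", CLIENT, "8.8.8.8"))   # old state still passes
    lan.states.clear()                                    # states cleared
    seen.append(lan.inbound("icmp", CLIENT, "8.8.8.8"))   # now blocked and logged
    seen.append(lan.inbound("tcp", CLIENT, "8.8.8.8"))    # other traffic falls through
    return seen, lan.log
```

Placing `BLOCK_PING` below `ALLOW_ALL` instead leaves the ping passing, because the allow rule matches first.
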

                                  JohnSCarter

                                  @stephenw10:

                                  Firewall rules apply to traffic coming into the interface. So that rule needs to be on the LAN and above the default allow all rule.

                                  That applies to all firewall rules except floating rules which can be defined as OUT. But don't worry about that yet!  ;)

                                  After you make the rule change you may have to wait for the existing firewall state to time out or clear the state(s) if you have run a ping from the client recently.

                                  Steve

                                  Ok awesome, I disabled all traffic but checked the system logs and it blocked this website for a bit so I guess it is working fine.

                                  Last question (for now at least) is there an order to the firewall rules. For example if I wanted to block all traffic by default but I wanted to allow one IP /Protocol /application through it could I have 2 conflicting rules but place one before the other?

                                  Just want to say how honestly thankful I am for your support. Utter legend :D Have an honestly brilliant day.

                                  Network security & monitoring enthusiast

                                    Grimson Banned

                                    Read through here: https://doc.pfsense.org/index.php/Main_Page

                                      JohnSCarter

                                      Thanks man, this is exactly what I was looking for.

                                      This entire forum is great. Thanks all

                                      Network security & monitoring enthusiast
