Netgate Discussion Forum

    With CP enable the following stop working

    Captive Portal
    14 Posts 3 Posters 1.7k Views
    • Gertjan

      Hi,

      WhatsApp, qbittorrent, whatever : these are programs running on devices that are hooked up to a LAN on pfSense, right ?
      If so, the NAT has nothing to do with your issue. NAT is a functionality used for connections originating from WAN (probably the Internet) to some device hooked up to your LAN - or one of your LANs. Like a web server you have on a LAN, that has to be reached from the Internet.

      When you authenticate against the Captive Portal, the "internal firewall" (ipfw) becomes completely transparent.
      The only rules that matter are the firewall rules you have placed on the Captive Portal Interface, in the pfSense GUI.
      What are these ?

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • kramtw

        Rules (Drag to Change Order)
        States Protocol Source Port Destination Port Gateway Queue Schedule Description Actions
        3 /19.55 MiB * * * LAN Address 443 80 * * Anti-Lockout Rule
        0 /0 B IPv4 TCP * * LAN address 53 (DNS) * none dns
        basic setup rules
        0 /0 B IPv4 TCP * * LAN address 80 (HTTP) * none
        0 /0 B IPv4 ICMP any * * LAN address * * none
        0 /0 B IPv4 TCP * * LAN address 25 (SMTP) * none
        0 /0 B IPv4 TCP * * LAN address 21 (FTP) * none ftp
        0 /0 B IPv4 TCP * * LAN address 110 (POP3) * none
        0 /0 B IPv4 TCP * * LAN address 143 (IMAP) * none
        freerdcp
        0 /0 B IPv4 TCP/UDP * * LAN address 1812 (RADIUS) * none
        0 /0 B IPv4 TCP/UDP * * LAN address 1813 (RADIUS accounting) * none
        whatsapp
        0 /0 B IPv4 TCP/UDP LAN net * * 5060 (SIP) * none whatsapp
        0 /0 B IPv4 TCP/UDP * * * 5222 * none whatsapp
        0 /0 B IPv4 TCP LAN net * * 4244 * none whatsapp
        0 /0 B IPv4 TCP/UDP LAN net * * 5242 * none whatsapp
        0 /0 B IPv4 TCP LAN net * * 5228 * none whatsapp
        0 /0 B IPv4 TCP/UDP * * * 5223 * none whatsapp
        0 /0 B IPv4 TCP/UDP LAN net * * 59581 * none Whatsapp
        0 /0 B IPv4 TCP/UDP LAN net * * 59437 * none Whatsapp
        default lan rules
        0 /0 B IPv4 * LAN net * * * * none Default allow LAN to any rule
        0 /0 B IPv6 * LAN net * * * * none Default allow LAN IPv6 to any rule
        0 /0 B IPv4 TCP * * LAN address 1194 (OpenVPN) * none OpenVPN wizard
        0 /0 B IPv4 TCP/UDP * 8000 * 8000 * none winamp
        Add

        • Gertjan

          Hi,

          Could you post something more readable like :

          0_1533637313949_83925513-9018-4f4e-89f7-a74fa1c4458e-image.png

          Btw : look at your "Status" column.
          All these "0 /0 B" mean that the rule never applied - was never used.

          Put in place a (default !) pass all rule, and your troubles will be over in a split second.
          Also : if possible : consider activating the Captive Portal on a dedicated interface like OPTx.

          • kramtw @Gertjan

            @gertjan hi
            Thanks for all your help. I am using 172.16.100.1/16 as the LAN address and 172.16.10.1/16 as the WAN address, and with these addresses the CP page does not pop up unless I go to the page URL. However, if I were to change the WAN IP to 173.16.10.1/16 the page will auto pop up. Could this be part of what it is that I am doing wrong? What would be the correct IP to use?
            I will try to set up an OPT1 interface for the CP.

            thanks again for all your help

            • Gertjan @kramtw

              @kramtw said in With CP enable the following stop working:

              I am using 172.16.10.1/16 as the wan address ......
              ... however if i were to change the wan ip to 173.16.10.1/16 the page will auto popup

              Normally, you should stick to a default LAN of 192.168.1.1 mask 24
              The WAN IP is normally assigned by a DHCP server upstream, or WAN really becomes a WAN IP, assigned by your ISP.
              Choosing yourself a WAN IP like "173.16.10.1/16" doesn't seem a normal thing to me.
              And if you really need to enter a static IP, it must be a /32 one. I don't understand your /16 WAN IP.

              Again : go for the OPT1 interface for your portal interface.
              Remember : when creating and activating an OPTx interface, no firewall rules will be present, so nothing comes in - nothing goes out (well ... not 100 % true, DHCP 'LAN' traffic will pass through).

              Btw : do not reinvent the wheel. Choose OPT1 to be 192.168.2.1 mask 24.

              Pass rule :
              0_1533651125585_5fe69ddc-52e9-45e9-8f98-4cd029718cc6-image.png

              • kramtw @Gertjan

                @gertjan OK, the modem's LAN IP address is 172.16.1.22/16 and that is what I've been using for the longest; the whole LAN network is on /16. Are you saying that I should change the modem's IP to one that is 192.168.1.1 and stop it from doing all the port forwarding that it is doing and let the pfSense take that over? I've got a large net with IP cams, IP switches, along with servers and client PCs and Macs on the network. I also have a very large WiFi network client base, so the /16 would give me a lot of IP addresses to play with.
                So let me see if I get what you are saying:
                set the modem to 192.168.1.1/32
                set the WAN IP of pfs to 192.168.1.2/32
                set the LAN IP to ??
                set the OPT IP to be 172.16.0.0/16, enable the CP and DHCP on that interface and set all the firewall rules to work with it

                • Gertjan

                  Don't touch the modem LAN IP. I was talking about the LAN of pfSense 192.168.1.1/24 or 254 devices. If you want, make that a /16 and you'll have place for 65535 devices.
                  Btw : if your modem is really (only) a modem then the WAN interface of pfSense would be set to your 'real' Internet IP.

                  How is your interface WAN on pfSense set up ? Static ? DHCP ? Other ?

                  • kramtw @Gertjan

                    @gertjan the LAN on the pfs is set to 172.16.100.1/16
                    the WAN is static and set to 172.16.10.1/16
                    the modem's IP address is set to 172.16.1.22/16

                    • GruensFroeschli

                      This cannot work because you have the same subnet on the WAN and the LAN.
                      You need to have different subnets.
                      Are you sure you need a /16?
                      It looks to me as if you'd want a /24.

                      We do what we must, because we can.

                      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                      • kramtw

                        Ok, could you give me an example of what it should look like? As you would have seen from my comments above, with all of the equipment and users I have on the network I would need a large amount of IP addresses.

                        Thanks

                        • GruensFroeschli

                          Well the WAN and the LAN just need to be in different subnets.
                          Doesn't really matter which.
                          e.g. keep the LAN on 172.16/16 and move the WAN and Modem to 172.17/16.

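The subnet clash identified in this thread, checked with Python's standard `ipaddress` module. This is an added example, not part of the original posts; the function names are hypothetical, and the `10.1` host part of the suggested WAN address is an assumption, since the thread only gives 172.17/16.

```python
import ipaddress
from itertools import combinations

def audit_interfaces(interfaces):
    """Check a router's interface addresses (name -> 'ip/prefix').

    Returns (overlaps, non_private): pairs of interfaces whose connected
    networks overlap, and interfaces addressed outside private space.
    """
    nets = {n: ipaddress.ip_interface(a).network for n, a in interfaces.items()}
    overlaps = [(a, b) for (a, na), (b, nb) in combinations(nets.items(), 2)
                if na.overlaps(nb)]
    non_private = [n for n, net in nets.items() if not net.is_private]
    return overlaps, non_private

def claiming_interfaces(interfaces, host):
    """Interfaces whose connected network contains host.

    More than one result means the router cannot tell from the address
    alone which side the host lives on.
    """
    ip = ipaddress.ip_address(host)
    return [n for n, a in interfaces.items()
            if ip in ipaddress.ip_interface(a).network]

# Addresses as posted in the thread.
AS_POSTED = {"LAN": "172.16.100.1/16", "WAN": "172.16.10.1/16"}
# The experiment described in the thread: WAN changed to 173.16.10.1/16.
EXPERIMENT = {"LAN": "172.16.100.1/16", "WAN": "173.16.10.1/16"}
# Suggested layout: LAN stays on 172.16/16, WAN moves to 172.17/16.
# Host part 10.1 is an assumption carried over from the old WAN address.
SUGGESTED = {"LAN": "172.16.100.1/16", "WAN": "172.17.10.1/16"}
MODEM_AS_POSTED = "172.16.1.22"

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED),
                       ("experiment", EXPERIMENT),
                       ("suggested", SUGGESTED)):
        overlaps, non_private = audit_interfaces(cfg)
        print(f"{label}: overlaps={overlaps} non_private={non_private}")
    print("modem claimed by:", claiming_interfaces(AS_POSTED, MODEM_AS_POSTED))
```

The experiment with 173.16.10.1/16 removes the overlap but uses an address range outside private space, which the audit reports separately.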
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.