Solved - No access to WebGUI after setting interface addresses

coreybrett

Your LAN and OPT1 should be in different subnets.

For example...
LAN could be 192.168.10.1/255.255.255.0

and OPT1 could be 192.168.20.1/255.255.255.0

Having them both in the 192.168.1.0/24 net, will not work.

Gertjan

Extra detail :

@coreybrett proposed for LAN
192.168.10.1/24 (and not 192.168.1.1/24)
because your WAN (upstream router) already occupies
192.168.1.0/24

Having all or any interfaces on the same subnet ... won't work and is world's fastest way to "break the (local) net".

coreybrett

MEgearhead used the term "downstream" to describe the other router. I interpreted that to mean he has another router (perhaps WiFi) connected to the LAN of pfSense.

@MEgearhead Please clarify your configuration.

Is it...

MODEM -> pfSense -> Other Router

or...

MODEM -> Other Router -> pfSense ?

MEgearhead

Thanks for all the replies.

Downstream is correct

FiOS-->pfsense-->G1100 router

I also tried for OPT1
192.168.3.1/24; DHCP; Range 192.168.3.2 to 192.168.3.50

Either way, as soon as I assign the addresses from the console I cannot access the WebGUI.

Just in case it matters:
WAN is an Intel EXPI9301CT
LAN is a D-Link DGE 530-T
OPT1 is an Intel on board interface

Also, all existing devices connected to the downstream router (wired or wireless) access the internet and work correctly.

If I connect my laptop to OPT1 I can get an IP after ipconfig /release, ipconfig /renew, but don't have internet access.

Thanks again!

coreybrett

What is your end goal for the network design?

What are you connecting to the OPT1 interface?

Why do you have the G1100 router in the mix?

What address is the WAN of pfSense getting?

MEgearhead

What is your end goal for the network design?
For right now to run access logging at the head. Ultimately I might segregate my system for home automation, kids, normal.

What are you connecting to the OPT1 interface?
Nothing is normally connected to OPT1. For now I was just going to use it to periodically access WebGUI since the LAN adapter has only one port.

Why do you have the G1100 router in the mix?
I'm using it for wireless.

What address is the WAN of pfSense getting?
I'll have to get that later. It's 96.241.something if I remember correctly.

I tried to set the G1100 up as LAN/LAN and WAP but could not get that to work. The current configuration works with performance at least as good as the G1100 alone. I just can't access the WebGUI.

Maybe, I should also mention I'm using Google DNS servers on both pfsense and the G1100. Also, since LAN is only one port, I have to unplug the G1100 from LAN to attempt to access the WebGUI on LAN. I could go buy a switch, but I was trying to get something working (proof of concept) before I started spending too much.

Thanks again!

coreybrett

If you are serious about this, I would get yourself a few switches and an AP.

Cheap options...
Link: http://a.co/d/0opWq3K
Link: http://a.co/d/2hYxLf9

You can spend a lot more (and prob should), but these will get you started.

Remove the G1100 from the mix. (You don't want double NAT)

Reset the pfSense box to defaults.

Then set the LAN for 192.168.10.1/24

Set the OPT1 for 192.168.20.1/24

You can actually use any RFC1918 addresses, but the above will work fine.

I would recommend using the on-board NIC for the WAN.

You will need to connect to the GUI from the LAN interface, and create a Pass rule on the OPT1 interface. Until you do that, OPT1 will not have Internet access. You can copy the default Pass rule on the LAN for the OPT1.

I'm jealous that you have FIOS. ;-)

MEgearhead

I wondered if the G1100 might be part of the problem. I will try to set it up again with the G1100 unplugged, and see if that fixes it. It's just the internet and wireless are working so well.

So I'll try:
WAN DHCP
LAN 192.168.1.1/24; DHCP; Range 192.168.1.2 to 192.168.1.50
OPT1 192.168.10.1/24; DHCP; Range 192.168.10.2 to 192.168.10.50

I couldn't figure out how to set DHCP and the range up for LAN and OPT1 in the WebGUI the first time through so I assigned LAN 192.168.1.1/24 and left the rest default. Then I used selection 2 on the console to reassign both to include DHCP and the range. After this no more access to WebGUI.

I'll reset factory defaults and try again using the above and report back my. If it works I can always plug the G1100 back in and see if I lose WebGUI.

Other than my current WebGUI issue is there another reason for no double NAT? I've read it might slow things down, but I don't see that. It actually seems a little faster. I did change to Google DNS from whatever Verizon had set up in the G1100.

I was using the Intel PCIe card for the WAN because it should have the highest performance. The on board is only 100 not Gigabit.

Thanks again for all your help!

coreybrett

Is your FIOS tier higher than 100Mbits? If so, than use the on-board for OPT1 instead.

Double NAT can cause issues with a number of protocols, so best to just not go there.

You could use the G1100 as an AP by only connecting it to the network with it's LAN port. And making sure you disable it's DHCP server. However, that's not the cleanest solution and fraught with peril.

On another note, you might want to find a box with a newer CPU. The P4 is a pretty dated CPU. Is it 64bit? How much RAM? It will be stuck on the 2.4.x series of pfS.

MEgearhead

I have not had much time to look into this too much.
However, I was able to disconnect the G1100, reset factory defaults, and reconfigure the interfaces.

I now have access to the internet and WebGUI on LAN, and was able to enable OPT1 and copy two of the firewall rules from LAN to OPT1. I just copied them and changed LAN to OPT1 and LANnet to OPT1net. The port 80 and 443 rule at the top doesn't have a copy icon, and I couldn't figure out how to create a new rule similar to it.

When I connect my laptop to OPT1 I get an IP address (192.168.3.100), but I don't have internet access. If I ping the address for OPT1 (192.168.3.1) there is no response.

I wonder if the on-board interface just doesn't play well with pfsense.

I guess I should mention that everything is working fine through LAN now.

Hopefully I will have time this weekend to step through your suggestions in a little more methodical process.

Thanks again!

coreybrett

send screenshots of firewall rules

MEgearhead

I just remembered that I never answered your hardware question.

The CPU is a Pentium 4 HT 2.8GHz 64 bit.
2GB of memory
750 GB SATA II Hard drive.

I know the hardware isn't optimal, but from what I've read it should be sufficient to run what I need so I can decide if I can manage a DIY open source router, or if it's just too much for me, and I should just go for commercially available products or services.

Thanks!

MEgearhead

I'll send them when I can get back to it. I apologize, but unfortunately other things are getting in the way.

Thanks again for all your help!

MEgearhead

So It's now all working after a reboot. I don't know exactly what change made the difference. What I did was disconnect the downstream router, reset factory defaults, set up the interfaces using autodetect, and then configured the interfaces through WebGUI. After configuring the interfaces, I copied the two default rules from LAN to OPT1. I made an error first then corrected it. At this point LAN worked fine but I had no internet on OPT1.

Just so the family would have internet, I reconnected the downstream router since I ran out of time to work on it. When I came back to it later, I rebooted pfsense and everything now works. I thought I had tried that the night before, but I may not have after correcting errors in the copied firewall rules from LAN. (When I copied the rules I changed the interface from LAN to OPT1, but I forgot to also change the destination from LANnet to OPT1net.)

Thanks so much for all your help!

Here are the settings in case it helps someone else:
(Anything related to IPv6 or DHCPv6 is likely irrelevant for me as I don't think my connection supports it)

Interfaces/WAN:
IPv4 - DHCP
IPv6 - DHCP6

Interfaces/LAN:
General Configuration:
IPv4 Type - Static IPv4
IPv6 Type - Track Interface
Static IPv4 Configuration:
IPv4 Address - 192.168.1.1/24
IPv4 Upstream Gateway - None
IPv6 Configuration:
IPv6 Interface - WAN
IPv6 Prefix - 0

Interfaces/OPT1
General Configuration:
IPv4 Type - Static IPv4
IPv6 Type - None
Static IPv4 Configuration:
IPv4 Address - 192.168.3.1/24
IPv4 Upstream Gateway - None

Services/DHCP Server/LAN:
Enable - checked
Range - 192.168.1.100 to 192.168.1.199

Services/DHCP Server/OPT1:
Enable - checked
Range - 192.168.3.100 to 192.168.3.199

Services/DHCPv6 Server&RA/LAN/DHCPv6 Server
Enable - checked
Range - ::1000 to ::2000
Prefix Delegation Size - 48

Firewall/Rules/OPT1:
Edit Firewall Rule: (for first rule)
Action - Pass
Interface - OPT1
Address Family - IPv6
Protocol - Any
Source - OPT1net
Destination - any

Edit Firewall Rule: (for second rule)
Action - Pass
Interface - OPT1
Address Family - IPv4
Protocol - Any
Source - OPT1net
Destination - any

Settings for Verizon G1100 router:

My Network/Network Connections/Broadband Connection/Settings
Internet Protocol - Use the Following IP Address
IP Address - 192.168.1.200
Subnet Mask - 255.255.255.0
Default Gateway - 192.168.1.1

My Network/Network Connections/Network/Settings
Internet Protocol - Use the Following IP Address
IP Address - 192.168.2.1
Subnet Mask - 255.255.255.0
IP Address Distribution - DHCP Server
Start IP Address - 192.168.2.2
End IP Address - 192.168.2.199