Wrong configuration, but it works partially
-
@johnpoz Yes indeed sorry I made a mistake.
I am not 100% confortable with network diagrams sometimes I make mistakes.
So the IP 192.168.0.50 is the ip of my web interface and LAN.
The DNS are outside of my network / control. They are managed by my school.
And the Gateway I got on my Hyper-V is 10.3.17.1.
I dont know if this answers to your question ?
-
But your not showing on your diagram where this 172.20 network is - from your diagram there would be no way to get to those NS.
Is pfsense using those - how does it get to them? Or is pfsense just resolving, which is default?
-
Your HyperV server is using a static IP. Was that given to you to use by the network admin? Because if not that will break too if some other device uses it via DHCP.
Steve
-
Sorry for the late reply. I talked with an ICT guy in my native language. and he explained to me that it could not work properly.
I received my Hyper-V IP from the network admin and I should work only on that IP. I didn't notice that i could not use other IP's in this range.
Actually it was working so I didn't realize my config was wrong.The DNS 172.20 is not under my control and don' event know where it is
. I just received a machine with Hyper-V installed on it and 1 NIC (see below) 
With that I had to build on a virtual network. And as I said, I only received IP 10.3.17.27. Buy when I installed Pfsense received IP 10.3.17.4 in my configuration. It was working so I didn't notice that IP was not attributed to me.
I don't know if there is any solution to use IP 10.3.17.4 and redirect all the trafic to 10.3.17.27 like using 10.3.17.27 as gateway or something like that ?
-
If you can't get an additional IP to use you have few choices:
NAT that traffic in Hyper-V so the pfSense WAN is using some other subnet.
Assign the interface directly to the pfSense WAN so it uses 10.3.17.27 dircetly and Hyper-V does not have an IP in that subnet (or uses dhcp)
Leave the pfSense WAN as DHCP and find some other way of addressing it so you can access it on that. You never said if the upstream DNS servers can resolve local hostnames.
Steve
-
@stephenw10 I can't get an additional IP. I am trying to find out how to NAT my trafic in Hyper-V with the WAN interface but i'm not sure about how it works so i'm still reading som tutorials and forums. But I think this is what i am going to do.
I cannot assing the interface to my pfsense. I think there is a MAC filter who not allows me to send the trafic. I tried once, and lost my connectivity with the machine. the IT admins had to put my initial configuration back.
Should it work if I add a new vNIC with a fix ip and route all the network from the new vNIC to my WAN and using my vNIC as pfsense "WAN"
Its a bit tricky I know and i'm sorry for that.
Thank you for your answers
-
Yeah hyper-V can for sure nat.. So pfsense wan would be behind that nat as well as any other nats upstream.
If your saying there is a mac address filter, you could always have pfsense wan use that mac.. And don't put an address on that hyper-v interface.
-
This should probably work, but i'm afraid do to this. And losing my connectivity with the servers. All of this is visualized, so i will choose for Hyper-V NAT, but I am not sure about how it works I am still searching how to do it correctly.
I have a Little more question. should I use the mac spoof method on pfsense when use the nat or is it not needed ?
-
...and devices behind pfSense are behind it's NAT. Are you up to quad NAT at that point?
-
@stephenw10 what do you mean with "to quad NAT" ?
-
You have 4 devices all NATing the traffic between the inner clients and the public internet.
-
Which is just insane ;)
-
Yo dawg.....
-
Yeah i know, ... but i have to make my virtual network work.
I couldn't make it. Still searching a solution about how to make it work with this configuration :/
-
It will probably work fine with 4 layers if NAT, it's just ugly. Any of the solutions I suggested above will work here.
-
I'm I missing a nat?
internet - 1 Nat (company) -- (hyperV 2nd nat) -- (pfsense 3rd Nat)
-
Nah, probably me double counting at 2am!
-
Thank you very much guys for replying !! Really big thanks !
I just hang up with IT of my school and it seems that exactly as you thought someone is using the same IP as me.
He uses DHCP IP 10.3.17.4. Thats why sometimes it was working for me and sometimes not.
I could not figure out it was used, because even if i tried to ping i didn't receive an answer.
The IT person checked the logs and saw someone else was using it on another VM.
What I did to solve the problem: easy... you know it, I changed my IP. I am now using 10.3.17.250 who is not used by nobody in the network and it seems to be working (hope it will work until Monday midnight cross fingers!)
So I think my problem is solved !
I just have a stupid question about firewall rules to be sure i did not misunderstand it
I got 3 networks LAN, Guest(WIFI) and DMZ.
The DMZ should have acces to internet or not ? Every connection is allowed to the DMZ but what is allowed to go outside the dmz ?
Thank you very very very much guys !!! (if you are coming to Brussels i'll offer you a beer !
) -
@Farisse said in Wrong configuration, but it works partially:
10.3.17.250
Is that IP outside the DHCP range? If not it may fail again.
Whether or not the DMZ gas access to the internet is up to you. What is in it? Do those hosts need top pull OS updates for example? They will need to access the internet for that then or maybe some local update server if you have that.
Steve
-
Its inside the DHCP range, but apparently the IT guy told me that this IP has never been used by anyone. So I have a lot more chance that nobody will use it (we are 10 working on this DHCP range but no communication). So it may fail again, but the chance for someone using the same ip as me right know is low (hope to keep it like this
)I only have an webserver running on port 80. So I could let it open to update my wordpress but otherwise there is no specific rule for a DMZ that cannot acces to internet right ?
