Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Wrong configuration, but it works partially

    Scheduled Pinned Locked Moved General pfSense Questions
    29 Posts 3 Posters 2.3k Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F Offline
      Farisse @johnpoz
      last edited by

      @johnpoz Yes indeed sorry I made a mistake.

      I am not 100% confortable with network diagrams sometimes I make mistakes.

      So the IP 192.168.0.50 is the ip of my web interface and LAN. beff10b9-6669-4542-be5c-876c5ea03fd5-image.png

      The DNS are outside of my network / control. They are managed by my school.

      And the Gateway I got on my Hyper-V is 10.3.17.1.
      49374092-9b7f-49bd-aee6-35ebb6a54276-image.png

      I dont know if this answers to your question ?

      1 Reply Last reply Reply Quote 0
      • johnpozJ Online
        johnpoz LAYER 8 Global Moderator
        last edited by

        But your not showing on your diagram where this 172.20 network is - from your diagram there would be no way to get to those NS.

        Is pfsense using those - how does it get to them? Or is pfsense just resolving, which is default?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07

        F 1 Reply Last reply Reply Quote 1
        • stephenw10S Offline
          stephenw10 Netgate Administrator
          last edited by stephenw10

          Your HyperV server is using a static IP. Was that given to you to use by the network admin? Because if not that will break too if some other device uses it via DHCP.

          Steve

          1 Reply Last reply Reply Quote 1
          • F Offline
            Farisse @johnpoz
            last edited by

            @johnpoz & @stephenw10

            Sorry for the late reply. I talked with an ICT guy in my native language. and he explained to me that it could not work properly.

            I received my Hyper-V IP from the network admin and I should work only on that IP. I didn't notice that i could not use other IP's in this range.
            Actually it was working so I didn't realize my config was wrong.

            The DNS 172.20 is not under my control and don' event know where it is๐Ÿ˜ž . I just received a machine with Hyper-V installed on it and 1 NIC (see below) 18e6af8a-5f0e-467d-8b49-adcd1ec56f6d-image.png

            With that I had to build on a virtual network. And as I said, I only received IP 10.3.17.27. Buy when I installed Pfsense received IP 10.3.17.4 in my configuration. It was working so I didn't notice that IP was not attributed to me.

            I don't know if there is any solution to use IP 10.3.17.4 and redirect all the trafic to 10.3.17.27 like using 10.3.17.27 as gateway or something like that ?

            1 Reply Last reply Reply Quote 0
            • stephenw10S Offline
              stephenw10 Netgate Administrator
              last edited by

              If you can't get an additional IP to use you have few choices:

              NAT that traffic in Hyper-V so the pfSense WAN is using some other subnet.

              Assign the interface directly to the pfSense WAN so it uses 10.3.17.27 dircetly and Hyper-V does not have an IP in that subnet (or uses dhcp)

              Leave the pfSense WAN as DHCP and find some other way of addressing it so you can access it on that. You never said if the upstream DNS servers can resolve local hostnames.

              Steve

              F 1 Reply Last reply Reply Quote 1
              • F Offline
                Farisse @stephenw10
                last edited by

                @stephenw10 I can't get an additional IP. I am trying to find out how to NAT my trafic in Hyper-V with the WAN interface but i'm not sure about how it works so i'm still reading som tutorials and forums. But I think this is what i am going to do.

                I cannot assing the interface to my pfsense. I think there is a MAC filter who not allows me to send the trafic. I tried once, and lost my connectivity with the machine. the IT admins had to put my initial configuration back.

                Should it work if I add a new vNIC with a fix ip and route all the network from the new vNIC to my WAN and using my vNIC as pfsense "WAN"

                Its a bit tricky I know and i'm sorry for that.

                Thank you for your answers

                1 Reply Last reply Reply Quote 0
                • johnpozJ Online
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  Yeah hyper-V can for sure nat.. So pfsense wan would be behind that nat as well as any other nats upstream.

                  If your saying there is a mac address filter, you could always have pfsense wan use that mac.. And don't put an address on that hyper-v interface.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 25.07 | Lab VMs 2.8, 25.07

                  1 Reply Last reply Reply Quote 1
                  • F Offline
                    Farisse
                    last edited by

                    This should probably work, but i'm afraid do to this. And losing my connectivity with the servers. All of this is visualized, so i will choose for Hyper-V NAT, but I am not sure about how it works I am still searching how to do it correctly.

                    I have a Little more question. should I use the mac spoof method on pfsense when use the nat or is it not needed ?

                    1 Reply Last reply Reply Quote 0
                    • stephenw10S Offline
                      stephenw10 Netgate Administrator
                      last edited by stephenw10

                      ...and devices behind pfSense are behind it's NAT. Are you up to quad NAT at that point? ๐Ÿ˜ฌ

                      F 1 Reply Last reply Reply Quote 0
                      • F Offline
                        Farisse @stephenw10
                        last edited by

                        @stephenw10 what do you mean with "to quad NAT" ?

                        1 Reply Last reply Reply Quote 0
                        • stephenw10S Offline
                          stephenw10 Netgate Administrator
                          last edited by

                          You have 4 devices all NATing the traffic between the inner clients and the public internet.

                          1 Reply Last reply Reply Quote 0
                          • johnpozJ Online
                            johnpoz LAYER 8 Global Moderator
                            last edited by

                            Which is just insane ;)

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 25.07 | Lab VMs 2.8, 25.07

                            1 Reply Last reply Reply Quote 0
                            • stephenw10S Offline
                              stephenw10 Netgate Administrator
                              last edited by

                              Yo dawg.....

                              1 Reply Last reply Reply Quote 0
                              • F Offline
                                Farisse
                                last edited by

                                Yeah i know, ... but i have to make my virtual network work.

                                I couldn't make it. Still searching a solution about how to make it work with this configuration :/

                                1 Reply Last reply Reply Quote 0
                                • stephenw10S Offline
                                  stephenw10 Netgate Administrator
                                  last edited by

                                  It will probably work fine with 4 layers if NAT, it's just ugly. Any of the solutions I suggested above will work here.

                                  1 Reply Last reply Reply Quote 0
                                  • johnpozJ Online
                                    johnpoz LAYER 8 Global Moderator
                                    last edited by

                                    I'm I missing a nat?

                                    internet - 1 Nat (company) -- (hyperV 2nd nat) -- (pfsense 3rd Nat)

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 25.07 | Lab VMs 2.8, 25.07

                                    1 Reply Last reply Reply Quote 0
                                    • stephenw10S Offline
                                      stephenw10 Netgate Administrator
                                      last edited by

                                      Nah, probably me double counting at 2am!

                                      1 Reply Last reply Reply Quote 0
                                      • F Offline
                                        Farisse
                                        last edited by

                                        Thank you very much guys for replying !! Really big thanks !

                                        I just hang up with IT of my school and it seems that exactly as you thought someone is using the same IP as me.

                                        He uses DHCP IP 10.3.17.4. Thats why sometimes it was working for me and sometimes not.

                                        I could not figure out it was used, because even if i tried to ping i didn't receive an answer.

                                        The IT person checked the logs and saw someone else was using it on another VM.

                                        What I did to solve the problem: easy... you know it, I changed my IP. I am now using 10.3.17.250 who is not used by nobody in the network and it seems to be working (hope it will work until Monday midnight cross fingers!)

                                        So I think my problem is solved !

                                        I just have a stupid question about firewall rules to be sure i did not misunderstand it

                                        I got 3 networks LAN, Guest(WIFI) and DMZ.

                                        The DMZ should have acces to internet or not ? Every connection is allowed to the DMZ but what is allowed to go outside the dmz ?

                                        Thank you very very very much guys !!! (if you are coming to Brussels i'll offer you a beer ! โ™ฅ)

                                        1 Reply Last reply Reply Quote 0
                                        • stephenw10S Offline
                                          stephenw10 Netgate Administrator
                                          last edited by

                                          @Farisse said in Wrong configuration, but it works partially:

                                          10.3.17.250

                                          Is that IP outside the DHCP range? If not it may fail again.

                                          Whether or not the DMZ gas access to the internet is up to you. What is in it? Do those hosts need top pull OS updates for example? They will need to access the internet for that then or maybe some local update server if you have that.

                                          Steve

                                          1 Reply Last reply Reply Quote 1
                                          • F Offline
                                            Farisse
                                            last edited by

                                            Its inside the DHCP range, but apparently the IT guy told me that this IP has never been used by anyone. So I have a lot more chance that nobody will use it (we are 10 working on this DHCP range but no communication). So it may fail again, but the chance for someone using the same ip as me right know is low (hope to keep it like this๐Ÿ˜…)

                                            I only have an webserver running on port 80. So I could let it open to update my wordpress but otherwise there is no specific rule for a DMZ that cannot acces to internet right ?

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.