Connecting two SG-1100's for Production and Lab
-
@csfshore So you are able to ping IP addresses like 8.8.8.8 from hosts on your lab LAN?
-
@bobbenheim Yes, I am able to ping external ip addresses
numerically, and external sites by name (www.apple.com, etc.)When I try www.apple.com (any external site) in browser, it just hangs
-
@csfshore Only rules needed would be allow all to any on OPT and of course NAT, which should already be present at your LAB SG-1100 by default.
Assuming you are using Windows have you checked something isn't blocked in the Windows firewall? -
@bobbenheim On a Mac, but firewall is not turned on.
My thinking is that I need a static route, as the ICMP (ping) stuff goes through, but the higher level TCP/UDP doesn't
Does that make sense?
-
@csfshore If you can ping external addresses then you have a route outside your network, if you can resolve FQDN (DNS) then you got UDP working. How does your rules on OPT and on your LAB SG-1100 looks like?
-
@bobbenheim Only 1 rule on OPT (upstream SG-1100)
"Default allow OPT to any rule"Downstream LAB LAN "Anti-Lock out rule" and
"Default allow LAN to any rule"I DO have a gateway in the downstream LAB SG-1100
which is set to the address of the downstream WAN port -
@csfshore You can try and do a packet capture on OPT and WAN in your LAB and see if anything gets through when your trying to access the WWW.
-
@bobbenheim OK thanks, that might be above my skill level, but I have been working my way through this and learning a lot. Appreciate your help. I know I could just
plug in a switch. :-)Let me ask this another way, should this work?
Is what I am doing so bizarre and specialized that
I am pushing the boundaries of networking?Perhaps rather than trying to troubleshoot, how would
this be set up with two out of the boxes SG-1100s?I have no issue with starting "fresh"
-
@csfshore It should be possible and i have done it before, when i have tested some equipment, just not with two PFSense units but that shouldn't make a difference.
Doing double NAT is just another problem to deal with and is easier just to avoid. If you have connectivity on your Production LAN you could reset your LAB unit and connect it to LAN instead of OPT to rule out miss configuration on your Production unit. -
@bobbenheim OK let me try that. The fact that I can connect directly to OPT and browse, suggests to me
that the issue is within the LAB box.FWIW I did run packet trace and looked at logs, and
while I am not exactly clear what I am looking at I see nothing out of the ordinary but this:/interfaces.php: Gateway, none 'available' for inet, use the first one configured. 'WAN_DHCP'
In looking through forums, that doesn't seem like a stopper
as it is not pervasive, just a few entries. -
@csfshore How are you configuring IP on WAN at LAB, static or DHCP?
-
@bobbenheim Static
-
@csfshore lol. Well while I can't help but think I have missed something very simple, and I appreciate the help, but I am out of ideas.
I dl the .iso and installed on a NUC. Same thing. I can ping
by name and numerically from the downstream LAN.I can browse externally using the upstream WAN cable (no connection to PfSense)
BUT when I am connected to downstream LAN, cannot
browse. Time for a switch! -
@csfshore Can you show a screenshot of your LAB WAN Static IPv4 Configuration
-
@bobbenheim Sure. However, as I biffed the drawing above, thought I would change IPs, just to ensure I'm on the right one.
To level set:
Upstream SG-1100 OPT (192.168.48.1) is connected to
NUC LAB WAN (192.168.48.2 OR DHCP) LAB LAN is 192.168.55.1When I use STATIC (as included) I am unable to ping EXTERNAL from LAB, when I use DHCP I am able to ping numerically and by name.
-
@csfshore As it says in the Static IPv4 Configuration field under IPv4 Upstream gateway you need to provide it with an upstream gateway, just enter 192.168.48.1.
-
@bobbenheim OK. I keep hearing about Static Routes.
Do I need a Static Route? -
@csfshore If you are using a static IP you need to provide a gateway, otherwise the LAB SG-1100 wouldn't know where the exit to the world is. If you add 192.168.48.1 as upstream gateway you should be set.
-
@bobbenheim :-(
No Luck.
Upstream OPT 192.168.48.1/24
Downstream WAN 192.168.48.2/24
iPv4 Upstream gateway (which I was prompted to create as there was none). 192.168.48.1 /24
Can (still) ping by name and numerically, browser just hangs
Plugged directly into OPT works -
@csfshore Have you tried using another DNS, e.g. 8.8.8.8, on your mac? Other than that you could try resetting the SG-1100.