Cant un block Netgear switch GUI

qu101 · Sep 9, 2016, 11:50 AM

Seem to be having problems attempting to view the gui on a netgear 108tv2 switch from inside my LAN
have got access to the modem gui on 192.168.2.1 and have duplicated the all rules for that device but its being blocked somewhere but cant seem to see where or how to get access to the gui when its ip is allowed on the lan.
Anyone got any ideas?

Edit

Seems It cant be accessed direct via cable to a port from its address 192.16.0.239 - but outside wan is fine as is the modem on 192.168.2.1

johnpoz · Sep 9, 2016, 1:26 PM

huh?? Draw you network.. So your wan of pfsense is 182.168.2.?? and you lan network what? 192.16??? Was that a typo and your lan network is 192.168.0/24 Where are you trying to access this web gui from?? The wan/internet? So you need to port forwar

qu101 · Sep 9, 2016, 5:17 PM

Just attempting to look at settings and have lost all connection to the web gui for the pfsense box and removing the las few changes has not helped

Can ping it on 10.0.0.10 but not get into it - any ideas other than clean install and redo from saved config?

Edit - after several restore config and a few reboots GUI is back

My WAN is 192.168.2.1 (ip of modem which is PPPoA) into WAN
LAN 10.0.0.10
LAN set to reject ISP provided IP address if OPENVPN goes down - no connection to outside when VPN is down

LAN enabled to pass modem GUI stats page to LAN (10.0.0.0/24)

Attempting to access switch GIU on 192.162.0.239

Am pretty much a networking novice so get confused easily :(

johnpoz · Sep 9, 2016, 4:14 PM

"LAN enabled to pass modem GUI stats page to LAN (10.0.0.0/24)
Attempting to access switch GIU on 192.162.0.239 "

192.162??? So that is your public IP??

inetnum: 192.162.0.0 - 192.162.3.255
netname: NEW-RUSSIA-CTV-NETWORK
country: RU

What is the actual IP of your switch? On your lan 10.0.0/24 network?? Why would you want to access your switch gui from the public internet?

"LAN enabled to pass modem GUI stats page to LAN (10.0.0.0/24)

What does that mean??? Please post up your firewall rules on your wan, lan and your port forwards you have created..

So your lan 10.0.0/24 lets say your PC your using is 10.0.0.100, and switch is 10.0.0.101 why would you go to some public IP 192.162 to get to your switch? Do you want say ME from the public internet to be able to access your switch web gui? That is a really really bad IDEA to be honest. If you want to manage your switch while your off your remote from your network you should vpn into your network and access it via its rfc1918 address 10.0.0.?

If you want to be access from the public internet then you would have to setup a forward to its private IP, it would have to have a gateway set to be pfsense which I assume is 10.0.0.10/24

If you want to use that public IP while your on your lan then you would have to setup nat reflection, which again bad idea. If your on your lan, just use switches lan IP to access its web gui. doing so requires no rules or settings in pfsense since pfsense is gateway OFF your lan, that is all. devices on the same lan network do not talk to pfsense to talk to each other, other than maybe to ask dns that is pointed to pfsense what the IP of some fqdn your using for that device, say switch.yourlocaldomain.tld

qu101 · Sep 9, 2016, 5:24 PM

As you can see I am confused!!
My public ip address is gotten by the modem and the modem local address is 192.16.2.1

I've attempted to set up rules to allow connect the LAN on 10.0.0.10/24

firewall allow connection from wan to lan

and LAN to 192.168.2.1 (modem GIU)

Plus a reject the public ip from the LAN (if that's the correct term -in order to reject all connection to the internet when the open VPN connection has failed)

I don't want to access any of my local addresses from outside of the LAN network

I'd like to be able to administer the switch/s which at the moment is connected to the LAN with a GUI address of 192.16.0.239

johnpoz · Sep 9, 2016, 5:42 PM

"192.16.0.239"

Well where did it get that IP? If its on your lan it should have a lan IP ie something in 10.0.0/24 if that is your lan - either from your dhcp server or that you set statically. Is that your public IP? When a computer on your lan goes to the internet, go to say whats my ip .org and what does it show you as your public IP.. Does it list that 192.16 address which I show is RU IP.. are you in RU?

Dude is your pfsense lan 10.0.0/24 its 192.168.0/24 ??? From you outbound nat shows your firewall lan is 192.168.0??

Where did that network come from and why do you have 10.0.0/24 in your outbound nats? Why do you have all those floating rules?? What are all these openvpn_vlan interfaces?

Why don't you post a drawing of your network and how things are connected.. I am confused at what your trying to accomplish.. So modems don't have 192.168.2 addresses.. A gateway would, or just a normal router. Typical management IP of say a cable "modem" would be 192.168.100.1

Post up the interface page of pfsense so we can see what your actually working with and try and understand the setup you have and what your wanting to accomplish exactly. So your using manual outbound nat?? Why? See my outbound nat for example, 2nd pic While I do have manual setup for my vpn connection outbound to one of my vps's that I use for testing now and then..

qu101 · Sep 9, 2016, 6:06 PM

What I'm trying to do is connect via a modem which has 192.168.2.1 as its address and provides an PPPoA connection to my isp That is connected to the WAN port

The pfsense lan is set to 10.0.0.10/24

I have one openvpn client running at the moment

I have tried to set rules to reject connection to the internet via the public address provided by the ISP when the vpn is down

I have being working on setting up 3 vlans on an other spare NIC but these are not connected to anything at the moment

It looks like the dhcp server has given th swtich an LAN net address as I can now see it on 10.0.0.27

I'll try an draw what I'm trying to do and post it. Sorry for the simpleton understanding!

johnpoz · Sep 9, 2016, 6:30 PM

I have no idea what your trying to do with the modem_sats interface?? at 192.168.2.12 ??? Which is the same as your pfsense WAN!!

So your wanting to access your isp device at 192.168.2.1 from behind pfsense from a 10.0.0.x address? What are you wanting to do with modem_sats? Completely confused at what would be the point of this?? So your isp device, not really a modem if doing nat which clearly it is provides your pfsense a wan IP via dhcp.. this great! And sure pfsense can work behind a nat, and then nat again to your lan address space. This will all work out of the box without any special config.

There is nothing in your lan configs that shows anything at allow using your vpn connection for devices behind pfsense.. And they are all just a mess. For example in what scenario would a public 82.x.x.x be a source IP into your lan interface??

If I were you I would start over!!! remove all those rules on floating, remove all those other interfaces. You should have 2 interfaces your pfsense wan and your lan.. Then sure you can create a client connection from pfsense to to your vpn and we can work how how to send your clients through your vpn either all of them or based upon policy based routing, etc

I would not play with all your other vlan stuff until you have the basic config working. Which is I assume your clients on 10.0.0/24 access your "modems" interface at 192.168.2.1 which out of the box would work..

We can then get your clients routing out to the internet via your vpn if that is what you want. And sure if your vpn is down they would not be able to go anywhere.. That is a simple rule on your lan using your vpn connection as its gateway..

See the disabled rule on my lan, this is a rule I play with users need help routing traffic out a vpn connection. Normally its disabled, but I can for sure use my setup to show you examples of how to route traffic out a vpn service with this rule, be it specific IPs on your lan only, or all of them – you can get as fancy as you want, etc. And then with adjustment of your rules you can for sure prevent same clients from using the internet if your vpn is down, etc.

You can see how I have a gateway setup for my vpn connection, and have this vpn assigned to an interface in pfsense.

qu101 · Sep 10, 2016, 11:18 AM

First of all thanks for taking the time to help me on this.

Due to my lack of knowledge here the main point of my original question was solved using a iPhone app Fing which shows all the network connected devices and their IPs – needless to say the switch was assigned a 10.0.0.0/24 address by pfsense and is addressable from within the LAN.

The rules for my modem (192.168.2.1) are to enable access to its GUI to enter PPPoE settings and keep track of what its doing and reconnect/disconnect – etc etc. Its an ADLS system which requires user-name/password and other settings on the modem – unlike DOCSIS which uses the MAC address for authentication.

They were derived from https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall And seem to work as needed

Correct me if I'm wrong but could this give a me a double NAT problem?

All the VLAN stuff is pretty much off (I've disabled all the bits) was trying to get the main part working first.

The 82...** address is my ISP provided fixed IP address – I had attempted to block access to/from that when the VPN is down (that seems to work as is) by using a LAN firewall rule the reject source 82...** destination 10.0.0.0/24 (LAN) Using LAN interface for the rule

(not sure if this is a bad use of rules)

I've now disabled the above rule an added a VPN interface rule to allow the VPN IP to the LAN.net which seems to block access to the Internet when the VPN is down.

So Thanks again for your help!!

johnpoz · Sep 10, 2016, 12:12 PM

Those instructions are for when pfsense has a public IP on its wan and your trying to get to rfc1918 IP of the device that is providing pfsense its public IP. Or you creating a pppoe interface directly on pfsense, etc.. That is not your case at all. Your isp device your trying to access is 192.168.2.1, pfsense wan is on the 192.168.2 network. You should not have to do anything at all to be able to access that.

For example my cable modem web page for logs and status is 192.168.100.1, but my pfsense wan is public 24.13.x.x So normally if I try and go to a 192.168.100 network from my lan of 192.168.9 where would it go, well pfsense would look and see hey I don't have any interfaces on 192.168.100, I have no routes to 192.168.100 so guess just send it to my default route.. Which would be my isp 24.13.something And would not be able to access my modems IP.

But in the case of atleast my cable modem it works without having to do anything since the traffic is sent out my wan.. But sure I can follow those instructions and create a vip say 192.168.100.2 on my wan interface and then edit my outbound nat to use that vip, etc..

I don't know what you were doing though - no where in those instructions does it say anything about using the same freaking IP as your wan IP ;)

"VPN interface rule to allow the VPN IP to the LAN.net "

That makes no sense at all.. Post up your rules and lets take a look.. Why would you think you need a rule for your vpn IP to your lan??

As to being behind a double nat, you may not have any issues at all. You may have lots comes down to what your doing exactly. No a double nat is not a optimal sort of setup at all. But as long as you understand that you are behind one, and that if you want to port forward anything to something behind pfsense that you would have to forward first on your isp device to pfsense wan IP, or put pfsense wan IP in the dmz host of your isp router you should be fine.

qu101 · Sep 10, 2016, 6:42 PM

Thanks again!

Ok so I have now removed all the rules apart from:

Rules
LAN rule: LAN antilockout and LAN default LAN to any rule

WAN rule: WAN – all to all

NAT Rules
modem stats interface allow 10.0.0.0/24 to 192.168.2.0/24 modemstats address (if this is disabled the modem is not accessible) with this enabled its ok

LAN any to any - LAN address

OPENVPN interface any to any - openvn address

The only reason I was messing with the basic settings in the first palace was 1, I couldn't see the modem gui and 2, I needed internet access to be blocked when the VPN went down to prevent the real IP being revealed.
I had believed that pfsense automatically reverted to the isp address when the vpn went down and that was what I was experiencing hence the need to find a way round it.

The above settings seem to provide what I need (several reboots done as a check)

Am I still missing something?

Derelict · Sep 10, 2016, 7:13 PM

WAN rule: WAN – all to all

Probably not what you want. Should probably be deleted immediately.

qu101 · Sep 10, 2016, 7:21 PM

Thanks for that.
excuse my lack of knowledge but do a need a WAN rule at all if so what sort of settings would be appropriate ?

johnpoz · Sep 11, 2016, 2:55 PM

Unless you are doing port forward you have no need for any wan rules. Unless you want to answer ping? etc. Out of the box for your clients behind pfsense to use the internet you need no wan rules. Pfsense is stateful.. So if client asks for http://www.pfsense.org it knows to allow the answer and send back to the client.

But if some random IP sends traffic to your public out of the blue, ie unsolicited then the default block drops that traffic. So the only time you would need wan rule is if you forward ports in to stuff behind pfsense, or you want to access something remotely to pfsense wan IP directly like web gui, ssh, etc. Which normally would be a bad idea!!