Windows 10 login not working



  • Hi

    I'm running a pfSense in Transparent Mode in my network. Now I have problems logging in on my Surface 2 Pro. I'm always getting the message: You must be online the first time to complete your account setup.

    When I unplug the pfSense and connect the modem directly to my Cisco Switch, it's working without any problem. In the Status - System Logs - Firewall, I can't see anything that is blocking my login attempt.

    Can you please help me?

    Thanks


  • LAYER 8 Global Moderator

    Can we help you with that amount of info - NO..

    Other than you're doing something wrong.. What else would you like us to go over?  So if you're running in transparent mode?  What is doing the NAT?  Do you have multiple public IPs?

    Why do you want to run pfSense in transparent mode?  How exactly did you verify your connection was a working setup before you tried to log into some wifi?  If your wifi router is in front of pfSense - what would that have to do with anything?

    More than happy to help but you're going to need to provide more info.



  • Hi

    I have an ADSL Modem with one public IP (NAT is done by this modem).
    The Modem is connected on the WAN Port of the pfSense. The LAN Port of the pfSense is connected to my cisco switch, where all the devices are connected to.

    When I remove the pfSense and connect the ADSL Modem directly to the Cisco Switch, I can log in to Windows 10 without any problem. So my assumption is that pfSense is blocking some traffic. But when I check the log, I can't see any blocked traffic from this device.

    What else can I check on the pfSense to find the root cause of the problem? Maybe one of you has had similar issues with logins to Microsoft (live.com)?



  • Packet Trace shows:
    17:17:13.537522 IP 192.168.1.131.50030 > 131.253.61.80.443: tcp 0
    17:17:13.707694 IP 131.253.61.80.443 > 192.168.1.131.50030: tcp 0
    17:17:16.548574 IP 192.168.1.131.50030 > 131.253.61.80.443: tcp 0
    17:17:16.718489 IP 131.253.61.80.443 > 192.168.1.131.50030: tcp 0
    17:17:20.086588 IP 192.168.1.131.54495 > 94.245.121.253.3544: UDP, length 61
    17:17:20.139370 IP 94.245.121.253.3544 > 192.168.1.131.54495: UDP, length 109
    17:17:22.556470 IP 192.168.1.131.50030 > 131.253.61.80.443: tcp 0
    17:17:22.726707 IP 131.253.61.80.443 > 192.168.1.131.50030: tcp 0
    17:17:24.714343 ARP, Request who-has 192.168.1.1 (d4:7b:b0:d5:c4:c0) tell 192.168.1.131, length 46
    17:17:24.714587 ARP, Reply 192.168.1.1 is-at d4:7b:b0:d5:c4:c0, length 46
    17:17:34.567014 IP 192.168.1.131.50031 > 131.253.61.64.443: tcp 0
    17:17:34.734215 IP 131.253.61.64.443 > 192.168.1.131.50031: tcp 0
    17:17:37.566502 IP 192.168.1.131.50031 > 131.253.61.64.443: tcp 0
    17:17:37.732957 IP 131.253.61.64.443 > 192.168.1.131.50031: tcp 0
    17:17:39.742572 ARP, Request who-has 192.168.1.131 tell 192.168.1.1, length 46
    17:17:39.743934 ARP, Reply 192.168.1.131 is-at 28:18:78:57:97:9b, length 46
    17:17:43.572412 IP 192.168.1.131.50031 > 131.253.61.64.443: tcp 0
    17:17:43.739304 IP 131.253.61.64.443 > 192.168.1.131.50031: tcp 0


  • LAYER 8 Global Moderator

    Clearly from that sniff there is traffic flow and you're getting answers from public IPs..

    17:17:13.537522 IP 192.168.1.131.50030 > 131.253.61.80.443: tcp 0
    17:17:13.707694 IP 131.253.61.80.443 > 192.168.1.131.50030: tcp 0

    Where did you do that sniff?

    Maybe that answer is a RST??  From that amount of info I cannot really say what is happening.. Other than you sent a packet to that public IP and there was some sort of reply..

    You're doing an ARP to what I assume is your ISP device.. Not really a modem if it's doing NAT now, is it ;)
    17:17:24.714343 ARP, Request who-has 192.168.1.1 (d4:7b:b0:d5:c4:c0) tell 192.168.1.131, length 46
    17:17:24.714587 ARP, Reply 192.168.1.1 is-at d4:7b:b0:d5:c4:c0, length 46

    I show that d4:7b:b0 as ASKEY COMPUTER CORP.

    How exactly did you set up transparent mode?  Why would you not just put your ISP device into bridge mode or run double NAT?  What is providing wifi?  I assume your ISP device??  Which would be in front of pfSense anyway..  I have to assume your Surface Pro 2 is wifi, it's a tablet, is it not.. So wifi, not a wired connection to your Cisco switch.
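
Added example (not part of any post in this thread): a short Python script that groups the TCP lines of the capture posted above by connection and measures the gaps between the client's repeated packets. The summary output carries no TCP flags, so the script can only show that each connection keeps repeating empty packets at doubling intervals; telling a SYN/ACK from a RST in the replies needs the flags from the full capture. The function names are this example's own.

```python
import re
from collections import defaultdict

# Lines copied from the capture posted in this thread (no TCP flags shown).
CAPTURE = """\
17:17:13.537522 IP 192.168.1.131.50030 > 131.253.61.80.443: tcp 0
17:17:13.707694 IP 131.253.61.80.443 > 192.168.1.131.50030: tcp 0
17:17:16.548574 IP 192.168.1.131.50030 > 131.253.61.80.443: tcp 0
17:17:16.718489 IP 131.253.61.80.443 > 192.168.1.131.50030: tcp 0
17:17:20.086588 IP 192.168.1.131.54495 > 94.245.121.253.3544: UDP, length 61
17:17:22.556470 IP 192.168.1.131.50030 > 131.253.61.80.443: tcp 0
17:17:22.726707 IP 131.253.61.80.443 > 192.168.1.131.50030: tcp 0
17:17:34.567014 IP 192.168.1.131.50031 > 131.253.61.64.443: tcp 0
17:17:34.734215 IP 131.253.61.64.443 > 192.168.1.131.50031: tcp 0
17:17:37.566502 IP 192.168.1.131.50031 > 131.253.61.64.443: tcp 0
17:17:37.732957 IP 131.253.61.64.443 > 192.168.1.131.50031: tcp 0
17:17:43.572412 IP 192.168.1.131.50031 > 131.253.61.64.443: tcp 0
17:17:43.739304 IP 131.253.61.64.443 > 192.168.1.131.50031: tcp 0
"""
LINE = re.compile(r"(\d+):(\d+):(\d+\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): tcp 0$")

def flows_from(text, client="192.168.1.131"):
    """Group zero-payload TCP packets by (client port, server IP, server port)."""
    flows = defaultdict(lambda: {"out": [], "in": []})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # UDP, ARP and anything else is ignored
        h, mi, s, src, sport, dst, dport = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        if src == client:
            flows[(sport, dst, dport)]["out"].append(t)
        elif dst == client:
            flows[(dport, src, sport)]["in"].append(t)
    return flows

def report(text):
    """Per flow: rounded gaps between client packets, reply count, backoff flag."""
    result = {}
    for key, f in flows_from(text).items():
        gaps = [round(b - a) for a, b in zip(f["out"], f["out"][1:])]
        # Doubling gaps are consistent with the client retransmitting the
        # same segment, i.e. the connection never gets as far as carrying data.
        backoff = len(gaps) >= 2 and all(b == 2 * a for a, b in zip(gaps, gaps[1:]))
        result[key] = {"gaps": gaps, "replies": len(f["in"]), "repeats_with_backoff": backoff}
    return result

if __name__ == "__main__":
    print(report(CAPTURE))
```

Both connections show gaps of 3 and 6 seconds with one reply per attempt, so something answers every time and the client still retries.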



  • I did that sniff on the pfSense. (Diagnostic - Packet Capture)
    Yes, that's exactly the strange thing. 131.253.61.80 is a public IP from Microsoft. I can see that traffic is going out and some sort of reply. Without changing anything on my laptop, only removing the pfSense and cabling the ADSL Modem directly to my switch, the login is working. So it must be something with the config of the pfSense. But I can't find anything that is blocking or wrongly configured.


  • LAYER 8 Global Moderator

    How would pfsense have anything to do with wifi connection to your isp device??

    What is providing wifi to your tablet?  Your isp device or some AP connected to your switch?  How is that configured?  Is that IP address list your tablet IP 192.168.1.131?

    How did you configure pfSense in transparent mode - what are your firewall rules?  Clearly where you sniff you're seeing an answer from a public IP..  Load that up into Wireshark, post up the pcap..

    You did that sniff on what interface of pfsense?




  • A Ubiquiti wireless access point is connected to the Cisco switch. So all the traffic (wireline and wireless) has to pass the pfSense for connecting to the internet.
    Yes, 192.168.1.131 is the IP of the surface pro.

    IPv4 * LAN net * * * * none Default allow LAN to any rule    
    IPv6 * * * * * * none Default allow LAN IPv6 to any rule


  • LAYER 8 Global Moderator

    And how exactly did you set up pfSense in transparent mode?  To do that you need to set up a bridge.. So what are your rules on your bridge?  Where exactly did you do that sniff?  What interface of pfSense?



  • Set net.link.bridge.pfil_bridge to 1.
    Configured: BRIDGE0 with the 2 interfaces: WAN, LAN
    Sniff was on the LAN Interface, but on the WAN Interface I get the same results (because of the bridge config, or?)


  • LAYER 8 Global Moderator

    And what are your rules on your bridge interface?

    Again clearly you're seeing packets with some sort of reply.. Maybe it was RST??  So did you assign pfSense an IP to the bridge?  What interface did you assign to the bridge?  Did you make sure WAN and LAN don't have any IP?

    You're going to have to go into more detail on your bridge setup if you want help figuring out what you did wrong or what you forgot to do.  Why do you not put the ISP device into bridge mode or double NAT… What exactly are you thinking you're accomplishing via transparent mode?  Your ISP device is the NAT device so you have to set up the rules there for any port forwarding.  And then you would have to also allow that traffic on your pfSense.  If you're just going to do any any - what exactly does pfSense get you in this sort of setup?



  • On the LAN Interface, I configured an internal IP 192.168.1.10 for accessing the GUI of the pfSense.
    The WAN and OPT1 (Bridge) have no IP configuration.

    In the Firewall Rule configuration I have an outgoing any allow Rule on the LAN-Interface, on the WAN Interface I have one special rule for allowing openVPN and on the bridge interface is no rule configured.

    I'm just learning how to use the pfSense, so if I make any mistakes, I can just remove the pfSense and cable the modem directly and all the other devices are working without any IP changes or reconfigurations. Until now all is working fine. I can access the internet on all my other devices without any problem (Mac). But the only Windows system I have is making problems at the login when I have the pfSense between my modem and Cisco switch.


  • LAYER 8 Global Moderator

    "The WAN and OPT1 (Bridge) have no IP configuration."

    And that is not a valid configuration..

    If you're going to set up a transparent you would put your IP on the bridge interface and firewall on the bridge interface, etc.

    What does learning have to do with trying to set up a complex setup like a bridge?  Just turn on pfSense out of the box and everything will work with your double NAT..  Just make sure your pfSense LAN network is different than what your ISP router is using.



  • Hi

    I found a good document describing how to correctly set up a bridge:
    http://users.ox.ac.uk/~clas0415/assets/Setting-up-pfSense-as-a-Stateful-Bridging-Firewall-with-commodity-hardware.pdf

    After making all the steps described there, it worked fine. WAN and OPT1 still have no IP configuration. I think changing the advanced settings and disabling the auto-creation of NAT rules completely solved the problem.

    Thanks for your help.

