No access to device on separate LAN

DaHai8

I'm a pfSense NOOB, sorry.
I'm connected on my Laptop to my pfSense router on 192.168.2.185 on LAN2 - internet access and all.
I have a device (Raspberry Pi) on 192.168.1.4 on LAN1 - it has internet access as it is sending me emails and stuff and is in the ARP table.
But I can't Ping or SSH, or anything to my Pi from my Laptop.
I know I've screwed up something simple, just can't figure out where.
Any/all help, suggestions, etc. are greatly appreciated!!

KOM

What are your LAN2 firewall rules?  Post a screenshot.  Do you know for sure that your Pi responds to ping and SSH?

DaHai8

This is my Second LAN (Loki) that I'm connected on with my Laptop:

This is my First LAN (Sif) that has the Pi on:

Before installing pfSense, I was able to Ping and SSH into it from my laptop - of course it was on the same LAN (I only had one then). Now I need it on a separate LAN, but I thought I would be able to access any device regardless of the source and destination LAN.

Thanks for your help!

DaHai8

P.S. I can Ping my Pi from the pfSense Diagnostics / Ping utility, but not from my laptop on the separate LAN (Timeout)

If I select the Source Address in Diagnostics / Ping as LOKI, then Pings fail as well (timeout)

Derelict

Probably a local firewall on the Pi, which is a very common user configuration error when you can connect from the local subnet but not from others.

Or the default gateway on the Pi is wrong, which is a second almost equal user error when you can connect from the local subnet but not from others.

DaHai8

Derelict: Thank for the suggestion!
I think I input the iptables properly and my eth0 interface in dhcpcd.conf looks correct, but I still can't ping it from another subnet:
iptables-save shows:

-A INPUT -m iprange --src-range 192.168.3.0-192.168.3.255 -j ACCEPT
-A INPUT -m iprange --src-range 192.168.2.0-192.168.2.255 -j ACCEPT
-A INPUT -m iprange --src-range 192.168.1.0-192.168.1.255 -j ACCEPT

And dhcpcd.conf shows:

interface eth0
static ip_address=192.168.1.4/24
static routers=192.168.1.1
static domain_servers=192.168.1.1 8.8.8.8

Derelict

Diagnostics > Packet Capture on that pfSense interface. If you see the pings leaving and nothing coming back, you have it configured wrong.

You are passing any any any on that interface. It's almost certainly something on the pi. Packet Capture will tell exactly what's happening.

DaHai8

Thanks!
I'll take a look at Packet Capture.
I also posted a message about this on the Raspberry Pi forum since it is look like a Pi issue and not pfSense configuration.
When resolved, I'll post the fix here in case anyone else runs into this.

Thanks again for everyone's help!

DaHai8

I THINK I found the problem, but I have NO idea what happened!
Here's my Interfaces in pfSense (note 'Sif' IP address):

And here's my DHCP Configuration in Sif:

So, I plugged my Laptop into Sif with DHCP enabled and this is what I got!!!

Sif used to be 192.168.4.x, but I changed it yesterday back to its original 192.168.1.x. And I updated DHCP. And I applied all the changes. And I did that all again just now after it assigned me .4.x address.

What the HECK have I screwed up?!?!?!

johnpoz

did you delete any old leases..  If that box use to have a 192.168.4 it will ask for it again, if there is still a lease its possible that it could say sure go ahead even if the current pool is something else..  That would be my guess from the info you have given.

DaHai8

The old leases have no expired. Once I stopped and started the DHCP Service (thanks, Derelict!), it's now giving me IP Addresses and from the correct Pool.
I'm rebuilding the Pi with a clean Raspbian Lite image and going to test that out (I've probably mucked something up Royal on the old Pi).
I'll post back with the results (good or bad)…
Thanks again!
Can't say that enough here. This is a really awesome forum filled with great people!

DaHai8

Ok, I'm desperate and I know this is going to be out-of-scope for pfSense, so appologies up front.

My Pi is running OpenVPN Client over SSL (because it has too - it just does as required by the server. please don't even speculate)

When OpenVPN is running, it blocks out all other subnets on my router, except the one it is on.
So my options are:

1. Unblock the other subnets from my Pi when running OpenVPN
2. Figure out how to run OpenVPN over SSL within pfSense

On Option 1, I have a post in the OpenVPN forum, but its not as active as this forum. So any ideas here are VERY Welcome!

I figure for Option 2, I'm going to have to get into pfSense through SSH and manually install/configure stunnel - much like I did on the Pi.
Problem there is, while I have SSH enabled in pfSense, when I try to connect to 192.168.1.1 with PuTTY I get:

Couldn't agree on a key exchange algorithm (available: curve25519-sha256@libssh.org)

So I'm stuck there even before I get started.

Any ideas/suggestions/pointers are, as always, greatly appreciated.

johnpoz

"2) Figure out how to run OpenVPN over SSL within pfSense"

You mean run it over tcp port 443??  Or you mean run some vpn connection inside a stunnel?

"while I have SSH enabled in pfSense, when I try to connect to 192.168.1.1 with PuTTY I get:"

What version of putty are you using?  Pfsense did lock down their sshd awhile back to use current ciphers and algo's  The old version of putty does not support chacha20 or ed25519 for kex.  Use the dev version of putty..  It has support for new stuff for well over a year now.

On the putty download page go to the http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
The latest development snapshot

section..

The only reason you would have to run openvpn through a stunnel or ssh tunnel is there was DPI being used and they were blocking openvpn.. Which is kind of odd if they would allow a ssh connection, since you can for sure tunnel traffic through a ssh tunnel.

As stated in your other thread - it would be much easier to help you if you just gave us the whole picture of what your trying to accomplish exactly.  We can then discuss all the different ways to skin that particular cat..

DaHai8

I should have thought of upgrading PuTTY, my bad. I'm running around in circles trying to get everything working.
I am running OpenVPN through stunnel (SSL encapsulated VPN) TCP only (UDP doesn't work that way). Yes, its slooooow, but at least it works.
So, yes, I would need to install my multi-server client certificate in pfSense and install stunnel on pfSense as well and then have only the Loki Interface run through that service.
My original setup was:

Internet <--> Modem/Router combo <--> Pi (VPN/SSL) <--> Wifi Router <-> Me

Since it was a dual-NAT'd/Router setup, it was easy to just place the Pi between the two and make it the Gateway for the Wifi Router with the Modem/Router combo as the Gateway for the Pi.
Now I have a single Router/Nat (pfSense) and a simple Modem.

Internet <--> Modem <--> pfSense <--> Loki <--> Wifi AP <--> Me
                                  \-> Sif <--> Pi

I need the data from the WiFi AP on Loki to go to the Pi. Problem is, once OpenVPN is started on the Pi, it only accepts traffic from its own interface (subnet), Sif
I don't think I can put the Pi on Loki and direct the WiFi AP traffic to it, or maybe that is possible?
With my talent for mucking things up, I'm reluctant to install OpenVPN and stunnel on pfSense…
And that's my current conundrum...

DaHai8

See:```
https://forum.pfsense.org/index.php?topic=121732.0

This thread is done for me.

Thanks everyone!