[SOLVED] Cannot Get back into WebGUI - No Network on LAN Port



  • ***Edit2 Changing title to solved. Please refer to post 23.

    ***Edit Updated the title as the forum discussion has shifted

    Hello,

    I have been messing around with this thing trying to get this thing to work to no avail. I read over the quick startup guide and then read the book and applied what I understood. POS still wouldn't work. I would get an IP from my ISP provider, but no network connection on my LAN.

    So I tried disabling the DHCP server and setting up the LAN port with DHCP. I thought maybe this was my issue. The only reason I disabled the DHCP server was due to the fact when I tried to give the LAN port a DHCP, the setting told me I had to disable the DHCP server. I thought it was weird honestly from my knowledge though limited, how the **** could the LAN port be setup with DHCP if I had to disable the DHCP server and get an IP address?

    Well now I cannot get back into the webGUI. Can I get back into this thing or should I just return it?


  • LAYER 8 Netgate

    Connect to the serial console to see what is really going on.



  • @Derelict:

    Connect to the serial console to see what is really going on.

    Thank you for the input. Tried to get a connection to no avail. This thing is bricked. 100+ dollars down the drain. I see you're a moderator so please close this thread. Going to find a better solution for a hardware firewall.



  • Have you tried setting a static IP on the same subnet the lan port is set to and try logging into the box?



  • @tripplex:

    Have you tried setting a static IP on the same subnet the lan port is set to and try logging into the box?

    I had to change the com port and start up putty. Then I had to unplug the device and replug it back in as I was trying to connect through putty. I was able to salvage it by resetting it which is good because now I am going to sell this thing and get back what money I can back out of it.

    Why make a device that doesn't work out of the box? I am getting an IP address from my ISP provider but no network on my LAN. And after googling the issue, it appears to not only be a huge problem, but no straight answer. Fuck this device and this firewall.

    Thank you for your time though.



  • What device ?
    By default, pfSense behaves as any other 'domestic ISP router' on the planet : hook up a switch to the LAN port, hook up a PC and all your other LAN to the switch and you're good.
    The part where you have to set it up, is the WAN part. You should know that about every ISP needs different settings to enable your Internet connection. You had some chance : it worked right away.

    I wonder where this logic came from :

    So I tried disabling the DHCP server and setting up the LAN port with DHCP. I thought maybe this was my issue. The only reason I disabled the DHCP server was due to the fact when I tried to give the LAN port a DHCP, the setting told me I had to disable the DHCP server. I thought it was weird honestly from my knowledge though limited, how the **** could the LAN port be setup with DHCP if I had to disable the DHCP server and get an IP address?

    Believe me, never saw something like that before.
    The default IP is just fine : 192.168.1.1/24 - DHCP server is running on the LAN segment to hand over IP's - as is done for half a century by now.

    Normally, people try things out before they invest. pfSense works great on an old zero $ worth PC. You just have to add a 5 $ extra Ethernet card on your up. Later on, you shift to a SG-1000 (example) when you start to think a 10 W device can do the same as a 300 W device with far less noise ;)

    Hundreds of thousands of companies and households use pfSense as their primary Internet access device, and more. Good to know is also : most of the operators (admin) never ever heard the word "router" or "firewall" in a classroom. They all learned this by READING about it. That's right, you can be a network expert if you know how to read. Period.



  • Normally, people try things out before they invest. pfSense works great on an old zero $ worth PC. You just have to add a 5 $ extra Ethernet card on your up. Later on, you shift to a SG-1000 (example) when you start to think a 10 W device can do the same as a 300 W device with far less noise ;)

    I agree.  I run pfSense on a refurb computer.  I had absolutely no problem getting it up and running.  Once installed, it was no more difficult to set up than a box from D-Link etc.


  • Netgate Administrator

    Yes, as others have said pfSense, by default, behaves as most other firewall/routers you have used do. It should give an IP via DHCP to a LAN connected client and that should then have access to the webgui and the internet if the WAN is UP. In your case it sounds like the WAN was UP.

    The most common cause of this not working is a subnet conflict, usually the WAN in 192.168.1.0/24 which the LAN uses by default. Or another DHCP server already on LAN.

    I'd be very interested to know what hardware you are using if it came with pfSense installed. If there is some issue with a specific NIC type for example we need to know about that to be able to correct it.

    Hardware incompatibility aside I'm sure we can help you get this setup and working.

    Steve



  • @Gertjan:

    What device ?
    By default, pfSense behaves as any other 'domestic ISP router' on the planet : hook up a switch to the LAN port, hook up a PC and all your other LAN to the switch and you're good.
    The part where you have to set it up, is the WAN part. You should know that about every ISP needs different settings to enable your Internet connection. You had some chance : it worked right away.

    I wonder where this logic came from :

    So I tried disabling the DHCP server and setting up the LAN port with DHCP. I thought maybe this was my issue. The only reason I disabled the DHCP server was due to the fact when I tried to give the LAN port a DHCP, the setting told me I had to disable the DHCP server. I thought it was weird honestly from my knowledge though limited, how the **** could the LAN port be setup with DHCP if I had to disable the DHCP server and get an IP address?

    Believe me, never saw something like that before.
    The default IP is just fine : 192.168.1.1/24 - DHCP server is running on the LAN segment to hand over IP's - as is done for half a century by now.

    Normally, people try things out before they invest. pfSense works great on an old zero $ worth PC. You just have to add a 5 $ extra Ethernet card on your up. Later on, you shift to a SG-1000 (example) when you start to think a 10 W device can do the same as a 300 W device with far less noise ;)

    Hundreds of thousands of companies and households use pfSense as their primary Internet access device, and more. Good to know is also : most of the operators (admin) never ever heard the word "router" or "firewall" in a classroom. They all learned this by READING about it. That's right, you can be a network expert if you know how to read. Period.

    I have the SG-1000 as a matter of fact. Now, I thought maybe after applying some settings after reading the book that maybe yeah… I screwed something up. I don't know much when it comes to networking or setting up a firewall, I'll admit. So after reading that even a "novice" like me can setup this thing up, I was thinking, "Great!".

    So after "locking" myself out of the device and being able to get back into it after resetting it. I decided to leave everything alone and just plug it in. Now, from my experience with installing a custom firmware on my router. I have to unplug my modem for 5 minutes to pull down a new IP from my ISP provider if I plug in any new device to the modem as it looks at the MAC address of that device. I thought maybe that was my issue. Still no network on the LAN port of the device. So then I thought, "Maybe it's the router. Let's eliminate that altogether and reboot the modem again. Plug in a machine directly to the LAN port and see what we get" Still no network on the LAN port. Okay, let's take to Google.

    After googling the issue I have come across a few "solutions"

    1. Make sure LAN has no gateway - Check

    2. Make sure firewall rules are in place for the LAN port to allow any connection in or out - check (this was defaulted, read some where to try to remove and re-add the rules. Still no luck.)

    3. Disable hardware checksum - check

    And there were a few others I cannot remember right now. Of course, before I went on to the "next solution" any modification I made I changed back to its default.

    Looking at the LAN port from my first post. When I first started to configure this thing and couldn't get it working. I noticed it was setup for static IP, this is defaulted. So I said to myself, "Self, let's change that to DHCP." Just messing around like you stated, but to get this thing to work! Well when I did so the firewall stated to disable the DHCP server in order to make that change on the LAN port. Again, I am no Einstein, but I thought, "How weird. How can DHCP work on the LAN port if the DHCP server is disabled"  And then I ended up locking myself out. I did not change a single defaulted IP address that the device was given during this or any other time.

    I want to thank you for your time.

    @JKnott:

    Normally, people try things out before they invest. pfSense works great on an old zero $ worth PC. You just have to add a 5 $ extra Ethernet card on your up. Later on, you shift to a SG-1000 (example) when you start to think a 10 W device can do the same as a 300 W device with far less noise ;)

    I agree.  I run pfSense on a refurb computer.  I had absolutely no problem getting it up and running.  Once installed, it was no more difficult to set up than a box from D-Link etc.

    Maybe that's my problem. Could be the hardware I am running this firewall on. Now only if I was smart enough to set it up on a old machine.



  • @stephenw10:

    Yes, as others have said pfSense, by default, behaves as most other firewall/routers you have used do. It should give an IP via DHCP to a LAN connected client and that should then have access to the webgui and the internet if the WAN is UP. In your case it sounds like the WAN was UP.

    The most common cause of this not working is a subnet conflict, usually the WAN in 192.168.1.0/24 which the LAN uses by default. Or another DHCP server already on LAN.

    I'd be very interested to know what hardware you are using if it came with pfSense installed. If there is some issue with a specific NIC type for example we need to know about that to be able to correct it.

    Hardware incompatibility aside I'm sure we can help you get this setup and working.

    Steve

    I have the SG-1000. I wanted the firewall to be compatible with the hardware. So I purchased this device as it would suit my needs.

    No other DHCP server on my LAN as I eliminated the router. I thought that was the issue as well. WAN is pulling down a class A network that starts with an IP address of 24.XXX.XXX.XXX no class C here. ( I am an idiot so if my knowledge is wrong I do apologize)

    Thank you for your time.


  • Netgate Administrator

    Ok, well that's definitely compatible with pfSense then.  ;)

    The LAN interface itself should always be set as static, as it is in default config. Setting that to DHCP configures it to get its IP from another DHCP server in that network like the WAN does. That is almost never the case.
    It cannot run a DHCP server on an interface that's itself set to DHCP as there is no subnet defined.

    By default when you connect a client to the LAN interface it should receive an IP in the 192.168.1.0/24 subnet. Did that happen?

    You made some changes to the config, were they in the webgui or from the console?

    If you could access the webgui but not anything on the internet that implies a different issue. The next thing to check at that point would be if the firewall itself has internet access. Go to Diagnostics > Ping and try to ping both 8.8.8.8 and google.com. If either of those fail note the failure error.

    Steve



  • @stephenw10:

    Ok, well that's definitely compatible with pfSense then.  ;)

    The LAN interface itself should always be set as static, as it is in default config. Setting that to DHCP configures it to get its IP from another DHCP server in that network like the WAN does. That is almost never the case.
    It cannot run a DHCP server on an interface that's itself set to DHCP as there is no subnet defined.

    By default when you connect a client to the LAN interface it should receive an IP in the 192.168.1.0/24 subnet. Did that happen?

    You made some changes to the config, were they in the webgui or from the console?

    If you could access the webgui but not anything on the internet that implies a different issue. The next thing to check at that point would be if the firewall itself has internet access. Go to Diagnostics > Ping and try to ping both 8.8.8.8 and google.com. If either of those fail note the failure error.

    Steve

    Yes, I am receiving a subnet of 192.168.1.0/24 After reading the book and seeing that chart. I made sure that the LAN port was setup for that class. It was defaulted so I left it alone.

    The changes I made or make are through the WebGUI. In no way would I be able to make changes in the console. Not at my level, ha ha ha Though I have read that some changes do not work with WebGUI. Not sure if this is true or not.

    I went to Diagnostics > Ping and tried to ping Google's DNS server and it worked. All three(3) packs passed (Ping only tried three(3) times). That was one(1) of the things I tried along my travels through Google.

    One thing I know is a fact is that the device is getting a network connection just fine. I had to update the firewall of the device and I was able to. Just for some reason somewhere down the line I cannot get a network connection on the LAN port. The lights light up on the port, though I don't know if this makes it a fact that it is indeed working?

    EDIT: forgot to mention, I tried Google.com as well with 100% success


  • Netgate Administrator

    Ok, so you previously had a connection on LAN but now you do not? Even after resetting it from the console?

    When you tried the ping test was it by IP only or were you able to ping by url also? You may have a DNS issue here. If that was the case then trying to ping anything from a client attached would have reported 'unable to resolve host' or similar.

    Steve



  • @stephenw10:

    Ok, so you previously had a connection on LAN but now you do not? Even after resetting it from the console?

    When you tried the ping test was it by IP only or were you able to ping by url also? You may have a DNS issue here. If that was the case then trying to ping anything from a client attached would have reported 'unable to resolve host' or similar.

    Steve

    I may have not made myself clear and for that I apologize. I have yet to receive a connection on the LAN port. Not when I configured it and not after I reset it back to its defaults and changed nothing to start with. Just to see if it would work.

    Again, sorry for not making myself clear. I was able to ping both IP and URL with a 100% success rate from the Diagnostics > Ping menu from the pfSense firewall's WebGUI

    When I try to ping either IP or URL from a client attached I get the "Destination host could not be reached" error

    If it is a DNS issue, which is something I thought might be the case. I did try to configure both DNS Forwarder and DNS Resolver respectively as you cannot have both running at the same time as I am sure you're more than well aware of. Again this was something I discovered through my travels through Google and any setting I made that did not work I changed back to its default before trying the next solution I found in regards to this or any other solution I found.



  • @stephenw10:

    You may have a DNS issue here.

    I agree. What do you find under System>General Setup "DNS Server Settings"?

    And please ping from Diagnostics>Ping the site www.Google.com and report your results.

    And to steal more great ideas from Stephen from another post…

    @stephenw10:

    Try going to Diag > DNS lookup and check google.com from there.

    Check Status > Services and make sure Unbound (the DNS resolver) is running. It should be by default.


  • Netgate Administrator

    @llabtaem:

    I have yet to receive a connection on the LAN port. Not when I configured it and not after I reset it back to its defaults and changed nothing to start with.

    Ok, we may have some confusion here. You have not been able to get a connection at any time on the LAN port?

    In which case how were you reaching the webgui? How are you defining connection?

    I expect that you connect your client either directly to the LAN port on the SG-1000 or via a switch and you will see link LEDs on both the client and the SG-1000. Then the client should receive an IP address.

    Steve



  • @Presbuteros:

    @stephenw10:

    You may have a DNS issue here.

    I agree. What do you find under System>General Setup "DNS Server Settings"?

    And please ping from Diagnostics>Ping the site www.Google.com and report your results.

    And to steal more great ideas from Stephen from another post…

    @stephenw10:

    Try going to Diag > DNS lookup and check google.com from there.

    Check Status > Services and make sure Unbound (the DNS resolver) is running. It should be by default.

    Under System > General Setup for DNS.

    1. There is no DNS Server in the DNS Servers field. The drop down box is set to "none"

    2. The DNS Server Override boolean is checked

    3. The Disable DNS Forwarder boolean is not checked

    Under Status > Services

    1. unbound (DNS Resolver) is running

    Again, I reset the device back to its defaults as these are the defaults. If this is supposed to work out of the box like a router should. Then it's starting to sound like faulty hardware.

    Thank you for your time



  • @stephenw10:

    @llabtaem:

    I have yet to receive a connection on the LAN port. Not when I configured it and not after I reset it back to its defaults and changed nothing to start with.

    Ok, we may have some confusion here. You have not been able to get a connection at any time on the LAN port?

    In which case how were you reaching the webgui? How are you defining connection?

    I expect that you connect your client either directly to the LAN port on the SG-1000 or via a switch and you will see link LEDs on both the client and the SG-1000. Then the client should receive an IP address.

    Steve

    Ah yes, I confused you. My apologies. I am able to get to the WebGUI from the LAN port via 192.168.1.1 from a web browser with a client directly plugged into the SG-1000 LAN port. I just cannot get a network connection from it no matter what I have tried.


  • Netgate Administrator

    Ok, it appears that Unbound is not able to provide DNS responses to clients for some reason. That may be shown as errors in the Unbound logs, Status > System Logs, Unbound tab.

    If that is the case you should be able to ping 8.8.8.8 from the lan side client still?

    It would also show in the output from Diag > DNS Lookup. That should show you the responses from every configured DNS source including Unbound at 127.0.0.1. If it shows a very high latency or no response from Unbound that's the problem. The firewall itself will attempt to use any available source eventually but clients will only use Unbound if it's configured.

    If you are seeing that  try going to Services > DNS resolver and enabling 'DNS Query Forwarding' and disabling 'DNSSEC'. Client will then get whatever DNS your ISP is supplying.

    Steve



  • @stephenw10:

    Ok, it appears that Unbound is not able to provide DNS responses to clients for some reason. That may be shown as errors in the Unbound logs, Status > System Logs, Unbound tab.

    If that is the case you should be able to ping 8.8.8.8 from the lan side client still?

    It would also show in the output from Diag > DNS Lookup. That should show you the responses from every configured DNS source including Unbound at 127.0.0.1. If it shows a very high latency or no response from Unbound that's the problem. The firewall itself will attempt to use any available source eventually but clients will only use Unbound if it's configured.

    If you are seeing that  try going to Services > DNS resolver and enabling 'DNS Query Forwarding' and disabling 'DNSSEC'. Client will then get whatever DNS your ISP is supplying.

    Steve

    I think the version you're running and the version I am running are different. I am running version 2.4.0-RC (there was another update just recently)

    I have Status > System Logs but no Outbound tab. I do have a DNS resolver tab that I clicked on. Here is a link with a few screen shots by the way https://imgur.com/a/1HXsL

    There is no DNS Resolver option under Diagnostics. Again I think this is due to the different versions.

    I did disable DNSSEC and enabled DNS Query Forwarding. It did not work.

    I am going to step away for a bit as I am really starting to get upset. I will come back in a few hours and see if anyone else can tell me what's going on. Try their solutions and if it doesn't work I am going to have to find another firewall solution as this is unacceptable and I will leave it at that.

    Thank you for your help and time Steve, Presbuteros and everyone else! It is greatly appreciated! You guys are a great community!


  • Netgate Administrator

    Sorry that's my fault the tab is named DNS Resolver not Unbound as you saw. I'm using 2.4-RC also. The logs there look normal, no errors shown.

    The option under Diagnostics is DNS Lookup not DNS resolver. That will show you what the response time of each configured source is.

    The only thing I'd like to see not shown in your screen shots is what error (or not) you see when trying to ping google.com from the client.

    Do you still have the default allow all firewall rule on the LAN interface?

    Steve



  • @stephenw10:

    Sorry that's my fault the tab is named DNS Resolver not Unbound as you saw. I'm using 2.4-RC also. The logs there look normal, no errors shown.

    The option under Diagnostics is DNS Lookup not DNS resolver. That will show you what the response time of each configured source is.

    The only thing I'd like to see not shown in your screen shots is what error (or not) you see when trying to ping google.com from the client.

    Do you still have the default allow all firewall rule on the LAN interface?

    Steve

    Hello again,

    So I updated the link https://imgur.com/a/1HXsL with the screen shots that include the following:

    1. Ping results from client when pinging URL

    2. DNS Server List from the System Information Panel from the Dashboard

    3. Firewall Rules for the LAN port

    4. And last but not least. The DNS Look up results

    I am pretty confident that with the results of the DNS Lookup will tell you what's wrong. The Query time has no response.



  • What is default gateway for the client?
    Also check that you have set one  on
    services-dhcp server-lan-other options (gateway 192.168.1.1) GUI page!



  • I will be kicking myself in the butt for this one for a long time. I found out what the issue was. Since I run a GNU/Linux OS I never reboot the device. This is the same device I was using as the client that was connected directly to the LAN port of the firewall. After thinking "Windows" I thought to myself. I should restart the network adapter. Lo and behold, the moment I did so I was receiving a network connection. So remember kids. Restart that network adapter!

    I will also go over a couple other things I discovered for someone else in the future as after I figured out my issue, I began to reconstruct my network. Upon adding my router back into the circle I ran into two other issues. So pay attention kids.

    1. If you are going from the Firewall to a router, DO NOT plug it into the WAN port of the router. Plug into one of the existing LAN ports. Follow the flow chart below:

    Modem >>> Firewall WAN >>> Firewall LAN >>> Router LAN >>> Switch (Optional) >>> Client

    2. Another thing I discovered. If you have your router setup to give out static IPs, disable all of them and reassign your Static IPs in the firewall. If you are not getting a connection, remember! Restart that network adapter!

    Again I want to thank you all for your help and time in this matter. Despite my frustration you guys never gave up on me. This truly is a great community! I cannot thank you all enough!

    And now, without further ado. Off to configure the device until I either make my network vulnerable or I lock myself out / receive no network connection again!  ;D

    EDIT: I thought I could click the Thanks button for everyone, but apparently it doesn't work that way. Sorry everyone, especially you Steve. Now I feel bad.


  • Netgate Administrator

    Ha, no need to feel bad, I'm glad you got up and running.  :)

    Steve
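
The checks the replies in this thread walk through (WAN/LAN subnet overlap, the client's lease and default gateway, ping by IP, then name resolution), put in order as an added Python example. It is not part of any post or of pfSense; the `ClientState` fields, result codes and sample addresses are constructed for illustration.

```python
"""LAN-client triage in the order the thread's replies check things (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Default pfSense LAN address quoted in the thread.
DEFAULT_LAN = "192.168.1.1/24"


@dataclass
class ClientState:
    """What a LAN client reports; every sample value used below is constructed."""
    address: Optional[str]   # CIDR address on the NIC, None if it has none
    gateway: Optional[str]   # default gateway, None if there is no default route
    ping_gateway: bool       # can it ping the firewall's LAN address?
    ping_ip: bool            # can it ping 8.8.8.8?
    resolve_name: bool       # can it resolve google.com?


def subnet_conflict(wan: str, lan: str = DEFAULT_LAN) -> bool:
    """True when the WAN network overlaps the LAN network."""
    wan_net = ipaddress.ip_interface(wan).network
    lan_net = ipaddress.ip_interface(lan).network
    return wan_net.overlaps(lan_net)


def triage(client: ClientState, wan: str, lan: str = DEFAULT_LAN) -> str:
    """Return the first failing layer, checked from the bottom up."""
    lan_if = ipaddress.ip_interface(lan)
    if subnet_conflict(wan, lan):
        return "subnet-conflict"
    # A client still holding an address from a previous network (or a
    # link-local 169.254.x.x one) has no usable lease on this LAN.
    if (client.address is None
            or ipaddress.ip_interface(client.address).ip not in lan_if.network):
        return "no-lan-lease"
    if (client.gateway is None
            or ipaddress.ip_address(client.gateway) != lan_if.ip):
        return "wrong-gateway"
    if not client.ping_gateway:
        return "lan-unreachable"
    if not client.ping_ip:
        return "no-route-out"
    if not client.resolve_name:
        return "dns"
    return "ok"


ADVICE = {
    "subnet-conflict": "WAN and LAN overlap; move one of them to another subnet.",
    "no-lan-lease": "Renew the DHCP lease or restart the client's network adapter.",
    "wrong-gateway": "Client gateway should be the firewall's LAN address.",
    "lan-unreachable": "Check link LEDs, cabling and the LAN firewall rule.",
    "no-route-out": "Run Diagnostics > Ping on the firewall to test the WAN side.",
    "dns": "Check Diagnostics > DNS Lookup and that the DNS Resolver is running.",
    "ok": "Client has a lease, a route out and working name resolution.",
}


if __name__ == "__main__":
    # Constructed sample: a client that kept the address of its old network.
    stale = ClientState("192.168.0.23/24", "192.168.0.1", False, False, False)
    result = triage(stale, wan="24.10.20.30/22")
    print(result, "->", ADVICE[result])
```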

