Can't Access WebGUI via VPN?



  • Hi all,

    I have two local networks, both in physically different towns, one has the range of 10.0.0.1/24, the other is 10.0.1.1/24

    I have setup a site-to-site VPN between these two networks that I can confirm is working fine.

    I have PFS WebGUI running on the 10.0.1.1/24 range on 10.0.1.111.

    I am unable to ping 10.0.1.111 from the 10.0.0.1/24 network.

    Here are some rules I have set up.

    WAN

    LAN

    I know that the pfSense firewall is seeing the traffic from the 10.0.0.1/24 network as ICMP requests to 10.0.1.111 are being blocked by the firewall, even though I have created a rule directly from the firewall logs, as you will see in the screenshot above. However, even with this rule, I am still unable to ping 10.0.1.111 from my computer on 10.0.0.12.

    I want to be able to ping 10.0.1.111 and ultimately access the WebGUI from 10.0.0.12.

    What have I missed?

    Thanks



  • I do not have Block Private Networks, or Bogon Networks enabled either.


  • Rebel Alliance Global Moderator

    WTF dude why would you allow any any to your wan… You should TURN that OFF now!!!

    At least you have it limited to your WAN net, which is just the network your WAN is on, and not the whole internet

    Rules are evaluated on the interface the traffic would enter pfSense on, top down; the first rule to trigger wins and no others are evaluated.
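The evaluation model described in this reply (ingress interface only, top down, first match wins, implicit default deny) is easy to get wrong when a rule is added from the firewall log without checking which interface the packet actually arrived on. The following simulator is an added example, not code from the thread or from pfSense; the rulesets and the packet are constructed from the addresses in the thread (remote PC 10.0.0.12, pfSense at 10.0.1.111, a default "LAN net to any" rule), and the assumption that the USG delivers the remote PC's ping onto the 10.0.1.0/24 segment, so it enters pfSense on LAN, is mine. It shows three outcomes: an allow rule on the wrong interface does nothing, the same rule at the top of the ingress interface passes the packet, and the same rule placed below a broader block is never reached.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "any", "icmp", "tcp" or "udp"
    src: str      # CIDR, single host address, or "any"
    dst: str      # CIDR, single host address, or "any"
    descr: str = ""


def _in_net(spec, ip):
    """True when ip falls inside spec ("any" matches everything)."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    return ((rule.proto == "any" or rule.proto == pkt["proto"])
            and _in_net(rule.src, pkt["src"])
            and _in_net(rule.dst, pkt["dst"]))


def evaluate(rulesets, pkt):
    """Evaluate pkt against the ruleset of the interface it ENTERS on.
    Rules are walked top down; the first match decides and nothing below it
    is looked at. No match means the implicit default deny applies.
    Returns (action, description)."""
    for rule in rulesets.get(pkt["iface"], []):
        if rule_matches(rule, pkt):
            return rule.action, rule.descr
    return "block", "default deny (no rule on %s matched)" % pkt["iface"]


# Constructed ruleset: the default "LAN net to any" pass rule on LAN, and an
# ICMP allow for the remote PC that was created on WAN instead of LAN.
RULESETS = {
    "WAN": [
        Rule("pass", "icmp", "10.0.0.12", "10.0.1.111", "allow ping from remote PC"),
    ],
    "LAN": [
        Rule("pass", "any", "10.0.1.0/24", "any", "Default allow LAN to any"),
    ],
}

# Constructed packet: the remote PC's ping is routed by the USG onto the
# 10.0.1.0/24 segment, so it enters pfSense on LAN (assumption, see lead-in).
PING_FROM_REMOTE = {"iface": "LAN", "proto": "icmp",
                    "src": "10.0.0.12", "dst": "10.0.1.111"}


def misplaced_rule():
    """The WAN rule is never consulted for a packet entering on LAN, and the
    LAN rule's source (LAN net) does not cover 10.0.0.12 -> default deny."""
    return evaluate(RULESETS, PING_FROM_REMOTE)


def rule_on_ingress_interface():
    """The same allow rule placed at the top of LAN -> first match, pass."""
    fixed = {"WAN": RULESETS["WAN"],
             "LAN": [RULESETS["WAN"][0]] + RULESETS["LAN"]}
    return evaluate(fixed, PING_FROM_REMOTE)


def shadowed_rule():
    """Order matters: the allow rule placed below a broader block on LAN is
    never reached, because the block matches first."""
    shadowed = {"LAN": [Rule("block", "any", "any", "10.0.1.111", "block all to firewall"),
                        RULESETS["WAN"][0]]}
    return evaluate(shadowed, PING_FROM_REMOTE)


if __name__ == "__main__":
    for label, fn in [("rule on WAN, packet enters LAN", misplaced_rule),
                      ("rule at top of LAN", rule_on_ingress_interface),
                      ("rule below a block on LAN", shadowed_rule)]:
        print("%-32s -> %s" % (label, fn()))
```

When a log entry shows a block, the interface column of that entry is the ruleset to edit; the description returned by `evaluate` tells you which rule (or the default deny) produced the verdict, which is the same question to ask of the real rule set.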



  • @johnpoz:

    WTF dude why would you allow any any to your wan… You should TURN that OFF now!!!

    At least you have it limited to your WAN net, which is just the network your WAN is on, and not the whole internet

    lol, don't worry, the WAN is not currently in use!


  • Rebel Alliance Global Moderator

    Post up the rules you have on your VLAN interfaces. If your WAN is not active, where are you coming in from via VPN?



  • @johnpoz:

    Post up the rules you have on your VLAN interfaces. If your WAN is not active, where are you coming in from via VPN?

    Site-to-site VPN is taken care of by a Unifi USG.

    Here are the VLAN rules.



  • Since pfSense obviously is not the vpn endpoint, you need a static route to it.



  • @viragomann:

    Since pfSense obviously is not the vpn endpoint, you need a static route to it.

    Why?

    I can ping every other host on the 10.0.1.1/24 network from 10.0.0.1/24 network without an issue.

    pfSense LAN port is connected directly to port 12 on my Unifi switch.



    Do the LAN devices use another default gateway than pfSense?



  • @viragomann:

    Do the LAN devices use another default gateway than pfSense?

    Yes, all other LAN devices, including the pfSense WebGUI port use the Unifi USG as the gateway, which is on 10.0.1.1


  • Rebel Alliance Global Moderator

    So your pfSense WAN is what network… And that is downstream of your USG... which, btw, you make zero mention of in your first post.

    So these VLANs and management networks are downstream networks from your USG. Is pfSense NATting them? Or did you turn off NAT and let your USG NAT all the downstream networks?

    edit:  Whatever this wan network is, that you would allow access to stuff behind pfsense from these other routers... I have to assume this is where your usg connects is limited to only what the wan net is.. ie 10.0.2/24 ??



  • @johnpoz:

    So your pfSense WAN is what network… And that is downstream of your USG... which, btw, you make zero mention of in your first post.

    So these VLANs and management networks are downstream networks from your USG. Is pfSense NATting them? Or did you turn off NAT and let your USG NAT all the downstream networks?

    edit:  Whatever this wan network is, that you would allow access to stuff behind pfsense from these other routers... I have to assume this is where your usg connects is limited to only what the wan net is.. ie 10.0.2/24 ??

    Thanks for your help with this, I appreciate it very much.

    The pfSense WAN port is connected directly to the LAN2 port on my USG, with an IP of 10.0.10.14. The USG provides the pfSense WAN interface with the 10.0.10.14 IP via DHCP.

    Here is how the networks are configured on the USG

    Here are the NAT rules on pfSense, I have not changed these from the default settings.

    pfSense is providing DHCP for both the 55 and 99 VLANs, I have them set as "VLAN Only" on the USG so I can do VLAN tagging on certain switch ports.

    I find it odd that I can ping all hosts on the 10.0.1.1/24 network from the remote 10.0.0.1/24 network, except for the pfSense box on 10.0.1.111, even though there is a rule set to allow ICMP from 10.0.0.12, which is my MacBook.

    I have not tried to access the WebGUI via WAN side of the pfSense box from the 10.0.0.1/24 network. Perhaps I will try adding some rules to see if that works.

    The pfSense box has access to the internet, I can ping 8.8.8.8 fine from the ping tool in Diagnostics, and Traceroute to google.com gives the expected output. I can also ping 10.0.0.12 from the pfSense box.

    I am lost.



  • @DoZZa:

    Yes, all other LAN devices, including the pfSense WebGUI port use the Unifi USG as the gateway, which is on 10.0.1.1

    Let me recap:

    • The pfSense WAN interface is connected to your USG and has the IP 10.0.10.14/24. The WAN IP is pulled from a DHCP on the USG.

    • For whatever reason a second interface of pfSense is connected to the same USG and has the IP 10.0.1.111/24 out of your LAN.

    • The USG LAN IP 10.0.1.1 is set as default gateway on all LAN devices, including pfSense (sure?).

    • That also means there is no gateway set on the WAN interface. But it gets its settings from a DHCP, which usually also sets a GW.

    • The USG provides the site-to-site VPN to 10.0.0.0/24.

    ???

    A strange setup. Maybe you have reasons for this, we don't know.

    I guess you will have an issue of asymmetric routing due to that setup.
    Please post the pfSense routing table for clarity.


  • Rebel Alliance Global Moderator

    Yeah with viragomann here - that setup makes ZERO sense… I mean zero!!

    If you want to use your USG as your edge router then fine. But the only connection to the USG then should be pfSense WAN.. And pfSense would then be a downstream router, and should turn off NATting.. If you want to have other networks hanging off your USG.. Sure ok - but networks behind pfSense should not be connected..

    The connection of pfSense WAN to an upstream router becomes a transit network.. Only devices on this network should be the USG and pfSense - any other devices on this network would need to do host routing or you have asymmetrical routing.

    Have no idea what you're trying to accomplish exactly.. But seems like a mess.. If you want to fix it be happy to help, but draw out your network how you want it to work and then we can discuss how you would set that up..
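The asymmetric-routing concern raised in the two replies above (a transit network shared with other devices, and a second pfSense interface sitting on the USG's LAN) can be checked mechanically: trace the request and the reply hop by hop over each device's routing table, and flag every stateful device that does not see the reply on the same interface pair it saw the request on. The simulator below is an added example, not code from the thread or from either vendor. Its topology is constructed from the addresses given in the thread (USG at 10.0.1.1 and 10.0.10.1, pfSense WAN 10.0.10.14 and LAN 10.0.1.111, remote PC 10.0.0.12); the 172.16.0.0/30 tunnel addresses, the remote site's router, and a pfSense default route via the DHCP-supplied WAN gateway 10.0.10.1 are my assumptions, the last one being exactly the point viragomann marked "(sure?)". With that default route, the ping from the remote PC enters pfSense on LAN but the reply leaves via WAN, so both stateful devices are flagged; adding a route back towards the USG's LAN address makes the paths symmetric.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    addrs: list                                  # interface addresses, "ip/prefix"
    routes: list = field(default_factory=list)   # (prefix, next_hop) static routes
    stateful: bool = False                       # keeps per-flow firewall state?

    def ifaces(self):
        return [ipaddress.ip_interface(a) for a in self.addrs]

    def owns(self, ip):
        return any(i.ip == ip for i in self.ifaces())

    def next_hop(self, dst):
        """Longest-prefix match over connected networks and static routes.
        Returns the next-hop address (dst itself when directly connected)."""
        best_len, best_nh = -1, None
        for i in self.ifaces():
            if dst in i.network and i.network.prefixlen > best_len:
                best_len, best_nh = i.network.prefixlen, dst
        for prefix, nh in self.routes:
            net = ipaddress.ip_network(prefix)
            if dst in net and net.prefixlen > best_len:
                best_len, best_nh = net.prefixlen, ipaddress.ip_address(nh)
        return best_nh

    def egress(self, nh):
        """Address of the interface facing the next hop (None if none does)."""
        for i in self.ifaces():
            if nh in i.network:
                return i.ip
        return None


def trace(nodes, src, dst, max_hops=16):
    """Follow a packet hop by hop. Returns [(node, ingress_addr, egress_addr), ...];
    ingress is None on the source node, egress is None on the destination."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    node, in_addr, hops = next(n for n in nodes if n.owns(src)), None, []
    for _ in range(max_hops):
        if node.owns(dst):
            hops.append((node.name, in_addr, None))
            return hops
        nh = node.next_hop(dst)
        out = node.egress(nh) if nh is not None else None
        nxt = next((n for n in nodes if n.owns(nh)), None) if nh is not None else None
        if out is None or nxt is None:
            hops.append((node.name, in_addr, None))
            hops.append(("UNREACHABLE", None, None))
            return hops
        hops.append((node.name, in_addr, out))
        node, in_addr = nxt, nh
    raise RuntimeError("routing loop between %s and %s" % (src, dst))


def asymmetric_nodes(nodes, src, dst):
    """Names of stateful nodes that do not see the reply on the interface pair
    they saw the request on (or do not see the reply at all)."""
    fwd = trace(nodes, src, dst)
    rev = {name: (i, o) for name, i, o in trace(nodes, dst, src)}
    stateful = {n.name for n in nodes if n.stateful}
    bad = []
    for name, f_in, f_out in fwd:
        if name not in stateful:
            continue
        r = rev.get(name)
        if r is None or r[1] != f_in or r[0] != f_out:
            bad.append(name)
    return bad


def thread_topology(reply_via_lan=False):
    """Constructed model of the thread's setup (tunnel addresses and the
    pfSense default route are assumptions, see lead-in)."""
    pf_routes = [("0.0.0.0/0", "10.0.10.1")]              # assumed WAN DHCP gateway
    if reply_via_lan:
        pf_routes.insert(0, ("10.0.0.0/24", "10.0.1.1"))  # send replies back via LAN
    return [
        Node("remote_pc", ["10.0.0.12/24"], [("0.0.0.0/0", "10.0.0.1")]),
        Node("remote_router", ["10.0.0.1/24", "172.16.0.2/30"],
             [("10.0.1.0/24", "172.16.0.1")]),
        Node("usg", ["10.0.1.1/24", "10.0.10.1/24", "172.16.0.1/30"],
             [("10.0.0.0/24", "172.16.0.2")], stateful=True),
        Node("pfsense", ["10.0.10.14/24", "10.0.1.111/24", "10.0.55.1/24", "10.0.99.1/24"],
             pf_routes, stateful=True),
    ]


if __name__ == "__main__":
    for fixed in (False, True):
        topo = thread_topology(reply_via_lan=fixed)
        print("reply via LAN:", fixed)
        for hop in trace(topo, "10.0.0.12", "10.0.1.111"):
            print("   request", hop)
        for hop in trace(topo, "10.0.1.111", "10.0.0.12"):
            print("   reply  ", hop)
        print("   asymmetric at:", asymmetric_nodes(topo, "10.0.0.12", "10.0.1.111"))
```

The same check applies to the transit-network case described in the reply above: add a node for a host on 10.0.10.0/24 whose only route is a default via the USG, trace it to a VLAN 55 address, and the USG shows up as asymmetric until that host gets a host route for 10.0.55.0/24 via 10.0.10.14.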



  • Thanks for your help. Perhaps I have not given enough detail of what I am trying to achieve. I will do my best to explain.

    The diagram below shows how the devices are physically connected together. Perhaps I have not connected everything in a manner that will achieve what I want. I am learning!

    I have three ESXi hosts running various VMs, the ESXi hosts are configured with a Distributed Switch with VLAN 0, 55 and 99.

    VLAN 0 = 10.0.1.1/24
    VLAN 55 = 10.0.55.1/24
    VLAN 99 = 10.0.99.1/24

    I want the pfSense box to take care of the DHCP, DNS, IDS, IPS etc for the 55 & 99 VLANs. The Unifi USG takes care of DHCP, DNS etc for VLAN 0.

    I also want to be able to access the pfSense WebGUI from two hosts, one on the 10.0.1.1/24 network (no problems here, can access fine already), and the other on the 10.0.0.1/24 network which is a remote location connected to the USG via a VPN. I can access ALL devices on the 10.0.1.1/24 network from the 10.0.0.1/24 network EXCEPT for the pfSense WebGUI!!!???

    Management PC 01 on Local LAN= 10.0.1.10
    Management PC 02 on Remote LAN = 10.0.0.12

    Currently the VMs on both the 55 & 99 VLANs are getting IPs from the pfSense box just fine, they all have internet access too.

    Is there a better way for this to be done without having to use extra hardware?

    Thanks again :)


  • Rebel Alliance Global Moderator

    VLAN 0? You mean untagged? What is the VLAN ID on your Unifi switch?

    How exactly are your ESXi connected? Do they have multiple interfaces connected to multiple vswitches? Are you trunking to them with 4095 on your vswitch? Where is your vmkernel connected?

    What is on LAN 1 of your USG? You have it going to your switch… What VLAN is it in? Is it carrying multiple tagged networks? What is the untagged network on it, if any? What is the configuration on ports 3 and 2 that connect to pfSense?

    What is your gateway for your different VLANs? What networks do you have configured on your USG? Is it the gateway for any of those downstream networks?



  • @johnpoz:

    VLAN 0? You mean untagged? What is the VLAN ID on your Unifi switch?

    How exactly are your ESXi connected? Do they have multiple interfaces connected to multiple vswitches? Are you trunking to them with 4095 on your vswitch? Where is your vmkernel connected?

    What is on LAN 1 of your USG? You have it going to your switch… What VLAN is it in? Is it carrying multiple tagged networks? What is the untagged network on it, if any? What is the configuration on ports 3 and 2 that connect to pfSense?

    What is your gateway for your different VLANs? What networks do you have configured on your USG? Is it the gateway for any of those downstream networks?

    Yes, VLAN 0 meaning untagged. VLAN ID of the switch is 0, untagged.

    Each ESXi host has a Distributed Switch made up of several physical adapters which are connected directly to the Unifi switch. They are not trunked to 4095. The VMkernel is on the 10.0.1.1/24 network.

    The LAN1 on the USG is the 10.0.1.1/24 network. Port 1 is a trunk port, and so are the rest of the ports on the Unifi switch as the Distributed Switch takes care of the VLAN tagging on the ESXI hosts.

    The networks that are configured on the USG are:

    The USG is the gateway for the networks, but it sets individual gateway IP for each network range, 10.0.1.1, 10.0.10.1 etc etc.



  • Just to update this. It appears that the install on pfSense was somehow corrupt, a full reinstall gave me back access to the GUI via my VPN!