New to pfSense, can't access web from LAN.



  • Hello
    I'm not even sure if this is the correct place to ask.
    I have a setup like this.
    ISP (DHCP 10.130.16.44/21) - pfSense 2.4.3 - 192.200.0.1/30
    192.200.0.2/30 - Cisco router 2811 - 192.168.1.254/24
    Cisco 2800 switch VLAN2 192.168.1.253, every used port is in no shutdown mode and switchport mode access VLAN2.
    192.168.1.1/24 DC with DNS and DHCP (scope 192.168.1.100-199)
    192.168.1.2/24 member server with secondary DNS
    192.168.1.3/24 member server with print server
    192.168.1.99/24 printer
    192.168.1.100/24 client PC (DHCP)

    Problem: from any PC/server I can ping all PCs/servers, the switch, and the LAN and WAN side of the router, but not the LAN side of pfSense, even though I have configured a rule for this.
    From the router I can ping the LAN side of pfSense, but not the WAN side; a rule has also been configured here.
    If I take the client PC, configure it with 192.200.0.2/30 instead of DHCP and plug it directly into pfSense, voila, internet. But otherwise not.
    I can't see what the error/errors I have made are. Any help is appreciated.



  • So you have a pfSense router in front of a Cisco router.
    Connecting a host directly to your pfSense, bypassing the Cisco, works.
    Why the router cascade?

    Your ISP really hands out an RFC1918 subnet, 10.130.16.44/21, to you? With a /21 mask, that's 2046 hosts? Strange setup. But there's something new every day...

    Edit:
    Sorry, forgot the obvious: did you uncheck "Block private networks and loopback addresses" on your WAN interface?
    While it's not causing your main problem it might help later on.



  • @jahonix
    I just want the pfSense to work as a firewall, not as a router.
    I'm in school, hence the DHCP address I get is a /21.



  • @simunf said in New to pfSense, can't access web from LAN.:

    From the router I can ping the LAN side of pfSense, but not the WAN side; a rule has also been configured here.

    What do you mean, pfSense WAN or the WAN gateway upstream?
    Ever tried a traceroute to your upstream WAN gateway to see where it hangs?
    Are you sure the IP ranges 192.200.0.0/30 and 10.130.16.0/21 aren't configured elsewhere in your 2811?



  • Also (unrelated): your 192.200.0.1/30 isn't a valid RFC1918 address for your transit network.


  • Rebel Alliance Global Moderator

    If you're creating a downstream network, what are your LAN rules, since 192.168.1 is not going to be included in "LAN net"?

    Also, you created the gateway that says to get to 192.168.1/24 talk to 192.200.0.2? Which, as mentioned already, is not RFC1918.

    Also, you didn't mess with outbound NAT, right? When you create your gateway and route to this 192.168.1 network it will auto-adjust your outbound NAT for the downstream network. Unless you set it to manual, etc.



  • @jahonix
    I have now unchecked this.



  • @jahonix
    Tracert stops at my router.



  • @heper
    Hello, I have changed my pfSense LAN IP to 172.16.0.1/30 and my router WAN to 172.16.0.2/30.
    Is this correct?



  • @johnpoz
    Hello, I have changed my pfSense LAN IP to 172.16.0.1/30 and my router WAN to 172.16.0.2/30.
    Is this correct?


  • Rebel Alliance Global Moderator

    Why do you have those rules on your WAN? Did you turn off NAT on pfSense?
    Your rule to allow ping to WAN net is pointless with that any/any rule below it.
    And when would the source ever be LAN address into LAN net?

    Where are your routes showing how to get to 192.168.1/24, and your gateway setup to it?



  • @johnpoz
    Hello John, I appreciate your help, I would like you to know that.
    I have deleted the WAN rules created by me.
    I have now turned off NAT on pfSense.
    I think I now understand the ping rule and the any rule :-)
    I don't get line 3, LAN into LAN?
    I have poked around and can't find the routes/gateway you mention.



  • @johnpoz
    Is this what you want from me?


  • Rebel Alliance Global Moderator

    @simunf said in New to pfSense, can't access web from LAN.:

    I have now turned off NAT on pfSense.

    NO... I didn't tell you to do that - I asked if you had, because that would be the only reason for such rules on your WAN.

    Rules are evaluated as traffic enters an interface from the network; how would LAN address EVER be the source of traffic entering the LAN interface?

    Did you create your gateway to your downstream router in
    System / Routing / Gateways?



  • @johnpoz
    I have found these. I have re-enabled auto NAT (as it was before).
    Thanks in advance. My workday is over for now.


  • Rebel Alliance Global Moderator

    And you have no gateway set up, so how is pfSense going to know to send traffic for 192.168.1/24 to your Cisco? It will just send traffic with that destination out its WAN.

    WTF is the route for 192.168.1.0/32 doing in there?



  • @johnpoz
    Good morning from Denmark :-)
    I have removed the route you mentioned and created this gateway.
    I'm sorry for the inconvenience.



  • I have now removed the Cisco router and changed the pfSense LAN IP to 192.168.1.254/24.
    And now I have net on all machines...
    It is not the setup I wanted, but for now it is the setup that works.


  • Rebel Alliance Global Moderator

    So the Cisco is 172.16.0.1? Or is that pfSense itself?

    Where is the route?

    Seems basic routing is beyond your current skill set - so why you would want to complicate it with a downstream router is beyond me.

    Cisco 2800 switch VLAN2 192.168.1.253, every used port is in no shutdown mode

    Also, you say every port? The port connected to pfSense, i.e. your transit network, would not be the same layer 2 network as your 192.168.1 network.
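The checks johnpoz walks through in this post and in the earlier one (RFC1918 transit addressing, a gateway plus static route on pfSense for the downstream subnet, LAN rules whose source actually covers the downstream subnet rather than just "LAN net", outbound NAT coverage, and rules that are redundant or can never match) can be written down as an audit. The script below is an added example, not code from the thread or from pfSense; the Plan and rule shapes are constructed here for illustration and are not pfSense's config format, and the "as posted" plan approximates the original poster's setup from the thread's description (public 192.200.0.0/30 transit, a stray 192.168.1.0/32 route, rules that only name the transit link).

```python
"""Audit a pfSense-in-front-of-a-downstream-router plan (added example, not pfSense code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# (action, protocol, source, destination); tokens follow pfSense's GUI wording.
Rule = Tuple[str, str, str, str]


def is_rfc1918(prefix: str) -> bool:
    """True if the prefix (host/len or network/len) lies entirely inside RFC1918 space."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)


@dataclass
class Plan:
    """Constructed model of the relevant pfSense settings; not the real config schema."""
    lan_if: str                       # pfSense LAN address on the transit link, e.g. "172.16.0.1/30"
    transit_gw: str                   # downstream router's address on that link
    downstream: List[str]             # subnets behind the downstream router
    static_routes: Dict[str, str]     # destination network -> gateway address
    lan_rules: List[Rule]             # LAN interface rules, top to bottom (first match wins)
    manual_outbound_nat: Optional[List[str]] = None  # None = automatic outbound NAT


def expand(plan: Plan, token: str) -> ipaddress.IPv4Network:
    """Resolve a rule token ('any', 'LAN net', 'LAN address' or a literal prefix) to a network."""
    lan = ipaddress.ip_interface(plan.lan_if)
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token == "LAN net":
        return lan.network                       # only the transit /30, not what sits behind the Cisco
    if token == "LAN address":
        return ipaddress.ip_network(f"{lan.ip}/32")
    return ipaddress.ip_network(token, strict=False)


def audit(plan: Plan) -> List[str]:
    """Return a list of findings; an empty list means the plan passes every check."""
    findings: List[str] = []
    lan = ipaddress.ip_interface(plan.lan_if)
    gw = ipaddress.ip_address(plan.transit_gw)

    if not is_rfc1918(plan.lan_if):
        findings.append(f"transit network {lan.network} is not RFC1918 space")
    if gw not in lan.network:
        findings.append(f"gateway {gw} is not on the transit network {lan.network}")

    for sub in plan.downstream:
        net = ipaddress.ip_network(sub)
        route_gw = plan.static_routes.get(str(net))
        if route_gw is None:
            findings.append(f"no static route for {net}: pfSense would send it out WAN")
        elif ipaddress.ip_address(route_gw) != gw:
            findings.append(f"route for {net} points at {route_gw}, not the downstream router {gw}")
        # A rule sourced from 'LAN net' never matches hosts behind the downstream router.
        if not any(a == "pass" and net.subnet_of(expand(plan, src))
                   for a, _p, src, _d in plan.lan_rules):
            findings.append(f"no LAN pass rule whose source covers {net}")
        # Automatic outbound NAT picks up statically routed networks; manual NAT must list them.
        if plan.manual_outbound_nat is not None and not any(
                net.subnet_of(ipaddress.ip_network(s, strict=False)) for s in plan.manual_outbound_nat):
            findings.append(f"manual outbound NAT does not cover {net}")

    for i, (action, proto, src, dst) in enumerate(plan.lan_rules):
        if src == "LAN address":
            findings.append(f"rule {i + 1}: 'LAN address' can never be the source of traffic entering LAN")
        # Simplified shadowing check: a later rule with the same action that covers this one's
        # protocol, source and destination makes this one pointless (ignores intervening rules).
        for action2, proto2, src2, dst2 in plan.lan_rules[i + 1:]:
            if (action2 == action and proto2 in ("any", proto)
                    and expand(plan, src).subnet_of(expand(plan, src2))
                    and expand(plan, dst).subnet_of(expand(plan, dst2))):
                findings.append(f"rule {i + 1} ({proto} {src} -> {dst}) is redundant: "
                                f"later rule ({proto2} {src2} -> {dst2}) has the same action")
                break
    return findings


# Constructed approximation of the setup described in the thread.
AS_POSTED = Plan(
    lan_if="192.200.0.1/30",
    transit_gw="192.200.0.2",
    downstream=["192.168.1.0/24"],
    static_routes={"192.168.1.0/32": "192.200.0.2"},
    lan_rules=[("pass", "icmp", "LAN address", "LAN net"),
               ("pass", "any", "LAN net", "any")],
)

# Corrected plan: RFC1918 transit, route via the Cisco, LAN rule sourced from the downstream subnet.
CORRECTED = Plan(
    lan_if="172.16.0.1/30",
    transit_gw="172.16.0.2",
    downstream=["192.168.1.0/24"],
    static_routes={"192.168.1.0/24": "172.16.0.2"},
    lan_rules=[("pass", "any", "192.168.1.0/24", "any"),
               ("pass", "any", "LAN net", "any")],
)

if __name__ == "__main__":
    for name, plan in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"{name}:", audit(plan) or ["ok"])
```

Running it prints five findings for the as-posted plan (non-RFC1918 transit, missing /24 route, no LAN rule covering 192.168.1.0/24, the impossible "LAN address" source, and the ping rule shadowed by the any/any rule below it) and none for the corrected one. The audit deliberately stays at the pfSense side: it does not model the Cisco's own routing or the layer 2 separation of the transit link, which still has to be on its own VLAN or port rather than in VLAN2 with the 192.168.1.0/24 hosts.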



© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy