Solved - No access to WebGUI after setting interface addresses



  • Apologies first, being a complete noob. First attempt at pfsense. Have it installed on an old Pentium 4 HT machine. Got it running and was able to access WebGUI on LAN, but after configuring interface addresses in the console, I can no longer access the WebGUI through either LAN or OPT1. I would really like to be able to access it through either the downstream router or OPT1.

    Here's what I did: reset factory defaults, after using autodetect through the console to assign the interfaces, I went to 192.168.1.1 and was able to configure the WAN, LAN and OPT1, but I could not figure out how to set them to DHCP and the ranges in the WebGUI.

    I used the console to reset the interface addresses as follows:
    WAN DHCP
    LAN 192.168.1.1; Subnet mask 255.255.255.0; DHCP; Range 192.168.1.2 to 192.168.1.50
    OPT1 192.168.1.101; Subnet mask 255.255.255.0; DHCP; Range 192.168.102 to 192.168.1.150

    Now I cannot connect to the WebGUI using 192.168.1.1 when I connect my laptop to either the LAN or OPT1. I am at a complete loss.

    The whole intent was to run squid and snort, but I need to use the WebGUI to set that up.

    Note the downstream router is:
    WAN 192.168.1.51; Static; Subnet mask 255.255.255.0
    LAN 192.168.2.1; Subnet mask 255.255.255.0; DHCP; Range 192.168.2.2 to 192.168.2.50

    Thanks for any help!



  • Your LAN and OPT1 should be in different subnets.

    For example...
    LAN could be 192.168.10.1/255.255.255.0

    and OPT1 could be 192.168.20.1/255.255.255.0

    Having them both in the 192.168.1.0/24 net will not work.



  • Extra detail:

    @coreybrett proposed for LAN
    192.168.10.1/24 (and not 192.168.1.1/24)
    because your WAN (upstream router) already occupies
    192.168.1.0/24

    Having all or any interfaces on the same subnet ... won't work and is the world's fastest way to "break the (local) net".



  • MEgearhead used the term "downstream" to describe the other router. I interpreted that to mean he has another router (perhaps WiFi) connected to the LAN of pfSense.

    @MEgearhead Please clarify your configuration.

    Is it...

    MODEM -> pfSense -> Other Router

    or...

    MODEM -> Other Router -> pfSense ?



  • Thanks for all the replies.

    Downstream is correct

    FiOS-->pfsense-->G1100 router

    I also tried for OPT1
    192.168.3.1/24; DHCP; Range 192.168.3.2 to 192.168.3.50

    Either way, as soon as I assign the addresses from the console I cannot access the WebGUI.

    Just in case it matters:
    WAN is an Intel EXPI9301CT
    LAN is a D-Link DGE 530-T
    OPT1 is an Intel on board interface

    Also, all existing devices connected to the downstream router (wired or wireless) access the internet and work correctly.

    If I connect my laptop to OPT1 I can get an IP after ipconfig /release, ipconfig /renew, but don't have internet access.

    Thanks again!



  • What is your end goal for the network design?

    What are you connecting to the OPT1 interface?

    Why do you have the G1100 router in the mix?

    What address is the WAN of pfSense getting?



  • What is your end goal for the network design?
    For right now to run access logging at the head. Ultimately I might segregate my system for home automation, kids, normal.

    What are you connecting to the OPT1 interface?
    Nothing is normally connected to OPT1. For now I was just going to use it to periodically access WebGUI since the LAN adapter has only one port.

    Why do you have the G1100 router in the mix?
    I'm using it for wireless.

    What address is the WAN of pfSense getting?
    I'll have to get that later. It's 96.241.something if I remember correctly.

    I tried to set the G1100 up as LAN/LAN and WAP but could not get that to work. The current configuration works with performance at least as good as the G1100 alone. I just can't access the WebGUI.

    Maybe, I should also mention I'm using Google DNS servers on both pfsense and the G1100. Also, since LAN is only one port, I have to unplug the G1100 from LAN to attempt to access the WebGUI on LAN. I could go buy a switch, but I was trying to get something working (proof of concept) before I started spending too much.

    Thanks again!



  • If you are serious about this, I would get yourself a few switches and an AP.

    Cheap options...
    Link: http://a.co/d/0opWq3K
    Link: http://a.co/d/2hYxLf9

    You can spend a lot more (and prob should), but these will get you started.

    Remove the G1100 from the mix. (You don't want double NAT)

    Reset the pfSense box to defaults.

    Then set the LAN for 192.168.10.1/24

    Set the OPT1 for 192.168.20.1/24

    You can actually use any RFC1918 addresses, but the above will work fine.

    I would recommend using the on-board NIC for the WAN.

    You will need to connect to the GUI from the LAN interface, and create a Pass rule on the OPT1 interface. Until you do that, OPT1 will not have Internet access. You can copy the default Pass rule on the LAN for the OPT1.

    I'm jealous that you have FIOS. ;-)



  • I wondered if the G1100 might be part of the problem. I will try to set it up again with the G1100 unplugged, and see if that fixes it. It's just the internet and wireless are working so well.

    So I'll try:
    WAN DHCP
    LAN 192.168.1.1/24; DHCP; Range 192.168.1.2 to 192.168.1.50
    OPT1 192.168.10.1/24; DHCP; Range 192.168.10.2 to 192.168.10.50

    I couldn't figure out how to set DHCP and the range up for LAN and OPT1 in the WebGUI the first time through so I assigned LAN 192.168.1.1/24 and left the rest default. Then I used selection 2 on the console to reassign both to include DHCP and the range. After this no more access to WebGUI.

    I'll reset factory defaults and try again using the above and report back. If it works I can always plug the G1100 back in and see if I lose WebGUI.

    Other than my current WebGUI issue is there another reason for no double NAT? I've read it might slow things down, but I don't see that. It actually seems a little faster. I did change to Google DNS from whatever Verizon had set up in the G1100.

    I was using the Intel PCIe card for the WAN because it should have the highest performance. The on board is only 100 not Gigabit.

    Thanks again for all your help!



  • Is your FIOS tier higher than 100Mbits? If so, then use the on-board for OPT1 instead.

    Double NAT can cause issues with a number of protocols, so best to just not go there.

    You could use the G1100 as an AP by only connecting it to the network with its LAN port. And making sure you disable its DHCP server. However, that's not the cleanest solution and fraught with peril.

    On another note, you might want to find a box with a newer CPU. The P4 is a pretty dated CPU. Is it 64bit? How much RAM? It will be stuck on the 2.4.x series of pfS.



  • I have not had much time to look into this too much.
    However, I was able to disconnect the G1100, reset factory defaults, and reconfigure the interfaces.

    I now have access to the internet and WebGUI on LAN, and was able to enable OPT1 and copy two of the firewall rules from LAN to OPT1. I just copied them and changed LAN to OPT1 and LANnet to OPT1net. The port 80 and 443 rule at the top doesn't have a copy icon, and I couldn't figure out how to create a new rule similar to it.

    When I connect my laptop to OPT1 I get an IP address (192.168.3.100), but I don't have internet access. If I ping the address for OPT1 (192.168.3.1) there is no response.

    I wonder if the on-board interface just doesn't play well with pfsense.

    I guess I should mention that everything is working fine through LAN now.

    Hopefully I will have time this weekend to step through your suggestions in a little more methodical process.

    Thanks again!



  • send screenshots of firewall rules



  • I just remembered that I never answered your hardware question.

    The CPU is a Pentium 4 HT 2.8GHz 64 bit.
    2GB of memory
    750 GB SATA II Hard drive.

    I know the hardware isn't optimal, but from what I've read it should be sufficient to run what I need so I can decide if I can manage a DIY open source router, or if it's just too much for me, and I should just go for commercially available products or services.

    Thanks!



  • I'll send them when I can get back to it. I apologize, but unfortunately other things are getting in the way.

    Thanks again for all your help!



  • So it's now all working after a reboot. I don't know exactly what change made the difference. What I did was disconnect the downstream router, reset factory defaults, set up the interfaces using autodetect, and then configured the interfaces through WebGUI. After configuring the interfaces, I copied the two default rules from LAN to OPT1. I made an error first then corrected it. At this point LAN worked fine but I had no internet on OPT1.

    Just so the family would have internet, I reconnected the downstream router since I ran out of time to work on it. When I came back to it later, I rebooted pfsense and everything now works. I thought I had tried that the night before, but I may not have after correcting errors in the copied firewall rules from LAN. (When I copied the rules I changed the interface from LAN to OPT1, but I forgot to also change the destination from LANnet to OPT1net.)

    Thanks so much for all your help!

    Here are the settings in case it helps someone else:
    (Anything related to IPv6 or DHCPv6 is likely irrelevant for me as I don't think my connection supports it)

    Interfaces/WAN:
    IPv4 - DHCP
    IPv6 - DHCP6

    Interfaces/LAN:
    General Configuration:
    IPv4 Type - Static IPv4
    IPv6 Type - Track Interface
    Static IPv4 Configuration:
    IPv4 Address - 192.168.1.1/24
    IPv4 Upstream Gateway - None
    IPv6 Configuration:
    IPv6 Interface - WAN
    IPv6 Prefix - 0

    Interfaces/OPT1
    General Configuration:
    IPv4 Type - Static IPv4
    IPv6 Type - None
    Static IPv4 Configuration:
    IPv4 Address - 192.168.3.1/24
    IPv4 Upstream Gateway - None

    Services/DHCP Server/LAN:
    Enable - checked
    Range - 192.168.1.100 to 192.168.1.199

    Services/DHCP Server/OPT1:
    Enable - checked
    Range - 192.168.3.100 to 192.168.3.199

    Services/DHCPv6 Server&RA/LAN/DHCPv6 Server
    Enable - checked
    Range - ::1000 to ::2000
    Prefix Delegation Size - 48

    Firewall/Rules/OPT1:
    Edit Firewall Rule: (for first rule)
    Action - Pass
    Interface - OPT1
    Address Family - IPv6
    Protocol - Any
    Source - OPT1net
    Destination - any

    Edit Firewall Rule: (for second rule)
    Action - Pass
    Interface - OPT1
    Address Family - IPv4
    Protocol - Any
    Source - OPT1net
    Destination - any

    Settings for Verizon G1100 router:

    My Network/Network Connections/Broadband Connection/Settings
    Internet Protocol - Use the Following IP Address
    IP Address - 192.168.1.200
    Subnet Mask - 255.255.255.0
    Default Gateway - 192.168.1.1

    My Network/Network Connections/Network/Settings
    Internet Protocol - Use the Following IP Address
    IP Address - 192.168.2.1
    Subnet Mask - 255.255.255.0
    IP Address Distribution - DHCP Server
    Start IP Address - 192.168.2.2
    End IP Address - 192.168.2.199
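
The subnet rule from the replies, checked against the settings quoted in this thread, as an added example that is not part of any post. `check_plan` and the two dictionaries are hypothetical names; the addresses are copied as typed from the first and last posts, and only Python's standard `ipaddress` module is used.

```python
import ipaddress
from itertools import combinations

# Constructed from the thread: console settings in the first post (typed as
# posted) and the working settings in the last post. WAN is DHCP, so omitted.
FIRST_ATTEMPT = {
    "LAN": ("192.168.1.1/24", "192.168.1.2", "192.168.1.50"),
    "OPT1": ("192.168.1.101/24", "192.168.102", "192.168.1.150"),
}
WORKING = {
    "LAN": ("192.168.1.1/24", "192.168.1.100", "192.168.1.199"),
    "OPT1": ("192.168.3.1/24", "192.168.3.100", "192.168.3.199"),
}


def check_plan(plan):
    """Return a list of problems in an interface/DHCP plan (hypothetical helper)."""
    problems = []
    ifaces = {}
    for name, (cidr, start, end) in plan.items():
        iface = ipaddress.ip_interface(cidr)
        ifaces[name] = iface
        try:
            lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        except ValueError as exc:
            # A mistyped address is reported instead of aborting the check.
            problems.append(f"{name}: bad DHCP range ({exc})")
            continue
        if lo > hi:
            problems.append(f"{name}: DHCP range start is above end")
        if lo not in iface.network or hi not in iface.network:
            problems.append(f"{name}: DHCP range is outside {iface.network}")
        if lo <= iface.ip <= hi:
            problems.append(f"{name}: DHCP range includes the interface address")
    # Two routed interfaces must not share or overlap a subnet.
    for (a, ia), (b, ib) in combinations(ifaces.items(), 2):
        if ia.network.overlaps(ib.network):
            problems.append(f"{a} {ia.network} overlaps {b} {ib.network}")
    return problems


if __name__ == "__main__":
    for label, plan in (("first attempt", FIRST_ATTEMPT), ("working", WORKING)):
        print(label, check_plan(plan) or "no problems found")
```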