Can't ping my netgate remotely or webgui into firewall.
-
I have a T1 connection and a Broadband Connection at a site. My T1 connects to my Cisco router and routes 2 VLANs back to my network, and the broadband is a backup. However I am going to set up a public wifi that will route out my Broadband, and also use my broadband as a backup to the 2 VLANs in case my T1 goes down. I have this set up currently working (the 2 VLANs get routed to my network through a VPN when going through broadband). I have the netgate currently placed between my router and broadband. My 2 VLANs go through the netgate and connect to my VPN just fine when I disconnect my T1, and I have created a separate VLAN that is strictly for public wifi users, and that goes out to the internet without touching my internal network. This is currently working.
Here is where I am having an issue. I set an IP on the netgate (LAN port) to one of my internal VLANs. I can see the IP in my router and can ping it from both my router and switch. I can get into this router and switch remotely. But I cannot ping the netgate device remotely or get into the web GUI. I have set a rule on the LAN interface to allow everything to access it, but nothing seems to work. Any ideas on what I should try to get this working?
-
By the way, I can hook a laptop up to the netgate in one of the other LAN ports, get a DHCP address from my router and I can ping that PC remotely, but not the netgate. Some kind of setting that is checked that shouldn't be?
-
Draw this if you want any hope of help..
-
Why is anyone still using a T1 for Internet these days? At 1.544 Mb/s it provides only a fraction of the bandwidth now available from most ISPs. I don't remember the last time I saw someone using a T1 for that purpose, and they're disappearing for other applications, such as phones, too. The backup networks I've seen over the past few years have been wireless, with the main connection via ADSL, cable or fibre.
-
Most likely pfSense is sending the replies back to you over the VPN and they are blocked somewhere because of asymmetric routing. When you ping from something local to pfSense, it has an interface in that subnet so it replies directly.
But, yes, we need a diagram here; there is a lot of confusing wording that makes the situation far from clear.
Steve
-
I eliminated the T1 out of the equation.
-
That screams of asymmetrical.. If something in the 10.210.22/23 is using the SVI in your 2901 as gateway, and return traffic comes back, your netgate has a leg in that network, so why would it send traffic back to the 2901?
Also, cable "modems" don't do NAT. But you show it with a 10.x.x.x segment connecting to your netgate? So you mean that is a gateway device, i.e. modem/router in one?
And the endpoint of your vpn to the main office is your 2901?
-
You killed the T1 entirely or just removed it from the diagram?
That seems like another source of asymmetry otherwise.
You don't route VLANs. You can route to or from those subnets. Do those subnets exist at the remote location also? The VPN carries layer 2?
Steve
-
@johnpoz No, our VPN router is a 3925 I believe. I don't deal with our office network.
Yes, it is a cable modem/router.
Where is the 3925 connected? What subnets is it in?
Steve
-
So where is that in your diagram? Why not just run everything into and out of pfSense? Multiple WAN connections, VPN connections?
Having a hard time understanding what you're wanting to do from that diagram, to be honest, other than it screams asymmetrical when you have a downstream router routing a segment where pfSense also has a leg in that segment, and a transit network into pfSense from that downstream router..
-
@stephenw10 I just unplugged it so we are just on the VPN. Yes, our VPN carries Layer 2. That exact subnet does not exist at any other of our remote sites (if that's what you are asking).
-
Ok, so when you're pinging pfSense remotely and it's failing what source IP are you using?
-
@johnpoz We use no firewalls out in our remote networks. We just use a router, a couple of switches, and use BGP or VPN back to our office networks through MPLS. But my boss wants to do public wifi at one of our remote locations. So I set up a VLAN for public wifi. I have that routing out the cable modem hitting the public internet (not our network). However he wants to have a firewall between the public wifi and our router. If this is not the best way of doing this, please let me know. I have no prior experience with adding firewalls. We want to use the netgate as just a firewall between the public internet and our local router at that remote site.
-
@stephenw10 I have the LAN port set to a static IP on my VLAN 20, 10.210.22.24. That fails when trying to ping from my desk. I plugged my laptop into one of the other 3 LAN ports in the netgate, it got a 10.210.22.106 address from DHCP, and I could ping that from my computer remotely, and remote into that laptop.
-
@mbock said in Can't ping my netgate remotely or webgui into firewall.:
Yes, our VPN carries Layer 2. That exact subnet does not exist at any other of our remote sites (if that's what you are asking).
Huh?? That makes no sense.. When you use a VPN as layer 2 you normally mean you're extending your layer 2 from one location into the other location.
So you have your offices connected via MPLS, so what is the point of the VPN? Is that into other offices? You run your VPN over the MPLS? So this is some sort of public MPLS connection with no restrictions on other connections in this MPLS cloud, where customer A can talk to customer B, etc.??
As to just using router vs firewall: you do understand that with any-any rules between segments pfSense becomes, for all intents and purposes, just a router... While it will maintain states, with any-any between segments it's really no different than just a router.
Consolidation of your different network connections into 1 pfSense, or even an HA pair of pfSense, would for sure allow for way more functionality all the way around and ease of configuration.. But sure, you can use it for just your wifi network, and add a backup for your current network internet access via a transit network into your current network. But I'm not getting how your VPN comes into play, to be honest, from that drawing, or where your MPLS comes into it; seems you left all of that out of the drawing and it has what looks like only your cable internet connection going through pfSense to get to your local network via that 2901 you list.
If you want help on leveraging pfSense into your network, a drawing of all your connectivity from the location into your wider corp network would be helpful, and we can then discuss where and how to best connect pfSense and your public internet into that and isolating your guest wifi, etc.
-
Those devices are all in the same subnet. So, assuming they all have the same subnet mask, /23, they should be talking directly.
I suspect if you ran a packet capture on the pfSense LAN whilst trying to ping it from 10.210.22.24 you would see it ARPing for that address and not seeing any replies.
Unless the client is also unable to ARP for the pfSense IP, in which case you would see nothing. Can you ping 10.210.22.24 from pfSense?
The VPN should carry ARP if it's really layer 2, but something might be filtering that.
We would need to see a packet capture to diagnose further.
Steve
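To make Steve's two points concrete (the asymmetric-routing explanation earlier in the thread and the ARP observation just above), here is an added illustration that is not part of the thread: a minimal longest-prefix-match model of the pfSense box's routing decision. The 10.210.22.0/23 segment, the laptop address 10.210.22.106 and the firewall address 10.210.22.24 come from the thread; the transit prefix, the default gateway, the corporate source 10.50.0.5 and the 2901 SVI address 10.210.22.1 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    via: Optional[str] = None  # None = directly connected: the reply is ARPed straight to the host


# Constructed routing table for the pfSense box in the thread: a LAN leg in
# 10.210.22.0/23 (the firewall itself is 10.210.22.24), a WAN leg toward the
# cable modem/router. Transit prefix and default gateway are assumed values.
BASE_ROUTES: List[Route] = [
    Route(ipaddress.ip_network("10.210.22.0/23"), "LAN"),
    Route(ipaddress.ip_network("192.0.2.0/24"), "WAN"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "WAN", via="192.0.2.1"),
]
# Assumed mitigation: a static route for corporate space pointing at the 2901's SVI.
CORP_FIX = Route(ipaddress.ip_network("10.0.0.0/8"), "LAN", via="10.210.22.1")


def lookup(dst: str, routes: List[Route]) -> Route:
    """Longest-prefix match, the same per-packet decision a router or pfSense makes."""
    addr = ipaddress.ip_address(dst)
    return max((r for r in routes if addr in r.prefix), key=lambda r: r.prefix.prefixlen)


def classify_reply(src: str, ingress: str, routes: List[Route] = BASE_ROUTES) -> dict:
    """Describe how the echo reply to a ping that arrived from `src` on `ingress` leaves.

    asymmetric: the reply leaves a different interface than the request arrived on,
    so any stateful hop on the return path never saw the request and drops the reply.
    needs_arp: the reply goes directly to the host, so pfSense must resolve its MAC;
    across a layer-2 VPN that only works if ARP is actually carried over the tunnel.
    """
    r = lookup(src, routes)
    return {"egress": r.iface, "asymmetric": r.iface != ingress, "needs_arp": r.via is None}


if __name__ == "__main__":
    # Laptop on the same segment (address from the thread): direct and symmetric.
    print("local laptop:", classify_reply("10.210.22.106", "LAN"))
    # Admin at corp (constructed source) arrives on the LAN via the 2901; pfSense
    # only knows its default route, so the reply leaves on WAN instead.
    print("remote admin:", classify_reply("10.50.0.5", "LAN"))
    # Same ping once a static route for corp space points back at the 2901.
    print("with fix:    ", classify_reply("10.50.0.5", "LAN", BASE_ROUTES + [CORP_FIX]))
```

Running it shows the local laptop case as symmetric, the remote admin case leaving on WAN (the asymmetry the thread describes), and the same ping becoming symmetric once the corporate route exists.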
-
@johnpoz Sorry, let me correct myself.... We have connections via T1 at some sites, routed through BGP hitting our MPLS and back to our corp office. We also have some sites using broadband connections that we use EZVPN on, setting our router as a client with a username and password for authorization.
Yes, I do understand that the current rules (any any) aren't doing anything. I only set that to try and at least be able to ping the firewall remotely. I do plan on setting rules once I can figure out how to remotely manage the firewall.
We have over 300 remote sites; all of the private subnets we use for them are extended back to our corp office and we can connect to them via those private IPs.