SG-1100 no internet, no web UI, SSH OK



  • I have been running my SG-1100 for over a month now, resulting in stable and fast internet in my home. Since today, suddenly, with no change made in the past week, SG-1100 stopped serving internet. SG-1100 is up with all the correct green LEDs, but no internet is available.The login screen shows but the web interface never loads after logon (Chrome keeps spinning). I am able to login through SSH and tried reroot and reboot to no avail.

    Help! What could be causing this, how to diagnose and what is the best resolution?

    [EDIT] I am running Steve Gibson's three router set up with SG-1100 serving my secure network and Draytek Vigor serving my unsecure network. Both are connected to my ISP gateway which is a Fritz!Box. My guest wifi network (hosted by Draytek Vigor) is working, so it is not the ISP connection that is causing this.



  • Restored the last safety backup (01) through SSH console. That caused the system to work again! However, only for a very brief period of time: after a few minutes it stopped working again. I suspect the auto-update process is causing this by installing a faulty update?

    0) Logout (SSH only)                  9) pfTop
    1) Assign Interfaces                 10) Filter Logs
    2) Set interface(s) IP address       11) Restart webConfigurator
    3) Reset webConfigurator password    12) PHP shell + pfSense tools
    4) Reset to factory defaults         13) Update from console
    5) Reboot system                     14) Disable Secure Shell (sshd)
    6) Halt system                       15) Restore recent configuration
    7) Ping host                         16) Restart PHP-FPM
    8) Shell
    
    Enter an option: 13
    
    Another instance is already running... Aborting!
    


  • Nothing in pfSense gets auto-updated. All updates to the base and any packages must be manually triggered.

    Another instance is already running... Aborting!

    Now that is interesting. I don't think I've seen that before.


  • Banned

    After restoring the config pfSense will (re)install all packages and restore their configuration. So I guess you have either a faulty package, or a bad configuration on one package.

    I would do a fresh install to make sure the system is clean and then restore the config area by area and watch closely when it breaks, do the "Package Manager" last. This should give you a clue on where the error is.



  • OK thanks for the tips! Will save the backups so I can reuse them after the fresh install. Will report my progress and findings back here.



  • Total failure. After a few retries my latest one caused DHCP not to work anymore, so I cannot enter the system at all anymore. I can connect through console but none of my known passwords is now accepted by the system. Locked out. How can I do a complete reinstall of SG-1100?



  • @grimson said in SG-1100 no internet, no web UI, SSH OK:

    After restoring the config pfSense will (re)install all packages and restore their configuration. So I guess you have either a faulty package, or a bad configuration on one package.

    I think this may be true but the question is, how did this occur? The last edit I made was last weekend and was adding one IP address to my "do not route through the VPN" alias. No change was made today, yet it decided somewhere mid morning CET, when I was at work and no-one was doing any change or work to it (because no-one but me knows how to edit it in the first place) to stop working. And now it's in an unknown state, not accepting any of my known last passwords ... did I brick it? Did it brick itself? What to do?



  • Use this one :
    @brightwolf said in SG-1100 no internet, no web UI, SSH OK:

    1. Reset to factory defaults

    Which means : you have to 'redo' your WAN setup. This won't take long, because you have an upstream router (The Fritzbox).
    If needed, set your LAN network if it wasn't the default 192.168.1.0/24
    Your up, your network is fine.
    !! Do not import your back config !!
    From now on, it should stay up no matter what. If you can, test drive this 'bare' situation a couple of days.

    After that, if you used other settings, apply them one by one. And take pauses, test-drive every situation.
    Take spare config backups so it's easy to go step back fast.

    Remember : going to default and importing the config backupright away will install all packages that were present, and apply settings to these packages. If one was faulty (breaks networking, whatever) your back to square one in a couple of minutes,



  • You can use a text editor and delete all package infos from your config.xml before restoring.



  • Thanks for the tips but I cannot enter the console menu anymore: it won't let me in, each password I enter is denied. The default password is denied, and all passwords I used with it are denied. How can I factory reset without entering console?


  • Banned



  • That looks promising, thanks! Will try tonight and report back here on my progress.



  • Finally I am getting time to re-install (read: unbrick) my SG-1100. However, as it turns out, I need to request support for an install image. Since I did not buy support as I did not expect that I would need it, I am in trouble again. Is there some other way to obtain this image? Can I use a generic image? Can somebody share the SG-1100 image with me?

    All hints/tips/tricks welcome.



  • I do no own a netgate device, but I'm pretty sure that when you buy a Netgate device, you have access to some netgate's support portal like https://go.netgate.com/support/login where you can download the latest pfSense firmware. For life.

    Note : you have to create your access yourself.


  • LAYER 8 Moderator

    @brightwolf said in SG-1100 no internet, no web UI, SSH OK:

    Finally I am getting time to re-install (read: unbrick) my SG-1100. However, as it turns out, I need to request support for an install image. Since I did not buy support as I did not expect that I would need it, I am in trouble again. Is there some other way to obtain this image? Can I use a generic image? Can somebody share the SG-1100 image with me?

    All hints/tips/tricks welcome.

    Contact the official support as it is stated in: https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/reinstall-pfsense.html


  • Netgate Administrator

    Yes, just open a ticket if you have not already and we will get that to you ASAP.

    Steve



  • @brightwolf said in SG-1100 no internet, no web UI, SSH OK:

    Can I use a generic image?

    No!
    Available generic/CE images are x64 only.
    The SG-1100 is based on ARM architecture and needs a totally different image.



  • Thanks everyone for the feedback. I created an account and asked for the SG-1100 image on 15:42 yesterday. At 15:43 the helpdesk provided me with the image. Nothing to complain about.



  • So finally I came around to reinstalling my SG-1100. I had no time earlier. Here's what I did so far.

    I flashed the supplied image file to a USB flash drive with Etcher, connected to console and started the SG-1100. Following the reinstallation guide, I had it up and running in a vanilla state again 10 minutes later. Then I connected and restored my previous backup file without the 'packages' parts (because those were likely to be the root cause of the issue causing all this) and that worked too. Finally, I hooked it into my network again but.. this is causing some headaches. It just refuses me to connect. I do not even see the login screen. It may be due to some network interference, IP conflict, I do not know, but after spending some time I decided to do one other reinstallation and then reconfigure the whole thing from scratch. It will take some time (openVPN, firewall rules and all) but I will also learn from it. However, that will have to wait till the weekend, for now I had enough pfSense for one evening...



  • Confirmed, my wireless router which I hooked up to the SG-1100 indirectly through my switch, had the same IP address. Changed that one and after that, it worked flawlessly.



  • @brightwolf
    Hello,
    I've recently bought SG-1100 too. And I find myself in kinda similar situation.
    I've been trying to read the whole thread over and over trying to see if I get where I go wrong in setting up, with no success.

    Would you kindly share with me what you did in set up?

    I have a computer connected to LAN port of SG-1100 and the WAN port of SG-1100 connected to the LAN port of my router.

    The router IP is 192.168.0.1/24. (With a plic IP a.b.c.d and DNS servers e.f.g.h).
    When I connect the SG-1100 (as mentioned above) this gets a DHCP address of 192.168.0.23/24. My client computer connected to it is assigned 192.168.1.2/24.

    Please share/advice how you did your set up and made it work so that I can do the same. I can't manage to have Internet.

    Thank you in advance.



  • @padreloco
    I am not an expert myself but I think the only thing you need to do is to add an "allow" firewall rule on your LAN network. pfSense will block everything by default, is what I understood.

    So in Firewall > Rules > LAN add something like:
    Action: Pass
    Interface: LAN
    Protocol: any
    Source: any
    Destination: any

    Once you have that rule you can start adding "deny" rules above it, to block everything you wish to block.



  • @brightwolf
    I have tried that too with no success.
    I guess the error is in WAN and/or LAN settings of pfsense...
    This is why I was curious to know how you did in settings...


  • LAYER 8 Rebel Alliance

    Show screenshots of your WAN + LAN Settings, Firewall Rules and output of ipconfig /all from your Client machine.

    -Rico



  • @padreloco
    Did you restore a backup? In my case, I suspect the initial problem occurred due to some package settings. When I restored the backup I introduced the same problem again. That's why I did a complete reinstall of pfSense, then a complete reconfiguration of it. Now it's working without problems.



  • @brightwolf said in SG-1100 no internet, no web UI, SSH OK:

    you need to do is to add an "allow" firewall rule on your LAN network.

    That rule, on the LAN interface - is present by default.
    So, any device, hooked up to the LAN interface will have full access as soon as the WAN interface works.
    Typically, the WAN interface is setup to DHCP (client), thus when hooked up to an up stream (ISP) router, everything works.

    Except : the conflicting network range issue : when the upstream router uses for itself at it's LAN - this is the LAN of the upsteam router ! - also 192.168.1.0/24 then you should :
    Change that network address on your upstream (ISP) router, like 192.168.2.0/24
    or
    Change the default 192.168.1.0/24 on the LAN on pfSense to, for example, 192.168.2.0/24
    Like this :
    e1c066af-f926-458d-b175-fd12824cfd2c-image.png

    Check also the DHCP server on the DHCP server page, interface LAN : the pool must be in the 192.168.2.x/24 range. Normally, it is.

    Now, you'll be fine.

    Note : pfSense behaves as any other router on planet earth : with all settings on default, it's works.
    If it doesn't, check already existing material in your environment that isn't setup by default.



  • @Gertjan said in SG-1100 no internet, no web UI, SSH OK:

    If it doesn't, check already existing material in your environment that isn't setup by default.

    Yes, like, for example, an IP conflict because of which I could not connect to my pfSense on SG-1100 anymore. Both my wireless router (downstream of the SG-1100 and in bridge mode) and my SG-1100 appeared to have the same IP on the LAN. Once I changed the wireless router's IP I could connect to the SG-1100 again.



  • @brightwolf
    Well, I did the "4. Reset to factory defaults", again, followed with the standard configuration with no success.

    Giving up, I changed the computer from macOs to windows OS. I could then have access to internet. I hate the fact that I don't understand why!

    Another thing is that from my computer I don't see other devices (NAS...) connected to the switch where my computer (client) is connected... 😬


  • Netgate Administrator

    The client OS should make no difference there assuming both are configured for DHCP.

    What is actually not working though. Are you able to ping 8.8.8.8? Are you able to ping google.com?

    Windows firewall may have set that new network as pub;ic as the dhcp server MAC address will be unknown to it.

    Steve



  • @stephenw10
    In fact I am able to ping 8.8.4.4... I don't know why then I can't access Internet through Chrome, safari... (using mac)


  • LAYER 8 Rebel Alliance

    DNS working?

    -Rico


  • Netgate Administrator

    Yeah if you can ping by IP but can't ping FQDNs then it sounds like DNS is not working. Check the DNS setup on that OSX client.

    Steve



  • @stephenw10
    That was the problem.
    Now the internet is up and running through the firewall



  • @stephenw10
    Would you or anyone advice how to access NAS through firewall? I.e: how can computers for example connected on WiFi on the same router as sg-1100? Computers have address as 192.168.0.x while the sg-1100 has 192.162.1.1 and Nas having IP addr 192.162.1.2?


  • LAYER 8 Rebel Alliance

    You need to setup/modify your Firewall Rules.
    For help in detail post Screenshots showing your actual Rules here.

    -Rico


  • Netgate Administrator

    So clients in the WAN subnet accessing the NAS in the LAN?

    You can open access to it with a port forward:
    https://docs.netgate.com/pfsense/en/latest/book/nat/port-forwards.html#adding-port-forwards

    Steve


Log in to reply