Noob needs help with pfsense



  • I wasn't sure where this post should go, so I posted it here. Technically it could go in either webGUI or Installation. So I figured I'd post it here. Let me know if it needs to be moved elsewhere. Sorry for the mix-up.

    I'm new to pfsense, and built a machine out of spare parts laying around when v2.3 was new. Then I got super busy and left it for a while. Finally got around to deploying it in my home network and it was working great, up until I made a really dumb mistake. Disabling ping request on the LAN, without adding a FW rule to allow my PC, which is set to a static IP. :'(
    I didn't feel comfortable with enabling it on the WAN side, in order to get back in. So I attempted to reset to factory settings, should have been simple... That didn't go over well, I'm still not able to ping or connect to the webGUI. So, I figured I'd start all over with a fresh copy of v2.4.4 (using the USB Memstick Installer); however, when I try to boot to the USB, it freezes at the screen below.
    ![0_1573918279200_screenshot.jpg](Uploading 100%)

    I'm a little frustrated and decided to reach out here for help and had to step away. Not sure what my next step should be.
    Network details, the pfsense box is used as an FW/IDS/IPS and separates my main network from my DMZ. In between the pfsense box and my PC is a router and yes I have verified that the FW is not blocking any outbound requests. (The webGUI stopped working when screwed up) :)
    Here are the specs of the pfsense box:
    ASRock itx board with an embedded Intel Quad-Core J4205 2.6GHz
    16GB of DDR3 memory
    250GB SSD + 2TB for logs (it was the smallest drive I had laying around)
    and a StarTech dual gigabit rj45 port NIC.

    Thank you all, in advance!!



  • @Perseverance66 said in Noob needs help with pfsense:

    (The webGUI stopped working when screwed up)

    The most important UI isn't the GUI, but the console access ;)
    With this access you can recover from any failure - except hardware failure.

    @Perseverance66 said in Noob needs help with pfsense:

    ![0_1573918279200_screenshot.jpg](Uploading 100%)

    Didn't see any image.



  • I meant: (The webGUI stopped working when I screwed up)

    Looks like the screenshot is too large to upload.
    When trying to boot from the USB, to reinstall, it hangs here:
    Trying to mount root from ufs:/dev/ufs/FreeBSD_Install [ro.noatime]. . .
    random: unblocking device.
    Then it shows the 3 port, status and stops...


  • Netgate Administrator

    That's what you will see if you have the wrong console type set as primary.

    So either use the correct memory stick image if that's what it's failing to boot or if it's already installed:
    https://docs.netgate.com/pfsense/en/latest/hardware/boot-troubleshooting.html#booting-with-an-alternate-console

    Steve



  • @stephenw10
    I'm using USB Memstick Installer. Is that not the correct image to be using? I was attempting to reinstall pfsense.


  • Netgate Administrator

    Yes, that's correct but if you're using the serial console you must use the serial image.
    After it mounts root the majority of the console messages appear only on the primary console. Only a few messages, such as ports coming up, are shown on all consoles until it finishes booting.

    Steve



  • @stephenw10
    Epic fail! on my part....
    Wow, I'm betting I was trying to use the serial console image and should actually be using the VGA image instead...
    I'll double check when I get home. Thanks stephen!



  • Sorry for the late response, been a little busy with work.
    I was able to reinstall v2.4.4, using the correct image this time. :) (Thanks Stephen!)
    Gave the interfaces an IP, restarted the web configurator and PHP-FPM, just to make sure, and still not able to access the web GUI. Tried all of this with a continuous ping running. No such luck.
    Obviously the request is being refused, which I'm guessing is the other router on the other side of the pfsense machine.
    I'm able to ping the router, 192.168.1.5, from the pfsense machine, 192.168.1.3, and vice versa.
    Checked the firewall rules on the peplink router and even created both inbound and outbound rules to allow any connection from 192.168.1.3. Still no ping from my PC.
    Tried running a tracert from my PC to the pfsense box, but it just times out. I do have a dumb switch in between my PC and peplink router, so I tried plugging my laptop directly into the peplink router just to rule out the dumb switch.
    This is definitely on the peplink side, just not sure what to try next. I know it's got to be something simple. Any ideas?


  • Netgate Administrator

    @Perseverance66 said in Noob needs help with pfsense:

    I'm able to ping the router, 192.168.1.5, from the pfsense machine, 192.168.1.3, and vice versa.

    How are you doing that? From the console directly?

    If you have 192.168.1.X on the pfSense WAN what subnet do you have on the LAN side? It must be a different subnet and 192.168.1.X is the default.

    Connections to the webgui from the WAN side are blocked by default and it sounds like that's how you're trying to connect.
    Can you connect to it from the LAN side?
    You will need to add a firewall rule on WAN to allow that traffic if you want to be able to access it from WAN.

    Steve



  • @stephenw10

    @stephenw10 said in Noob needs help with pfsense:

    @Perseverance66 said in Noob needs help with pfsense:

    I'm able to ping the router, 192.168.1.5, from the pfsense machine, 192.168.1.3, and vice versa.

    How are you doing that? From the console directly?

    Yes, from the console. Option 7, Ping Host

    The WAN on the pfsense box is set to DHCP, it's pulling a private IP from my ISP.
    The LAN on the pfsense box is set to 192.168.1.3, where the peplink router's WAN is set to a static IP of 192.168.1.5.
    I have been trying to connect to the webGUI from the LAN side the whole time and still cannot connect, from the LAN side.
    I definitely do not want to open that up on the WAN side.


  • Netgate Administrator

    Ah, OK. I misunderstood the connection order. I assume you mean a public IP on the pfSense WAN?

    If you connect a client directly to the pfSense LAN can you connect to it?

    What is the peplink using for its internal subnet? That must also be different from its external interface (192.168.1.5). If it's also using 192.168.1.X internally that is conflicting and must be changed.

    Steve



  • @stephenw10 said in Noob needs help with pfsense:

    Ah, OK. I misunderstood the connection order. I assume you mean a public IP on the pfSense WAN?

    Yep, public IP, my mistake. Sorry about that.

    I more than likely could connect, but I only have 3 rj45 ports. The 3rd one is for my DMZ.
    The LAN on the peplink side is set to 192.168.1.6 and the DHCP range is from 192.168.1.10 - 192.168.1.200. This is how it was set up before I screwed myself and it was actually working. I don't recall changing anything on the peplink side. Interesting...
    I've got to run a couple of errands and will try changing the LAN IP on the peplink when I get back.
    Thanks Steve! :)


  • Netgate Administrator

    No problem. Yeah that's definitely a subnet conflict. It will break routing.

    Steve
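
Added example, not part of any post in this thread: a small Python check for the subnet conflict diagnosed above, run against the Peplink addresses as posted. The /24 masks, the dictionary names and both function names are assumptions made for illustration; the posts never state prefix lengths.

```python
import ipaddress

# Constructed from addresses quoted in the thread; /24 masks are ASSUMED.
PEPLINK_AS_POSTED = {"wan": "192.168.1.5/24", "lan": "192.168.1.6/24"}
PEPLINK_RENUMBERED = {"wan": "192.168.1.5/24", "lan": "192.168.2.5/24"}


def overlapping_interfaces(interfaces):
    """Return (if_a, if_b, net_a, net_b) for every pair of interfaces on one
    router whose directly connected networks overlap."""
    parsed = {name: ipaddress.ip_interface(cidr) for name, cidr in interfaces.items()}
    names = sorted(parsed)
    conflicts = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].network.overlaps(parsed[b].network):
                conflicts.append((a, b, str(parsed[a].network), str(parsed[b].network)))
    return conflicts


def on_link_interfaces(interfaces, dest):
    """Interfaces that treat dest as directly connected. More than one result
    means the router cannot tell which side the destination lives on."""
    ip = ipaddress.ip_address(dest)
    return sorted(
        name for name, cidr in interfaces.items()
        if ip in ipaddress.ip_interface(cidr).network
    )


if __name__ == "__main__":
    pfsense_lan = "192.168.1.3"  # pfSense LAN address from the thread
    for label, cfg in (("as posted", PEPLINK_AS_POSTED),
                       ("renumbered", PEPLINK_RENUMBERED)):
        print(label, "conflicts:", overlapping_interfaces(cfg))
        print(label, "on-link for", pfsense_lan, "->",
              on_link_interfaces(cfg, pfsense_lan))
```

With the addresses as posted, 192.168.1.3 is on-link for both the Peplink WAN and LAN, so traffic for the pfSense box has no unambiguous egress; after the LAN moves to 192.168.2.x only the WAN matches.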



  • @stephenw10
    Now this is interesting...
    Changed the LAN setting to 192.168.2.5, on the peplink side.
    Rebooted both pfsense box and peplink router. At the same time I had a continuous ping running, pinging 192.168.1.3, the pfsense machine and I was able to ping it for maybe 30 seconds. Then the ping stopped again.
    Was able to access the GUI for about 1 minute, even though I couldn't ping in, from my PC which is now static to 192.168.2.10. During that time I was able to configure the pfsense host name, click next, then nothing...
    And I verified that the 192.168.2.X subnet was not in a VLAN. Getting closer here..


  • Netgate Administrator

    That kind of implies the Peplink might have just passed the traffic on the existing subnet while it booted.

    I would not expect a continuous ping to work there. The client you are pinging from had to change its IP so the ping source address would change. If you managed to open a firewall state in either router it might be held open by the pings preventing the correct NAT states being opened.
    I would stop pinging, or connecting in any way, unplug the client and reconnect it so it pulls a new IP (or even reboot it) and then test from there.

    Steve



  • @stephenw10
    HAHAHAHAHA
    Have you tried turning it off and on again?... LOL

    Wow, weird how releasing and renewing the IP didn't work correctly.
    With that said, IT'S WORKING!!!!!
    I'm in the GUI and I'm able to ping, with no issue!!!
    Thank you sooooooo much Steve!! You are awesome!!!!


  • Netgate Administrator

    Ha, there's a reason that phrase is a meme! 😁

    Steve

