Can't access 3100 appliance
-
@cdsJerry said in Can't access 3100 appliance:
And I did remove "hacked" from the subject already based on your first suggestion.
Cool...I didn't notice as I was at the bottom of the thread...thank you!
I got to say though the shipping computer with no WAN IP made me scratch my head...so, what the router in front of it but behind the pfSense box do?
-
@NollipfSense My pfsense is in pass through mode. It doesn't issue IPS etc. It just makes sure the traffic coming in is "clean" and controls what ports are open etc. The WAN IPs all pass through it to their destinations which then control the traffic from that point forward.
-
Given that someone was able to shutdown VMs and that your firewall is in pass thoughmode with public IPs internally, is it possible 'they' created a new VM on the same IP as pfSense? Or altered the IP of existing VM?
Steve
-
@stephenw10 There weren't any new VMs. We only have a few running so it would have been easy to spot. And the VMs aren't on the same WAN IP as pfsense. They pass through pfsense but you can't access pfsense from them as they are not the WAN assigned to pfsense. Pfsense is the only thing using that IP. The VM host uses a LAN IP for it's access. It is connected to the WAN in order to pass those WAN addresses over to the virtual NIC cards in the VMs but none of those WAN IPs are assigned to the NIC on the host (Proxmox). None of the IPs on the VMs have been altered.
-
@cdsJerry said in Can't access 3100 appliance:
@NollipfSense My pfsense is in pass through mode. It doesn't issue IPS etc. It just makes sure the traffic coming in is "clean" and controls what ports are open etc. The WAN IPs all pass through it to their destinations which then control the traffic from that point forward.
Okay, I remember reading your response earlier where you mentioned the above. I don't know what to say...
-
I'm assuming you've gone back through the pfSense logs and there are no reports of: 'xxxxxx is using my IP!' ?
Because it really looks like that might have happened from everything you describe.
Steve
-
@stephenw10 The short answer would be no we didn't. I didn't see anything that jumped out at me when I was looking in the logs but I didn't know what I was looking for. In pass-through mode would that error even show up?
When we couldn't get the password to reset and we couldn't get into pfSense via the GUI we ended up re-loading the entire thing from a backup just to make sure that none of the rules or aliases had been altered, so everything was reset at that point to try and secure the network again.
-
pfSense will log that if it sees some other device using it's IP so broadcast messages from that IP or something else responding to ARP. I would see that traffic in a bridged setup still.
Steve
-
@stephenw10 I don't see anything like that in the logs. And it's still working fine today. Nothing on the network has changed but it's all operating as expected for several days now.
-
Hmm, well that's a public IP so it could have been some issue at your provider. They mistakenly issued your IP to another client perhaps and have now corrected that. Hard to say at this point.
-
It definitely looks like your configuration is more complex, so maybe this is not very useful to you.
But I'll toss it out there.One of the practices I've developed is to assign virtual IPs to my router.
I worked a fair bit in telecom before as a developer, and I just developed this as habit in our test labs.
I've kept it going in my home setups.
For example, my sg-3100 has 192.168.1.1, 192.168.1.2...The reason I do this is in case a device I plug in to the network default to a certain conflicting IP. This way, I can still access the router and see what's happening.
-
@yaminb In my case there's no potential for an IP conflict because there's no DHCP on any WAN IP. The pfSense has a WAN but everything else is just passed along. The routers are all downstream and would hand out DHCP to any device plugged into their networks. I only have a dozen WAN IPs so it's not hard to track those in the switch, and nothing would ever be connected directly to the ISP other than those dozen, and even those are post-pfSense.
