Wrong configuration, but it works partially


  • Hi everyone,

    I am having a little problem with my configuration and don't know how I could make it work without having more problems.

    I set up a virtual network in Hyper-V. My Hyper-V machine has ip 10.3.17.27.

    The thing is, when I installed pfSense I made a wrong installation and allowed a DHCP IP for my WAN (which is normally 10.3.17.27), so I am having an IP where I configured practically everything and it works. And sometimes it doesn't.

    [image]

    When I say it works, I mean, I have a website on my DMZ and installed it from the IP 10.3.17.4:80, and all my redirections are to this IP. But sometimes the IP 10.3.17.4 doesn't respond anymore and I can't do anything anymore.

    I tried to change it to my initial IP 10.3.17.27, but nothing worked correctly.

    Here is a picture of my network: [image]

    I thought maybe to add a NIC with this IP and redirect everything, but that doesn't seem to work, and I reverted to the initial setup.

    Does someone have any idea how I could fix this?
    Thank you :)

  • Netgate Administrator

    You can't use the same IP the hypervisor is using but you should use a fixed IP if you're port forwarding from that to the server.
    Where is that dhcp lease coming from? Hyper-V?

    Either make that a static dhcp mapping so pfSense always gets the same IP on its WAN from the server or set the WAN interface IP statically in pfSense.

    Steve


  • @stephenw10 Thank you for your answer.

    I actually tried to get that fixed IP, but I can't get that IP. This is an IP from above my Hyper-V, so if someone is using it in the network I wouldn't get any result. I can't set a static DHCP mapping either, because I only received the IP 10.3.17.27 to work on.

  • Netgate Administrator

    So where is it pulling 10.3.17.4 from?

    Some upstream dhcp server you don't control?

    Can you connect to it by hostname if you resolve against the upstream gateway?

    It sounds like you need to discuss this with whoever admins the network you're on.

    Steve


  • @stephenw10 Yup indeed, it's an upstream DHCP server that I don't control.

    What seems weird is that sometimes it works and sometimes not.

    So maybe I made a wrong configuration, but we agree that this is a correct setup?
    [image]

    If I cannot use the same IP as my Hyper-V and my IPv4 needs to be in the same range as my WAN IP, this one should be good.

    I'm trying to understand where I messed up or where "it" messed up :/

  • Netgate Administrator

    No, you have to use DHCP if that's how the subnet is configured.

    If you set it static like that it will break when something else is assigned that IP by the DHCP server.

    Steve

  • LAYER 8 Global Moderator

    I'm confused as to your listing for your inside interface? Looks like you have its gateway set to your WAN IP?? 10.3.17.4??? Where are these 172.20.x.x DNS servers?

    The LAN interface shouldn't have a gateway set at all..


  • @johnpoz Yes indeed, sorry, I made a mistake.

    I am not 100% comfortable with network diagrams; sometimes I make mistakes.

    So the IP 192.168.0.50 is the IP of my web interface and LAN. [image]

    The DNS servers are outside of my network / control. They are managed by my school.

    And the gateway I got on my Hyper-V is 10.3.17.1.
    [image]

    I don't know if this answers your question?

  • LAYER 8 Global Moderator

    But you're not showing on your diagram where this 172.20 network is - from your diagram there would be no way to get to those NS.

    Is pfsense using those - how does it get to them? Or is pfsense just resolving, which is default?

  • Netgate Administrator

    Your HyperV server is using a static IP. Was that given to you to use by the network admin? Because if not that will break too if some other device uses it via DHCP.

    Steve


  • @johnpoz & @stephenw10

    Sorry for the late reply. I talked with an ICT guy in my native language, and he explained to me that it could not work properly.

    I received my Hyper-V IP from the network admin and I should work only on that IP. I didn't notice that I could not use other IPs in this range.
    Actually it was working, so I didn't realize my config was wrong.

    The DNS 172.20 is not under my control and I don't even know where it is 😞. I just received a machine with Hyper-V installed on it and 1 NIC (see below) [image]

    With that I had to build a virtual network. And as I said, I only received IP 10.3.17.27. But when I installed pfSense it received IP 10.3.17.4 in my configuration. It was working, so I didn't notice that IP was not attributed to me.

    I don't know if there is any solution to use IP 10.3.17.4 and redirect all the traffic to 10.3.17.27, like using 10.3.17.27 as gateway or something like that?

  • Netgate Administrator

    If you can't get an additional IP to use you have few choices:

    NAT that traffic in Hyper-V so the pfSense WAN is using some other subnet.

    Assign the interface directly to the pfSense WAN so it uses 10.3.17.27 directly and Hyper-V does not have an IP in that subnet (or uses dhcp).

    Leave the pfSense WAN as DHCP and find some other way of addressing it so you can access it on that. You never said if the upstream DNS servers can resolve local hostnames.

    Steve
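
The Hyper-V NAT option from the reply above, sketched as an added example (not posted by anyone in the thread): it puts the pfSense WAN on a private transit subnet behind the host's own 10.3.17.27 address, so pfSense no longer needs an address in 10.3.17.x. The switch, NAT, VM and adapter names and the 192.168.250.0/24 subnet are assumptions.

```powershell
# Run in an elevated PowerShell session on the Hyper-V host.
# Assumed values (not from the thread): all names and the transit subnet below.
$SwitchName = 'pfSenseNAT'
$NatName    = 'pfSenseNATNetwork'
$Prefix     = '192.168.250.0/24'
$HostIP     = '192.168.250.1'   # host side of the switch; pfSense uses it as WAN gateway
$PfSenseWan = '192.168.250.2'   # to be set statically on the pfSense WAN interface
$VmName     = 'pfSense'         # hypothetical VM name
$WanAdapter = 'WAN'             # hypothetical name of the VM's WAN network adapter

# 1. Internal switch: visible to the host and its VMs, not bridged to the physical NIC,
#    so the upstream network only ever sees the host's own address.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -SwitchType Internal | Out-Null
}

# 2. Give the host an address on the new switch.
$Alias = "vEthernet ($SwitchName)"
if (-not (Get-NetIPAddress -InterfaceAlias $Alias -IPAddress $HostIP -ErrorAction SilentlyContinue)) {
    New-NetIPAddress -InterfaceAlias $Alias -IPAddress $HostIP -PrefixLength 24 | Out-Null
}

# 3. Source-NAT everything from the transit subnet behind the host.
if (-not (Get-NetNat -Name $NatName -ErrorAction SilentlyContinue)) {
    New-NetNat -Name $NatName -InternalIPInterfaceAddressPrefix $Prefix | Out-Null
}

# 4. Forward inbound TCP 80 on the host to the pfSense WAN; pfSense then
#    forwards it on to the web server in the DMZ with its own rule.
Add-NetNatStaticMapping -NatName $NatName -Protocol TCP `
    -ExternalIPAddress '0.0.0.0' -ExternalPort 80 `
    -InternalIPAddress $PfSenseWan -InternalPort 80 | Out-Null

# 5. Move the pfSense WAN adapter onto the internal switch.
Connect-VMNetworkAdapter -VMName $VmName -Name $WanAdapter -SwitchName $SwitchName

# Review the result.
Get-NetNat -Name $NatName
Get-NetNatStaticMapping -NatName $NatName
```

With this in place the pfSense WAN is set statically to 192.168.250.2 with gateway 192.168.250.1 instead of taking a lease from the upstream DHCP server. Windows supports only one NAT network per host, and the port 80 forward works only if nothing on the Hyper-V host itself is listening on TCP 80.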


  • @stephenw10 I can't get an additional IP. I am trying to find out how to NAT my traffic in Hyper-V with the WAN interface, but I'm not sure about how it works, so I'm still reading some tutorials and forums. But I think this is what I am going to do.

    I cannot assign the interface to my pfSense. I think there is a MAC filter that doesn't allow me to send the traffic. I tried once, and lost my connectivity with the machine. The IT admins had to put my initial configuration back.

    Should it work if I add a new vNIC with a fixed IP and route all the network from the new vNIC to my WAN, using my vNIC as pfSense "WAN"?

    It's a bit tricky, I know, and I'm sorry for that.

    Thank you for your answers

  • LAYER 8 Global Moderator

    Yeah hyper-V can for sure nat.. So pfsense wan would be behind that nat as well as any other nats upstream.

    If you're saying there is a mac address filter, you could always have pfsense wan use that mac.. And don't put an address on that hyper-v interface.


  • This should probably work, but I'm afraid to do this and lose my connectivity with the servers. All of this is virtualized, so I will choose Hyper-V NAT, but I am not sure about how it works; I am still searching how to do it correctly.

    I have one more little question: should I use the MAC spoof method on pfSense when using the NAT, or is it not needed?

  • Netgate Administrator

    ...and devices behind pfSense are behind its NAT. Are you up to quad NAT at that point? 😬


  • @stephenw10 What do you mean with "to quad NAT"?

  • Netgate Administrator

    You have 4 devices all NATing the traffic between the inner clients and the public internet.

  • LAYER 8 Global Moderator

    Which is just insane ;)

  • Netgate Administrator

    Yo dawg.....


  • Yeah I know, ... but I have to make my virtual network work.

    I couldn't make it. Still searching for a solution about how to make it work with this configuration :/

  • Netgate Administrator

    It will probably work fine with 4 layers of NAT, it's just ugly. Any of the solutions I suggested above will work here.

  • LAYER 8 Global Moderator

    Am I missing a NAT?

    internet - 1 Nat (company) -- (hyperV 2nd nat) -- (pfsense 3rd Nat)

  • Netgate Administrator

    Nah, probably me double counting at 2am!


  • Thank you very much guys for replying!! Really big thanks!

    I just hung up with the IT of my school and it seems that, exactly as you thought, someone is using the same IP as me.

    He uses DHCP IP 10.3.17.4. That's why sometimes it was working for me and sometimes not.

    I could not figure out it was used, because even if I tried to ping I didn't receive an answer.

    The IT person checked the logs and saw someone else was using it on another VM.

    What I did to solve the problem: easy... you know it, I changed my IP. I am now using 10.3.17.250, which is not used by anybody in the network, and it seems to be working (hope it will work until Monday midnight, cross fingers!)

    So I think my problem is solved!

    I just have a stupid question about firewall rules, to be sure I did not misunderstand it.

    I got 3 networks: LAN, Guest (WIFI) and DMZ.

    The DMZ should have access to the internet or not? Every connection is allowed to the DMZ, but what is allowed to go outside the DMZ?

    Thank you very very very much guys!!! (if you are coming to Brussels I'll offer you a beer! ♥)

  • Netgate Administrator

    @Farisse said in Wrong configuration, but it works partially:

    10.3.17.250

    Is that IP outside the DHCP range? If not it may fail again.

    Whether or not the DMZ has access to the internet is up to you. What is in it? Do those hosts need to pull OS updates for example? They will need to access the internet for that then or maybe some local update server if you have that.

    Steve


  • It's inside the DHCP range, but apparently the IT guy told me that this IP has never been used by anyone. So I have a lot more chance that nobody will use it (we are 10 working on this DHCP range but no communication). So it may fail again, but the chance of someone using the same IP as me right now is low (hope to keep it like this 😅)

    I only have a webserver running on port 80. So I could let it open to update my WordPress, but otherwise there is no specific rule for a DMZ that cannot access the internet, right?

  • Netgate Administrator

    If you don't have a rule on the DMZ interface allowing it, the server will not be able to connect out.
    A web server is exactly the sort of thing that should stay updated though. Especially if it's open to public access.

    Steve


  • @stephenw10 Great! It's as I expected. Thank you very much for your answers! ♥

    Farisse