    Adding a Subnet to an Interface

    128 Posts 8 Posters 35.7k Views
johnpoz LAYER 8 Global Moderator @noGoSubnet
last edited by johnpoz

@nogosubnet said in Adding a Subnet to an Interface:

I have not added any bridge configuration under the webConfigurator.

Then pfsense would HAVE TO HAVE an IP in your /29

If so then you could route between your rfc1918 on lan and the network on your opt1 network.. As long as the device in lan is using the pfsense lan IP as its gateway, and the device in your /29 is using the pfsense IP on opt as its gateway.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

noGoSubnet @johnpoz
last edited by noGoSubnet

@johnpoz How do I route from an RFC? - I thought that they were simply that, - not interfaces. The LAN uses the pfSense WAN by default (I am using the internet connection from that at the moment).

I do not have private networks blocked (if that is a potential issue - and the source of the RFC note), so I guess that all I need now is a pfSense bridge between WAN and OPT1?

johnpoz LAYER 8 Global Moderator @noGoSubnet
last edited by johnpoz

@nogosubnet said in Adding a Subnet to an Interface:

The LAN uses the pfSense WAN by default (I am using the internet

What??

Here is the expanded drawing.

drawing.jpg

I have a device on my rfc1918 network on lan.. This device would use the pfsense lan IP of 192.168.1.1 as its gateway. Now my routed public network. In my example 12.13.14.0/29 where the pfsense IP in this network is 12.13.14.1 and your webserver is 12.13.14.2 - it would be using pfsense 12.13.14.1 as its gateway.

If your webserver wants to go to 192.168.1.100, it would send that traffic to pfsense. Pfsense would say oh yeah I am connected to this 192.168.1/24 network - let me send that on. As long as the firewall rules on opt allow it.

Do you have some gateway hard coded in your opt1 rules? Please post your opt1 rules, and your lan rules. There should be no gateway setup in the firewall rules - or your policy routing. If you are policy routing, then there would need to be a rule above this policy route that allows your traffic.


noGoSubnet @johnpoz
last edited by noGoSubnet

@johnpoz OK, - I will post those and confirm that I have created no firewall rules at all at the moment, except the auto-generated BOGON rules.

WAN:

pfSenseWAN.png

LAN:

pfSenseLAN.png

OPT1:

pfSenseOPT1.png

johnpoz LAYER 8 Global Moderator @noGoSubnet
last edited by

@nogosubnet bogon would only go on the WAN interface..

Lan rules would default to any any, and the opt1 interface would have NO rules by default. You would have to create 1, say an any any rule, to get started with.


johnpoz LAYER 8 Global Moderator @noGoSubnet
last edited by johnpoz

@nogosubnet why would you have bogon on your OPT? Bogon would include rfc1918.. Please post a screenshot of the rules.. not some ascii art..

edit:
Out of the box wan would have block rfc1918 and bogon.
Lan would have the anti-lockout and any any rule
opt1 would have nothing - you have to create rules on new interfaces. So create an any rule - and there you go, you can route between lan and your public network on opt1

When you route public space on a pfsense lan side network, you also want to make sure you're not NATing it.

https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html


johnpoz LAYER 8 Global Moderator @johnpoz
last edited by johnpoz

There you go.. What about your nat rules? If you do not edit those your public space network would be natted to your pfsense wan IP.

But with those rules - you would be able to talk from your webserver on your opt network to your lan network. As long as you didn't put something in floating blocking it.


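johnpoz's point in the two posts above (a routed public /29 on OPT1 must not be NATed out the WAN address, so the outbound NAT rules need checking) can be verified against what pf actually loaded. The following Python is an added example, not from the thread or from pfSense itself: it parses a constructed `pfctl -sn` listing that reuses the thread's example networks (192.168.1.0/24 on LAN, 12.13.14.0/29 on OPT1) with 203.0.113.5 as a placeholder WAN address, and applies pf's first-match NAT evaluation to report whether the /29 would be translated, exempted by a `no nat` rule, or not matched on the WAN interface at all.

```python
import ipaddress
import re

# Constructed sample of `pfctl -sn` output (outbound NAT rules as pf loaded them).
# Uses the thread's example networks and 203.0.113.5 as a placeholder WAN address;
# this is not a capture from a real pfSense box.
SAMPLE_PFCTL_SN = """\
no nat proto carp all
nat on em0 inet from 127.0.0.0/8 to any port = isakmp -> 203.0.113.5 static-port
nat on em0 inet from 127.0.0.0/8 to any -> 203.0.113.5 port 1024:65535
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.5 port 1024:65535
nat on em0 inet from 12.13.14.0/29 to any -> 203.0.113.5 port 1024:65535
"""

# Same ruleset after adding a "Do not NAT" outbound rule for the /29, which pf
# renders as a `no nat` rule ahead of the translating rules (also constructed).
FIXED_PFCTL_SN = "no nat on em0 inet from 12.13.14.0/29 to any\n" + SAMPLE_PFCTL_SN

# Matches `nat` / `no nat` rules bound to an interface; negated sources ("! x")
# and table references ("<name>") are not handled by this small parser.
RULE_RE = re.compile(
    r"^(?P<verb>no nat|nat) on (?P<iface>\S+)(?: inet6?)?(?: proto \S+)?"
    r" from (?P<src>\S+) to (?P<dst>\S+)"
)

def parse_nat_rules(text):
    """Return (verb, iface, source_network, dst) tuples in ruleset order.
    Lines that are not interface NAT rules (e.g. 'no nat proto carp all') are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        src = m.group("src")
        net = ipaddress.ip_network("0.0.0.0/0" if src == "any" else src, strict=False)
        rules.append((m.group("verb"), m.group("iface"), net, m.group("dst")))
    return rules

def nat_verdict(text, routed_net, wan_iface):
    """pf evaluates NAT rules first-match: the first rule on the WAN interface whose
    source covers (or overlaps) the routed network decides its fate.
    Returns 'translated', 'exempt' (a `no nat` rule hit first) or 'unmatched'."""
    routed = ipaddress.ip_network(routed_net, strict=False)
    for verb, iface, src, _dst in parse_nat_rules(text):
        if iface != wan_iface or src.version != routed.version:
            continue
        if src.overlaps(routed):
            return "exempt" if verb == "no nat" else "translated"
    return "unmatched"

if __name__ == "__main__":
    for label, ruleset in (("as shipped", SAMPLE_PFCTL_SN), ("with no-nat rule", FIXED_PFCTL_SN)):
        print(f"{label}: 12.13.14.0/29 is {nat_verdict(ruleset, '12.13.14.0/29', 'em0')}")
```

On a real box, feed the function the output of `pfctl -sn` and the WAN interface name; a verdict of "translated" means the webserver's replies would leave with the WAN address as source, which is exactly the misconfiguration the recipe page linked above tells you to avoid.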
noGoSubnet @johnpoz
last edited by noGoSubnet

@johnpoz - thanks, - just tested, but not working.

pfSenseANY.png

johnpoz LAYER 8 Global Moderator @noGoSubnet
last edited by johnpoz

@nogosubnet well from your webserver can you ping the pfsense lan IP, 192.168.1.1 in my example drawing?

Out of the box any, say, windows box, or pretty much anything with a firewall would not allow access from some IP that is not in its local network.

You have no rules in floating right?


noGoSubnet @johnpoz
last edited by noGoSubnet

@johnpoz I have no rules under floating, no, and I have now put together a NAT rule, too:

pfSenseNAT.png

Also:

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

johnpoz LAYER 8 Global Moderator @noGoSubnet
last edited by johnpoz

@nogosubnet why would you have that rule? Makes no sense for such a rule.. And it wouldn't ever work anyway..

You're saying that what is sent to the pfsense wan IP, send it to the pfsense opt1 address.. What would that do?? The pfsense opt1 address is not your webserver..


johnpoz LAYER 8 Global Moderator @noGoSubnet
last edited by johnpoz

@nogosubnet said in Adding a Subnet to an Interface:

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64

There you go.. You're routing to rfc1918 space from your webserver. If you can not talk to say 192.168.1.x, then it has a firewall on it not allowing it, or it's not using pfsense as its gateway.


noGoSubnet @johnpoz
last edited by noGoSubnet

@johnpoz Again, thanks, - I am just working my way through the recipe page that you pointed me to and have completed the OPT1 interface and NAT rules; so I am just about to test and then to add the suggested firewall rules, if still required or necessary.

I can navigate to the webpage, so something is definitely working, but I still need to get SSH from LAN to OPT1 working.

johnpoz LAYER 8 Global Moderator @noGoSubnet
last edited by johnpoz

@nogosubnet said in Adding a Subnet to an Interface:

but I still need to get SSH from LAN to OPT1 working.

Well that would work out of the box with the lan rules being any any.. Even if you had no rules on opt. Just hit whatever IP is on your webserver.

If ssh is running, it would work just like you said you can hit the web page..

As stated earlier in this thread - it does not matter what IP space is used on a network connected to the same router, be it rfc1918 or public.. The router will route anything that it's connected to.. So unless you were policy routing specific traffic out some gateway that can not get to whatever other network is connected to pfsense.. It works out of the box as long as your firewall rules allow it.


noGoSubnet @johnpoz
last edited by

@johnpoz The problem here (and I am just about to check) is likely to be that there will be no private IP advertised on the webserver side of things (i.e. no address that I can use with OpenSSH in order to connect to the webserver).

johnpoz LAYER 8 Global Moderator @noGoSubnet
last edited by johnpoz

@nogosubnet said in Adding a Subnet to an Interface:

no private IP advertised on the webserver side of things

that has ZERO to do with anything - just hit the IP that is on the webserver.. Why are you locked into this webserver needing an rfc1918 IP to get to it??

It has an IP connected to pfsense, and uses pfsense to route - doesn't matter what the IP space is, be it rfc1918 or public.. It's just another network to pfsense.


noGoSubnet @johnpoz
last edited by noGoSubnet

@johnpoz agreed, but unless ifconfig or ip addr show gives a local address that I can connect to (i.e. something specifically for the webserver) it will not allow me to connect, - even if I can otherwise ping that address, - it does not matter and the webserver will not allow me to connect. This is why I was trying to create a subnet specifically for the webserver.

johnpoz LAYER 8 Global Moderator @noGoSubnet
last edited by johnpoz

@nogosubnet said in Adding a Subnet to an Interface:

local address that I can connect to

that would be whatever public IP you setup on this webserver - in my example 12.13.14.2

What IP does your webserver have? That is in this /29 you setup on pfsense.. That IP is the IP you would use to talk to it - be it you're on some rfc1918 connected to pfsense, or some public IP out on the internet.

If you can not connect to the webserver's IP, 12.13.14.2 in my example - but you can ping that IP, and you can access its website on that IP, then ssh is not running, not listening on that IP, or it has a host firewall blocking access to ssh. Doesn't matter if that IP is public or rfc1918.. It doesn't!!!


noGoSubnet @johnpoz
last edited by noGoSubnet

@johnpoz Used a public IP address from the Routed IP Subnet /29 range but, no, still no SSH and the webpage not being displayed (holding page only).

I am going to kill setenforce and the firewall on the webserver and see if they are the problem, because, otherwise, both httpd and sshd show no problems.

The /29 is: 87.75.210.24/29.

I have found the problem: DNS is not working or, more accurately, something is blocking it and the lookup requests on port 53.

johnpoz LAYER 8 Global Moderator @noGoSubnet
last edited by johnpoz

@nogosubnet said in Adding a Subnet to an Interface:

DNS is not working or

Well what are you using for dns? Out of the box pfsense would hand out its IP on whatever interface dhcp is running on.

Out of the box pfsense resolves, does not forward.

What specifically for dns is not working? Something you're trying to resolve? Are you trying to access your webserver from public, from something on your lan? What fqdn are you using? Where did you point your webserver for dns?

You understand nothing is going to be able to get to your webserver from the public until you setup the correct wan rules to allow it.

edit: From the IPs you posted, looks like you're using some of those for authoritative dns, I see PTR records saying ns1.domain.uk and ns2.domain.uk etc..

If you're trying to resolve something these are authoritative for, then no it's not going to work publicly if you can not get to them, etc. Your wan rules would have to allow someone to talk to those IPs on udp/tcp 53

edit2: You mention webserver, but you also have NS for domain.uk that points to IPs in this /29 - so anything those are authoritative for is never going to work.. Unless you're running those and you have edited your wan rules to allow access to those IPs.


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.