Adding a Subnet to an Interface
-
I have installed pfSense (hardware - non-virtualized) with a 2-port network card and a bridged connection from a router to the motherboard onboard LAN port. No problem.
I have an internet connection via pfSense, too. No problem. - LAN (personal PC on bge0 and webserver on bge1).
The problem is that I need to add a subnet to bge1 in order to connect to it via SSH from bge0. - I have tried using 127.0.0.1 localhost, as that was an obvious solution to the problem of having no local IP showing in ifconfig or ip addr show ...only I have found it impossible to establish a connection via localhost even if using fully open bge0 to bge1 and bge1 to bge0 firewall rules.
Following the above I tried aliases and virtual IPs (neither worked), and I tried adding a new interface ...only the new interface can only be added as an rge0 interface (which is the interface used by my WAN, so it kills my internet connectivity as a result of overwriting the existing configuration for that interface).
Can anyone offer any advice on this, please, as I am completely out of ideas and need some way of being able to manage bge1 via SSH from my bge0 PC?
-
@nogosubnet Not sure how your setup is. Can you make a drawing with IP addresses? This might make the entire setup more clear for everyone.
-
Not good with drawings, but the setup is this:
Draytek Vigor 2860 set to Bridge with automatic address assignment (nothing in DHCP credentials) and using 192.168.0.0/24.
|
pfSense running on its own board with 2-port LAN card (re0 for WAN, bge0 for LAN (Windows 7 x64 PC), bge1 for Optional, that being a RHEL webserver in this case) and using 10.100.0.0/24. The login credentials were entered via the web configuration after selecting PPPoE as the connection type, as opposed to the default DHCP selection.
|
RHEL webserver with BIND DNS on one board and Windows PC on another board, both independent of each other (webserver connected to bge1, PC connected to bge0). I also now realise that localhost would not have worked as a way of connecting to the webserver from the PC because it would have routed to just that: localhost on the local machine; however, the other tests all involved private subnets of the 10.10.0.0/24, 10.200.0.0/24 etc. ranges.
There is no requirement for IPv6 because my broadband supplier does not provision IPv6 to its customers; however, I guess that there is no reason why it could not be considered as a means of creating a subnet between my PC, - bge0, - and the webserver, - bge1.
Does that clarify the situation, or do you require further details?
-
You only need Firewall Rules to allow your networks/interfaces to talk to each other.
I also don't really understand your setup, it would help to see a drawing and some pfSense configuration screenshots. -Rico
-
@rico Thanks, but as I have no idea how to get this working for that which is required, it is a bit difficult to post screenshots, as I do not know what the screenshots need to be of. - Configuration? - Yes, sure, - I can probably provide several hundred shots of each and every tab and it would not help anyone (least of all myself) in the slightest.
As to the drawing, - it is here (but I completely fail to see how it should enlighten anyone):
-
So on pfSense you have LAN (bge0), connected to your PC, and OPT (bge1), connected to your web server.
What network did you set up on bge1?
Let's say LAN is 192.168.1.1 (default).
Seems like you want your webserver on the 10.100.0/24 network - ok, so set the OPT1 interface on pfSense to be 10.100.0.1/24.
There you go, done. Either enable the DHCP server on bge1, or set up your webserver with an IP on this 10.100.0/24 network and create the rules you want on the bge1 interface.
-
@johnpoz: Thanks. Unfortunately I omitted one crucial issue: there is already a routed subnet assigned to bge1 (OPT), otherwise that is exactly what I would have done.
The routed subnet is a /29 block of IPv4 addresses, so these are assigned via Static IPv4; so it would seem that I either need to find some other way of making those addresses available, preferably exclusively, to bge1 or I need some way of assigning both those addresses and a, preferably private, subnet to bge1.
Alternatively, extending the private subnet of LAN may be an option, but that would place both the Windows PC and the webserver on the same subnet (something I would rather avoid, if possible).
-
@nogosubnet well what is that - you show your webserver plugged into that network - what is it? Why do you want/need this webserver to be on 10.100.0 if its already on a network?
edit:
If you have some routed network /29 on this bge1 - why do you want/need it also to have a 10.100 address? At a loss to what that gets you? BTW I take it there are some switch(es) involved, you don't just have 1 PC and 1 webserver plugged into these interfaces on pfSense?
-
@johnpoz The problem is that, even disregarding a private subnet for the webserver, I am unable to SSH from the webserver (bge1 - OPT) to the Windows PC (bge0 - LAN), and I am unable to assign a private address range (or even share the bge0 range) to bge1 because it already has a /29 IPv4 routed subnet assigned to it.
There are no switches involved (unless you are going to be technical and confuse the issue by including parts of the default configuration). The 10.100 address would be part of separating everything through private subnets for security; hence the reason for the 192.168 /24 on the router, 10.100 /24 on the pfSense (which equates to LAN - bge0).
-
@nogosubnet what are the rules you put on the bge1 interface? What IP be it public or private has nothing to do with it being able to access anything on the lan network.
-
@johnpoz Nothing but the default setup. LAN is set to PPPoE with my broadband service provider credentials. That is it.
The only firewall rule is that of the BOGON, not the private range option because that could, potentially, block access to the webserver on bge1. I have deliberately kept everything to default settings whenever and wherever possible in order to simplify things whilst I resolve the LAN - OPT connectivity issue.
-
@nogosubnet said in Adding a Subnet to an Interface:
10.100 /24 on the pfSense (which equates to LAN -
So 10.100/24 is your LAN network - ok fine.. What are the rules on your bge1 interface - doesn't matter what network is on that or what IP your webserver has, be it private or public.. Access to the LAN network would be allowed per the rules on the bge1 interface; if you're forcing traffic out a gateway then you would need a rule above that to allow access to your LAN network - no matter what that network is as well.
-
@nogosubnet said in Adding a Subnet to an Interface:
LAN is set to PPPoE with my broadband service provider credentials.
NO it freaking isn't - that would be a WAN interface...
-
@johnpoz Yes, - you are right (my apologies), - I am confusing things here. - The 10.100 /24 would be on LAN, with the PPPoE credentials on rge1 - WAN.
I have had a further look at my webserver and can confirm that there are no issues there (yes, including the firewall - disabled during tests); so, looking at some historical posts that touch upon similar issues, it looks as though I am going to have to decide between routed subnet or being able to connect to the webserver. Not ideal, so I am relieved that I have saved £200 - £300 on not buying a hardware pfSense router in the first place and that I have been able to confirm the situation by talking to you, - thanks.
-
@nogosubnet What??? Have no idea what you're going on about..
I am going to have to decide between routed subnet or being able to connect to the webserver.
Have no idea what you're talking about..
So you have a routed /29 on your bge1 interface - wtf does that have to do with being able to access that from your LAN 10.100 network? Nothing!! How about you post up your rules on your LAN and your bge1 interface..
Doesn't matter what IP ranges you have on bge0 and bge1 interfaces - doesn't matter if 1 is public IP space that is routed to you via the WAN.. They are 2 locally attached networks to pfSense - the only thing that would keep them from talking to each other would be firewall rules..
If you were bridging from wan to bge1 and device on this network was getting IP from upstream and pfsense was just bridge then you could have a problem.
-
@johnpoz Thanks anyway, but don't worry about it: I have been over all the settings now and have confirmed that, when using pfSense, it is definitely not possible to manage a network via a local address subnet on an interface already using a routed IP subnet.
The issue here is that once a routed IP subnet has been assigned to an interface, - in this case OPT - bge1, - it is no longer possible to connect to that interface from LAN - bge0 regardless of firewall rules to allow completely open access between the interfaces (including that of re0 - WAN, of course).
On the webserver side (RHEL) you will normally see a private (local) address under ifconfig or ip addr show and this is normally pulled from the router (probably via DHCP address assignment) and requires no changes to the network script files in the event of it changing (although a reboot may be necessary in order for it to be picked-up in some cases).
With a pfSense setup this does not happen (again regardless of firewall rules), so it becomes impossible to connect (even ping, for that matter) the WAN local subnet (or the LAN subnet, if aliased) and there appears to be absolutely nothing that can be done about this, which also appears to be expected behaviour with pfSense.
As I have said, this is not ideal, and means that, in using pfSense for this arrangement, you have a choice of subnet or internet access (with management only by disconnecting the LAN machine and connecting directly to the webserver) ...so pfSense is another "home user" product and not suited for power, SoHo, or SME use, which is a real pity (and, yes, I am aware of paid support, but am not prepared to pay $399 just to have what I have already said confirmed and with no refund after basically telling me that pfSense cannot do what I need it to do).
-
@nogosubnet said in Adding a Subnet to an Interface:
it is no longer possible to connect to that interface from LAN - bge0 regardless of firewall rules to allow completely open access between the interfaces (including that of re0 - WAN, of course).
Nonsense.. Plain and simple.. Again... What IP space is on an interface has zero to do with access from another network attached to pfSense.
which also appears to be expected behaviour with pfSense.
Where are you getting such nonsense?
A device on either of these networks can talk to each other without issue.. Unless you have firewall rules blocking them, or policy route not allowing it.. Doesn't matter what the IP space is!
-
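The point made in the two replies above (rules on the ingress interface decide access, the address family of the attached network does not, and a policy-routing rule with a gateway set needs an ordinary pass rule to the LAN placed above it) is easier to see as a small model. The block below is an added illustration written for this page; it is not pfSense or pf code. It assumes 10.100.0.0/24 for LAN as in the thread, uses 203.0.113.8/29 (TEST-NET-3) as a constructed stand-in for the routed /29 on OPT1, and makes up host addresses and port numbers. It runs offline.

```python
"""Constructed model of the pfSense forwarding decision between two locally
attached networks: longest-prefix lookup over connected routes, then top-down
first-match evaluation of the rules on the INGRESS interface, with a rule's
gateway (policy routing) overriding the routing table.  Hypothetical
illustration, not pfSense or pf code."""
from dataclasses import dataclass
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN_NET = ipaddress.ip_network("10.100.0.0/24")     # LAN (bge0) as described in the thread
OPT1_NET = ipaddress.ip_network("203.0.113.8/29")   # assumption: TEST-NET-3 stands in for the routed /29 on bge1
CONNECTED = {"lan": LAN_NET, "opt1": OPT1_NET}      # both directly attached: no gateway involved between them
WAN_GW = "wan_gw"                                    # default route; also the policy-route target below


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str = "tcp"


def pkt(src, sport, dst, dport, proto="tcp"):
    return Packet(ipaddress.ip_address(src), sport, ipaddress.ip_address(dst), dport, proto)


def rule(iface, action="pass", src=ANY, dst=ANY, proto=None, dport=None, gateway=None):
    """One rule on an interface tab; proto/dport None means 'any'."""
    return dict(iface=iface, action=action, src=src, dst=dst, proto=proto, dport=dport, gateway=gateway)


def lookup_route(dst):
    """Longest-prefix match over connected networks; anything else takes the default route."""
    hits = [(net.prefixlen, name) for name, net in CONNECTED.items() if dst in net]
    return max(hits)[1] if hits else WAN_GW


def ingress_of(p):
    """Interface the packet arrives on: the connected network holding its source address."""
    for name, net in CONNECTED.items():
        if p.src in net:
            return name
    return "wan"


def first_match(rules, iface, p):
    """Rules are evaluated top-down per interface; first match wins, no match means block."""
    for r in rules:
        if r["iface"] != iface or p.src not in r["src"] or p.dst not in r["dst"]:
            continue
        if r["proto"] not in (None, p.proto) or r["dport"] not in (None, p.dport):
            continue
        return r
    return None


def forward(rules, p, states):
    """Return (verdict, egress).  'states' models the stateful table: a reply to an
    established flow passes without consulting the rules on its own interface."""
    if (p.dst, p.dport, p.src, p.sport, p.proto) in states:
        return ("pass", lookup_route(p.dst))
    r = first_match(rules, ingress_of(p), p)
    if r is None or r["action"] == "block":
        return ("block", None)
    states.add((p.src, p.sport, p.dst, p.dport, p.proto))
    egress = r["gateway"] or lookup_route(p.dst)   # policy routing ignores the routing table
    return ("pass", egress)


def demo():
    """Rule sets for the LAN PC <-> webserver case; returns each verdict by name."""
    pc, web, internet = "10.100.0.50", "203.0.113.10", "198.51.100.7"   # constructed hosts
    out = {}
    # 1. Only the default 'LAN net to any' rule, nothing on OPT1.
    rules, states = [rule("lan", src=LAN_NET)], set()
    out["pc_to_web"] = forward(rules, pkt(pc, 50000, web, 22), states)          # pass via opt1
    out["web_reply"] = forward(rules, pkt(web, 22, pc, 50000), states)          # pass on the state
    out["web_to_pc_no_rule"] = forward(rules, pkt(web, 40000, pc, 22), set())   # default deny
    # 2. 'Any to any' on OPT1 but with a gateway set: policy-routed out WAN, LAN never reached.
    rules = [rule("lan", src=LAN_NET), rule("opt1", gateway=WAN_GW)]
    out["web_to_pc_policy_routed"] = forward(rules, pkt(web, 40000, pc, 22), set())
    # 3. Fix: an ordinary pass rule to LAN net ABOVE the gateway rule.
    rules = [rule("lan", src=LAN_NET), rule("opt1", dst=LAN_NET), rule("opt1", gateway=WAN_GW)]
    states = set()
    out["web_to_pc_fixed"] = forward(rules, pkt(web, 40000, pc, 22), states)
    out["web_to_internet"] = forward(rules, pkt(web, 40001, internet, 443), states)
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

Two things the model makes visible: SSH from the LAN PC to the webserver needs nothing on the OPT1 tab at all, because the reply rides the state created by the LAN rule; and swapping OPT1_NET for a private prefix changes no verdict, since lookup_route only cares that the destination sits in a connected network. The case that does silently break LAN access is a permissive OPT1 rule with a gateway selected, which sends LAN-bound traffic to the WAN gateway unless a plain pass rule to LAN net sits above it.
-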
Normally I would agree, but that is not holding up on pfSense.
We can assume that rules on the router are not a factor because all of this is happening behind the router, and the router is functioning as a bridge only and we are dealing with private / local networks, so this argument (at this stage) is purely between re0, bge0, and bge1.
As for the rules in place in the webConfigurator (which is accessed via bge0 - LAN), I have rules between re0, bge0, and bge1 that allow each to talk openly to each other - IPv4 & IPv6, any protocol, any application; so how can the firewall possibly be getting in the way of things? - Provided that the BOGON and local net tick-boxes are not ticked, and therefore not a factor, the only way that the firewall could still be influencing things is if something is bugged, broken, or otherwise not working as intended.
On both bge0 and bge1 I have also taken the precaution of disabling the firewalls (as in those software firewalls that would normally be present on those systems), too, and, again, that made no difference (even following reboots, resets, etc.).
-
@nogosubnet said in Adding a Subnet to an Interface:
and the router is functioning as a bridge
Well there might be where you have a problem, like I mentioned already..
If the router doesn't have an IP in the bridge, then no, you're not going to be able to talk to anything in the bridged network via routing.. Put an IP on the bridge interface so pfSense can route to it.
What exactly are you bridging - bge0 and bge1 to me just means its broadcom interfaces
-
@johnpoz the DSL line is connected to the Draytek router which, in turn, connects - and bridges the internet - to the pfSense setup, ie: rge0 - WAN (pfSense WAN, not the router WAN).
I would not be able to connect pfSense directly to the DSL line, as pfSense has no means of modulating and de-modulating the signal; however, I could look at adding the required subnet as a WAN IP alias on the router side and having that IP join the NAT IP Address Pool. - If I am understanding things correctly, that should advertise the subnet to all interfaces associated with rge0 - WAN and would mean that I could, potentially, access OPT - bge1 from LAN - bge0.
Internet connectivity works fine with the current setup, as it is, though: the issue is purely one of being able to get LAN - bge0 and OPT - bge1 talking to each other, so the latter can be managed via the former.