PFNoob - A Few Issues (Router IP, Local Ports, and Separate Interface)
-
Hello, I hope everyone is doing well. I'm very new to a lot of this and having a few issues (and confusion) with what I'm trying to do. Any input is very much appreciated, please don't hesitate to ask me for more info if needed as I'm not 100% sure what is relevant here.
I have a few things to figure out:
-
I cannot access, or find my wireless router's IP address within PFsense. The router is in bridge mode, and wifi is working, but I don't see it listed anywhere on my DHCP leases and am unable to access the router web interface.
-
On this wifi network, I'm able to access my SMB share normally as well as my Qbittorrent web client which runs on port 8081. For some reason though I'm unable to access Jellyfin, which should be running on 8096. I'm assuming this is a port issue/block somewhere but not sure where to check on PFsense.
-
I want to set up a "trash" wifi network using a secondary old router that does not go through the firewall, but still has to be plugged into PFsense for network access as I only have a single outlet directly off the modem. I was thinking the most appropriate/easiest way to do this would be to set it up as a separate interface off of PFsense, but am having issues getting the trash router to provide internet access. For some reason, and I can't determine why, only my normal router on the LAN interface is able to reach the internet. I don't want the trash network to be able to communicate with normal LAN.
I know I'm doing something wrong, I'm a novice in this and am barely even sure if I'm asking the right questions. Here are some pictures of my topology and settings, please let me know if any more info would be helpful. I'm currently unable to access the LAN router to pull up its settings page.
General topology:
Normal LAN Interface:
TrashLAN Interface:
Normal LAN DHCP Leases (I see & can access the switch, but don't see the wifi router):
Outbound NAT:
TrashLAN DHCP Settings:
-
-
@viejo For your TRASHLAN to be able to get out to the internet, you have to create a firewall rule on that interface that looks like this:
Action: Pass
Interface: TrashLAN
Address Family: IPv4
Protocol: Any
Source: TrashLAN Net
Destination: any
Description: give it a good name here
That will allow any computer or host on TrashLAN to get to the internet. Might have to reboot your pfsense box when you finish this rule, but usually not. Make sure your test computer has an IP address in the 192.168.55.X range.
Make sure this new rule is at the top of your TrashLAN firewall rule page. After you get this one working, you can add other rules to block access to other networks. We can go over that when you get this first rule working.
-
@akuma1x By the way, I think when you put an "old router" in bridge mode, you can't get at the web interface anymore. Technically you don't need to, since it's simply acting as an access point now. Might also be why there is no DHCP listed for it anymore. I don't actually have any boxes that do this, so maybe somebody else can chime in and offer some other suggestions.
-
@viejo said in PFNoob - A Few Issues (Router IP, Local Ports, and Separate Interface):
I cannot access, or find my wireless router's IP address within PFsense. The router is in bridge mode, and wifi is working, but I don't see it listed anywhere on my DHCP leases and am unable to access the router web interface.
So presumably it didn't request an IP from the DHCP. Are you sure its DHCP client is configured?
If not, maybe you can find it in Diagnostic > ARP after unplugging and re-plugging.
On this wifi network, I'm able to access my SMB share normally as well as my Qbittorrent web client which runs on port 8081. For some reason though I'm unable to access Jellyfin, which should be running on 8096. I'm assuming this is a port issue/block somewhere but not sure where to check on PFsense.
Jellyfin is on the same wifi, I guess. So you might have to enable communication between the stations on the AP.
I want to set up a "trash" wifi network using a secondary old router
Sure that it's a router? If so, the DHCP server on pfSense will only provide an IP to its WAN interface, but not to clients behind.
Also you have to allow traffic from it to the internet.
For the rule it's good advice to create an alias with all RFC 1918 networks included. So you can use this in a filter rule to block all access to internal destinations.
Above this rule you have to put a rule to permit DNS access to pfSense ("This firewall", assuming you're running the DNS resolver on pfSense).
And at the bottom add rules for allowing internet access from the trash.
-
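To make the ordering point concrete, here is an added example (not code from pfSense or from anyone in this thread) that models pfSense's top-down, first-match rule evaluation on the TrashLAN interface. It compares the single "allow any" rule from earlier against the three-rule layout suggested above (DNS to "This firewall", block RFC 1918, then allow the rest). The 10.40.40.0/24 LAN subnet and the TCP/UDP 53 DNS rule are assumptions; 192.168.55.0/24 and the RFC 1918 alias come from the thread.

```python
import ipaddress

# Networks from the thread; LAN_NET is an assumption based on the 10.40.40.x addresses mentioned.
TRASHLAN_NET = ipaddress.ip_network("192.168.55.0/24")
LAN_NET = ipaddress.ip_network("10.40.40.0/24")
THIS_FIREWALL = [ipaddress.ip_network("192.168.55.1/32")]  # pfSense address on TrashLAN

# Alias holding all RFC 1918 space (the "internal destinations" alias suggested above).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_any(addr, nets):
    return any(addr in n for n in nets)

# A rule is (action, source nets, destination nets or None for "any",
#            allowed protocols or None for "any", destination port or None for "any").
def make_rules(only_allow_any):
    allow_internet = ("pass", [TRASHLAN_NET], None, None, None)
    if only_allow_any:
        return [allow_internet]  # the first rule suggested in this thread, on its own
    return [
        ("pass", [TRASHLAN_NET], THIS_FIREWALL, ("udp", "tcp"), 53),  # DNS to pfSense (assumed ports)
        ("block", [TRASHLAN_NET], RFC1918, None, None),              # no access to internal networks
        allow_internet,                                              # everything else: the internet
    ]

def evaluate(rules, src, dst, proto="tcp", dport=443):
    """Return the action of the first matching rule, or 'block' (pfSense default deny)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, srcs, dsts, protos, port in rules:
        if not in_any(src, srcs):
            continue
        if dsts is not None and not in_any(dst, dsts):
            continue
        if protos is not None and proto not in protos:
            continue
        if port is not None and port != dport:
            continue
        return action
    return "block"

if __name__ == "__main__":
    trash_host = "192.168.55.20"
    print("allow-any rule, TrashLAN -> LAN:", evaluate(make_rules(True), trash_host, "10.40.40.5"))
    print("three rules,    TrashLAN -> LAN:", evaluate(make_rules(False), trash_host, "10.40.40.5"))
    print("three rules,    TrashLAN -> DNS:", evaluate(make_rules(False), trash_host, "192.168.55.1", "udp", 53))
```

The single pass rule lets a TrashLAN host reach the LAN; with the RFC 1918 block placed above the internet rule the same packet is dropped while DNS to pfSense and outbound traffic to public addresses still pass.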
@akuma1x Thank you very much for your response! The TrashLAN and secondary router are now able to get to the internet after adding that rule and rebooting pfsense.
I'd still like to be able to access the settings for both routers since they're still broadcasting a network, and I'd still like to be able to change the WPA2 passcodes, network ID's, or things like that to further control the network. Do I need to do that prior to bridging them, or is there another way to access their settings?
-
@viejo What make and models of wireless routers are those?
-
@viragomann I don't think the wifi routers are configured to request a DHCP license, or at least I know(?) that the main LAN router is set to static IP - I think it should be 10.40.40.2, but I get no response, and I don't see that IP anywhere within PFsense or on the network.
Jellyfin is on the same wifi as the main LAN network. By checking the "stations", do you mean between the 2.4ghz and 5ghz channel? I know everything is on the same subnet and VLAN (haven't configured any VLANs yet). I'd need to access the web interface to check the channel settings.
Thank you for your response, the TrashLAN/wifi is up now, I'll look more into those rule details as well for best practice.
@akuma1x The main LAN router is a Linksys MR7350, the Trash router is an old TP Link N600.
-
@viejo said in PFNoob - A Few Issues (Router IP, Local Ports, and Separate Interface):
I don't see that IP anywhere within PFsense or on the network.
Even not in the ARP table after reconnecting the device?
If not, you might have to reset it to default settings.
By checking the "stations", do you mean between the 2.4ghz and 5ghz channel?
No, Access Points can just block communication between the connected devices. Some do this by default.
But since you need it, you have to enable this option, it's often called "inter-BSS communication" or something alike.
Thank you for your response, the TrashLAN/wifi is up now, I'll look more into those rule details as well for best practice.
Consider that the suggested rule allows access to your LAN, which might not be desired from a trash network at all.
-
@viragomann Nothing in ARP, I'm sure I misconfigured something somewhere.
On the HTPC (runs Jellyfin) I'm able to access that Qbittorrent web interface on port 8081 no problem, but on the same PC I can't connect to Jellyfin on port 8096. I can check that inter-BSS option once I figure out where my routers are.
I would expect (I may be incredibly wrong here) that I should normally be able to access the routers by going to 192.168.55.1 for my Trash router, or 10.40.40.2 for my normal LAN router. That may be incorrect but it's odd to me that I don't see them listed anywhere, something to do with them both being in bridge mode?
-
How are those old routers connected? What ports physically?
They won't have any static routing so their web interfaces would only be accessible from a client on their LAN side in the same subnet.
Steve
-
@viragomann said in PFNoob - A Few Issues (Router IP, Local Ports, and Separate Interface):
@viejo said in PFNoob - A Few Issues (Router IP, Local Ports, and Separate Interface):
I don't see that IP anywhere within PFsense or on the network.
Even not in the ARP table after reconnecting the device?
If not, you might have to reset it to default settings.
For some reason after rebooting (I haven't yet reset it) the main LAN router, I'm now unable to get to the firewall page or any outside internet with the Trash router - However I'm suddenly able to access the Trash wifi configuration on 192.168.0.1
So I can't see the 10.40 network right now on Trash, but I can access the router's config page now just from power rebooting the OTHER router.
I'm sure I have something twisted around somewhere. Thank you for helping me troubleshoot this.
I'm getting this error now in PFsense. I think I should enable SSH so I can remote in and read these logs.
@stephenw10
WAN interface igb0 directly from modem
LAN interface igb1 goes into Port 1 on the GS switch
Main router is plugged into Port 2 on the GS switch
Trash router is plugged directly into igb2 on the firewall
I'm pretty sure I did try to set these routers up with static routing, so that could very well be the issue. I'll reset them to factory defaults and see if that helps clear anything up. So to confirm, should the router itself use DHCP (instead of static IP), but have its DHCP server capabilities disabled? Thinking about it now I guess that would make sense, so the router actually gets a DHCP address from the firewall... derp.
Thank you everyone for your patience with me, I'm just trying to learn this/figure things out as I'm going.
-
Sorry I mean on the old routers what ports are connected? If you are connected via their WAN ports you would not expect to be able to access the web interfaces.
-
@stephenw10 Sorry I meant to include that info - Both routers have their inlet cables going into Port 1 on them, but not the Internet/WAN port.
So Trash router has cable going from PFsense into Port 1 on the router (not WAN). Main router has cable going from the switch into Port 1.
I reset the Trash router to factory defaults, and now I'm unable to access it again on 192.168.0.1. If I type "ip route" on one of my laptops while connected to the wifi on it, it tells me 192.168.55.1, which if I navigate to brings me to the PFsense login screen. I also still have no outbound access on this router again.
I'm getting error logs, it looks like it may be having issues applying the rule I made earlier in this thread? I'm trying to look into things and troubleshoot as I'm responding just to try and make sure I haven't made an obvious mistake.
Edit: The laptop on the TrashLAN is still getting DHCP addresses from the firewall so the issue seems to be somewhere with the router being able to get outside into open internet. Looks like that rule from earlier may not be working now based on the logs but I don't see why. I also still don't see either router themselves on the network.
The routers should have their inlet cables going into normal ports on them, and not into their WAN ports correct?...
-
Ok, that's correct.
The laptop will only be able to reach the wifi router if it's in the same subnet though. If it's been reset to 192.168.0.1 that's no longer the case.
When you try to reach that IP from the laptop it routes that traffic via its gateway (pfSense at 192.168.55.1) but pfSense also has no idea where 192.168.0.0/24 is so it routes it out of the WAN where obviously it fails.
However even if that request was routed correctly to the router it has no idea where 192.168.55.0/24 is so it cannot reply.
There are ways to work around that but really you should just set the router to a static IP in the 192.168.55.0/24 subnet.
That v6 bogons error is because the maximum table size is too small. See:
https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#firewall-maximum-table-entries
Steve
-
@stephenw10 I'm still just having a hard time figuring out how to actually access the router config so I can correct the IP on it and put it in the proper 192.168.55.0 subnet.
I thought plugging a laptop directly into the Trash router via an ethernet cable and disabling wifi on the laptop may allow me to connect directly to the router's IP, but it still defaults to 192.168.55.1, and trying to go to that page still forwards me to PFSense - What's odd is I noticed I was able to get outside to the internet again on the ethernet connection, and even after I unplugged and went back on Trash wifi, the internet continued to work - I haven't changed anything since my last comment, so I'm not sure if something just took a long time to propagate or what...
"ip route" shows 192.168.55.1 as the gateway, so somehow it knows to use that presumably from the interface configuration on PFSense.
-
Set your laptop to a static IP in the 192.168.0.0/24 subnet temporarily.
-
@stephenw10 Thank you very much, I was able to reset the Trash router and manually set my laptop's IP to something within the subnet like you mentioned, and was then able to configure the router and put it on the correct 192.168.55.1 subnet within its own menu by setting the IP there.
Since I wasn't able to access the main LAN router either, I tried to do the same thing with that one but I'm getting different results. I reset that router, and once again set my IP as static for something in the 192.168.0.0/24 subnet (I'm pretty sure this router should default to 192.168.0.1). This is the router that's plugged into the switch.
"ip address" command shows that I have 192.168.0.3, and "ip route" shows default via 192.168.0.1, but if I try to navigate to that page it does not find it.
I'm not sure right now why this one is behaving differently than the other router.
-
The most likely is that it isn't at that IP for whatever reason.
If you reset it I'd expect it to start handing out DHCP leases again in its own subnet.
Steve
-
@stephenw10 Thank you, you were exactly right. Turns out that router factory defaults to 192.168.1.1 - I really wish it had a sticker on the bottom or something that indicated that, didn't think to search it online yesterday just kept pinging the 192.168.0.0 network assuming it was somewhere there. Fixing the address for the main LAN router also resolved the port issues I was having with Jellyfin, so that's great :)
Thank you Stephen and everyone else who's offered help here as I stumble through this.
Edit: Also, I'm forgoing my plans for the trash network as far as any type of firewall bypassing. At most I may make it where the VPN isn't active on that interface, but otherwise I think I'm good on that too.
Thank you all!!