Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How to enable web access for VM behind pfSense?

    Scheduled Pinned Locked Moved
    Virtualization
    2
    9
    731
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      double-happiness
      last edited by double-happiness

      I have two VirtualBox VMs, one with pfSense and another with Debian. They were set up as per instructions that I was given.

      The Debian has one NIC:

      • internal network

      pfSense has 3:

      • NAT
      • Host-only
      • int

      We were told to set everything up to end up with the network configuration shown in the screenshots:

      WAN em0 10.0.2.15/24
      LAN em1 172.16.1.1/24
      opt1 em2 172.16.2.1/24

      We have to test the internet connectivity and troubleshoot as necessary. There is no web access on Debian, and I haven't been able to ping anything successfully, including the pfSense VM, but funnily enough I can ping the Debian VM from the pfSense VM just fine.

      All screenshots

      Any help please? TIA!

      GertjanG 1 Reply Last reply Reply Quote 0
      • GertjanG
        Gertjan @double-happiness
        last edited by

        @double-happiness

        On the Debian :

        You've showed :

        187ca6ed-1d01-4b2c-a818-e60d1f1f35a9-image.png

        and that tells me that localhost or 127.0.0.1 is fine.
        But nothing about the (virtal) NIC ?!
        You need the dhcp client, or use a static IP setup (IP, mask, gateway, DNS, etc).

        You could also type

        ifconfig

        or

        ip addr

        and you'll see ;)

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        D 1 Reply Last reply Reply Quote 1
        • D
          double-happiness @Gertjan
          last edited by double-happiness

          @gertjan Ah, sorry, I missed a screenshot out.

          ip addr

          I could be wrong, but I think perhaps pfSense is acting as a DHCP server for the Debian VM, and that's how the Debian VM gets its IP address.

          GertjanG 1 Reply Last reply Reply Quote 0
          • GertjanG
            Gertjan @double-happiness
            last edited by Gertjan

            @double-happiness said in How to enable web access for VM behind pfSense?:

            I could be wrong, but I think perhaps pfSense is acting as a DHCP server for the Debia

            Do not doubt, or wait to find out.
            Take the mouse, click and admire the the answers.
            Status > DHCP Leases and you'll see if there is a lease on the "opt1 em2 " interface where the device 08:00:27:39:39:3c was asking for an lease.

            Or go the the centre of all answers : Status > System Logs > DHCP and you will find the negotiation between "08:00:27:39:39:3c", the Debain device, and the pfSense DHCP server.

            If you can't find any traces of "08:00:27:39:39:3c", then this could indicate that the Debian isn't using DHCP, that it is using a static setup, with, for example, the gateway (== 172.16.2.1) missing, and that explains the "doesn't work".
            Because the link between the virtual Debian NIC and the OPT1 interface of pfSense (also virtual) is purely software, the VM settings are also important.

            Check the network settings on Debian.
            See the doc : https://www.debian.org/doc/manuals/debian-reference/ch05.en.html secrion 5.2.1 and 5.3.

            From what I recall, when I launch a Debian ISO in a VM without any GUI, just the command line, it will find the one and only NIC you assigned to its VM, and should default to 'DHCP', like any other device on earth.
            It should work out of the box.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            D 1 Reply Last reply Reply Quote 1
            • D
              double-happiness @Gertjan
              last edited by

              @gertjan said in How to enable web access for VM behind pfSense?:

              Status > DHCP Leases and you'll see if there is a lease on the "opt1 em2 " interface where the device 08:00:27:39:39:3c was asking for an lease.

              Right, thanks, so I think all is well here, right?

              alt text

              GertjanG 1 Reply Last reply Reply Quote 0
              • GertjanG
                Gertjan @double-happiness
                last edited by

                @double-happiness

                So, from pfSense you can ping 'debian' or 172.16.2.10.
                This means that the other way around should also work.

                Can you show the firewall rules on this interface :

                @double-happiness said in How to enable web access for VM behind pfSense?:

                opt1 em2 172.16.2.1/24

                When you create a 'new' interface, pfSense doesn't place any rules on those interfaces, so 'nothing' comes in.
                You lifgt ask : then how is it possible that the DHCP requests coming from the debian device are received by pfSense ? Because some firewall rules are 'hidden', and these ones let in coming DHCP traffic pass.
                There is also a final 'block all traffic rule".

                So : the question : did you allow traffic (UDP, TCP, ICMP, etc etc, it best to select all kind of traffic) to come in into the interface em2 or OPT1 ?

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                D 1 Reply Last reply Reply Quote 1
                • D
                  double-happiness @Gertjan
                  last edited by

                  @gertjan Thanks.

                  So I just looked, and the only firewall rules I have at present are for the LAN.

                  alt text

                  I can see how to add a rule, but I'm not sure what settings to use other than just allowing everything?

                  GertjanG 1 Reply Last reply Reply Quote 0
                  • GertjanG
                    Gertjan @double-happiness
                    last edited by

                    @double-happiness

                    Your debian VM is on OPT1, not LAN.

                    Create two pass rules on the OPT interface like the last 2 LAN firewall rules
                    You have to select "OPT net" as the source, of course, not "LAN net". The rest should be identical.

                    You can actually copy a rule from LAN, change source to "OPT net" and change the interface from LAN to OPT1 and save + Apply. Do this for both rule, IPv4 and IPv6, and you'll be fine.

                    Remember : with no rules on an interface, no traffic can enter that interface = no traffic enters the router pfSEnse. That explains your issue.
                    Traffic can go out of the interface and then answers are allowed to come back. That's what a state-full firewall is all about.

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                    D 1 Reply Last reply Reply Quote 1
                    • D
                      double-happiness @Gertjan
                      last edited by

                      @gertjan Ah, brilliant, that did the trick. Many thanks! :)

                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post