How to enable web access for VM behind pfSense?

double-happiness · Apr 14, 2022, 10:34 AM

I have two VirtualBox VMs, one with pfSense and another with Debian. They were set up as per instructions that I was given.

The Debian has one NIC:

internal network

pfSense has 3:

NAT
Host-only
int

We were told to set everything up to end up with the network configuration shown in the screenshots:

WAN em0 10.0.2.15/24
LAN em1 172.16.1.1/24
opt1 em2 172.16.2.1/24

We have to test the internet connectivity and troubleshoot as necessary. There is no web access on Debian, and I haven't been able to ping anything successfully, including the pfSense VM, but funnily enough I can ping the Debian VM from the pfSense VM just fine.

All screenshots

Any help please? TIA!

Gertjan · Apr 14, 2022, 11:24 AM

@double-happiness

On the Debian :

You've showed :

and that tells me that localhost or 127.0.0.1 is fine.
But nothing about the (virtal) NIC ?!
You need the dhcp client, or use a static IP setup (IP, mask, gateway, DNS, etc).

You could also type

ifconfig

or

ip addr

and you'll see ;)

double-happiness · Apr 14, 2022, 11:38 AM

@gertjan Ah, sorry, I missed a screenshot out.

I could be wrong, but I think perhaps pfSense is acting as a DHCP server for the Debian VM, and that's how the Debian VM gets its IP address.

Gertjan · Apr 14, 2022, 1:15 PM

@double-happiness said in How to enable web access for VM behind pfSense?:

I could be wrong, but I think perhaps pfSense is acting as a DHCP server for the Debia

Do not doubt, or wait to find out.
Take the mouse, click and admire the the answers.
Status > DHCP Leases and you'll see if there is a lease on the "opt1 em2 " interface where the device 08:00:27:39:39:3c was asking for an lease.

Or go the the centre of all answers : Status > System Logs > DHCP and you will find the negotiation between "08:00:27:39:39:3c", the Debain device, and the pfSense DHCP server.

If you can't find any traces of "08:00:27:39:39:3c", then this could indicate that the Debian isn't using DHCP, that it is using a static setup, with, for example, the gateway (== 172.16.2.1) missing, and that explains the "doesn't work".
Because the link between the virtual Debian NIC and the OPT1 interface of pfSense (also virtual) is purely software, the VM settings are also important.

Check the network settings on Debian.
See the doc : https://www.debian.org/doc/manuals/debian-reference/ch05.en.html secrion 5.2.1 and 5.3.

From what I recall, when I launch a Debian ISO in a VM without any GUI, just the command line, it will find the one and only NIC you assigned to its VM, and should default to 'DHCP', like any other device on earth.
It should work out of the box.

double-happiness · Apr 14, 2022, 1:15 PM

@gertjan said in How to enable web access for VM behind pfSense?:

Status > DHCP Leases and you'll see if there is a lease on the "opt1 em2 " interface where the device 08:00:27:39:39:3c was asking for an lease.

Right, thanks, so I think all is well here, right?

Gertjan · Apr 14, 2022, 2:32 PM

@double-happiness

So, from pfSense you can ping 'debian' or 172.16.2.10.
This means that the other way around should also work.

Can you show the firewall rules on this interface :

@double-happiness said in How to enable web access for VM behind pfSense?:

opt1 em2 172.16.2.1/24

When you create a 'new' interface, pfSense doesn't place any rules on those interfaces, so 'nothing' comes in.
You lifgt ask : then how is it possible that the DHCP requests coming from the debian device are received by pfSense ? Because some firewall rules are 'hidden', and these ones let in coming DHCP traffic pass.
There is also a final 'block all traffic rule".

So : the question : did you allow traffic (UDP, TCP, ICMP, etc etc, it best to select all kind of traffic) to come in into the interface em2 or OPT1 ?

double-happiness · Apr 15, 2022, 8:21 AM

@gertjan Thanks.

So I just looked, and the only firewall rules I have at present are for the LAN.

I can see how to add a rule, but I'm not sure what settings to use other than just allowing everything?

Gertjan · Apr 15, 2022, 8:25 AM

@double-happiness

Your debian VM is on OPT1, not LAN.

Create two pass rules on the OPT interface like the last 2 LAN firewall rules
You have to select "OPT net" as the source, of course, not "LAN net". The rest should be identical.

You can actually copy a rule from LAN, change source to "OPT net" and change the interface from LAN to OPT1 and save + Apply. Do this for both rule, IPv4 and IPv6, and you'll be fine.

Remember : with no rules on an interface, no traffic can enter that interface = no traffic enters the router pfSEnse. That explains your issue.
Traffic can go out of the interface and then answers are allowed to come back. That's what a state-full firewall is all about.

double-happiness · Apr 15, 2022, 9:06 AM

@gertjan Ah, brilliant, that did the trick. Many thanks! :)