Cannot Access WebConfigurator

BrianMcG · Jul 26, 2022, 1:41 PM

I'm pretty sure I have installed pfSense on Hyper-V OK. At the end it told me:
You can now access the webConfigurator by opening the following URL in your web browser
https://192.168.16.1/
But when I try to do so using Microsoft Edge it tells me:
Hmmm… can't reach this page
What should I do now?

I can access my ISP's Router on 192.168.0.1 without problems.
I've tried resetting the webConfigurator from inside pfSense.
I've also tried using Chrome. But no joy with either.

Rico · Jul 26, 2022, 1:25 PM

pfSense default LAN IP is 192.168.1.1 /24 not 192.168.16.1

-Rico

Jarhead · Jul 26, 2022, 1:41 PM

@brianmcg said in Cannot Access WebConfigurator:

I'm pretty sure I have installed pfSense on Hyper-V OK. At the end it told me:
You can now access the webConfigurator by opening the following URL in your web browser
https://192.168.16.1/
But when I try to do so using Microsoft Edge it tells me:
Hmmm… can't reach this page
What should I do now?

I can access my ISP's Router on 192.168.0.1 without problems.
I've tried resetting the webConfigurator from inside pfSense.
I've also tried using Chrome. But no joy with either.

If you're on the 0.1 network, you won't have access to the 16.1 network.
You would either have to connect to the 16.1 network or allow access through the wan of the pfSense.

BrianMcG · Jul 26, 2022, 11:38 PM

@rico I've tried https://192.168.1.1/ as well. It didn't work either.

Whilst I was in the pfSense VM, I reconfigured the IP Address of the INTERNAL Virtual Switch to 192.168.16.1 That's why the installer told me to use 192.168.16.1, surely?

BrianMcG · Jul 27, 2022, 1:06 AM

@jarhead I agree. However, I have a Windows 11 VM inside Hyper-V with an IP of 192.168.16.2 and a Gateway of 192.168.16.1. It can't even PING 192.168.16.1 or anything on 192.168.0.x, of course. The only thing it can PING is 192.168.16.2.

If I change its IP Address to 192.168.0.3 and its Gateway to 192.168.0.1, then of course it can ping anything on192.168.0.x.!

When I go into pfSense, I get:
Welcome to pfSense.PNG

BrianMcG · Jul 27, 2022, 1:20 AM

@brianmcg Whenever I do something for the first time I always create an Audit Trail of what I've done in case I ever have to do it again. I have a complete Word Document that describes what I'm trying to do and how I've gone about it. I can't upload it here. So I've uploaded it to Dropbox here: link text

You'll have to excuse me, for despite over fifty years computer experience, I am new to Server 2019, Windows 11 and, of course, pfsense. The last time I upgraded this Server was fourteen years ago!

One thing that is confusing me, is how do I connect the Host Server to the network in such a way that it is NOT accessible to the WAN?

Jarhead · Jul 27, 2022, 1:46 AM

@brianmcg said in Cannot Access WebConfigurator:

@jarhead I agree. However, I have a Windows 11 VM inside Hyper-V with an IP of 192.168.16.2 and a Gateway of 192.168.16.1. It can't even PING 192.168.16.1 or anything on 192.168.0.x, of course. The only thing it can PING is 192.168.16.2.

If I change its IP Address to 192.168.0.3 and its Gateway to 192.168.0.1, then of course it can ping anything on192.168.0.x.!

When I go into pfSense, I get:
Welcome to pfSense.PNG

16.2, set statically or did it receive an address from pfSense?

Gertjan · Jul 27, 2022, 8:14 AM

@brianmcg said in Cannot Access WebConfigurator:

One thing that is confusing me, is how do I connect the Host Server to the network in such a way that it is NOT accessible to the WAN?

A device, like a desktop PC, phone, camera, printer, or a server connected to a LAN type interface are never accsible from the Internet, or traffic that comes into the WAN.
By default, all incoming traffic into WAN is discarded.
That's what a firewall is all about.

Only traffic initiated from pfSense or one of its LAN devices, that creates an answer on a WAN (Internet) based device will get back to the initiating (pfSense or LAN) device.
That's what a statefull firewall does : it accepts answers for outstanding (outgoing) requests.

pfSense is like any other low end or high and firewall : they all do the same thing.

Nothing new since the last 50 years ;)

Btw : running pfSense from a VM does add complexity. Like : setting up the VM with it's interfaces, some are virtual-to-a-real-hardware-NIC, some are virtual-to-a-real-hardware-NIC and shared with the host device, some are purely virtual.

BrianMcG · Jul 27, 2022, 12:50 PM

@jarhead I am not using pfSense as a DHCP Server. I set the IP Addresses of the Windows 11 VM manually from inside the VM.

BrianMcG · Jul 27, 2022, 1:06 PM

@gertjan But surely if I have my Server connected to both the INTERNAL Virtual Switch on 192,168,16.1 and the EXTERNAL Virtual Switch on 192.168.0.2 then the Server is exposed directly to the WAN?

The last time I had a firewall it was on a separate machine, so the Server was in no way exposed to the WAN, as it was only connected physically to the LAN. Since pfSense is a VM INSIDE the Server and is connected to the EXTERNAL Virtual Switch, how is it protected? I'm still having problems in coming to grips with it.

Jarhead · Jul 27, 2022, 1:16 PM

@brianmcg I will never understand why anyone would want a firewall as a VM so I have never done this.
But it looks like you may have the switches reversed, meaning what you call external, is actually connected to the internal.
Go into pfSense and reassign the interfaces in the reverse order. So what you have as the WAN now will be the LAN and vice versa.

Gertjan · Jul 27, 2022, 2:09 PM

@brianmcg said in Cannot Access WebConfigurator:

how is it protected?

These are my words, I'm not a pfSense in a VM expert.

I was using pfSense in a VM @home.
The PC used is also my main home PC, suing Windows 10 Pro so Hyper-V was available.

I reserved one NIC 'physically' for the VM, used by pfSense.
This means that when pfSense uses this NIC, it is the only one using it. My host, Windows 10, was not using this NIC. This NIC was of course the pfSense WAN interface, connected to my uplink ISP router.

Another VM NIC, assigned also to a hardware NIC, is shared among the host, the VM and other VMs in my host PC. This was my LAN network.

Because my host OS uses only the internal VM NIC (switched with an external real hardware NIC ) called LAN, my host PC was 'behind' pfSense.

@jarhead said in Cannot Access WebConfigurator:

I will never understand why anyone would want a firewall as a VM

I had one : didn't want to buy more hardware as needed.
I was using pfSense @home purely for development reasons. I could mess around with it, and rebuild from scratch in minutes.
@work : I agree. I've been using always a hardware bare bone solution. It's a SG4100 since a couple of months.

BrianMcG · Jul 28, 2022, 2:30 AM

@gertjan Thanks for that your comment:
"I reserved one NIC 'physically' for the VM, used by pfSense."
finally made one penny drop, anyway. Obviously you disabled:
"Allow management operating system to share this network adapter" for your EXTERNAL Switch. This obviously protects the Server from the WAN. So thanks for that. :-)

Mine is currently ticked. It's the only way I have any internet access.

My current setup is that I have one Server, called FILE-SERVER, running Server 2019 and Hyper-V. Inside Hyper-V I have two VMs: pfSense and BRIANS-PC running Windows 11. I also currently only have one Network Adapter - the one on the new motherboard inside FILE-SERVER. (I thought I had 3 x 1Gb adapters available. But it turned out that they were so old the were only PCI Adapters, so would not fit the new motherboard.) I have a new 2.5Gb on order, from AliExpress, that I intend to use to connect to an 8-port hardware switch an the rest of the internal network.

I want pfSense to act as a firewall for FILE-SERVER and all of its VMs, as well as the rest of the internal network. HOWEVER, first, I have to get pfSense working.

pfSEnse's WAN is connected to the EXTERNAL Virtual Switch with an IP Address of 192.168.0.2 and an Gateway of 192.168.0.1 on our ISP's Router.

pfSEnse's LAN is connected to the INTERNAl Virtual Switch with an IP Address of 192.168.16.1 which is intended to be the Gateway of Internal Network.

Stage one is to get Brians-PC, a VM inside Hyper-V, connected to the Internet. It has a Virtual Adapter with an IP of 192.168.16.3 and a Gateway of 192.168.16.1 - but it is NOT working, and I'm buggered if I know why. The only thing it can ping on the 192.168.16.x Network is itself 192.168.16.3!!

BrianMcG · Jul 28, 2022, 2:58 AM

@jarhead I tried that. It made no difference - apart from the fact that I lost all Internet connectivity. I could not connect to the WebConfigurator using either IP address. So i've switched them back again. If you look at link text I think you will see that it's connected correctly.

Jarhead · Jul 29, 2022, 6:17 AM

@brianmcg said in Cannot Access WebConfigurator:

@rico I've tried https://192.168.1.1/ as well. It didn't work either.

Whilst I was in the pfSense VM, I reconfigured the IP Address of the INTERNAL Virtual Switch to 192.168.16.1 That's why the installer told me to use 192.168.16.1, surely?

Is the switch really .1 also?

BrianMcG · Jul 29, 2022, 6:22 AM

@jarhead The short answer is YES. But herewith screen shots of all my settings - just in case you have other questions:
From FILE-SERVER the Windows Server 2019 machine running pfSense:
login-to-view
login-to-view
login-to-view
From Brians-PC a WIndows 11 PC inside Hyper-V:
login-to-view
login-to-view
As you can see Brians-PC can't even ping 192.168.16.1

Jarhead · Jul 30, 2022, 1:14 AM

@brianmcg Can't have both devices using the same IP. Change the internal switch to 192.168.16.254.

Going back over this thread now.

Honestly I think you should just enable the dhcp server on pfSense LAN and set the switch to dhcp. See if it gets an address.
Other than using the same IP twice, it's hard to tell if everything is connected correctly with all being VM. DHCP will help, and after the test you can just turn it off again.

BrianMcG · Jul 30, 2022, 1:14 AM

@jarhead OH!! That wasn't an accident. I thought pfSense and the INTERNAL Switch were the same thing! So I used the same IP Address deliberately.

I'll do what you suggest; enable the DHCP on pfSense for the INTERNAL Network; disable the DHCP Server on FILE-SERVER; allow Brians-PC to pick up an IP Address and see if tha makes any difference. If it does we'll at least know the source of the problem.

Good job I posted all my settings.

BrianMcG · Jul 30, 2022, 2:10 AM

@jarhead I just did as you suggested, I :

enabled the LAN DHCP Server on pfSense to allocate IP Address from 192.168.16.100 up,
Changed the INTERNAL Network Switch to pickup its IP Address using DHCP,
Changed Brians-PC to pickup its IP Address using DHCP,
Ensured FILE-SERVER was not also a DHCP Server,
Ran IPCONFIG on both Brians-PC and FILE-Server:
- Brians-PC Autoconfiguration IPv4 Address 169.254.215.192,
- INTERNAL Virtual Switch Autoconfiguration IPv4 Address 169.254.255.141
So it seems that pfSense's DHCP Server did not dish out any IP addresses.

Incidentally, if there are two DHCP Servers on different Virtual Networks dishing out IP Address, how is a humble Network Adapter supposed to know which one you want it to connect to? Are they blessed with ESP?

Jarhead · Jul 30, 2022, 2:55 AM

@brianmcg I think I just found the problem. On your internal switch you chose Internal network, should be Private Network.