Can't Connect to New 6100
-
Apparently I'm missing something when trying to setup my new 6100. I ran through the wizard and setup the device with a static IP of 192.168.50.10 because I was trying to test it at my desk.
After the reload, I see I'm getting a 192.168.50.19 address and the device assigning me the default gateway of 192.168.50.10, but I can't connect to the GUI.
My computer is connected to LAN 1 and as of right now, nothing is connected to the WAN port. I wanted to set it up internally and then was hoping to just input the WAN static IP address and viola, minimal downtime.
I have no idea what I'm missing. Thank you!
-
The webgui is https by default but it should redirect you to that.
Can you ping it?
I would probably connect to the console to see what's happening there:
https://docs.netgate.com/pfsense/en/latest/solutions/netgate-6100/connect-to-console.htmlThe most common cause of that is a subnet conflict somewhere.
Steve
-
Moved from General pfSense Questions by
stephenw10
-
@stephenw10 said in Can't Connect to New 6100:
The webgui is https by default but it should redirect you to that.
Can you ping it?
I would probably connect to the console to see what's happening there:
https://docs.netgate.com/pfsense/en/latest/solutions/netgate-6100/connect-to-console.htmlThe most common cause of that is a subnet conflict somewhere.
Steve
Hi Steve. Thank you for the help. I am unable to ping it. I can successfully get into the console, but I'm not sure what to do when I'm in there. I went through the Set interface(s) IP address and changed it to 192.168.50.11 and then rebooted. Still nothing.
Now I'm getting a 192.168.50.100 address with a gateway of 192.168.50.11, but still no web GUI.
Thank you!
-
@spyderturbo007 said in Can't Connect to New 6100:
I can successfully get into the console, but I'm not sure what to do when I'm in there.
Let's start easy - can you post a screenshot of the console window?
-
What does the console show the LAN IP address to be?
Try to ping the other way, ping 192.168.50.100 from the console.
Does the client you're using have more than one network connection? There could be a conflict there.
Steve
-
@stephenw10 said in Can't Connect to New 6100:
What does the console show the LAN IP address to be?
Try to ping the other way, ping 192.168.50.100 from the console.
Does the client you're using have more than one network connection? There could be a conflict there.
Steve
I think I got it. It was me being dumb it appears. I'm trying to test this at my desk and my current Edgerouter is handing out 192.168.50.0/24 addresses. I set the WAN1 port to a static of 192.168.50.10 and also assigned LAN 1 with a subnet of 192.168.50.0/24. Whoops.
I used the console to change the LAN to 192.168.51.0/24 and all appears to be working.
I don't know if I should start a new thread with my new questions, or just post here?
-
What's the best way to handle testing a VPN with another location without breaking my current VPN? I'm not sure if this will work behind the current EdgeRouter or not?
-
My DC at this location is on the other side of the VPN. I have my current EdgeRouter handling DHCP and assigning clients a DNS server address for the DC. That allows us to access shares using \servername as opposed \IP address. Is there a better way to handle that? We haven't had any issues at all, but was curious.
Thanks everyone for the help! I have a long road with 3 locations, each getting a new 6100 all connected with VPNs. Yikes!
-
-
It's your thread.
To test a VPN I would initially set it up to a different local subnet so it doesn't conflict with the existing VPN. So your change to a LAN subnet of 192.168.51.0/24 should prevent a conflict there.
If it's an IPSec VPN then it will need to support NAT-T if it's behind the edgerouter.Using DHCP across a VPN is usually a bad idea. If that's what you mean.
If the VPN goes down clients on the other side can become unreachable.Steve
-
@stephenw10 Thank you. I might try the VPN when everyone leaves.
We don't use DHCP over the VPN. Right now the EdgeRouter handles DHCP, but it hands out DNS addresses to the clients of the domain controller on the other side of the VPN. So if the VPN went down, we would lose the ability to resolve DNS queries.
I wasn't sure if there was a better way. Someone mentioned a DNS forwarder at some point but I'm not sure if that would be relevant or not.
Thanks again for all the help!
-
Ah, OK. Yes, you would need to do that if you need remote clients to resolve local DHCP clients by hostname.
-
@stephenw10 Thank you. I wasn't sure if there was an easier way or not. On a happy note, I got the VPN working after everyone went home. I found a walkthrough on the Ubiquiti site for a pfsense to EdgeRouter VPN setup.
They have me setting it up with AES and SHA1, which I hope is secure enough? I can always change it when I deploy the other pfsense on the other side of the VPN if it isn't.
-
Yeah you can change it later but I wouldn't consider that secure any longer. AES is fine but SHA1 is deprecated pretty much everywhere. We use AES-128, SHA256 and DH group 14 as defaults now.
If you can use AES-GCM it incorporates the authentication anyway. -
Is there a way to easily migrate all the settings from an interface to another interface? I set my LAN up on LAN 1 but would like to move it to one of the 10G fiber ports. I don't have 10G internet, but I have SFP adapters laying around and it would free up a port in my switch.
I can't create a second interface with the same settings and was hoping there was an easy way to move everything from one interface to another.
-
You can just re-assign LAN as whichever port you want and all the interfaces settings will follow it.
You will have to unassign whatever is using ix0 or ix1 first.
-
So I would go into Interface -> Assignments and do it there?
I have these LAN ports:
LAN (igc0) which is the 1GB copper
10GFiberLAN (ix1) which is the 10G fiberDo I delete the igc0 and then use the drop down box to change 10GFiberLAN to igc0?
Thank you!
-
You would delete the ix1 assignment. So that's WAN4 by default. You need to do that first because you can't have the same NIC assigned more than once.
Then change the LAN assignment from igc0 to ix1.
Steve
-
Also make sure you have some other connection to the 6100 when you're doing that in case you have any problems linking to ix1.
-
@stephenw10 Well, I messed that one all up, but learned a few things.
- Apparently you can't use a 1G SFP adapter in a 10G port.
I tried switching to the WAN1 port and assigned the igc0 to the WAN1 interface. Unfortunately, it didn't work. I couldn't get anything out of the WAN1 port after making the change.
Unfortunately I couldn't plug it into my laptop to see if it was even handing out IP addresses.
Thoughts? It's not a big deal, but would free up that port in my switch.
-
You should be able to use 1G SFP module in ix0/1 but you might need to set the link speed to 1G in the interfaces settings. You might also need to down/up the NIC or replug the module but it should, always link at boot if it can.
-
Thank you for all the help!
I have 2 more of these to setup both of which are an a site with a domain controller running DHCP. If I wanted to make WAN3 the uplink to the switch, what do I choose for IPv4 Configuration Type?
I haven't set up a pfsense where the device wasn't also the DHCP server. I'm stuck on the Assignment configuration for the port.
-
It should still be a static IPv4 address. You always want the firewall to be a static IP so you can always access it even if the dhcp server goes down.
The only interfaces you might want to be a dhcp client would be the actual WAN if it is a DHCP type.