Netgate Discussion Forum
    502 Bad Gateway when PFSense connect WAN port.

    Yet_learningPFSense:

      I want to build a pfSense for my family and I am building it in a configuration with a LAN board with four ports, but I have connected a Lenovo notebook that has no internet connection to the on-board LAN, prevented it from logging in to Admin from the LAN board with four ports, and allowed it to access other ports. The LAN board with four ports is not allowed to log in to Admin, and access to the other ports is also not possible, and internet connection is allowed.

      I then connected the LAN of the wireless LAN parent connected to the ONU to the WAN of the pfSense, but I can no longer access Admin from the Lenovo connected via LAN, and a 502 Bad Gateway error is being displayed. What I would like to ask is whether the 502 Bad Gateway error occurs in a normal setup like this, and how to deal with this issue - if I restart pfSense, I can access it again.

      [screenshot]

      stephenw10 (Netgate Administrator):

        No it's not normal to see errors like that.

        Need a lot more info about your setup but the first thing I'd check for is a subnet conflict between pfSense and the upstream router you're connecting it to.

        Steve

        Yet_learningPFSense @stephenw10:

          @stephenw10 Thanks. The cause of the problem remains unknown, but it seems to happen when I connect a terminal to the LAN board. The interface setting on the port side of the LAN board was DHCP, so I changed this to a static IP and set it to 192.168.2.1/24, then I also connected the WAN. Admin's 502 Bad Gateway did not happen anymore. Not sure why.

          I had asked a question here before and had set up a "You can only enter Admin from this port" setting, and I am setting it up in the same way this time. However, I can't browse the web even if I connect my PC to the port on the LAN board (let's say OPT1-TV), because it might be a problem with the LAN board.

          I am getting this error. The configuration review I have done is: configure DHCP on the OPT1-TV side as well, and switch the FireWall from ISC to the new type of Firewall. This is also the first time that the IP address 169.254.112.167 has appeared in the Firewall logs,

          so I am at a loss as to what to do. If I find any other screenshots I need, I will post them here. Can I somehow at least get an internet connection? I am having trouble getting it to work as well as it has so far.

          stephenw10 (Netgate Administrator):

            When you say 'LAN board' do you mean that quad port NIC you have added?

            Very unlikely to be that if it passes any traffic at all. Which it does if DHCP is working.

            What firewall rules do you have on the OPT1-TV interface?

            The firewall logs show it blocking access from that link local address which implies dhcp is not working. But since it sees that traffic the NIC is passing it.

            Yet_learningPFSense @stephenw10:

              @stephenw10

              The LAN board is a quad-port NIC. I have taken a picture of the firewall rules and will post it here. I currently have internet communication with this setting on the other pfSense I am using in my room.

              I have a firewall configuration like this. I would like to know if there is anywhere I should change the settings.

              stephenw10 (Netgate Administrator):

                Ok that allow all IPv4 rule will pass traffic there no problem.

                So the fact it was seeing traffic from an APIPA address (169.254) implies some Windows clients couldn't pull a dhcp lease. What dhcp settings do you have on OPT1-TV?

                If you check Status > DHCP Leases do you see clients on OPT1-TV?

                Yet_learningPFSense @stephenw10:

                  @stephenw10 I see that the client and the IP address given are displayed. Normally, I would expect the website to be able to be displayed at this point...

                  OPT1-TV's client notebook PC is allocated an IP address.

                  Yet_learningPFSense @Yet_learningPFSense:

                    @Yet_learningPFSense The port number was listed in the address field, so I will upload a hidden version.

                    [screenshot]

                    stephenw10 (Netgate Administrator):

                      OK that looks good. Can you ping out from that client at 192.168.2.11? If not how does it fail?

                      Yet_learningPFSense @stephenw10:

                        @stephenw10

                        I'm getting no response when I ping. If I switch the line that connects to the WAN of the pfSense and the 192.168.2.11 terminal, I can browse the net immediately.

                        [screenshot]

                        stephenw10 (Netgate Administrator):

                          It looks like the client has no gateway. Did you set a gateway in the dhcp settings for OPT1-TV? It should use the interface IP address by default if no gateway is set. If you set an invalid gateway the client will ignore it.

                          Yet_learningPFSense @stephenw10:

                            @stephenw10

                            Thank you. It seems that I had not configured the default gateway. The 3 ports we were using before were a disaster, as we only needed LAN to be configured out of the WAN / LAN / Admin only ports. I have set it up and it is now logged in the firewall.

                            However, it seems that communication on 443/53 is allowed, but the web page does not appear to be displayed. At first, the Windows network icon was in the "connected" state, but after a while, it changed to the "forbidden" state. Also, the WAN is constantly logging blocked access to port 1900. I don't think that my Netgate-1100 logs anything like that...

                            [screenshot]

                            stephenw10 (Netgate Administrator):

                              Those blocks on WAN are from the upstream router sending UPnP discovery packets. They are blocked because all traffic from private networks is blocked by default on a WAN. You can change that setting in the WAN interface settings.

                              Does ping work? Do you see anything else blocked when the client shows it as 'forbidden'?

                              Yet_learningPFSense @stephenw10:

                                Thank you @stephenw10,

                                Ping is not getting through to 8.8.8.8, and the web is also getting DNS errors and timeout errors.

                                I was able to turn off the error on port 1900 on the WAN in the Status > Firewall log.

                                [screenshot]

                                stephenw10 (Netgate Administrator):

                                  What error do you see on the client when you try to ping 8.8.8.8? Do you see that blocked in the firewall log?

                                  Yet_learningPFSense @stephenw10:

                                    @stephenw10

                                    When I ping 8.8.8.8 I get a "TTL expired in transit" error. I have also included the firewall logs for the case where the DNS server is set to 192.168.2.1 and 8.8.8.8/8.8.4.4. It seems to be getting through...

                                    [screenshot]

                                    stephenw10 (Netgate Administrator) @Yet_learningPFSense:

                                      @Yet_learningPFSense said in "502 Bad Gateway when PFSense connect WAN port.":

                                          I get a "TTL expired in transit"

                                      What is that coming from? The pfSense interface IP? That almost always implies some sort of routing loop, though it could be the client sending a very low TTL packet.

                                      Yet_learningPFSense @stephenw10:

                                        @stephenw10 This is the error that came back after pinging from a laptop connected to OPT1-TV, which is given the address 192.168.2.11. If it is looping back, should I review my routing settings? I have not configured anything related to routing so far, as it is the default in pfSense.

                                        stephenw10 (Netgate Administrator):

                                          Usually when you see a TTL error though it will come back from a specific IP in the route showing where the loop is. For example something like:

                                              ping 172.27.254.93 source 172.21.254.94
                                              PING 172.27.254.93 (172.27.254.93) from 172.21.254.94 : 56(84) bytes of data.
                                              36 bytes from 172.23.56.1 icmp_seq=1 Time to live exceeded

                                          Shows that the router at 172.23.56.1 was trying to route the packet when it arrived with TTL 1 and couldn't be routed.
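As an added example (not code from the thread or from Netgate), a small parser that applies Steve's reading of "TTL exceeded" replies to raw ping output from either a Linux or a Windows client: it reports which hop returned the TTL-exceeded message, so you know whose routing table to inspect first. The Linux sample is the one quoted above; the Windows sample and the function name are constructed for this example.

```python
import re
from typing import Dict, List

# Accept the form quoted in the thread ("36 bytes from X icmp_seq=1 Time to live exceeded"),
# the iputils form ("From X icmp_seq=1 Time to live exceeded") and the Windows form
# ("Reply from X: TTL expired in transit.").
TTL_EXCEEDED = re.compile(
    r"^(?:\d+ bytes from|From|Reply from) (?P<hop>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?: \([\d.]+\))?:?\s*(?:icmp_seq=\d+ Time to live exceeded|TTL expired in transit)"
)
# Normal echo replies on Linux ("... ttl=117 time=12.3 ms") and Windows ("... time=12ms TTL=117").
ECHO_REPLY = re.compile(
    r"^(?:\d+ bytes from|Reply from) \d{1,3}(?:\.\d{1,3}){3}.*(?:ttl=\d+ time=|time[=<]\d+ms TTL=\d+)"
)
NO_REPLY = re.compile(r"^(?:Request timed out|no answer yet|.*Destination host unreachable)", re.I)


def classify_ping(output: str) -> Dict[str, object]:
    """Return a verdict and the hop that reported TTL exhaustion: the loop participant
    where the TTL reached zero (172.23.56.1 in the thread's sample), so start there."""
    reporters: List[str] = []
    replies = timeouts = 0
    for line in output.splitlines():
        line = line.strip()
        m = TTL_EXCEEDED.match(line)
        if m:
            reporters.append(m.group("hop"))
        elif ECHO_REPLY.match(line):
            replies += 1
        elif NO_REPLY.match(line):
            timeouts += 1
    if reporters:
        return {"status": "loop", "reporter": reporters[0], "count": len(reporters)}
    if replies:
        return {"status": "ok", "reporter": None, "count": replies}
    if timeouts:
        return {"status": "no_reply", "reporter": None, "count": timeouts}
    return {"status": "unknown", "reporter": None, "count": 0}


# LINUX_SAMPLE is the output quoted in the thread; WINDOWS_SAMPLE is constructed to mirror
# the OP's case (client 192.168.2.11 pinging 8.8.8.8 through pfSense at 192.168.2.1).
LINUX_SAMPLE = """PING 172.27.254.93 (172.27.254.93) from 172.21.254.94 : 56(84) bytes of data.
36 bytes from 172.23.56.1 icmp_seq=1 Time to live exceeded
36 bytes from 172.23.56.1 icmp_seq=2 Time to live exceeded
"""
WINDOWS_SAMPLE = """Pinging 8.8.8.8 with 32 bytes of data:
Reply from 192.168.2.1: TTL expired in transit.
"""
```

If the reporter is the pfSense interface address itself, the loop involves pfSense and its upstream, which is where the subnet-conflict check from earlier in the thread applies.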

                                          Yet_learningPFSense @stephenw10:

                                            @stephenw10

                                            ping 172.27.254.93 source 172.21.254.94 with Windows cmd, but I seem to get an error.

                                            The ping to 8.8.8.8 itself remains as allowed in the firewall log. DNS packets sent to the DNS server from 192.168.2.1 are also allowed, and DNS query packets from 192.168.2.11 to 192.168.2.1 are also going through. Hmmm... where is the disconnect?

                                            [screenshot]
                                            [screenshot]
