Cant access pfSense web interface with new IP

Hyperion

Good day all...

I have imported my existing pfSense XML file to my new Netgate 4200 Firewall.
After doing some adjustment on the interface ports (due to interface mismatch), I have rebooted the FW.

Thru Putty I have monitored the reboot of pfSense.

Within Putty it now shows the IP accordingly, but I can not login to the web interface with that IP and Port.

Any suggestions why?

THX for any assistance, much appreciated.

the other

@Hyperion hey there,
nice piece of writing (Hyperion) btw... ;)

Are you trying http or https?
What error does your browser show?
Anti-lockout-rule active?

Hyperion

@the-other Trying with http & https

Browser ERR = Error: Connection failed
An error occurred when connecting to 192.168.1xx.x

How can I check if the Anti-lockout rule is active, if not logged in to the web interface?

the other

@Hyperion
anti-lockeout rule is enabled by default out of the box...so unless you manually changed that it should be in place...preventing a lock out.
here are some ideas:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/locked-out.html

Hyperion

My fault.. the title is misleading.

The proper title would be: cant connect to new IP after importing XML file into FW

The Doc provided by User "the other" unfortunately didnt help: https://docs.netgate.com/pfsense/en/latest/troubleshooting/locked-out.html

What am I trying to do:

1. I am connected to FW via Putty
2. within Putty pfSense shows LAN IP: 192.168.1xx.1/24
3. I am trying to access the pfSense web console via LAN IP address
   Browser ERR = Error: Connection failed
   An error occurred when connecting to 192.168.1xx.x
4. I am trying with http to Port 24 & 80 and https to Port 24 & 443
   all not working, the login page of the web interface not showing up.

If anyone has any idea on how to solve this I would highly appreciate any support.

Gertjan

@Hyperion said in Cant access pfSense web interface with new IP:

I am connected to FW via Putty

Using a serial port, accessing pfSense using the console port, right ?

@Hyperion said in Cant access pfSense web interface with new IP:

ithin Putty pfSense shows LAN IP: 192.168.1xx.1/24

Lol - hiding RFC1918 you are aware that we all use these :

** Welcome to Netgate pfSense Plus 24.03-RELEASE (amd64) on pfSense ***

  Current Boot Environment: 2403_Beta_20240326
     Next Boot Environment: 2403_Beta_20240326

 WAN (wan)     -> ix3    -> v4/DHCP4: 192.168.10.4/24
                            v6/DHCP6: 2a01:cb19:dead:beef:92ec:77ff:fe29:392a/64
 LAN (lan)     -> igc0   -> v4: 192.168.1.1/24
                            v6/t6: 2a01:cb19:dead:beef:92ec:77ff:fe29:392c/64
 IDRAC (opt1)  -> igc2   -> v4: 192.168.100.1/24
 PORTAL (opt2) -> igc1   -> v4: 192.168.2.1/24
 VPNS (opt3)   -> ovpns1 -> v4: 192.168.3.1/24

 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart GUI
 3) Reset admin account and password  12) PHP shell + Netgate pfSense Plus tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Disable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

@Hyperion said in Cant access pfSense web interface with new IP:

I am trying to access the pfSense web console via LAN IP address
Browser ERR = Error: Connection failed

You are skipping a very important step - or not telling us that you did it :
On the device you want to access pfSense, do :

C:\Users\Gauche>ipconfig /all

.......

Carte Ethernet Ethernet :

   Suffixe DNS propre à la connexion. . . : bhf.tld
   Description. . . . . . . . . . . . . . : Intel(R) Ethernet Connection (11) I219-LM
   Adresse physique . . . . . . . . . . . : A4-BB-6D-BA-16-A1
   DHCP activé. . . . . . . . . . . . . . : Oui
   Configuration automatique activée. . . : Oui
   Adresse IPv6. . . . . . . . . . . . . .: 2a01:cb19:dead:beef::c7(préféré)
   Bail obtenu. . . . . . . . . . . . . . : lundi 22 juillet 2024 13:33:27
   Bail expirant. . . . . . . . . . . . . : mardi 23 juillet 2024 20:18:26
   Adresse IPv6 de liaison locale. . . . .: fe80::daa9:bcf8:99cd:717e%11(préféré)
   Adresse IPv4. . . . . . . . . . . . . .: 192.168.1.6(préféré)
   Masque de sous-réseau. . . . . . . . . : 255.255.255.0
   Bail obtenu. . . . . . . . . . . . . . : lundi 22 juillet 2024 13:34:48
   Bail expirant. . . . . . . . . . . . . : mercredi 24 juillet 2024 07:15:25
   Passerelle par défaut. . . . . . . . . : fe80::92ec:77ff:fe29:392c%11
                                       192.168.1.1
   Serveur DHCP . . . . . . . . . . . . . : 192.168.1.1
   IAID DHCPv6 . . . . . . . . . . . : 346340205
   DUID de client DHCPv6. . . . . . . . : 00-01-00-01-26-59-DF-8D-A4-BB-6D-BA-16-A1
   Serveurs DNS. . .  . . . . . . . . . . : 2a01:cb19:dead:beef:92ec:77ff:fe29:392c
                                       192.168.1.1
   NetBIOS sur Tcpip. . . . . . . . . . . : Activé
   Liste de recherche de suffixes DNS propres à la connexion :
                                       bhf.tld

This shwos me that your device got an IP, in the valid betwork, and a DNS ( ! ) and a gateway ( ! ) both, 192.168.1.1 = pfSense.
This shows that everything on the DHCP side is working well.

On the pfSEnse console - use 'admin mode' (option 8) :

[24.03-RELEASE][root@pfSense.brit-hotel-fumel.net]/root: sockstat -4 | grep 'nginx'
root     nginx      69034 5   tcp4   *:443                 *:*
root     nginx      69034 7   tcp4   *:80                  *:*
root     nginx      68828 5   tcp4   *:443                 *:*
root     nginx      68828 7   tcp4   *:80                  *:*
root     nginx      68365 5   tcp4   *:443                 *:*
root     nginx      68365 7   tcp4   *:80                  *:*

This command shows that nginx, the GUI web server, is listening on all interfaces, ports TCP 80 and TCP 443.

@Hyperion said in Cant access pfSense web interface with new IP:

after importing XML file into FW

This pfSense config xml file came from the same device ?
If it came from another device, there might be an issue : if the original device had other NIC drivers, this different interface names, the ones called em0 or igc0 or whatever, then interfaces can't be created ... which means firewall can't be created which means .... you can't 'enter' no where ...

Worst case scenario solution : use the xml file to create the setup on your new 4200 from the ground up.
Best case scenario : edit the xml file so the interface reflect then new, 4200 based, NIC interface driver names.

Hyperion

@Gertjan said in

Using a serial port, accessing pfSense using the console port, right ?

USB to RJ45 Console, connected via COM4 to Putty (Serial) - pfSense
RJ45 from Laptop to igc1 = LAN (Port 2 on Netgate)

a) After initial setup of pfSense completed:

connection to default IP 192.168.1.1 = works

b) when logged in to the web interface I import the .XML file
Note: the main FW Hardware is a different type of device than Netgate 4200

c) after .XML has been loaded I assign the Interfaces accordingly
WAN = PPPOE0(igb2)
LAN = igc1
DMZ = igc0
Available network ports = igc2

d) Apply Changes and pfSense reboots

After Reboot
WAN = pppoe0 ->
LAN = igc1 -> 192.168.xxx.x/24
DMZ = igc0 -> 192.168.xxx.1/24

On the device you want to access pfSense, do :
C:\Users\Gauche>ipconfig /all

IPv4: 169.254.xx.xx (prefered)
Sub: 255.255.0.0
NetBIOS over TCP/IP: active
DHCP activé. . . . . . . . . . . . . . : Yes
Configuration automatique activée. . . : Yes
This are all IPs shown

[24.03-RELEASE][root@pfSense.home.arpa]/root: sockstat -4 | grep 'nginx'
root nginx 69475 5 tcp4 *:444 :
root nginx 69168 5 tcp4 *:444 :
root nginx 69150 5 tcp4 *:444 :

THX for your assistance, highly appreciated!

Gertjan

@Hyperion said in Cant access pfSense web interface with new IP:

LAN = igc1 -> 192.168.xxx.x/24
DMZ = igc0 -> 192.168.xxx.1/24

If xxx = xxx then that's a fail.
You mean :

LAN = igc1 -> 192.168.1.1/24
DMZ = igc0 -> 192.168.2.1/24

Right ?

Bingo :

@Hyperion said in Cant access pfSense web interface with new IP:

IPv4: 169.254.xx.xx (prefered)

that's your answer why 'nothing works'.
If not, click on what is 169.254.xx.xx to see what this means - read and understand : your PC can't get an DHCP lease. This means the DHCP server on pfSense isn't working - or isn't set up correctly.
So, starting a browser on a LAN device won't work, because : no valid IP, no DNS, no gateway.

Btw : about the preferred. A device that prefers an IP that is totally unusable for 'networking'.

@Hyperion said in Cant access pfSense web interface with new IP:

root nginx 69150 5 tcp4 *:444 :

Ah, ok, nice to know : you've set the web server port to the none default 444.

@Hyperion said in Cant access pfSense web interface with new IP:

WAN = pppoe0 ->

Your previous device used pppoe ,
My advise : don't import that pfSense config file from the previous device.
Do what I proposed above : use it as a config guide, and set up your 4200 manually.
Might take you a some time, but at least it will work right away.

Hyperion

SOLVED

It was partly my fault.
When importing the .XML file it configures the Interfaces per default of my other main FW Hardware.
That HW uses different assignment identification than the Netgate, therefore I have mismatched the Interface IDs.

Expl.:
Current HW Interface assignment
Port1 WAN = PPPoE0
Port2 LAN = igb1
Port3 DMZ = igb0
Port4 ANP = igb2

Netgate Interface assignment
Port1 WAN = PPPoE0
Port2 LAN = igc2
Port3 opt1 = igc3
Port4 opt2 = igc0