Netgate Discussion Forum

Can't Ping or ssh into pfsense, but ping out works (network uses subnets)

Category: Problems Installing or Upgrading pfSense Software
11 Posts 3 Posters 8.0k Views
    scarrico, Dec 21, 2009, 9:32 PM (last edited Dec 21, 2009, 9:58 PM)

    There are 3 boxes:

    Monitor, Pfsense, CradlePoint

    • Monitor must get his address from DHCP.  It has one ethernet port
    • Pfsense is an embedded install on a soekris with some scripts installed and r/w turned on.  It must look at data on the Monitor.  It has 4 ethernet ports.  It  runs DHCP for the Wan Connection and the Lan connection.  I'm pretty sure the embedded nature of this install is irrelevant for the problem.
    • CradlePoint is a router that allows 3G access with a verizon usb modem.  It has wifi (ultimately turned off), and one ethernet connection.  It can (and does) run DHCP

    After much fussing (mostly problems with DHCP, I think) I decided to put pfsense on its own subnet.  Here's what the addresses look like:

    Monitor ---------------------- Pfsense ------------------ CradlePoint --- 3G web
    192.168.1.202 - 192.168.1.100 - 192.168.0.123 - 192.168.0.1 -- 75.x.x.x

    As you can see the PFsense box has two ip addresses spanning the two subnets.

    Now the good news:  I can ping from the pfsense box to the internet.  I can get stuff off the Monitor to the Pfsense box.

    The bad news:  I can't ping from the CradlePoint to the pfsense box (both 192.168.1.100 and 192.1.123) I can't ssh from the outside world to the pfsense box. (FYI I have port forwarding set up on port 22 -> 7777 since verizon closes port 22 for ip address 192.168.0.123).  I also have a route on the CradlePoint (Destination is 192.168.1.0 gateway is 192.168.0.1 interface is lan).

    I clearly need another route somewhere, what is it?

      danswartz, Dec 21, 2009, 10:20 PM

      Not clear from your diagram/explanation which is the default route to the internet?

        scarrico, Dec 22, 2009, 1:10 AM

        By the default route, do you mean where the internet is?  It goes out the CradlePoint to the 3G network.  That network is the 192.168.0.X network.  The 192.168.1.x network is internal.

        Thanks!

        Sandra

          danswartz, Dec 22, 2009, 3:11 AM

          well, inability to ping the pfsense "wan" interface is not automatically a bad indication - that is disabled by default (you did not say you enabled that.)  you have port forwarding set on the 3g router for 7777 => 22 on the pfsense?  and you have an allow rule on the pfsense WAN for port tcp/7777?  and ssh is enabled?  sorry, but you haven't said what you have and haven't set up…

            scarrico, Dec 22, 2009, 3:19 AM

            I think ping was working before, but I can't be sure.  Is there a line in the config.xml to turn that on?  Also I did turn on the ssh.  That worked before.  I tried telnet to the IP address on port 22 and that failed too.  Sorry, I'm still at loose ends here.

            Sandra

              danswartz, Dec 22, 2009, 3:26 AM

              can the monitor access the outside world?  if the pfsense can access the outside world, this says to me it is not a routing issue.  rather than guess, can you post your rules and NAT?

                scarrico, Dec 22, 2009, 7:34 AM

                Thank you for your response.  I was having trouble getting into the web configurator.  (I had good connectivity via the serial port.)  I had to come to the conclusion that something was deeply wrong with the configuration, so I set the machine back to the factory defaults.  I then could get the web configurator to work!  OK, so I looked at it anew and tried the easier (and previously horribly unsuccessful) idea of getting everyone on the same subnet as the CradlePoint.  This time it worked.

                Here's roughly what I did, and anyone who wants to use pfsense as a router or conceptually a switch wants to know this :)

                1. All DHCP was turned off (both WAN-issued DHCP and LAN-issued DHCP).  The WAN address is assigned via DHCP from the other router.
                2. ssh was turned on
                3. There was some place where I could click make this act like a router.  I did that.
                4. I let addresses inside network route
                5. I configured the lan to allow it to bridge

                Maybe there was more.  Tell me if there is more for me to post to help other poor people in the future:)

                Sandra

                Here is my config.xml (from /cf/conf/config.xml)

                <pfsense>
                  <version>3.0</version>
                  <lastchange/>
                  <theme>nervecenter</theme>
                  <system>
                    <optimization>normal</optimization>
                    <hostname>pfSense</hostname>
                    <domain>local</domain>
                    <dnsallowoverride/>
                    <username>admin</username>
                    <password>$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.</password>
                    <timezone>Etc/UTC</timezone>
                    <time-update-interval>300</time-update-interval>
                    <timeservers>0.pfsense.pool.ntp.org</timeservers>
                    <webgui>
                      <protocol>http</protocol>
                      <certificate/>
                      <private-key/>
                    </webgui>
                    <disablenatreflection>yes</disablenatreflection>
                    <dnsserver>8.8.8.8</dnsserver>
                    <dnsserver>8.8.4.4</dnsserver>
                    <ssh>
                      <authorizedkeys/>
                    </ssh>
                    <disablefilter>enabled</disablefilter>
                    <enablesshd>yes</enablesshd>
                    <maximumstates/>
                    <shapertype/>
                  </system>
                  <interfaces>
                    <lan>
                      <if>vr0</if>
                      <ipaddr>192.168.0.122</ipaddr>
                      <subnet>24</subnet>
                      <media/>
                      <mediaopt/>
                      <bandwidth>100</bandwidth>
                      <bandwidthtype>Mb</bandwidthtype>
                      <bridge>wan</bridge>
                    </lan>
                    <wan>
                      <if>vr1</if>
                      <mtu/>
                      <blockbogons/>
                      <media/>
                      <mediaopt/>
                      <bandwidth>100</bandwidth>
                      <bandwidthtype>Mb</bandwidthtype>
                      <spoofmac/>
                      <disableftpproxy/>
                      <ipaddr>dhcp</ipaddr>
                      <dhcphostname/>
                    </wan>
                  </interfaces>
                  <staticroutes/>
                  <pppoe>
                    <username/>
                    <password/>
                  </pppoe>
                  <pptp>
                    <username/>
                    <password/>
                    <local/>
                  </pptp>
                  <bigpond>
                    <username/>
                    <password/>
                    <authserver/>
                    <authdomain/>
                    <minheartbeatinterval/>
                  </bigpond>
                  <dyndns>
                    <type>dyndns</type>
                    <username/>
                    <password/>
                  </dyndns>
                  <dhcpd>
                    <lan>
                      <range>
                        <from>192.168.1.10</from>
                        <to>192.168.1.245</to>
                      </range>
                      <defaultleasetime/>
                      <maxleasetime/>
                      <netmask/>
                      <failover_peerip/>
                      <gateway/>
                      <ddnsdomain/>
                      <next-server/>
                      <filename/>
                    </lan>
                  </dhcpd>
                  <pptpd>
                    <mode/>
                    <redir/>
                    <localip/>
                  </pptpd>
                  <ovpn/>
                  <dnsmasq>
                    <enable/>
                  </dnsmasq>
                  <snmpd>
                    <syslocation/>
                    <syscontact/>
                    <rocommunity>public</rocommunity>
                  </snmpd>
                  <diag>
                    <ipv6nat/>
                  </diag>
                  <bridge/>
                  <syslog/>
                  <nat>
                    <ipsecpassthru>
                      <enable/>
                    </ipsecpassthru>
                  </nat>
                  <filter>
                    <rule>
                      <type>pass</type>
                      <descr>Default LAN -> any</descr>
                      <interface>lan</interface>
                      <source>
                        <network>lan</network>
                      </source>
                      <destination>
                        <any/>
                      </destination>
                    </rule>
                    <bypassstaticroutes/>
                  </filter>
                  <shaper/>
                  <ipsec>
                    <preferredoldsa/>
                  </ipsec>
                  <aliases/>
                  <proxyarp/>
                  <cron>
                    <minute>0</minute>
                    <hour>*</hour>
                    <mday>*</mday>
                    <month>*</month>
                    <wday>*</wday>
                    <who>root</who>
                    <command>/usr/bin/nice -n20 newsyslog</command>
                    <minute>1,31</minute>
                    <hour>0-5</hour>
                    <mday>*</mday>
                    <month>*</month>
                    <wday>*</wday>
                    <who>root</who>
                    <command>/usr/bin/nice -n20 adjkerntz -a</command>
                    <minute>1</minute>
                    <hour>3</hour>
                    <mday>1</mday>
                    <month>*</month>
                    <wday>*</wday>
                    <who>root</who>
                    <command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command>
                    <minute>*/60</minute>
                    <hour>*</hour>
                    <mday>*</mday>
                    <month>*</month>
                    <wday>*</wday>
                    <who>root</who>
                    <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
                    <minute>1</minute>
                    <hour>1</hour>
                    <mday>*</mday>
                    <month>*</month>
                    <wday>*</wday>
                    <who>root</who>
                    <command>/usr/bin/nice -n20 /etc/rc.dyndns.update</command>
                    <minute>*/60</minute>
                    <hour>*</hour>
                    <mday>*</mday>
                    <month>*</month>
                    <wday>*</wday>
                    <who>root</who>
                    <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot</command>
                    <minute>*/5</minute>
                    <hour>*</hour>
                    <mday>*</mday>
                    <month>*</month>
                    <wday>*</wday>
                    <who>root</who>
                    <command>/usr/local/bin/checkreload.sh</command>
                    <minute>*/5</minute>
                    <hour>*</hour>
                    <mday>*</mday>
                    <month>*</month>
                    <wday>*</wday>
                    <who>root</who>
                    <command>/etc/ping_hosts.sh</command>
                    <minute>*/140</minute>
                    <hour>*</hour>
                    <mday>*</mday>
                    <month>*</month>
                    <wday>*</wday>
                    <who>root</who>
                    <command>/usr/local/sbin/reset_slbd.sh</command>
                  </cron>
                  <wol/>
                  <installedpackages/>
                  <rrd>
                    <enable/>
                  </rrd>
                  <revision>
                    <description>/services_dhcp.php made unknown change</description>
                    <time>1261465505</time>
                  </revision>
                </pfsense>

                  wallabybob, Dec 22, 2009, 8:25 AM
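The settings danswartz asked about (sshd on, a WAN allow rule, whether the filter is even running) can be read straight out of a config.xml like the one above. This is an added example, not code from the thread or from pfSense; the XML inside it is a constructed, trimmed copy of the shape Sandra posted, using the same tag names, and `audit` is a hypothetical helper.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed config in the shape of the posted one (assumption, not Sandra's file).
SAMPLE_CONFIG = """<pfsense>
  <system><enablesshd>yes</enablesshd><disablefilter>enabled</disablefilter></system>
  <interfaces>
    <lan><if>vr0</if><ipaddr>192.168.0.122</ipaddr><subnet>24</subnet><bridge>wan</bridge></lan>
    <wan><if>vr1</if><ipaddr>dhcp</ipaddr></wan>
  </interfaces>
  <dhcpd><lan><range><from>192.168.1.10</from><to>192.168.1.245</to></range></lan></dhcpd>
  <filter>
    <rule><type>pass</type><interface>lan</interface>
      <source><network>lan</network></source><destination><any/></destination></rule>
  </filter>
</pfsense>"""


def audit(xml_text, ssh_port="22"):
    """Return the facts danswartz asked for, plus the risky combinations."""
    root = ET.fromstring(xml_text)
    system = root.find("system")
    # Destination ports opened by WAN pass rules; a rule without <port> opens everything.
    wan_ports = [r.findtext("destination/port") or "any"
                 for r in root.findall("filter/rule")
                 if r.findtext("interface") == "wan" and r.findtext("type") == "pass"]
    facts = {
        "sshd_enabled": system.findtext("enablesshd") == "yes",
        "filter_disabled": system.find("disablefilter") is not None,
        "wan_pass_ports": wan_ports,
        "lan_bridged_to_wan": root.findtext("interfaces/lan/bridge") == "wan",
        "lan_dhcp_enabled": root.find("dhcpd/lan/enable") is not None,
    }
    # SSH answers on the WAN side if sshd is on and either the filter is off or a rule allows it.
    facts["ssh_open_on_wan"] = facts["sshd_enabled"] and (
        facts["filter_disabled"] or ssh_port in wan_ports or "any" in wan_ports)
    findings = []
    if facts["filter_disabled"]:
        findings.append("packet filter disabled: every listening service is reachable from WAN")
    if facts["lan_bridged_to_wan"]:
        findings.append("LAN bridged to WAN: the box behaves as a switch, not a router")
    if facts["sshd_enabled"] and not wan_ports and not facts["filter_disabled"]:
        findings.append("sshd on but no WAN pass rule: port-forwarded SSH will be dropped")
    facts["findings"] = findings
    return facts


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the posted config this reports sshd on, the filter disabled, LAN bridged to WAN and no DHCP server, which is exactly the "switch, not a firewall" state danswartz remarks on in the next post.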

                  @scarrico:

                  I also have a route on the CradlePoint (Destination is 192.168.1.0 gateway is 192.168.0.1 interface is lan).

                  I clearly need another route somewhere, what is it?

                  Unfortunately you haven't specified your network masks. But I suspect this route should really be something like
                  Destination is 192.168.1.0/24 gateway is 192.168.0.123
                  That is, to get to the 192.168.1.0/24 network, forward to 192.168.0.123
                  (Forwarding to the IP address of the "lan" interface won't help get a packet to the 192.168.1.0/24 network. The route needs to specify the "next hop" on the path to the destination)

                  @scarrico:

                  The bad news:  I can't ping from the CradlePoint to the pfsense box (both 192.168.1.100 and 192.1.123)

                  It may be just a typing mistake, but 192.1.123 is an invalid IP address, so it is not surprising you didn't get a ping response.

                    danswartz, Dec 22, 2009, 12:48 PM
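The next-hop point wallabybob makes above, as an added example that is not part of the thread: a small longest-prefix-match lookup over a constructed routing table for the CradlePoint, showing why a gateway of 192.168.0.1 (the CradlePoint's own LAN address) cannot deliver packets to 192.168.1.0/24 while 192.168.0.123 (the pfSense WAN address) can. The route lists, the local interface and the `next_hop` helper are assumptions built from the addresses in the thread.

```python
import ipaddress

# Constructed from the thread's diagram (assumption, not a captured routing table):
# the CradlePoint's LAN interface and two versions of its static route.
CRADLEPOINT_LAN = ipaddress.ip_interface("192.168.0.1/24")
ORIGINAL_ROUTES = [("192.168.0.0/24", None),             # directly connected
                   ("192.168.1.0/24", "192.168.0.1")]    # Sandra's route
CORRECTED_ROUTES = [("192.168.0.0/24", None),
                    ("192.168.1.0/24", "192.168.0.123")]  # wallabybob's next hop


def next_hop(routes, dst, local_if=CRADLEPOINT_LAN):
    """Longest-prefix match for dst over routes of (prefix, gateway).

    gateway None means the prefix is on-link. Returns (prefix, gateway, problem);
    problem is None when the chosen route can actually deliver the packet.
    """
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), g) for p, g in routes
               if dst in ipaddress.ip_network(p)]
    if not matches:
        return None, None, "no route to destination"
    net, gw = max(matches, key=lambda m: m[0].prefixlen)
    if gw is None:
        return str(net), None, None            # on-link: ARP for dst directly
    gw_addr = ipaddress.ip_address(gw)
    if gw_addr == local_if.ip:
        # The gateway is this router itself, so nothing is forwarded anywhere.
        return str(net), gw, "gateway is this router's own address"
    if gw_addr not in local_if.network:
        # A next hop must be reachable without further routing, i.e. on-link.
        return str(net), gw, "gateway is not on-link"
    return str(net), gw, None


def explain(routes, dst):
    """One-line verdict for a destination, for reading at the console."""
    net, gw, problem = next_hop(routes, dst)
    return f"{dst}: via {gw or 'on-link'} ({net}) " + (problem or "ok")


if __name__ == "__main__":
    for table in (ORIGINAL_ROUTES, CORRECTED_ROUTES):
        print(explain(table, "192.168.1.100"))
```

The corrected route only fixes the forward path; pfSense still has to accept the traffic on its WAN interface, which is the allow rule danswartz asks about earlier in the thread.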

                    Is it possible to set the CradlePoint to be a bridge?  I am not sure I am understanding what you are doing, but it sounds like you are not using pfsense as a firewall anymore, so I am not sure what the point is?  Unless it is serving some other function?  Also, it isn't really useful to post the entire config.xml :)

                      scarrico, Dec 22, 2009, 3:21 PM (last edited Dec 22, 2009, 3:24 PM)

                      Responses to the above two posts:

                      First thanks to everyone for their replies!  It's nice to have help here.

                      My network masks were all 255.255.255.0, also known as /24.

                      The invalid ip address was in fact a typing error: 192.168.0.123 was correct.

                      The pfsense is really there to do some computing and serve as a switch (basically have two useful addressable physical ethernet ports).  The firewall was a nice-to-have for improved security.

                      I'm hoping to be able to turn the firewall back on, but we'll see if it still works.

                      Also for the future how does one properly specify the final configuration so others can learn? (Since the config.xml was a bit much)

                        danswartz, Dec 22, 2009, 3:51 PM

                        If you have changed a small number of items, describe textually what you did (or for rules, post a screenshot of the page).

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.