Can't Ping or ssh into pfsense, but ping out works (network uses subnets)



  • There are 3 boxes:

    Monitor, Pfsense, CradlePoint

    • Monitor must get his address from DHCP.  It has one ethernet port
    • Pfsense is an embedded install on a soekris with some scripts installed and r/w turned on.  It must look at data on the Monitor.  It has 4 ethernet ports.  It runs DHCP for the Wan Connection and the Lan connection.  I'm pretty sure the embedded nature of this install is irrelevant for the problem.
    • CradlePoint is a router that allows 3G access with a verizon usb modem.  It has wifi (ultimately turned off), and one ethernet connection.  It can (and does) run DHCP

    After much fussing (mostly problems with DHCP I think) I decided to put
    pfsense on its own subnet.  Here's what the addresses look like:

    Monitor ---------------------- Pfsense ------------------ CradlePoint --- 3G web
    192.168.1.202 - 192.168.1.100 - 192.168.0.123 - 192.168.0.1 -- 75.x.x.x

    As you can see the PFsense box has two ip addresses spanning the two subnets.

    Now the good news:  I can ping from the pfsense box to the internet.  I can get stuff off the Monitor to the Pfsense box.

    The bad news:  I can't ping from the CradlePoint to the pfsense box (both 192.168.1.100 and 192.1.123) I can't ssh from the outside world to the pfsense box. (FYI I have port forwarding set up on port 22 -> 7777 since verizon closes port 22 for ip address 192.168.0.123).  I also have a route on the CradlePoint (Destination is 192.168.1.0 gateway is 192.168.0.1 interface is lan).

    I clearly need another route somewhere, what is it?



  • Not clear from your diagram/explanation which is the default route to the internet?



  • By the default route do you mean where the internet is?  It goes out the CradlePoint to the 3G network.  That network is the 192.168.0.X network.  The 192.168.1.x network is internal.

    Thanks!

    Sandra



  • well, inability to ping the pfsense "wan" interface is not automatically a bad indication - that is disabled by default (you did not say you enabled that.)  you have port forwarding set on the 3g router for 7777 => 22 on the pfsense?  and you have an allow rule on the pfsense WAN for port tcp/7777?  and ssh is enabled?  sorry, but you haven't said what you have and haven't set up…



  • I think ping was working before, but I can't be sure.  Is there a line in the config.xml to turn that on?  Also I did turn on the ssh.  That worked before.  I tried telnet to the IP address on port 22 and that failed too.  Sorry, I'm still at loose ends here.

    Sandra



  • can the monitor access the outside world?  if the pfsense can access the outside world, this says to me it is not a routing issue.  rather than guess, can you post your rules and NAT?



  • Thank you for your response.  I was having trouble getting into the web configurator.  (I had good connectivity via the serial port.)  I had to come to the conclusion that something was deeply wrong with the configuration so I set the machine back to the factory defaults.  I then could get the web configurator to work!  OK, so I looked at it anew and tried the easier (and previously horribly unsuccessful) idea of getting everyone on the same subnet as the cradle point.  This time it worked.

    Here's roughly what I did; anyone who wants to use pfsense as a router (or, conceptually, a switch) wants to know this :)

    1. All DHCP was turned off (Both wan issued dhcp and lan issued dhcp).  WAN address is assigned via DHCP from the other router
    2. ssh was turned on
    3. There was some place where I could click make this act like a router.  I did that.
    4. I let addresses inside network route
    5. I configured the lan to allow it to bridge

    Maybe there was more.  Tell me if there is more for me to post to help other poor people in the future :)

    Sandra

    Here is my config.xml (from /cf/conf/config.xml)

    <pfsense>
      <version>3.0</version>
      <lastchange/>
      <theme>nervecenter</theme>
      <system>
        <optimization>normal</optimization>
        <hostname>pfSense</hostname>
        <domain>local</domain>
        <dnsallowoverride/>
        <username>admin</username>
        <password>$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.</password>
        <timezone>Etc/UTC</timezone>
        <time-update-interval>300</time-update-interval>
        <timeservers>0.pfsense.pool.ntp.org</timeservers>
        <webgui>
          <protocol>http</protocol>
          <certificate/>
          <private-key/>
        </webgui>
        <disablenatreflection>yes</disablenatreflection>
        <dnsserver>8.8.8.8</dnsserver>
        <dnsserver>8.8.4.4</dnsserver>
        <ssh>
          <authorizedkeys/>
        </ssh>
        <disablefilter>enabled</disablefilter>
        <enablesshd>yes</enablesshd>
        <maximumstates/>
        <shapertype/>
      </system>
      <interfaces>
        <lan>
          <if>vr0</if>
          <ipaddr>192.168.0.122</ipaddr>
          <subnet>24</subnet>
          <media/>
          <mediaopt/>
          <bandwidth>100</bandwidth>
          <bandwidthtype>Mb</bandwidthtype>
          <bridge>wan</bridge>
        </lan>
        <wan>
          <if>vr1</if>
          <mtu/>
          <blockbogons/>
          <media/>
          <mediaopt/>
          <bandwidth>100</bandwidth>
          <bandwidthtype>Mb</bandwidthtype>
          <spoofmac/>
          <disableftpproxy/>
          <ipaddr>dhcp</ipaddr>
          <dhcphostname/>
        </wan>
      </interfaces>
      <staticroutes/>
      <pppoe>
        <username/>
        <password/>
      </pppoe>
      <pptp>
        <username/>
        <password/>
        <local/>
      </pptp>
      <bigpond>
        <username/>
        <password/>
        <authserver/>
        <authdomain/>
        <minheartbeatinterval/>
      </bigpond>
      <dyndns>
        <type>dyndns</type>
        <username/>
        <password/>
      </dyndns>
      <dhcpd>
        <lan>
          <range>
            <from>192.168.1.10</from>
            <to>192.168.1.245</to>
          </range>
          <defaultleasetime/>
          <maxleasetime/>
          <netmask/>
          <failover_peerip/>
          <gateway/>
          <ddnsdomain/>
          <next-server/>
          <filename/>
        </lan>
      </dhcpd>
      <pptpd>
        <mode/>
        <redir/>
        <localip/>
      </pptpd>
      <ovpn/>
      <dnsmasq>
        <enable/>
      </dnsmasq>
      <snmpd>
        <syslocation/>
        <syscontact/>
        <rocommunity>public</rocommunity>
      </snmpd>
      <diag>
        <ipv6nat/>
      </diag>
      <bridge/>
      <syslog/>
      <nat>
        <ipsecpassthru>
          <enable/>
        </ipsecpassthru>
      </nat>
      <filter>
        <rule>
          <type>pass</type>
          <descr>Default LAN -> any</descr>
          <interface>lan</interface>
          <source>
            <network>lan</network>
          </source>
          <destination>
            <any/>
          </destination>
        </rule>
        <bypassstaticroutes/>
      </filter>
      <shaper/>
      <ipsec>
        <preferredoldsa/>
      </ipsec>
      <aliases/>
      <proxyarp/>
      <cron>
        <item>
          <minute>0</minute>
          <hour>*</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 newsyslog</command>
        </item>
        <item>
          <minute>1,31</minute>
          <hour>0-5</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 adjkerntz -a</command>
        </item>
        <item>
          <minute>1</minute>
          <hour>3</hour>
          <mday>1</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command>
        </item>
        <item>
          <minute>*/60</minute>
          <hour>*</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
        </item>
        <item>
          <minute>1</minute>
          <hour>1</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 /etc/rc.dyndns.update</command>
        </item>
        <item>
          <minute>*/60</minute>
          <hour>*</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot</command>
        </item>
        <item>
          <minute>*/5</minute>
          <hour>*</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/local/bin/checkreload.sh</command>
        </item>
        <item>
          <minute>*/5</minute>
          <hour>*</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/etc/ping_hosts.sh</command>
        </item>
        <item>
          <minute>*/140</minute>
          <hour>*</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/local/sbin/reset_slbd.sh</command>
        </item>
      </cron>
      <wol/>
      <installedpackages/>
      <rrd>
        <enable/>
      </rrd>
      <revision>
        <description>/services_dhcp.php made unknown change</description>
        <time>1261465505</time>
      </revision>
    </pfsense>
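The checklist an earlier reply put to the original poster (is sshd on, is there a port forward to tcp/22, is there a WAN pass rule that admits it, and is ICMP allowed on WAN, since pfSense drops pings to its WAN address unless a rule permits them) can be run against a config.xml mechanically instead of by eye. The script below is an added example written for this thread; it is not code from the thread or from pfSense. It parses a config.xml of the shape posted above with Python's standard xml.etree module. Both sample configurations are constructed here: one modelled on the posted config, one with the missing pieces added. The NAT rule fields external-port, target and local-port are the pfSense 1.2 port-forward names, and the addresses are the ones used in the thread.

```python
"""Audit a pfSense 1.2-style config.xml for the pieces remote ssh over a WAN
port forward needs. Added example for this thread; the sample configs are
constructed, not copied from the poster's box."""
import xml.etree.ElementTree as ET


def _text(el, path):
    """Text of the first element at path below el; '' when absent or empty."""
    node = el.find(path)
    return (node.text or "").strip() if node is not None else ""


def audit_remote_ssh(config_xml, ssh_port="22"):
    """Return a list of findings; an empty list means the checklist is satisfied."""
    root = ET.fromstring(config_xml)
    findings = []

    # <disablefilter> turns pf off altogether. With pf down neither the
    # filter rules nor the rdr (port forward) rules are loaded, so the box is
    # a plain router/bridge and the remaining checks cannot help.
    if root.find("./system/disablefilter") is not None:
        findings.append("packet filter disabled: firewall rules and NAT port "
                        "forwards are all inactive")

    # Nothing listens on 22 unless sshd is switched on.
    if _text(root, "./system/enablesshd") != "yes":
        findings.append("sshd is not enabled")

    # A WAN port forward whose local (translated) port is the ssh port.
    forwards = [r for r in root.findall("./nat/rule")
                if _text(r, "interface") == "wan"
                and _text(r, "protocol") == "tcp"
                and _text(r, "local-port") == ssh_port]
    if not forwards:
        findings.append(f"no WAN port forward to tcp/{ssh_port}")

    wan_pass = [r for r in root.findall("./filter/rule")
                if _text(r, "type") == "pass" and _text(r, "interface") == "wan"]

    def rule_admits(rule, proto, address, port):
        """A pass rule matches when each of its constraints is empty (any)
        or equal to the value asked about."""
        return (_text(rule, "protocol") in ("", proto)
                and _text(rule, "destination/address") in ("", address)
                and _text(rule, "destination/port") in ("", port))

    # pf applies rdr before filtering, so the WAN rule must match the
    # translated destination (target host, local port), not the external port.
    for fwd in forwards:
        target = _text(fwd, "target")
        if not any(rule_admits(p, "tcp", target, ssh_port) for p in wan_pass):
            findings.append(f"no WAN pass rule for tcp/{ssh_port} to {target}")

    if not any(_text(p, "protocol") in ("", "icmp") for p in wan_pass):
        findings.append("no WAN rule passing ICMP: pings to the WAN address are dropped")
    return findings


# Constructed sample modelled on the posted config: sshd on, packet filter
# disabled, a single LAN -> any rule, no NAT rules.
CONFIG_AS_POSTED = """<pfsense>
  <system>
    <hostname>pfSense</hostname>
    <disablefilter>enabled</disablefilter>
    <enablesshd>yes</enablesshd>
  </system>
  <nat></nat>
  <filter>
    <rule><type>pass</type><interface>lan</interface>
      <source><network>lan</network></source>
      <destination><any/></destination></rule>
  </filter>
</pfsense>"""

# Constructed variant with the filter on, the 7777 -> 192.168.0.123:22 forward,
# a WAN pass rule for the translated destination, and a WAN rule for echo requests.
CONFIG_FIXED = """<pfsense>
  <system>
    <hostname>pfSense</hostname>
    <enablesshd>yes</enablesshd>
  </system>
  <nat>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <external-port>7777</external-port>
      <target>192.168.0.123</target><local-port>22</local-port>
      <descr>ssh from the 3G side</descr></rule>
  </nat>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>192.168.0.123</address><port>22</port></destination></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>icmp</protocol>
      <icmptype>echoreq</icmptype>
      <source><any/></source><destination><any/></destination></rule>
    <rule><type>pass</type><interface>lan</interface>
      <source><network>lan</network></source>
      <destination><any/></destination></rule>
  </filter>
</pfsense>"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # audit a real config.xml, e.g. /cf/conf/config.xml
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(audit_remote_ssh(fh.read()) or ["ok"])
    else:
        for name, cfg in (("as posted", CONFIG_AS_POSTED), ("fixed", CONFIG_FIXED)):
            print(name, "->", audit_remote_ssh(cfg) or ["ok"])
```

Against the config shaped like the one posted, the first finding is the one that matters most: with the packet filter disabled, pf is not running, so the rdr rule behind the 7777 port forward is never loaded and no route change on the CradlePoint side can bring ssh back until that setting is turned off again.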



  • @scarrico:

    I also have a route on the CradlePoint (Destination is 192.168.1.0 gateway is 192.168.0.1 interface is lan).

    I clearly need another route somewhere, what is it?

    Unfortunately you haven't specified your network masks. But I suspect this route should really be something like
    Destination is 192.168.1.0/24 gateway is 192.168.0.123
    That is, to get to the 192.168.1.0/24 network, forward to 192.168.0.123
    (Forwarding to the IP address of the "lan" interface won't help get a packet to the 192.168.1.0/24 network. The route needs to specify the "next hop" on the path to the destination)

    @scarrico:

    The bad news:  I can't ping from the CradlePoint to the pfsense box (both 192.168.1.100 and 192.1.123)

    It may be just a typing mistake, but 192.1.123 is an invalid IP address so it is not surprising you didn't get a ping response.
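The next-hop point made in the reply above can be seen by simulating the lookup the CradlePoint performs. The following is an added example, not code from the thread: a longest-prefix-match lookup over a constructed routing table for the CradlePoint, with the two connected networks, a default route towards the 3G side (the 75.x.x.x addresses are placeholders) and the static route for 192.168.1.0/24 under test. It also generalises slightly beyond the thread by checking that a gateway itself sits on a connected network, which is the other common way a static route silently does nothing.

```python
"""Why the CradlePoint's route for 192.168.1.0/24 must point at the pfSense WAN
address (192.168.0.123) and not at the CradlePoint's own LAN address (192.168.0.1).
Added example for this thread; the 75.x.x.x values are placeholders."""
import ipaddress
from typing import Iterable, List, Optional, Set, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


class Route:
    """One table entry: prefix, next-hop gateway (None = directly connected), interface."""

    def __init__(self, prefix: str, gateway: Optional[str], interface: str):
        self.prefix = IPv4Net(prefix)
        self.gateway = IPv4Addr(gateway) if gateway else None
        self.interface = interface


def lookup(table: Iterable[Route], dst: IPv4Addr) -> Optional[Route]:
    """Longest-prefix match: the most specific route whose prefix contains dst."""
    matches = [r for r in table if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def decide(table: List[Route], dst: str, own: Set[str]) -> Tuple[str, str]:
    """What the router does with a packet for dst, given its own addresses.

    Returns ('connected', iface), ('forward', gateway) or ('drop', reason)."""
    dst_addr = IPv4Addr(dst)
    own_addrs = {IPv4Addr(a) for a in own}
    route = lookup(table, dst_addr)
    if route is None:
        return ("drop", "no route")
    if route.gateway is None:
        return ("connected", route.interface)
    if route.gateway in own_addrs:
        # The thread's original route: gateway 192.168.0.1 is the CradlePoint
        # itself. A next hop that is the router's own address never puts the
        # packet on the wire, so 192.168.1.x stays unreachable.
        return ("drop", "gateway is one of the router's own addresses")
    via = lookup(table, route.gateway)
    if via is None or via.gateway is not None:
        # A usable next hop must be on a directly connected network.
        return ("drop", "gateway is not on a connected network")
    return ("forward", str(route.gateway))


def cradlepoint_table(lan_subnet_gateway: str) -> List[Route]:
    """Constructed CradlePoint table: connected LAN and 3G networks, a default
    route upstream (placeholder addresses) and the static route under test."""
    return [
        Route("192.168.0.0/24", None, "lan"),
        Route("75.0.0.0/24", None, "3g"),        # placeholder for the 75.x.x.x side
        Route("0.0.0.0/0", "75.0.0.1", "3g"),    # placeholder upstream gateway
        Route("192.168.1.0/24", lan_subnet_gateway, "lan"),
    ]


# The CradlePoint's own addresses from the thread; 75.0.0.2 is a placeholder.
CRADLEPOINT_OWN = {"192.168.0.1", "75.0.0.2"}

if __name__ == "__main__":
    for gw in ("192.168.0.1", "192.168.0.123"):
        print(f"route 192.168.1.0/24 via {gw}:",
              decide(cradlepoint_table(gw), "192.168.1.100", CRADLEPOINT_OWN))
```

With the gateway set to 192.168.0.1 the packet for the Monitor is dropped at the CradlePoint; with 192.168.0.123 it is handed to pfSense, which has 192.168.1.0/24 directly connected. The same check explains the earlier question about the default route: traffic for the internet matches 0.0.0.0/0 and is forwarded to the 3G side, and the CradlePoint is the only box in the diagram with a route there.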



  • Is it possible to set the cradlepoint to be a bridge?  I am not sure I am understanding what you are doing, but it sounds like you are not using pfsense as a firewall anymore, so I am not sure what the point is?  Unless it is serving some other function?  Also, it isn't really useful to post the entire config.xml :)



  • Responses to the above two posts:

    First thanks to everyone for their replies!  It's nice to have help here.

    My network masks were all 255.255.255.0, also known as /24

    The invalid ip address was in fact a typing error: 192.168.0.123 was correct.

    The pfsense is really there to do some computing and serve as a switch (basically have two useful addressable physical ethernet ports).  The firewall was a nice to have for improved security.

    I'm hoping to be able to turn the firewall back on, but we'll see if it still works.

    Also for the future how does one properly specify the final configuration so others can learn? (Since the config.xml was a bit much)



  • If you have changed a small number of items, describe textually what you did (or for rules, post a screenshot of the page).

