How to configure WAN manually in command line mode?



  • 1. I just installed pfSense on a virtual machine over ESXi 4.1 and I want it to act as a firewall for all other machines.

    2. Our provider does not have DHCP, it only gives us values for
    IP, Network, Netmask, Gateway, Broadcast

    3. pfSense installation wizard does not allow me to input static WAN configuration
    3.1. … and neither to make web gui publicly available

    My goal is to configure WAN and to enable web gui available when I type my IP in my browser
    from another machine, then I hope to take it from there.

    p.s. Very basic knowledge of *nix. No knowledge of FreeBSD. Very good PHP knowledge.

    Can anyone instruct me on what to do in order to solve the problem?

    Thanks!
    Anton



  • I don't see why you cannot access the webGUI via the LAN IP, configure it, and then put it in production.



  • I believe he is looking to achieve remote access to the webGUI for admin purposes Tommyboy.

    I too have set up 2.0 in a vm on ESXi 4.1 and am having a different issue… (posted http://forum.pfsense.org/index.php/topic,27017.msg140655.html#msg140655) however I have successfully configured outside access to the webGUI for this vm pfsense.

    Assuming you have your 'live' ip assigned properly to the wan nic.... you need to add a rule under the firewall pull down menu similar to the following:

    ID   Proto   Source   Port   Destination   Port   Gateway   Queue   Schedule   Description
         TCP     *        *      WAN address   1445   *         none               HTML remote administration

    The port would equate to whatever port you have currently configured as the management port (default is 80 for http)

    As Tommyboy mentioned... you should be able to get to the webGUI admin page through the lan IP which is configured initially when installing the firmware to perform the above tasks.  Again... the default port is 80 so using something to the effect of http://192.168.0.1 should pop it up when accessing from within the lan.

    It should be noted that installing pfsense as a vm under ESXi adds another degree of difficulty to the equation.  It is not enough to assign the virtual 'nics' related to the pfsense installation but you also have to ensure proper correlation to the physical nics on the host machine or you will never have a complete path.  You may be better served by setting pfsense up on an available box (doesn't take much) to provide initial familiarization with the whole process without having the complexities of the host virtual server (ESXi) issues to deal with as well.  When installing pfsense it does prompt you for 'adding' the nics you have on the machine provided the vm has been set up with the proper number before installation of pfsense.  Once installed you then have a menu of which option 2 allows you to plug in your static IP addresses for WAN and LAN.

    If that doesn't get you there please post the configuration of your WAN nic along with your current 'rules' settings under firewall.

    Hope that helps
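
The rule in the post above passes TCP from any source to the webGUI port on the WAN address. As an added example (not part of the thread and not pfSense's own code), this Python audit reads an exported config.xml and flags WAN pass rules that cover the GUI port, noting any-source and plain-HTTP exposure. The XML element names are assumed to follow the usual config.xml layout, the function names are hypothetical, and the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element names assume the usual pfSense config.xml layout.
SAMPLE_CONFIG = """<pfsense>
  <system><webgui><protocol>http</protocol><port>1445</port></webgui></system>
  <filter>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><network>wanip</network><port>1445</port></destination>
      <descr>HTML remote administration</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><address>198.51.100.10</address></source>
      <destination><network>wanip</network><port>1445</port></destination>
      <descr>Admin from office only</descr>
    </rule>
  </filter>
</pfsense>"""

def port_matches(spec, port):
    """True if a rule's port spec (None = any, 'N' or 'A-B') covers port."""
    if not spec:
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def audit_webgui_exposure(config_xml):
    """Return (description, issues) for each WAN pass rule covering the GUI port."""
    root = ET.fromstring(config_xml)
    proto = root.findtext("system/webgui/protocol") or "http"
    port = int(root.findtext("system/webgui/port") or (443 if proto == "https" else 80))
    findings = []
    for rule in root.findall("filter/rule"):
        if (rule.findtext("type", "pass") != "pass" or rule.find("disabled") is not None
                or rule.findtext("interface") != "wan"
                or not port_matches(rule.findtext("destination/port"), port)):
            continue
        issues = []
        if rule.find("source/any") is not None:
            issues.append("any-source")      # reachable from the whole Internet
        if proto == "http":
            issues.append("cleartext-http")  # credentials cross the WAN unencrypted
        if issues:
            findings.append((rule.findtext("descr", ""), issues))
    return findings

if __name__ == "__main__":
    print(audit_webgui_exposure(SAMPLE_CONFIG))
```

A rule limited to a known admin source address and a GUI served over HTTPS produces no finding.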


  • Rebel Alliance Developer Netgate

    In 2.0 you can assign a static IP on the WAN (or any other interface) from the console menu, if the GUI isn't an option.



  • Hi hdokes and jimp.

    The problem is that I'm not familiar with FreeBSD at all and I do not know how to configure this WAN.

    Assuming you have your 'live' ip assigned properly to the wan nic

    There is no DHCP server, so I must put all rules in place manually, but I do not know how.

    All I have is this:
    http://i31.tinypic.com/2h534zo.png

    And I must do it manually from here.
    Can you please help me?


  • Rebel Alliance Developer Netgate

    The easiest thing to do would be to setup another VM "behind" it on the LAN side and then use that VM to access the GUI to complete the setup properly.

    You'd spend a lot less time doing that than trying to work in ways that aren't really intended, and could just cause further problems.



  • Thanks, if you say I'll save time - then going to try this.
    Will put updates soon…


  • Rebel Alliance Developer Netgate

    It's easy, download an ISO for Damn Small Linux, boot it, use a browser to get to the GUI. Shouldn't take much time at all.



  • Ok, I just installed Ubuntu on another virtual machine and navigated to 192.168.1.1 and I can see the welcome screen - it's the first step. Thank you very much for the advice.

    May I ask you about next configuration? It now asks me on the very first screen:

    Hostname
    Domain
    Primary DNS Server
    Secondary DNS Server

    … and I'm not sure if I must specify DNS ones given to me by my provider or not?
    Also, it's still magic to my brain if I'm free to input any hostname/domain,
    or it must be something specific?

    P.S. It may be very useful to put notices & tips like answers to my questions above
    for newbies like me - on each configuration wizard. I'm developing sites with 5000+ members
    and I can confirm that when you do wizards for zero-knowledge users, you save lots of time
    by preventing stupid questions in forums etc. This saves both users' and site owners' time.
    So maybe it's something to ask pfsense developers to do in next versions? Eg, more tips for newbies.

    P.P.S. Also, I was surprised that command line installation tool only autodetects WAN by DHCP
    and does not allow inputting values manually.

    Thank you very much for your help,
    Anton



  • @meglio:

    Hi hdokes and jimp.

    The problem is that I'm not familiar with FreeBSD at all and I do not know how to configure this WAN.

    Assuming you have your 'live' ip assigned properly to the wan nic

    There is no DHCP server, so I must put all rules in place manually, but I do not know how.

    All I have is this:
    http://i31.tinypic.com/2h534zo.png

    And I must do it manually from here.
    Can you please help me?

    meglio,  unless I am majorly missing something here… you never have to deal with freeBSD directly.  PFSense installs with a 'dos' based type menu system.  If you have loaded a system with ESXi and you have created a vm then you already have a console from which to see the PFSense menu after installation.  From that menu, which you can't avoid as it is the only 'console' interface immediately accessible to you after installing pfsense.  From that console interface, selection 1 allows you to define which nics are going to be WAN, LAN, and OPT (if used).  Selection 2 then allows you to set static IP's for your local LAN nic and the 'live' IP for the WAN nic.

    Again... if you already have an ESXi server configured and running... have already created the vm to accept the pfsense... then you have all you need there to do that which you are looking to do.  Have I missed something here?  Is the ESXi server already configured and running?  Do you already have the vm set up and have you 'installed' the pfsense to it from the booting CD or image?  If all these answers are yes... then it is really simple to complete the assigning of IP's to the nics through the menu.  Again.. no knowledge of freeBSD is required.


  • Rebel Alliance Developer Netgate

    @meglio:

    Hostname
    Domain
    Primary DNS Server
    Secondary DNS Server

    … and I'm not sure if I must specify DNS ones given to me by my provider or not?
    Also, it's still magic to my brain if I'm free to input any hostname/domain,
    or it must be something specific?

    DNS can be whatever DNS servers you want. Your ISPs, or others. Many people use OpenDNS or Google DNS (8.8.8.8 / 8.8.4.4)

    @meglio:

    P.S. It may be very useful to put notices & tips like answers to my questions above
    for newbies like me - on each configuration wizard. I'm developing sites with 5000+ members
    and I can confirm that when you do wizards for zero-knowledge users, you save lots of time
    by preventing stupid questions in forums etc. This saves both users' and site owners' time.
    So maybe it's something to ask pfsense developers to do in next versions? Eg, more tips for newbies.

    Might be something to look into.

    @meglio:

    P.P.S. Also, I was surprised that command line installation tool only autodetects WAN by DHCP
    and does not allow inputting values manually.

    As I said, this has already been fixed in 2.0, you can enter a static IP manually for WAN. (Though you still can't make a PPPoE or PPTP WAN from the command line yet)



  • @hdokes:

    Selection 2 then allows you to set static IP's for your local LAN nic and the 'live' IP for the WAN nic.

    Yes, I do have access to console (look at my screenshot provided), but I do not have option to set the 'live ip for the WAN' from command line console.

    @hdokes:

    1. Is the ESXi server already configured and running?
    2. Do you already have the vm set up and have you 'installed' the pfsense to it from the booting CD or image?
    3. If all these answers are yes… then it is really simple to complete the assigning of IP's to the nics through the menu.  Again.. no knowledge of freeBSD is required.

    1. yes.
    2. installed from cd, but not configured WAN static IP. But I think that now I'll be able to do it with access from another virtual machine in the same network.
    3. Maybe I missed something? I'm not running version #2 and, again, I cannot set live ip from that console
    Anyway, thanks for your advice!

    @jimp:

    As I said, this has already been fixed in 2.0, you can enter a static IP manually for WAN. (Though you still can't make a PPPoE or PPTP WAN from the command line yet)

    Would you recommend that I keep the stable 1.x version, and will it be safe & quick (and without additional administration troubles) to update to the 2.x version when it becomes stable?

    Thanks to all your fast answers, this really helps me a lot!


  • Rebel Alliance Developer Netgate

    @meglio:

    @jimp:

    As I said, this has already been fixed in 2.0, you can enter a static IP manually for WAN. (Though you still can't make a PPPoE or PPTP WAN from the command line yet)

    Would you recommend that I keep the stable 1.x version, and will it be safe & quick (and without additional administration troubles) to update to the 2.x version when it becomes stable?

    Thanks to all your fast answers, this really helps me a lot!

    I'd stay on 1.2.3 for production networks. Upgrading to 2.0 when it's released will be recommended at that point, but not just yet.



  • Ok, going through wizard…
    It asks me IP address for WAN and there is dropdown with /1, /2, /3 etc after IP address.

    If my public IP address group (given to our server) is x.x.x.240/28,
    so:
    240 - netmask
    241 - gateway
    242 - used for ESXI management traffic
    254 - used for IPMI control (KVM over LAN port)

    That means that I want to manage by my pfSense only traffic from x.x.x.243 to x.x.x.253

    Can you advise me on what to set up in this IP Address field for WAN configuration?

    Thanks,
    Anton
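
The address layout described in the post above can be checked with Python's ipaddress module. This is an added example, not part of the thread: 203.0.113.240/28 is a constructed stand-in for the poster's x.x.x.240/28, and plan_block is a hypothetical helper that separates the block's network, netmask and broadcast values from the reserved hosts and the addresses left over for pfSense.

```python
import ipaddress

# Constructed stand-in for the poster's x.x.x.240/28 (documentation range).
BLOCK = "203.0.113.240/28"
# Last octet -> role, as listed in the post.
RESERVED = {241: "gateway", 242: "ESXi management", 254: "IPMI"}


def plan_block(cidr, reserved):
    """Split an IPv4 block into its fixed addresses, reserved hosts and free pool."""
    net = ipaddress.ip_network(cidr)   # raises ValueError if host bits are set
    hosts = list(net.hosts())          # network and broadcast addresses excluded
    by_octet = {h.packed[-1]: h for h in hosts}
    roles = {}
    for octet, role in reserved.items():
        if octet not in by_octet:
            raise ValueError(f".{octet} is not an assignable host in {net}")
        roles[by_octet[octet]] = role
    return {
        "network": net.network_address,
        "netmask": net.netmask,
        "prefix": net.prefixlen,
        "broadcast": net.broadcast_address,
        "reserved": roles,
        "pool": [h for h in hosts if h not in roles],
    }


if __name__ == "__main__":
    plan = plan_block(BLOCK, RESERVED)
    print(f"network {plan['network']}/{plan['prefix']}  netmask {plan['netmask']}")
    print(f"broadcast {plan['broadcast']}")
    for addr, role in plan["reserved"].items():
        print(f"{addr}  {role}")
    pool = plan["pool"]
    print(f"free for pfSense: {pool[0]} - {pool[-1]} ({len(pool)} addresses)")
```

The prefix value is what goes in the /N dropdown next to the WAN IP address, and the free pool matches the .243 to .253 range named in the post.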



  • My bad meglio,

    I thought you were installing pfsense 2.0 on ESXi.  It allows you to send both IP's… LAN and WAN.  The ESXi environment is one I am setting up with a mirror image of a few of our servers with pfsense2.0 as a vm firewall on the same server with the intent of exercising it and trying to 'break' a basic configuration of the 2.0.  I just need someone to respond to my issue now of tying the lan to the wan for internet traffic that I have in another post from yesterday.

    I concur regarding sticking with the 1.xx version until 2.0 has been blessed for 'live' duty.



  • @meglio:

    Ok, going through wizard…
    It asks me IP address for WAN and there is dropdown with /1, /2, /3 etc after IP address.

    If my public IP address group (given to our server) is x.x.x.240/28,
    so:
    240 - netmask
    241 - gateway
    242 - used for ESXI management traffic
    254 - used for IPMI control (KVM over LAN port)

    That means that I want to manage by my pfSense only traffic from x.x.x.243 to x.x.x.253

    Are you looking for the pfsense box to be the primary firewall for all other devices on your LAN?  If so… you do not want the other devices to have 'live' IP addresses provided by your ISP... rather... you want one live IP, x.x.x.242 to be assigned to the wan side of your pfsense box.  Do not worry about the others at this time... if anything you might use them for DMZ purposes or to set up another unique network with its own firewall.  All devices on your LAN should have private IP's, ex. 192.168.x.x assigned to them and pointing (gateway) to 192.168.x.1 which should be the IP on the LAN nic of the PFSense setup.  Your WAN gateway should point to the IP of the next device up the chain (typically x.x.x.241) which should be the modem/router from your provider.  Allow me to repeat.... having live IP's on your internal devices defeats the purpose of your firewall.



  • hdokes, our configuration must be as follows:

    We have only one ESXi host and we want to use pfSense as a firewall for all virtual machines,
    except for a few IP addresses (explained next):

    242 - used for ESXI management traffic - does not need to be filtered by firewall (is this correct thinking?)

    254 - used for IPMI control (KVM over LAN port) - this also must be outside pfsense for sure,
    because we need access to IPMI even when server is down and virtual machines are not running.
    So there is no sense for pfsense to even listen to this ip address.

    Then 243 to 253 we want to divide into 2 logic groups with different approach.

    GROUP 1.
    Say 10 machines under 243 and 10 machines under 244 - these machines do not host sites
    and thus we can use your approach above (internal IPs).

    GROUP 2.
    Each virtual machine hosts different site or is owned by different user - needs to use
    one or few IP addresses between 245 and 253, so each IP from this group
    must be translated and routed exactly to one machine and must be not available for other machines at all.



  • Any ideas?

