Noob needs help please!



  • Hey guys,

    I'm building my first firewall using PFSense. I'm using an old E-machine with a Pentium 4 2 GHz processor and 2 GB of RAM. PFSense is installed on the hard drive. I have PFSense with SNORT up and running using two Gigabit network cards, and the WAN and LAN are running great; both are installed in the two PCI slots on the motherboard.

    Here's my issue: I'm trying to add the onboard NIC (Realtek) as OPT1. The system allows it to be added, and I have set up the IP, DHCP server and firewall rules. Under Status everything looks fine. For safe measure I rebooted the system, and OPT1 still shows good under Status. The issue is you cannot connect to it, ping it or anything, zippo. I was thinking possibly a bad onboard controller, so I disabled it in the BIOS and ran down and bought a Gigabit card for the one remaining PCI slot I have left; guess what, exact same issue. I even ran down and exchanged the card for another and it acts the same way. I tried the card in a Windows machine and it worked fine, so it isn't the card, and it leads me to believe there's nothing wrong with the onboard NIC either. I have even borrowed a card from another system and zippo, same issue: the system sees it, lets me configure it, but you can't connect to it. Any ideas??? All the cards are listed in the hardware compatibility list. Here's my config.

    WAN - DHCP

    LAN - IP 192.168.1.1

    OPT1 - IP 192.168.1.3

    Both are on the same subnet and the mask is 255.255.255.0

    Forgot to mention that in all cases the NIC does recognize whether it's connected or not (UP or DOWN status).

    Any help would be greatly appreciated!



  • What's the purpose of your OPT1? For another WAN or for an additional LAN? Why is it in the same subnet as your LAN?



  • @jikjik101:

    What's the purpose of your OPT1? For another WAN or for an additional LAN? Why is it in the same subnet as your LAN?

    It will be for a wireless router used as an access point. I already tried using the wireless tutorials; I thought it would be better to try a basic LAN port to figure out what the problem is, but nothing has worked. What do you suggest?



  • If you have a wireless AP and want to have it in the same subnet, just connect that device to the switch and don't use the WAN port; use only the LAN ports.

    If you want to have different subnets, then OPT1 should have a different IP subnet; connect the AP from its LAN ports to the pfSense OPT1 NIC. Set up DHCP on OPT1.



  • Disable the DHCP of your wireless router first to make it act as an AP. Connect a cable from the wireless router's LAN port to your pfSense LAN.

    Sir Metu already answered your question.



  • @jikjik101:

    Disable the DHCP of your wireless router first to make it act as an AP. Connect a cable from the wireless router's LAN port to your pfSense LAN.

    Sir Metu already answered your question.

    I have been using the router as an access point for months, connected to a cheap Netgear firewall, and it has been working great, so that's not the problem. The port on the PFSense firewall is configured and Status shows everything is in order, but you cannot connect to it in any way whatsoever, through wireless, LAN connection, etc. The reason I'm building this is cost, and the Netgear's throughput is horribly slow.



  • If you connect it to the LAN switch you should have connectivity?
    If this is the case, then you have no allow rules on OPT1.

    pfSense quick 101:
    LAN is the only NIC which has an automatic rule to allow traffic anywhere.
    Other NICs need rules to allow traffic.
    Rules work on ingress -> if you want OPT1 to behave differently, no matter where that traffic is sent, you put the rule on OPT1.



  • @Metu69salemi:

    Rules work on ingress -> if you want OPT1 to behave differently, no matter where that traffic is sent, you put the rule on OPT1.

    And if you change firewall rules you should also reset states: Diagnostics -> States, click on Reset states tab.



  • Highroller

    You have a basic network problem. You cannot have two ports on a router within the same address space. The router will not know which port to route traffic out of. I would guess that the router will always route traffic out of the lowest-cost port (meaning the fastest). If you would like to use a wireless router as an access point and keep the IPs in the same address space, you have a couple of things that you can do. Take your access point and connect it to your switch. Disable the DHCP in your wireless router and then connect from a switchport to a switchport on the back of your wireless router. I would also manually assign the LAN side of your access point an IP within the address space of your LAN NIC on your pfSense box so that you can manage it going forward.

    If you have third-party software on your wireless router like DD-WRT, then all you have to do is bridge your LAN and WAN ports and then connect your wireless router to your switch like normal, that is to say connect from a switchport to the WAN port on your wireless router, and you're done!

    Another way you can do this is to bridge your two LAN NICs (meaning put them in the same broadcast domain); that should accomplish what you are trying to do also. Then just connect from your second LAN NIC on the pfSense box to the switchport on the back of your wireless router. Make sure again that you have DHCP disabled and that you assign the LAN side of your wireless router an IP within your LAN's IP range so you can manage it.

    If you don't care about what IPs your wireless router gets, then just make another LAN in the pfSense box for your second NIC, for example 192.168.2.1/24, and you should be good. Remember to disable DHCP and connect from the switch to the LAN side of your wireless router, not the WAN side, and assign the LAN IP of your wireless router so that it is in the same address space as your second NIC. For example, in this case you could assign the wireless router 192.168.2.2. Remember to make your rules on the pfSense box to allow traffic out of this interface. I would also set the DHCP to be something like 192.168.2.100 - 199.

    Just some quick troubleshooting tools: if you are using Windows you can drop to the DOS prompt and try to ping the interface with the command "ping 192.168.x.x" (replace x with your IP). If you get no response, then use the command "arp -a" to see if you have a layer 2 connection. If you cannot see the MAC of the NIC on your pfSense box then you have a bigger issue. You are probably on a different broadcast domain.

    Hope this helps.
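The address-space problem described in this reply (LAN 192.168.1.1 and OPT1 192.168.1.3 both in 192.168.1.0/24) can be caught before a cable is ever plugged in. The following is an added example, not pfSense code and not from anyone in this thread; the two address plans are constructed, the DHCP pool mirrors the .100-.199 suggestion above.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed address plans, not from the thread's actual config export:
# BROKEN_PLAN is what the first post describes (LAN and OPT1 both in
# 192.168.1.0/24); FIXED_PLAN moves OPT1 to its own /24 as the reply suggests.
BROKEN_PLAN = {"WAN": None, "LAN": "192.168.1.1/24", "OPT1": "192.168.1.3/24"}
FIXED_PLAN = {"WAN": None, "LAN": "192.168.1.1/24", "OPT1": "192.168.2.1/24"}


def overlapping_interfaces(plan: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """Return pairs of interfaces whose directly connected subnets overlap.

    `plan` maps interface name to its address in CIDR form. An interface
    on DHCP (here WAN) has no static prefix, is given as None and skipped.
    """
    nets = {}
    for name, cidr in plan.items():
        if cidr is None:
            continue
        # strict=False accepts a host address and yields its network
        # (192.168.1.3/24 -> 192.168.1.0/24).
        nets[name] = ipaddress.ip_network(cidr, strict=False)
    names = sorted(nets)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                clashes.append((a, b))
    return clashes


def suggest_dhcp_pool(cidr: str, first: int = 100, count: int = 100) -> Tuple[str, str]:
    """Pick a DHCP range like .100-.199 that lies inside the interface's subnet."""
    hosts = list(ipaddress.ip_network(cidr, strict=False).hosts())
    if first < 1 or first + count - 1 > len(hosts):
        raise ValueError("pool does not fit inside %s" % cidr)
    return str(hosts[first - 1]), str(hosts[first + count - 2])


if __name__ == "__main__":
    print("overlaps in broken plan:", overlapping_interfaces(BROKEN_PLAN))
    print("overlaps in fixed plan:", overlapping_interfaces(FIXED_PLAN))
    print("OPT1 DHCP pool:", suggest_dhcp_pool(FIXED_PLAN["OPT1"]))
```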



  • @mikeisfly:

    Another way you can do this is to bridge your two LAN NICs (meaning put them in the same broadcast domain); that should accomplish what you are trying to do also. Then just connect from your second LAN NIC on the pfSense box to the switchport on the back of your wireless router. Make sure again that you have DHCP disabled and that you assign the LAN side of your wireless router an IP within your LAN's IP range so you can manage it.

    It's not quite that simple, but there's a thread in the Networking section about doing this. Really, though, it's only worthwhile if you want to do different firewall rules for wired and wireless. Otherwise plugging it into the switch is easier.



  • @mikeisfly:

    Highroller

    You have a basic network problem. You cannot have two ports on a router within the same address space. The router will not know which port to route traffic out of. I would guess that the router will always route traffic out of the lowest-cost port (meaning the fastest). If you would like to use a wireless router as an access point and keep the IPs in the same address space, you have a couple of things that you can do. Take your access point and connect it to your switch. Disable the DHCP in your wireless router and then connect from a switchport to a switchport on the back of your wireless router. I would also manually assign the LAN side of your access point an IP within the address space of your LAN NIC on your pfSense box so that you can manage it going forward.

    If you have third-party software on your wireless router like DD-WRT, then all you have to do is bridge your LAN and WAN ports and then connect your wireless router to your switch like normal, that is to say connect from a switchport to the WAN port on your wireless router, and you're done!

    Another way you can do this is to bridge your two LAN NICs (meaning put them in the same broadcast domain); that should accomplish what you are trying to do also. Then just connect from your second LAN NIC on the pfSense box to the switchport on the back of your wireless router. Make sure again that you have DHCP disabled and that you assign the LAN side of your wireless router an IP within your LAN's IP range so you can manage it.

    If you don't care about what IPs your wireless router gets, then just make another LAN in the pfSense box for your second NIC, for example 192.168.2.1/24, and you should be good. Remember to disable DHCP and connect from the switch to the LAN side of your wireless router, not the WAN side, and assign the LAN IP of your wireless router so that it is in the same address space as your second NIC. For example, in this case you could assign the wireless router 192.168.2.2. Remember to make your rules on the pfSense box to allow traffic out of this interface. I would also set the DHCP to be something like 192.168.2.100 - 199.

    Just some quick troubleshooting tools: if you are using Windows you can drop to the DOS prompt and try to ping the interface with the command "ping 192.168.x.x" (replace x with your IP). If you get no response, then use the command "arp -a" to see if you have a layer 2 connection. If you cannot see the MAC of the NIC on your pfSense box then you have a bigger issue. You are probably on a different broadcast domain.

    Hope this helps.

    Mikeisfly,

    I can’t thank you enough! This solved my connection issue. THANK YOU!

    Now, the reasoning behind this. This connection is for my son; in the past he has caused me a lot of grief with viruses and other issues that have affected my network. I would like to totally segregate this connection from the rest of my network. At this point, to get the system up, the firewall rule is passing all.

    He plays online computer games, plays online Xbox, uploads and downloads YouTube videos and other things of this nature. With this in mind, what should I pass and what should I block to protect my network? And how do I segregate this wireless connection from the rest of my network?

    My network consists of a media server and 4 desktops, all wired. Internet connection is 10 Mbps cable service.

    I have a managed Netgear 108 switch, I think that's the model; anyway it is a managed 8-port gigabit switch. Trashing the Netgear 318 firewall due to throughput issues.

    Thanks again



  • @Highroller:

    Mikeisfly,

    I can’t thank you enough! This solved my connection issue. THANK YOU!

    Now, the reasoning behind this. This connection is for my son; in the past he has caused me a lot of grief with viruses and other issues that have affected my network. I would like to totally segregate this connection from the rest of my network. At this point, to get the system up, the firewall rule is passing all.

    He plays online computer games, plays online Xbox, uploads and downloads YouTube videos and other things of this nature. With this in mind, what should I pass and what should I block to protect my network? And how do I segregate this wireless connection from the rest of my network?

    My network consists of a media server and 4 desktops, all wired. Internet connection is 10 Mbps cable service.

    I have a managed Netgear 108 switch, I think that's the model; anyway it is a managed 8-port gigabit switch. Trashing the Netgear 318 firewall due to throughput issues.

    Thanks again

    If you're running the wireless AP on a separate NIC with its own DHCP (not bridged), it's already segregated from your wired network. You'll be able to connect to it from the wired network, but not vice versa.

    As for blocking things, it really depends on how much you want to have to mess with it. You could go the standard router route and just block all inbound (the default) and allow all outbound. If you're worried about your son getting a virus, try installing HAVP. You can also add SquidGuard to help block malicious URLs.
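Two points in this thread are worth seeing side by side: Metu69salemi's "pfSense quick 101" (rules are matched on the ingress interface, and a non-LAN interface with no pass rule passes nothing) and the segregation question answered just above. The following is an added example, not pfSense's own code and not from any poster; it models first-match rule evaluation on OPT1 with the corrected addresses (OPT1 on 192.168.2.0/24, wired LAN on 192.168.1.0/24) and constructed host addresses. It shows that the "pass all" rule that got the link working also admits wireless hosts to the wired LAN, and that a block-to-LAN rule only segregates when it is ordered before the pass.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Assumed addresses: the corrected plan with OPT1 on 192.168.2.0/24 and the
# wired LAN on 192.168.1.0/24; the hosts used below are constructed.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OPT1_NET = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: ipaddress.IPv4Network  # source network the rule matches
    dst: ipaddress.IPv4Network  # destination network the rule matches


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """Rules on the ingress interface are tried in order; the first match wins.

    No matching rule falls through to the implicit default block, which is
    why a freshly added OPT1 with no rules passes nothing at all.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "block"


# OPT1 exactly as first configured in the thread: address and DHCP, no rules.
EMPTY_OPT1: List[Rule] = []
# The "pass all" rule that got the link working; it also admits OPT1 to the LAN.
PASS_ALL_OPT1 = [Rule("pass", OPT1_NET, ANY)]
# Segregated: deny the wired LAN first, then allow everything else (Internet).
SEGREGATED_OPT1 = [Rule("block", OPT1_NET, LAN_NET), Rule("pass", OPT1_NET, ANY)]
# Same two rules misordered: the broad pass matches first, the block never runs.
MISORDERED_OPT1 = [Rule("pass", OPT1_NET, ANY), Rule("block", OPT1_NET, LAN_NET)]


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Decision for one wireless host talking to the wired LAN and to the Internet."""
    return {
        "to_lan": evaluate(rules, "192.168.2.50", "192.168.1.10"),
        "to_internet": evaluate(rules, "192.168.2.50", "203.0.113.5"),
    }
```

After changing the rule set, existing connections keep their old verdict until states are reset, as noted earlier in the thread (Diagnostics -> States).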



  • Guys, I want to thank you for all the help!

    Problem solved, it was a simple matter of Firewall rules. Everything is working. Now I just have to figure out what firewall rules to apply to keep things safe.

    Thanks again!



  • What do you mean by safe?

    If you want a good way of blocking sites, you can try SquidGuard, ipblock or countryblock. Snort is also a good thing, but I found it "complicated".

