    Noob needs help please!

      Highroller

      Hey guys,

      I'm building my first firewall using pfSense. I'm using an old eMachines box with a Pentium 4 2 GHz processor and 2 GB of RAM. pfSense is installed on the hard drive. I have pfSense with Snort up and running using two Gigabit network cards, and the WAN and LAN are running great; both are installed in the two PCI slots on the motherboard.

      Here's my issue: I'm trying to add the onboard NIC (Realtek) as OPT1. The system allows it to be added, and I have set up the IP, DHCP server and firewall rules. Under Status everything looks fine. For good measure I rebooted the system, and OPT1 still shows good under Status. The issue is you cannot connect to it, ping it or anything, zippo. I was thinking possibly a bad onboard controller, so I disabled it in the BIOS and ran down and bought a Gigabit card for the one remaining PCI slot I have left. Guess what, exact same issue. I even ran down and exchanged the card for another and it acts the same way. I tried the card in a Windows machine and it worked fine, so it isn't the card, and it leads me to believe there's nothing wrong with the onboard NIC either. I have even borrowed a card from another system and zippo, same issue: the system sees it, lets me configure it, but you can't connect to it. Any ideas??? All the cards are listed in the hardware compatibility list. Here's my config.

      WAN - DHCP

      LAN - IP 192.168.1.1

      OPT1 - IP 192.168.1.3

      Both are on the same subnet and the mask is 255.255.255.0

      Forgot to mention that in all cases the NIC does recognize whether it's connected or not (UP or DOWN status).

      Any help would be greatly appreciated!

        jikjik101

        What's the purpose of your OPT1? For another WAN or for an additional LAN? Why is it in the same subnet as your LAN?

          Highroller

          @jikjik101:

          What's the purpose of your OPT1? For another WAN or for an additional LAN? Why is it in the same subnet as your LAN?

          It will be for a wireless router used as an access point. I already tried using the wireless tutorials; I thought it would be better to try a basic LAN port to figure out what the problem is, but nothing has worked. What do you suggest?

            Metu69salemi

            If you have a wireless AP and want to have it in the same subnet, just connect that device to the switch and don't use its WAN port; use only the LAN ports.

            If you want to have different subnets, then OPT1 should have a different IP subnet; connect the AP from its LAN ports to the pfSense OPT1 NIC and set up DHCP on OPT1.

              jikjik101

              Disable the DHCP of your wireless router first so it acts as an AP. Connect a cable from the wireless router LAN port to your pfSense LAN.

              Sir Metu already answered your question.

                Highroller

                @jikjik101:

                Disable the DHCP of your wireless router first so it acts as an AP. Connect a cable from the wireless router LAN port to your pfSense LAN.

                Sir Metu already answered your question.

                I have been using the router as an access point for months, connected to a cheap Netgear firewall, and it has been working great; that's not the problem. The port on the pfSense firewall is configured and Status shows everything is in order, but you cannot connect to it in any way whatsoever, through wireless, LAN connection, etc. The reason I'm building this is cost, and the Netgear's throughput is horribly slow.

                  Metu69salemi

                  If you connect it to the LAN switch you should have connectivity?
                  If this is the case, you have no allow rules on OPT1 then.

                  pfSense quick 101:
                  LAN is the only NIC which has an automatic rule to allow traffic anywhere.
                  Other NICs need rules to allow traffic.
                  Rules work on ingress -> if you want OPT1 to work differently no matter where that traffic is sent, you put the rule on OPT1.

                    wallabybob

                    @Metu69salemi:

                    Rules work on ingress -> if you want OPT1 to work differently no matter where that traffic is sent, you put the rule on OPT1.

                    And if you change firewall rules you should also reset states: Diagnostics -> States, click on Reset states tab.

                      mikeisfly

                      Highroller

                      You have a basic network problem. You cannot have two ports on a router within the same address space. The router will not know which port to route traffic out of. I would guess that the router will always route traffic out of the lowest cost port (meaning the fastest). If you would like to use a wireless router as an access point and keep the IPs in the same address space, you have a couple of things that you can do. Take your access point and connect it to your switch. Disable the DHCP in your wireless router and then connect from a switch port to a switch port on the back of your wireless router. I would also manually assign the LAN side of your access point an IP within the address space of your LAN NIC on your pfSense box so that you can manage it going forward.

                      If you have 3rd party software on your wireless router like DD-WRT, then all you have to do is bridge your LAN and WAN ports and then connect your wireless router to your switch like normal, that is to say connect from a switch port to the WAN port on your wireless router, and you're done!

                      Another way you can do this is to bridge your two LAN NICs (meaning put them in the same broadcast domain); that should accomplish what you are trying to do also. Then just connect from your second LAN NIC on the pfSense box to the switch port on the back of your wireless router. Make sure again that you have DHCP disabled and that you assign the LAN side of your wireless router an IP within your LAN's IP range so you can manage it.

                      If you don't care about what IPs your wireless router gets, then just make another LAN in the pfSense box for your second NIC, for example 192.168.2.1/24, and you should be good. Remember to disable DHCP and connect from the switch to the LAN side of your wireless router, not the WAN side, and assign the LAN IP of your wireless router so that it is in the same address space as your second NIC. For example, in this case you could assign the wireless router 192.168.2.2. Remember to make your rules on the pfSense box to allow traffic out of this interface. I would also set the DHCP range to be something like 192.168.2.100 - 199.

                      Just some quick troubleshooting tools: if you are using Windows you can drop to the DOS prompt and try to ping the interface with the command "ping 192.168.x.x" (replace x with your IP). If you get no response, then use the command "arp -a" to see if you have a layer 2 connection. If you cannot see the MAC of the NIC on your pfSense box then you have a bigger issue; you are probably on a different broadcast domain.

                      Hope this helps.

                        Bai Shen

                        @mikeisfly:

                        Another way you can do this is to bridge your two LAN NICs (meaning put them in the same broadcast domain); that should accomplish what you are trying to do also. Then just connect from your second LAN NIC on the pfSense box to the switch port on the back of your wireless router. Make sure again that you have DHCP disabled and that you assign the LAN side of your wireless router an IP within your LAN's IP range so you can manage it.

                        It's not quite that simple, but there's a thread in the Networking section about doing this.  Really, though, it's only worthwhile if you want to do different firewall rules for wired and wireless.  Otherwise plugging it into the switch is easier.

                          Highroller

                          @mikeisfly:

                          Highroller

                          You have a basic network problem. You cannot have two ports on a router within the same address space. The router will not know which port to route traffic out of. I would guess that the router will always route traffic out of the lowest cost port (meaning the fastest). If you would like to use a wireless router as an access point and keep the IPs in the same address space, you have a couple of things that you can do. Take your access point and connect it to your switch. Disable the DHCP in your wireless router and then connect from a switch port to a switch port on the back of your wireless router. I would also manually assign the LAN side of your access point an IP within the address space of your LAN NIC on your pfSense box so that you can manage it going forward.

                          If you have 3rd party software on your wireless router like DD-WRT, then all you have to do is bridge your LAN and WAN ports and then connect your wireless router to your switch like normal, that is to say connect from a switch port to the WAN port on your wireless router, and you're done!

                          Another way you can do this is to bridge your two LAN NICs (meaning put them in the same broadcast domain); that should accomplish what you are trying to do also. Then just connect from your second LAN NIC on the pfSense box to the switch port on the back of your wireless router. Make sure again that you have DHCP disabled and that you assign the LAN side of your wireless router an IP within your LAN's IP range so you can manage it.

                          If you don't care about what IPs your wireless router gets, then just make another LAN in the pfSense box for your second NIC, for example 192.168.2.1/24, and you should be good. Remember to disable DHCP and connect from the switch to the LAN side of your wireless router, not the WAN side, and assign the LAN IP of your wireless router so that it is in the same address space as your second NIC. For example, in this case you could assign the wireless router 192.168.2.2. Remember to make your rules on the pfSense box to allow traffic out of this interface. I would also set the DHCP range to be something like 192.168.2.100 - 199.

                          Just some quick troubleshooting tools: if you are using Windows you can drop to the DOS prompt and try to ping the interface with the command "ping 192.168.x.x" (replace x with your IP). If you get no response, then use the command "arp -a" to see if you have a layer 2 connection. If you cannot see the MAC of the NIC on your pfSense box then you have a bigger issue; you are probably on a different broadcast domain.

                          Hope this helps.

                          Mikeisfly,

                          I can’t thank you enough! This solved my connection issue. THANK YOU!

                          Now, the reasoning behind this. This connection is for my son; in the past he has caused me a lot of grief with viruses and other issues that have affected my network. I would like to totally segregate this connection from the rest of my network. At this point, to get the system up, the firewall rule is passing all.

                          He plays online computer games, plays online Xbox, uploads and downloads YouTube videos and other things of this nature. With this in mind, what should I pass and what should I block to protect my network? And how do I segregate this wireless connection from the rest of my network?

                          My network consists of a media server and 4 desktops, all wired. The Internet connection is 10 Mbps cable service.

                          I have a managed Netgear 108 switch, I think that's the model; anyway, it is a managed 8-port gigabit switch. I'm trashing the Netgear 318 firewall due to throughput issues.

                          Thanks again

                            Bai Shen

                            @Highroller:

                            Mikeisfly,

                            I can’t thank you enough! This solved my connection issue. THANK YOU!

                            Now, the reasoning behind this. This connection is for my son; in the past he has caused me a lot of grief with viruses and other issues that have affected my network. I would like to totally segregate this connection from the rest of my network. At this point, to get the system up, the firewall rule is passing all.

                            He plays online computer games, plays online Xbox, uploads and downloads YouTube videos and other things of this nature. With this in mind, what should I pass and what should I block to protect my network? And how do I segregate this wireless connection from the rest of my network?

                            My network consists of a media server and 4 desktops, all wired. The Internet connection is 10 Mbps cable service.

                            I have a managed Netgear 108 switch, I think that's the model; anyway, it is a managed 8-port gigabit switch. I'm trashing the Netgear 318 firewall due to throughput issues.

                            Thanks again

                            If you're running the wireless AP on a separate NIC with its own DHCP (not bridged), it's already segregated from your wired network. You'll be able to connect to it from the wired network, but not vice versa.

                            As for blocking things, it really depends on how much you want to have to mess with it. You could go the standard router route and just block all inbound (the default) and allow all outbound. If you're worried about your son getting a virus, try installing HAVP. You can also add SquidGuard to help block malicious URLs.

                              Highroller
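As an added example (not code from this thread or from pfSense), a small Python model of the two points raised above: mikeisfly's observation that LAN and OPT1 cannot share an address space, and Bai Shen's question of segregating the wireless segment, evaluated with pfSense-style first-match ingress rules and an implicit default deny. The OPT1 ruleset, the host addresses and the `_in` helper are assumptions; the model ignores state tracking, so replies to LAN-initiated connections are not represented.

```python
import ipaddress
from dataclasses import dataclass

# Interface layouts from the thread: the original post put LAN and OPT1 in the
# same /24 (the broken case); the fix moves OPT1 to its own subnet.
BROKEN = {"LAN": "192.168.1.1/24", "OPT1": "192.168.1.3/24"}
FIXED = {"LAN": "192.168.1.1/24", "OPT1": "192.168.2.1/24"}


def overlapping_interfaces(ifaces):
    """Return (name, name) pairs whose subnets overlap; empty means healthy."""
    nets = {n: ipaddress.ip_interface(a).network for n, a in ifaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


@dataclass
class Rule:
    action: str  # "pass" or "block"
    src: str     # CIDR network or "any"
    dst: str     # CIDR network or "any"


def _in(net, ip):  # assumed helper: does ip fall inside net ("any" matches all)?
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def evaluate(rules, src_ip, dst_ip):
    """First matching rule on the ingress interface wins; no match is the implicit
    default deny, which is why an OPT1 with no rules passes nothing."""
    for r in rules:
        if _in(r.src, src_ip) and _in(r.dst, dst_ip):
            return r.action
    return "block"


# Hypothetical OPT1 ruleset: keep the wireless /24 out of the wired LAN, allow
# everything else. LAN keeps pfSense's default "LAN net to any" allow rule.
OPT1_RULES = [Rule("block", "192.168.2.0/24", "192.168.1.0/24"),
              Rule("pass", "192.168.2.0/24", "any")]
LAN_RULES = [Rule("pass", "192.168.1.0/24", "any")]


def segregation_check():
    """Decisions for constructed hosts: a wireless client (.2.50), the wired media
    server (.1.10), the AP's address (.2.2) and a TEST-NET-2 Internet address."""
    return {
        "opt1_without_rules": evaluate([], "192.168.2.50", "198.51.100.7"),
        "wireless_to_media_server": evaluate(OPT1_RULES, "192.168.2.50", "192.168.1.10"),
        "wireless_to_internet": evaluate(OPT1_RULES, "192.168.2.50", "198.51.100.7"),
        "wired_to_ap": evaluate(LAN_RULES, "192.168.1.10", "192.168.2.2"),
    }
```

`overlapping_interfaces(BROKEN)` flags the LAN/OPT1 pair from the original post while `FIXED` is clean, and `segregation_check()` shows the empty OPT1 ruleset blocking everything, which is the symptom the thread started with.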

                              Guys, I want to thank you for all the help!

                              Problem solved, it was a simple matter of Firewall rules. Everything is working. Now I just have to figure out what firewall rules to apply to keep things safe.

                              Thanks again!

                                jikjik101

                                What do you mean by safe?

                                If you want a good way of blocking sites, you can try SquidGuard, IPblock or Countryblock. Snort is also a good thing, but I found it "complicated".
