Weird DHCP/Firewall issue



  • Hi all

    Managed to set a pfSense box up with relatively little issue, got the Wireless AP functioning (rather well I might add), DHCP works perfectly on the Wireless, but for some odd reason I cannot get DHCP addresses (it's all set up correctly afaik), and Internet access on the LAN Interface is a no go.

    So here's my situation:

    WAN is a PPPoE Link, works fine
    LAN is controlled by re0 connected to a Gigabit Switch
    WLAN is controlled by ath0 working as an AP

    WAN Link works, WLAN Link works, but not the LAN

    I've been racking my brains trying to work it out. My partner wants me to leave the server in, as when I told her about the QoS and how I had it set up, her response was GOOD (means I can't leech all the net by myself).

    Any suggestions or input as to what I'm missing is greatly appreciated.


  • Netgate Administrator

    By default the LAN interface will have DHCP enabled on 192.168.1.1/24 and already has firewall rules in place to allow internet access.
    Clearly you have already configured various things in pfSense when you added the WLAN interface. How did you do that if you can't access LAN?
    Can you give us some more details, what subnets you are using, what hardware etc.

    Steve



  • Hardware being used:

    Sun Ultra20
    Onboard nVidia NIC (For WAN - PPPoE)
    2xRealtek 10/100/1000 (LAN & OPT1)
    1xAtheros 54m Wireless NIC (OPT2)

    re0 is using 192.168.10.0/24
    OPT1 is using 192.168.20.0/24
    OPT2 is using 192.168.30.0/24

    I noticed that I could obtain Wireless access and Authentication easily and retrieve an IP, but the moment I went to retrieve an IP via my HTPC (running from LAN), it would retrieve an IP but not be allowed through to the net.

    Yet if I went static IP for the HTPC, it went straight through, net access aplenty.


  • Netgate Administrator

    Ok, all looks good.
    Have you changed any of the DHCP settings or the default LAN firewall rules?
    Check the firewall logs to see if anything is being blocked there.
    Check the DHCP server is handing out useful DNS and gateway information.

    Steve



    A couple of possibilities come to mind for that description.

    1. You have the IP you're being assigned from DHCP defined statically somewhere, creating an IP conflict.
    2. You have a rogue DHCP server on something else and are pulling an IP from it that isn't correct to get you online.

    Check ipconfig /all to see which DHCP server you're getting an IP from. If it's the right DHCP server, ping its LAN IP, then check Diag > ARP table to ensure the correct MAC is listed on that IP. If it's different from the MAC of that host, you have an IP conflict.
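A way to automate the checks suggested above (which DHCP server issued the lease, whether it carries a usable gateway and DNS, and whether the pfSense ARP table shows a different MAC for the client's IP), as an added example that is not from the thread. The `ipconfig /all` excerpt, the ARP rows and the 192.168.10.x addresses are constructed, and the ARP text is assumed to be a plain IP / MAC / interface listing like the Diag > ARP page shows.

```python
import re

# Constructed `ipconfig /all` excerpt from a Windows client on LAN (re0); not from the thread's hardware.
IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:
   Physical Address. . . . . . . . . : AA-BB-CC-DD-EE-01
   IPv4 Address. . . . . . . . . . . : 192.168.10.50(Preferred)
   Default Gateway . . . . . . . . . : 192.168.10.1
   DHCP Server . . . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 192.168.10.1
"""

# Constructed pfSense Diag > ARP rows (IP, MAC, interface); 192.168.10.50 answers from a MAC other than the client's, i.e. an IP conflict.
ARP_SAMPLE = """\
192.168.10.1    00:11:22:33:44:55   re0
192.168.10.50   00:de:ad:be:ef:99   re0
"""

def parse_ipconfig(text):
    """Extract the lease fields and the client MAC from `ipconfig /all` output."""
    cfg = {}
    for key in ("IPv4 Address", "Default Gateway", "DHCP Server", "DNS Servers"):
        m = re.search(rf"{key}[ .]*: *([\d.]+)", text)
        cfg[key] = m.group(1) if m else None
    m = re.search(r"Physical Address[ .]*: *([0-9A-Fa-f-]{17})", text)
    cfg["MAC"] = m.group(1).replace("-", ":").lower() if m else None
    return cfg

def parse_arp(text):
    """Map IP -> MAC from the ARP table listing; blank or short lines are skipped."""
    arp = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            arp[parts[0]] = parts[1].lower()
    return arp

def check_client(ipconfig_text, arp_text, pfsense_lan_ip):
    """Run the three checks from the thread; an empty list means nothing looks wrong."""
    cfg, arp = parse_ipconfig(ipconfig_text), parse_arp(arp_text)
    findings = []
    if cfg["DHCP Server"] != pfsense_lan_ip:
        findings.append(f"lease from {cfg['DHCP Server']}, not pfSense: possible rogue DHCP server")
    if cfg["Default Gateway"] != pfsense_lan_ip or cfg["DNS Servers"] is None:
        findings.append("DHCP lease lacks a usable gateway/DNS")
    seen = arp.get(cfg["IPv4 Address"])
    if seen and seen != cfg["MAC"]:
        findings.append(f"IP conflict: {cfg['IPv4 Address']} is at {seen} on pfSense, client MAC is {cfg['MAC']}")
    return findings
```

Paste the real `ipconfig /all` output and the ARP page text into the two strings and call `check_client(..., "<pfSense LAN IP>")`; the sample as written reports the IP conflict on 192.168.10.50.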



  • Ok here's a roundup of what I have done since posting

    Added in a few case fans, and some general server cleaning

    I thought it would have had to be something like I might have overloaded the amount of Firewall/NAT rules, and quite simply, where I was allowing traffic with one rule, it seemed like I was cancelling them out with another.

    I decided to reinstall from scratch, and it was the best idea I could have ever had.

    Recabled the Man Cave (where my partner lets me keep the server, mwahaha), moved the server to its new spot, and changed the IP addressing scheme:

    LAN is now 192.168.2.0/24
    OPT1 is now 192.168.3.0/24
    OPT2 is now 192.168.4.0/24 <--- This is the IP Range the next server I install will be going into (FreeNAS)

    Created a copy of the Default Allow LAN to Any rule across LAN, OPT1, OPT2, bridged the 3 together

    Walked out to my HTPC (which had the issues before retrieving an IP/Accessing the net), and checked to see if it could see the outside world

    SUCCESS!

    Grabbed my laptop, and proceeded to check the Wireless AP I had setup, to make sure I had the settings right. It was retrieving an IP, but not authenticating.

    Swapped around the Regulatory settings, and BAM, Net Access via wireless restored. Then walked out and checked the XBox360 to see if it could communicate with XBOX Live. Success, uPnP was working as expected, and it signed on within seconds (first time I tried it, it wouldn't do it, I kept running into issues, lol).

    So then it just left me to fine tune the QoS rules, so that everyone in the household is happy. Got that working now, so I'm stoked.

    So in essence, after a lot of hair tearing, cursing, and a few beers, I worked out where my issue was, reinstalled it, and got it going.

    It's now running HAVP as a parent for Squid, Snort, BandwidthD, uPnP & Wireless AP, sitting in the Man Cave happily humming away.

    Thanks to those who offered suggestions as to where I might have been wrong. LOL, I did feel a bit stupid afterwards when I saw it all running and thought, why didn't I get this installed this way the first time?


  • Netgate Administrator

    @Nutterpc:

    recabled the Man Cave

    :D What better way to spend easter Sunday.

    @Nutterpc:

    LAN is now 192.168.2.0/24
    OPT1 is now 192.168.3.0/24
    OPT2 is now 192.168.4.0/24

    Created a copy of the Default Allow LAN to Any rule across LAN, OPT1, OPT2, bridged the 3 together

    I'm glad you have it all running and to a certain extent 'if it ain't broke don't fix it', but this probably isn't the right way to do this.

    Why and how have you bridged the interfaces?

    If you really need them to be bridged you should probably have one subnet/DHCP server across the bridge.
    Alternatively, if you simply need to access one subnet from another you shouldn't need to bridge the interfaces; pfSense will route traffic between them.

    Steve



    Hehehe, tell me about it, Easter Long Weekend was the only time I was able to get this server running  :D

    But as to bridging the interfaces, that was the thing I had read on a few other people's posts on the forums, as to how they've had issues, and how they got everything they wanted working "as they want it".

    I ended up crashing out on the foldout bed that night (didn't sleep till late the next morning, and yes, I have a spare bed in the mancave for that reason ;D)

    But now I have it all running, I don't want to stuff anything else up, as the XBOX360 is functioning as expected (uPnP & Port Forwarding through pfSense as it needs it, successfully), and my FetchTV is also working. The only thing I am doing now is just fine tuning, like the network stack, to better suit the connection (ADSL1 7610/384).

    My partner is also pleased that now I've set everything up and verified it all works, I can't hog all the bandwidth now,  :( she doesn't want me to change anything, hehehehe

    I've got a few documents I picked up from looking round the net on what I can do to better fine tune my connection, so it should be interesting.

    Main thing I wanna change is the squid stuff, but I'll fix that when I get home.

