Need advice on setting up firewall



  • Ok so I need some assistance setting up my firewall and figured this would be the best place =)

    Here is my equipment:
    My Acer tower with 3 NICs
    A Netgear wireless router
    If need be I can use my Cisco 2950 switch
    Last but not least, my Comcast cable modem

    I have all of the WAN information I need. (Just in case I need to set it static for some reason.)

    I understand WAN is done via DHCP,
    but it keeps telling me that no link is enabled, when it says the link is up after I plug in the cable.

    Can someone shoot me a general config idea for this set up and should all this equipment work well together?



  • @infosecguy:

    should all this equipment work well together?

    Probably. A more specific answer will require more specific information about the equipment.

    @infosecguy:

    but it keeps telling me that no link is enabled when it says the link is up after I plug in the cable.

    I presume you have the software installed to the hard drive, you have booted from the hard drive, assigned interfaces through the console and are now accessing the system through the web GUI. Correct?

    What says "the link is up" (web page? which web page?)



  • Thank you for your response.  I will work on it a little later tonight and give more detail.



  • Ok so after tinkering around with this awesome firewall, I think I can talk some pfSense lingo now.

    Alright so here is my set up:

    An Acer tower
    AMD Athlon dual core
    2GB RAM
    3 NICs:
    re0 RealTek 8168/8111 B/C/CPd?DP/E PCIe Gigabit Ethernet
    msk0 Marvell Technology group Ltd. Yukon EC Ultra Id 0xb4 Rebe 0x03
    re1 Realtek 8169/8169S/8169SB(L)/8110S/8110SB(L) Gigabit Ethernet

    sooo

    WAN  ---> msk0
    LAN  ---> bridge0
    Opt1 ---> re1
    Opt2 ---> re0

    LAN works great and all the packages I installed work awesome.

    The only problem is my Netgear N300 doesn't seem to like my set up. Since my Acer is now acting as my router I have a cable going from my re1 interface to my Cisco 2950 (I have no VLANs configured). Now that I think of it... creating VLANs on my switch may solve my problem...

    Anywho, when I try to get a DHCP address or set a static address for my wireless interface it runs huge amounts of scrolling text across the screen. I actually just found out leaving it plugged in to my re1 NIC and then connected to any LAN ports on the router. That is the only cable I have going to the N300.

    Also, just so everyone knows, I turned off DHCP and set a static IP and did one other step I was told to do... (Sorry, a bit tired, can't remember what it was.)

    Overall, that's how my bridge came to be on the LAN interface between the two interfaces.

    One last thing, I always get this message on boot: "AP #1 (PHY# 1) failed!", which could be part of my problem.

    Let me know if you need more detail.  Thanks everyone =)



  • @infosecguy:

    One last thing, I always get this message on boot: "AP #1 (PHY# 1) failed!", which could be part of my problem.

    This could mean one of your NICs is disabled. Please post the output of the pfSense shell commands:

    ```
    dmesg
    ifconfig
    ```


  • Netgate Administrator

    I could be wrong here, I've never seen this myself, but some brief googling seems to say that

    AP #1 (PHY# 1) failed!

    implies a problem initialising the 2nd CPU core. That could be a problem but it shouldn't cause any network issues.

    It isn't clear to me why you created the bridge. Bridges often cause people to get into difficulty though.
    Please explain this.

    You are using the Netgear N300 just as a Wifi access point?

    @infosecguy:

    Anywho, when I try to get a DHCP address or set a static address for my wireless interface it runs huge amounts of scrolling text across the screen.

    Could be any number of things, try to capture some of it if you can, but if it happens when you plug in the N300 I would guess it's an IP conflict.

    Steve



  • That would make sense, that one of the cores isn't initializing, considering I found it funny that my CPU usage is at 100 percent most of the time. Is there any way to fix that?

    @Wallabybob I'll have to run the shell commands later on today when I have time. Then I will post them, thank you for your help =)

    @stephenw to my understanding, in order to make this set up work I have to bridge them so they can talk to each other correctly, because I technically can't make it a true access point. Thank you for your input on this matter. I'm gonna have to run a packet capture too...

    I'll put a tap in between my N300 and my wireless interface and see what I get for a packet capture... Thanks for all the input. I'll get back with you all soon. =)


  • Netgate Administrator

    People use a bridge to add wifi when they need the access point to be on the same subnet as LAN but are using a separate interface for it. This happens when you use a wifi card as an access point in the pfSense box. The only other time you would need that is if you need the access point to be on the same subnet as LAN but still need to filter traffic between them.
    If you don't need the AP to be on the same subnet then just connect it to your other NIC directly.
    If you don't need to filter traffic then just connect it to your switch on LAN.

    100% CPU usage is not good but it could be a number of things. Please run 'top -SH' from the CLI (press Q to quit) and paste the result here.

    Steve



  • Oh wow, I feel dumb now about bridging, I should know better.... Anyways, after finding that out I disabled the other interface I was using and I bridged the LAN/WAN interface, then connected the N300 to the Cisco switch (where my LAN is connected) and now my wireless clients are getting DHCP but can't get out to the net. Wonder what I am missing... I'll work on it later on today. Thanks so much for making me realize that =)


  • Netgate Administrator

    Hmm, OK.
    Why have you bridged WAN and LAN?  :-\

    If you are able to post the stuff Wallabybob asked for this will be much easier.

    Steve
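An added example, not from the thread and not pfSense's own tooling: a small POSIX shell script that reads FreeBSD/pfSense `ifconfig` output (a constructed sample below, using the poster's interface names with msk0 as WAN and bridge0 as LAN), lists bridge members and link state, and flags the WAN-in-bridge layout Steve questions, since a bridge spanning WAN and LAN joins both segments at layer 2 and bypasses the firewall's routed path.

```shell
#!/bin/sh
# Added example, not from the thread: inspect FreeBSD/pfSense `ifconfig` output for
# bridge membership and link state, and flag a bridge that includes the WAN NIC.

# Constructed sample ifconfig output modelled on the poster's layout (msk0 = WAN,
# bridge0 = LAN, re0/re1 = OPT). Addresses are documentation ranges, not real ones.
SAMPLE_IFCONFIG='msk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
    status: active
re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    status: active
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
    member: msk0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    member: re1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
re0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    status: no carrier'

# bridge_members IFCONFIG_TEXT BRIDGE -> member interface names, one per line
bridge_members() {
    printf '%s\n' "$1" | awk -v br="$2" '
        /^[a-z]+[0-9]+:/ { cur = $1; sub(":", "", cur) }
        cur == br && $1 == "member:" { print $2 }'
}

# link_status IFCONFIG_TEXT IFACE -> "active", "no carrier" or "unknown"
link_status() {
    printf '%s\n' "$1" | awk -v ifn="$2" '
        /^[a-z]+[0-9]+:/ { cur = $1; sub(":", "", cur) }
        cur == ifn && $1 == "status:" {
            s = $0; sub(/^[ \t]*status:[ \t]*/, "", s); print s; found = 1 }
        END { if (!found) print "unknown" }'
}

# check_wan_bridge IFCONFIG_TEXT WAN_IFACE BRIDGE -> returns 1 with a warning when the
# WAN NIC is a bridge member: LAN hosts then share a broadcast domain with the modem
# side, so traffic between them never crosses the firewall's routed interfaces.
check_wan_bridge() {
    if bridge_members "$1" "$3" | grep -qx "$2"; then
        echo "WARNING: WAN interface $2 is a member of $3; remove it from the bridge"
        return 1
    fi
    echo "OK: $2 is not bridged into $3"
    return 0
}

# Demo on the constructed sample (mirrors the poster's later LAN/WAN bridge).
check_wan_bridge "$SAMPLE_IFCONFIG" msk0 bridge0 || true
```

On a live box, replace the sample with `ifconfig` output captured to a file and pass its contents as the first argument.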

