    Unable to Access WebGUI

      kejianshi

      Well, I know the rest of the answer also.  Remember I said there was more to do?
      BTW - I'm not with the PFsense crew, but I did stay in a holiday inn express last night.
      I do think they have come up with a great thing. 
      They are smarter than me with this though.  This would be their "lite work".

      For the next part, we need to make some changes to your LAN port on pfsense and also your client VMs.
      I'll type a bit about that after I take the kid for a walk.  I just rebuilt a dryer for the last hour…  So exciting.

        amer1canparatrooper

        Ha!  You're funny.

        Anyway, I appreciate you working me through this and being so giving.  Maybe I can figure out a way to buy you lunch.

        More tinkering to do with this after work tomorrow.

        Again Sir, thank you much.

          phil.davis

          pfSense is a firewall - it defaults to keeping out the nasties on the public internet side.

          a) When there is WAN and LAN, then everything originating on WAN is blocked by default. In production, this is always what you want (then you add rules to open up the specific things that you want outside internet to be able to access).

          b) When there is just WAN (unusual/special config), then access is allowed to webGUI (and a few ports - I won't try to specify them exactly here) on WAN.

          So, you can get in when there is just WAN. When you add LAN, then the webGUI "anti-lockout" rule moves to LAN, and you lose access from WAN. This is usually what you want.

          To keep WAN access, then, before adding the LAN interface, add pass rules of your own on WAN to allow the things you want. (For ease in testing, allow all, but in production if the WAN faces the real internet, don't do that!)

          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

            stephenw10 Netgate Administrator

            Could easily end up with 'too many chefs' in this thread and just confuse things further but let me just say that everything you have described is exactly what I would expect to see. Your setup is behaving perfectly, you don't have any random weirdness to deal with.  ;)

            Kejianshi seems to have this under control.  :)

            Steve

              kejianshi

              Well - Next step, as I see it, will be getting his VMs that are to be client to the PFsense un-bridged from the Host's network and on the internal network.  I'd like to see the client VMs get DHCP from intnet and I'd like to see intnet given a sane subnet.  After the VM clients can access the pfsense LAN side he can close the gaping security holes that are there just to give him gui access from the host machine.  Then he should be able to admin his system from the VM clients same as any network using pfsense (Still the issue of double NAT - Talk converting to typical pfsense setup later)

                amer1canparatrooper

                Hey guys.

                Well, got to do some more tinkerin'  ;D

                As per kejianshi:

                @kejianshi:

                Well - Next step, as I see it, will be getting his VMs that are to be client to the PFsense un-bridged from the Host's network and on the internal network.  I'd like to see the client VMs get DHCP from intnet and I'd like to see intnet given a sane subnet.

                Yes, this is my intent.  Ideally, I'd just like to get it up and running (making em1 a dhcp server) so that I can create my own internal network of VM servers and hosts.

                @phil.davis:

                To keep WAN access, then, before adding the LAN interface, add pass rules of your own on WAN to allow the things you want. (For ease in testing, allow all, but in production if the WAN faces the real internet, don't do that!)

                Phil, truly, I need to do more research.  I'm amazed at all the options and the ability to modify all the granular specifics.  My window to do this will largely be this weekend, however, I'm having trouble adding the pass rule.

                I tried under advanced > Disable webConfigurator anti-lockout rule > added the LAN > and then was unable to access the WebGUI again.

                Also, I went to firewall > rules > Single Host or Alias > 192.168.1.203 > and yet I was still unable to access the WebGUI.

                Again, just to get this up and running, what would I change within the WebGUI in order to turn on LAN intnet (DHCP node) for my LAN guests and still be able to access the WebGUI?

                Cheers gents.

                  kejianshi

                  Well - Earlier, I gave you a couple of commands to shut down and then reactivate the firewall rules if you ever locked yourself out with a firewall rule change.  So, if you locked yourself out, use:

                  pfctl -d

                  Then go into the web gui and change back whatever firewall rule you changed that locked you out.

                  Then.

                  pfctl -e

                  Next, to get your intnet on your pfsense handing out DHCP, you will need to go to your Interfaces > LAN
                  Make sure it's static type.

                  Then give it an IP like 10.14.73.1/24 (That's just a random IP.  Pick anything you like in the private IP range)

                  Make sure gateway = none.

                  Make sure you are applying setting.

                  Then you have to go into services > DHCP server

                  click the LAN tab.  Check the activate DHCP button.

                  Now give a DHCP range like 10.14.73.50 - 10.14.73.200

                  (This determines the start and end point for IPs auto assigned by DHCP.  Later you can add static IPs above and below this range if you like)

                  Apply settings…

                  Now, you have a DHCP server and a sane IP range for a LAN

                  To be sure this doesn't cause issues, make sure the LAN Ethernet interface you added in your isn't bridged.  You want that one internal network.  (intnet)

                  Now, to get the other VMs to get their IPs from pfsense you will also have to change their network adapter setting to internal also with same name (intnet).

                  Assuming you do all those things and don't typo and no crazy unknown circumstances, you should have a network.

                  Should be able to access the pfsense web gui from your VM's web browsers.

                    phil.davis

                    Again, just to get this up and running, what would I change within the WebGUI in order to turn on LAN intnet (DHCP node) for my LAN guests and still be able to access the WebGUI?

                    Before enabling LAN, add a pass rule to WAN, and might as well enable SSH:
                    a) Add an alias for ports HTTP (80), HTTPS (443) and SSH (22) - e.g. call it MgmtPorts
                    b) Add rule on WAN: Pass, IPv4, protocol any, source WAN net, port any, destination WAN address, port MgmtPorts.
                    c) System->Advanced, Admin Access, Enable Secure Shell.

                    Now you can always come from the WAN network side to the webGUI, or ssh in to the WAN side and get a command prompt.

                    Now enable the LAN side.

                    As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                    If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
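
An added example, not part of the original posts and not pfSense's own code: a Python check over a configuration export that lists every enabled WAN pass rule reaching the management ports named above (80, 443, 22) and reports whether its source is restricted or "any". The sample XML is constructed, and the element names are an assumption about the config.xml layout.

```python
import xml.etree.ElementTree as ET

MGMT_PORTS = {"22", "80", "443"}  # SSH, HTTP, HTTPS, as listed in the post

# Constructed sample, not a real export. Element names are assumed to
# follow the pfSense config.xml layout.
SAMPLE = """<pfsense>
  <aliases>
    <alias><name>MgmtPorts</name><type>port</type><address>80 443 22</address></alias>
  </aliases>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><network>wan</network></source>
      <destination><network>wanip</network><port>MgmtPorts</port></destination>
      <descr>Mgmt from WAN net</descr></rule>
    <rule><type>pass</type><interface>wan</interface>
      <source><any/></source><destination><any/></destination>
      <descr>Testing allow all</descr></rule>
    <rule><type>pass</type><interface>lan</interface>
      <source><network>lan</network></source><destination><any/></destination>
      <descr>Default LAN to any</descr></rule>
  </filter>
</pfsense>"""

def rule_ports(rule, aliases):
    """Destination ports of a rule; None means no port restriction at all."""
    port = rule.findtext("destination/port")
    if port is None:
        return None
    # A port field holds either a literal port or the name of a port alias.
    return set(aliases.get(port, port).split())

def audit_wan_mgmt(xml_text):
    """Return (description, source scope) for WAN pass rules reaching mgmt ports."""
    root = ET.fromstring(xml_text)
    aliases = {a.findtext("name"): a.findtext("address", "")
               for a in root.iterfind("aliases/alias")}
    findings = []
    for rule in root.iterfind("filter/rule"):
        if rule.findtext("type") != "pass" or rule.findtext("interface") != "wan":
            continue
        if rule.find("disabled") is not None:
            continue
        ports = rule_ports(rule, aliases)
        if ports is not None and not (ports & MGMT_PORTS):
            continue  # rule does not touch the management ports
        scope = "any" if rule.find("source/any") is not None else "restricted"
        findings.append((rule.findtext("descr", ""), scope))
    return findings
```

Rules reported with scope "any" are the test-only allow-all kind that the post says not to leave in place when the WAN faces the real internet. Port ranges are not expanded in this narrowed version.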

                      amer1canparatrooper

                      Bang!  Bingo!  Kaboom!!!

                      That got it guys.  Cheers to all of you.

                      I have successfully been able to pass the intnet to my virtual machines and can also access the WebGUI from both my host/guest machines.

                      I noticed that I had to turn off the firewall after I had added the LAN, but no biggie.  Now that I have the bridge from WAN to LAN, I can now do some experimenting and also take a few classes on working with settings and advanced configurations.

                      I'm so happy.  It's truly cool to be able to now have a firewall/router that I can tinker with, set up rules, keep the bad guys out, etc.  This is going to be fun now that I have the box up and running and can now feed the internet off to my servers/hosts.  What's also cool is that I will be able to discover some of the more advanced aspects of networking, for which I only have a foundation currently as a professional.

                      Thank you all.  Thank you all again.  Now that you all have been giving to me, I hope that I can return to others the same.

                        kejianshi

                        I'm excited too.  Not as excited as you, but excited…
                        Makes me remember my first time.
                        I was nervous - and so alone...
                        (No forums to help me with my first build)

                        I'm glad it turned out well.

                        Eventually, you should use a different hypervisor.  Your current setup is only as secure as the OS that is hosting it.
                        That's yet another adventure in learning with some sort of "bare metal" / "thin" hypervisor.

                          amer1canparatrooper

                          Cheers kejianshi.  I owe you lunch man.  Be excited that your knowledge made the light turn on  ;D

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.