What am I doing wrong?



  • I am new to pfSense, but have used IPCop for years, so I understand appliance firewalls. My question is this: I install the software fine, run it on its own head unit, KB, and mouse, pre-configure LAN IP and SSH and all of that, and it opens fine in the WebGUI.
    I unhook it from my setup area and plug it inline into the network chain, and I can't get internet access. I can ping it, WebGUI it, SSH it no worries, but no Internet. I know it must be something simple I'm missing, but having run IPCop flawlessly since Version 0.0.01, with no issues, I thought I would have a flawless install of pf-

    I have no idea what I'm doing wrong. It's been so long since I needed to change my firewall, I have brainfade.
    Settings are as follows :

    Step One : Modem : 10.1.1.1 (DHCP allowing up to 10.1.1.5) pfSense picked up 10.1.1.5 by DHCP

    Step Two : Netgear WGR614v6 Wireless Router at 192.168.1.1
    It is configured as DHCP Router and supplies addresses from : 192.168.1.50 - 192.168.1.75  – Modem DHCP allocates 10.1.1.3 to this Router.

    Even after adding fixed addresses to the Wireless Router I get no Internet connection, but can ping, SSH and WebGUI the pfSense box.

    I removed the WGR614 from the chain, and set modem directly to em0 network interface - IP : 10.1.1.5
    Set LAN Interface sk0 to 192.168.1.45 and connected my PC via my switch, with no other PCs online, had instant connection to Local Network, but still no Internet.

    I know it's something simple I'm missing, but if I pull any more hair out over this, I will look like Uncle Fester.....can someone please assist me with this?

    I have tried all I can think of, but still no luck.



  • From your description I can't understand the network config you have.
    You want this sort of chain:
    internet<->modem<->WAN-pfSense-LAN<->switch<->client devices

    At the moment it seems your modem (ADSL, cable, whatever) is not in bridged mode, so it has a private IP address on your side, and gives out DHCP. That is fine to get things going at first. pfSense WAN will get DHCP like you describe.

    Then pfSense LAN interface should be doing the DHCP to LAN clients. Then the LAN clients get DHCP with the gateway set to the pfSense LAN address.

    Not sure what "Netgear WGR614v6 Wireless Router" is all about. If you need it to be your WiFi AP still, then disable DHCP on it, give it a normal IP on your LAN and connect it to the switch. It doesn't need to be a router any more.

    Draw us a network map if you are still stuck.



  • I second Phil's request for a network diagram. Please include interface IP addresses and network masks.

    PERHAPS your WAN interface is set to "Block Private Networks". (It shouldn't be in your case.) See Interfaces -> WAN and scroll down to the Private networks section.



  • You can't even ping 8.8.8.8?

    If you can, it's probably a DNS issue.

    If you can't, you probably have a private IP on your WAN and that is blocked by default.  Need to unblock it in Interfaces > WAN > bottom of page.

    If it's none of those, post your network diagram, like these guys want.  They are pretty good.



  • @wallabybob:

    I second Phil's request for a network diagram. Please include interface IP addresses and network masks.

    PERHAPS your WAN interface is set to "Block Private Networks". (It shouldn't be in your case.) See Interfaces -> WAN and scroll down to the Private networks section.

    Thanks for the replies guys. I tried to be clear on my description in my 1st post, but it seems I wasn't very good.
    The Block private networks checkbox is not selected, Bogon networks IS selected. I got caught by that one on the first install of pfSense to this box, and made sure I didn't get caught again…but thanks for the suggestion.

    The setup at this point in time is :

    Internet -- Modem (10.1.1.1 with DHCP for 5 Addresses only) -- WGR614 Wireless Router (WAN  IP 10.1.1.3 - LAN IP 192.168.1.1  DHCP range 192.168.1.50 -192.168.1.75 ) -- LAN connections from wireless router are single cable to one PC, and single cable to 10/100 Switch for 4 more PC's in another room.

    Modem subnet is 255.0.0.0 all other PC's and devices inline are 255.255.255.0

    At the moment this all works fine, no issues are found.

    The problem arises when I insert the pf box between the modem and the Wireless Router. The pf box gets a WAN IP of 10.1.1.5 and it should see the outside world. Its LAN IP has been changed to 192.168.1.45 as the default is already used by the wireless.

    I CAN'T alter the wireless LAN IP as every time I do, it locks me out of the entire GUI and needs a reset to default. Being a Netgear device this is no surprise, it has been this way since the day I bought it, and it even stumped my brother who is an IT Project manager and has forgotten more about computers than I will ever know.

    I tried removing the Wireless Router entirely and connected the modem to the WAN NIC of the pf box. It got an IP of 10.1.1.5 as expected. I connected my cable to the LAN NIC and via my switch I could access the pf Dashboard and all settings no worries. I can also use PuTTY to access the shell. But the outside world is just not there: on the Dashboard page, pf tries to check for updates, but can't access the Internet.

    This leads me to believe it's an issue in the modem. It has its firewall turned on, but I can browse fine with the setup I have now, so adding the pfSense box should work fine, I would have thought.

    Any thoughts ??

    Thanks Again

    p.s: NEVER BUY NETGEAR.....they are nothing but a headache, and have no support at all from the company....their Tech Support don't want to know anything if you have an issue to resolve. ABSOLUTELY NO HELP AT ALL



  • You probably have a private IP on your WAN and that is blocked by default.  You need to unblock it in interfaces > WAN > bottom of page.
    Uncheck Block private networks.

    If that is not the problem, I suspect either bad DNS setup or firewall rules on the LAN are not correct.



  • Have a look at Status-Interfaces for your WAN. It needs to have something good for the DNS servers, which should have come along with the 10.1.1.5 DHCP lease. If not, then put a DNS server or 2 in System-General Setup (e.g. the Google DNS Servers 8.8.8.8 and 8.8.4.4)
    Can you "ping 8.8.8.8" from the shell - that would show that IP connectivity works, and therefore the problem is likely just in translating names with DNS.



  • @phil.davis:

    Have a look at Status-Interfaces for your WAN. It needs to have something good for the DNS servers, which should have come along with the 10.1.1.5 DHCP lease. If not, then put a DNS server or 2 in System-General Setup (e.g. the Google DNS Servers 8.8.8.8 and 8.8.4.4)
    Can you "ping 8.8.8.8" from the shell - that would show that IP connectivity works, and therefore the problem is likely just in translating names with DNS.

    Did all this and more, thought I had it working at one point, as I could ping and traceroute from the pf box to various IPs, and the update manager changed from cannot check for update to running the latest version, but still no browsing.
    I rebooted the pf box and my PC 3-4 times each and reset the network adapter in my PC 10 times or more. Each time it came up as pfsense network, showed both local and internet connection, but still no browse. Added my ISP's supplied DNS server IP and the two Google ones, nothing helped.
    And all I get now is the network comes up local and internet, then drops out, in under 30 seconds, to local only in the Network and Sharing window on my PC.
    I just can't work it out, nothing I try seems to fix it.



  • Please post a pic of your firewall rules for LAN and WAN, your DHCP settings for LAN and WAN, your general settings page and the gateway status page.


  • LAYER 8 Global Moderator

    What do you mean insert pfsense?

    So you now have this

    internet - NAT Router (not modem modems do NOT NAT) - pfsense - netgear - switch - pc

    And your pfsense of lan is on 192.168.1.0/24 and so is lan of netgear?

    Do not connect your netgear using its wan, connect it via its lan to pfsense and TURN off the netgear dhcp server..


  • Netgate Administrator

    192.168.1.45 is still in the 192.168.1.1/24 subnet that your wifi router is probably using. Each segment needs to be a different subnet, try changing the pfSense LAN to 192.168.100.1 for example.

    Steve


  • Banned

    Please, get some system info what you are doing. Basically you want

    • modem as a bridge
    • pfsense with the WAN IP assigned directly
    • AP somewhere on LAN with everything disabled, incl. the WAN, DHCP and whatever. Totally dumbed AP.

  • LAYER 8 Global Moderator

    ^ exactly!  This would be normal common setup..

    If your "modem" (isp connection device) does not support bridge mode and you have to double nat - then ok, but you sure and the hell do not want to add a triple nat to the mix.  Your netgear should be used as just a Access Point.

    Then put wan of pfsense into the dmz of your isp device, and control your forwards at pfsense.



  • Thanks, I am aware of how it's supposed to be, it's just not playing fair with me.
    I know it's a simple thing I have missed and am missing, but it's driving me around the bend….

    I wish I could have the WAP as a standalone, but even following the Netgear instructions on how to set it as one fails....this bloody thing will be the death of me.
    I'm sure I will figure it out one day, but right now it's beginning to piss me off.



  • Well - Do things in baby steps.

    Put the wireless router aside.  Get yourself a cat 5 cable.  Connect that to the LAN of pfsense and your computer. Directly connect your pfsense WAN to the modem also.  Get that working.

    If you intend to have an OPT1 interface, create that and test it directly connected to your computer.  Get that working.

    Then when modem > pfsense is working perfectly, then add the wireless AP to the picture.

    In my opinion, currently, you can't know what is and is not working.


  • Banned

    And as for Netgear AP, there are tons of alternative much better firmwares, such as DD-WRT, Tomato or OpenWRT. Sadly, for your prehistoric model, the only way is to solder something better than the crappy 1MB chip on the board. Best dumped, frankly. Not worth the waste of time.


  • LAYER 8 Global Moderator

    Yeah its not worth time and effort dicking with older wireless routers if you ask me.  I just picked up a tp-link dual band wdr3600 I believe is the model number for $42 to my door.

    Took all of 30 seconds to put dd-wrt on it.. And now got nice stable N both 2.4 and 5ghz AP – my old reliable wrt54gL was still working - but it was about time I moved to N.. only thing left that was g is my sons old laptop everything else is N.

    As to getting it to work as AP - what do they have you doing.. The thing already has a 192.168.1.1 address right, leave it at that change pfsense to say .254 and turn off netgear dhcp server = bing bang zoom accesspoint.  Just connect it to your switch or pfsense via the netgears LAN port..  Put some tape over the wan port on the netgear you have no use for it if using it as AP.


  • Netgate Administrator

    If you have all three routers in line they must have different subnets between them. Did you try my earlier suggestion?

    Steve
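
The subnet rule from the replies above (each routed segment needs its own subnet), checked against the addresses posted in this thread. This is an added example, not part of any post; the Netgear WAN addresses are constructed, since behind pfSense it would take a lease from the pfSense LAN, and the function and finding names are hypothetical.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_router(name, wan, lan, block_private_checked=False):
    """Return (router, finding) tuples for one routing device.

    wan and lan are "address/netmask" strings for the device's two sides.
    """
    wan_if = ipaddress.ip_interface(wan)
    lan_if = ipaddress.ip_interface(lan)
    findings = []
    # With the same subnet on both sides, the routing table cannot tell
    # which interface a destination lives behind.
    if wan_if.network.overlaps(lan_if.network):
        findings.append((name, "overlap"))
    # The replies in this thread ask for pfSense's "Block private networks"
    # to be unchecked when the WAN address is an RFC 1918 address.
    if block_private_checked and any(wan_if.ip in n for n in RFC1918):
        findings.append((name, "private-wan-blocked"))
    return findings

def check_chain(routers):
    """Run check_router over every device in the chain, in order."""
    findings = []
    for router in routers:
        findings += check_router(*router)
    return findings

# Chain as described in the thread: modem -> pfSense -> Netgear -> PCs.
# Netgear WAN 192.168.1.100 is a constructed lease from the pfSense LAN.
AS_POSTED = [
    ("pfSense", "10.1.1.5/255.0.0.0", "192.168.1.45/255.255.255.0"),
    ("Netgear WGR614", "192.168.1.100/255.255.255.0",
     "192.168.1.1/255.255.255.0"),
]

# Same chain with the pfSense LAN moved to 192.168.100.1 as suggested;
# Netgear WAN 192.168.100.50 is again a constructed lease.
RESUBNETTED = [
    ("pfSense", "10.1.1.5/255.0.0.0", "192.168.100.1/255.255.255.0"),
    ("Netgear WGR614", "192.168.100.50/255.255.255.0",
     "192.168.1.1/255.255.255.0"),
]

if __name__ == "__main__":
    print("as posted:  ", check_chain(AS_POSTED))
    print("resubnetted:", check_chain(RESUBNETTED))
```
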



  • @stephenw10:

    If you have all three routers in line they must have different subnets between them. Did you try my earlier suggestion?

    Steve

    I'm not sure if I tried all the things everyone suggested so far. I haven't had time in the last couple of days to do much.
    I've had family issues come up, and have had no time for network tinkering, especially when my Server 2003 box died and I had to
    spend time getting that fixed.
    I haven't given up, I'm still tinkering, just a few minutes a day instead of the few hours I would normally have.



  • @doktornotor:

    And as for Netgear AP, there are tons of alternative much better firmwares, such as DD-WRT, Tomato or OpenWRT. Sadly, for your prehistoric model, the only way is to solder something better than the crappy 1MB chip on the board. Best dumped, frankly. Not worth the waste of time.

    I know it's old, but once it's set up, it is stable and does what I need. I rarely use the wireless, it's mainly inline to use it as a second switching device.
    I will be buying a real switch soon, and a dedicated WAP device to replace the Netgear, but each time I save the money for it, something comes up that eats up the savings…
    It's hard to save any cash with the house, car and 5 kids, especially as I'm on a pension.


  • LAYER 8 Global Moderator

    How long does it take to turn off the dhcp server?  That is ALL you have to do to turn that router into a accesspoint, and not use its wan/internet port to connect it to your network.

    You have to uncheck 1 box, and connect it to your network via one of its lan ports vs its wan/internet and shazam its an AP




  • @johnpoz:

    How long does it take to turn off the dhcp server?  That is ALL you have to do to turn that router into a accesspoint, and not use its wan/internet port to connect it to your network.

    You have to uncheck 1 box, and connect it to your network via one of its lan ports vs its wan/internet and shazam its an AP

    I thank you for the post, but seriously, this thing is not a simple matter of unchecking a radio button….it's a f**king nightmare this bloody thing, from day one it's been a son of a bitch.....I change one thing in it, I can't access it...and have to reset to default...it's a feckin' nightmare....I swear.....but like I said, when I have the time to tinker I will. I have far more important things to think about this week, I have a funeral to organise now, and now a 16 month old grandchild just diagnosed with a hole in her heart. Damn firewall can wait.

    The only reason I have replied to this post is to show I have read all, and am appreciating the assistance...when I can I will get back to the issue, but for now, it's of no importance.


  • LAYER 8 Global Moderator

    Dude I have no idea what you have done in the past - but I am telling you to turn ANY wireless router into an access point is simple disable of dhcp on the wireless router, and connect it via LAN port.  That is it.

    I looked on your routers web ui via emulator and to disable dhcp all that is required is uncheck the enable box and click save..

    I have done this on hundreds of wireless routers.. No matter the make, no matter the brand.  In your setup you don't even have to change the wireless router's lan IP..  Since it's on the default network pfsense lan network defaults to.. All you have to do is change pfsense lan IP to not be 192.168.1.1 - make it 192.168.1.254 for example.  As long as you don't have something else already using 192.168.1.254 you're ready to go.  Just connect in your wireless router via its LAN PORT to your pfsense lan interface or a switch connected to your pfsense lan port already.  And you're done!

    If this takes you more than 30 seconds then you're doing something wrong!



  • @johnpoz:

    Dude I have no idea what you have done in the past - but I am telling you to turn ANY wireless router into an access point is simple disable of dhcp on the wireless router, and connect it via LAN port.  That is it.

    I looked on your routers web ui via emulator and to disable dhcp all that is required is uncheck the enable box and click save..

    I have done this on hundreds of wireless routers.. No matter the make, no matter the brand.  In your setup you don't even have to change the wireless router's lan IP..  Since it's on the default network pfsense lan network defaults to.. All you have to do is change pfsense lan IP to not be 192.168.1.1 - make it 192.168.1.254 for example.  As long as you don't have something else already using 192.168.1.254 you're ready to go.  Just connect in your wireless router via its LAN PORT to your pfsense lan interface or a switch connected to your pfsense lan port already.  And you're done!

    If this takes you more than 30 seconds then you're doing something wrong!

    I did that already and it did nothing, but somehow, it's working now. I reset it to default, and suddenly it came up working.
    Stupid thing is, I had done this a dozen or more times already.

    Thanks to all who offered suggestions, everything is working now.



  • Even me?  :-\


  • LAYER 8 Global Moderator

    What do you mean did nothing?  It's not supposed to really do anything - you just turned off its dhcp server.. Do you mean you turned it off and it was still running?



  • @johnpoz:

    What do you mean did nothing?  It's not supposed to really do anything - you just turned off its dhcp server.. Do you mean you turned it off and it was still running?

    Sorry, bad explanation on my part. I meant I did all the things you suggested, and it didn't fix the problem.
    I did however get the pf box up and running. It turned out it was a simple fix: the DHCP server in the modem didn't turn off
    when I first unchecked it. I rebooted the modem and DHCP and the SPI firewall in the modem were still turned on.
    I turned them off again, resaved the cfg file for the modem, rebooted and it came up with both SPI and DHCP turned off
    and the pf box was working fine with default install settings. So now it's all good.

    Thanks again to ALL who offered ideas and suggestions.


  • LAYER 8 Global Moderator

    where did I say anything about turning off anything in your "modem"

    I am glad you feel you have your system up and running - I did not tell you to do ANYTHING with your modem, if you were playing with that you were not following instructions given.  I gave you a screen shot of your netgear for gosh sake..



  • @johnpoz:

    where did I say anything about turning off anything in your "modem"

    I am glad you feel you have your system up and running - I did not tell you to do ANYTHING with your modem, if you were playing with that you were not following instructions given.  I gave you a screen shot of your netgear for gosh sake..

    Sorry, didn't mean to offend, John. I wasn't saying you told me to do anything to the Modem.
    All I was saying was with all I tried, nothing worked…..but it was ALL MY FAULT ---- my Modem settings
    were the cause of all my issues. It was the DHCP and SPI Firewall settings in the Modem that were giving me
    headaches. IT WAS NOT ANY OF THE ADVICE.


  • Netgate Administrator

    I wouldn't worry about offending johnpoz, I'm sure he can take it!  ;D

    It can be frustrating when people don't appear to be following instruction. However in this thread there were many instructions from many people. I stopped posting because it was just confusing matters. Glad you got it sorted.  :)

    Steve

