Fresh install blocking connections



  • Alright, I know this is a firewall box, but it'd be nice if I could at least connect to configure. Been trying various configurations for over a week now and can't even get into the webConfigurator yet…

    So, here's my setup: my internet connection comes in, goes into a combination router/modem box. Off of one of the LAN jacks from there I have an old laptop, where I've installed pfsense with default settings, set to WAN-only on the ethernet connection. All other computers are connected directly to this same router, so right now the pfsense is just another node on my LAN. What I want to do eventually is set it up to broadcast a second, secure wifi network, and have the existing open one as a guest network. Problem is, pfsense can connect to the outside internet (tested with ping and links using the pfsense shell) but there is no connection between the pfsense box and my other network systems. For example, I have a home theater system that I access via a web interface. Every other system on my network is able to access that web interface. But if I try from the pfsense system, it just says host not found. If I try to connect to the pfsense box through the webConfigurator or SSH from another system, it just hangs with no response. I tried googling, got suggestions to try 'pfctl -d', but that didn't change anything. All other instructions I'm finding assume you already have access to the webConfigurator. I tried loading the webConfigurator via links as well, but all it will let me access is the initial setup wizard, and after going through that my WAN connection just disappears and I have to redo the 'assign interfaces' and 'set interface(s) IP address' steps.

    How the heck do you get into the webConfigurator?


  • Netgate Administrator

    So you are only assigning one interface in the initial pfSense setup? Normally that would then allow any connections on it. As soon as you have more than one interface, connection to the WAN interface is blocked by default. SSH is disabled by default anyway. Since 'pfctl -d' didn't help I would think this is a routing problem. Is the box receiving its IP by DHCP? Is it receiving the correct details? The fact that it can't ping other systems in the network seems odd. Is that true for all other local machines?

    Please post the output of ifconfig at the console.

    What hardware is in the laptop?

    Steve



  • OK…that's how it seemed to imply it would work...so I'm not just doing something stupid I guess. Good to know.

    I set up one interface, a Broadcom BCM4401-B0 Fast Ethernet nic.

    It is being assigned an IP properly from DHCP of 192.168.1.11. Top line above the menu is:
    WAN (wan)  -> bfe0  -> v4/DHCP4: 192.168.1.11/24

    ifconfig gives:

    bwn0: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 2290
        ether 00:16:44:c1:.a:91
        media: IEEE 802.11 Wireless Ethernet autoselect (autoselect)
        status: no carrier
    bfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80008<VLAN_MTU,LINKSTATE>
        ether 00:22:19:db:4f:f4
        inet 192.168.1.11 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::222:19ff:fedb:4ff4%bfe0 prefixlen 64 scopeid 0x2
        nd6 options=1<PERFORMNUD>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
    enc0: flags=0<> metric 0 mtu 1536
    pflog0: flags=100<PROMISC> metric 0 mtu 33192
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
    pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128 syncok: 1


    Actually though…now that I've tried this again, it looks like it is able to ping other hosts on my network by IP, but it cannot access them by hostname like the rest of my systems. And no other hosts can access it in any way.


  • Netgate Administrator

    Hmm.
    The fact that you can't ping by host name is not surprising though it depends on how your upstream router is configured. Do you have some sort of local domain controller that clients log in to?

    Perhaps you have some IP conflict? Your client machines are all in the same subnet as the pfSense WAN?

    You could try enabling SSH from the console menu, option 14.

    Are you using 2.1? I confess I've not tried this type of single interface setup in 2.1 yet, maybe the behaviour has changed though I can't imagine why.

    The fact that you can connect to the initial setup wizard but then are dumped back at the assign interfaces menu in the console implies it's encountering some sort of error. That usually only happens if the interfaces have changed, bfe0 was removed for example, or the config file cannot be read for some reason, it's corrupted or removed.

    Just as an aside the bwn(4) wifi adapter in that laptop will not support hostap mode so you'll not be able to use it as an access point directly.

    Steve



  • No local domain controller or anything like that, all in one subnet. The pfsense is one of six boxes connected to the same generic consumer router, being handed out IPs by DHCP, and it's the only one having any sort of problems.

    I did try enabling ssh before trying to connect with ssh, but as I said the connection just hangs. No timeout, no refused, no login prompt…nothing at all.

    I am using 2.1; I may try installing an older version today to see if that works any better. And to clarify, I'm not placed directly into the assign interfaces menu after doing the wizard; it just seemed to unassign the interface after going through the setup wizard. Of course, I'm running it through Links which was having some very obvious compatibility issues...

    Thanks for the tip about my card not being supported too. It says it supports access point mode in Linux, so I figured it'd be fine; but I have a few spare USB cards I can try as well. I'll figure something out :)


  • Netgate Administrator

    When you say 'Links' I thought you meant accessing the page via URL rather than IP but do you mean Lynx?
    If so then anything could be happening! Much of the webgui relies on JavaScript; I doubt Lynx would work well with it. Internet Explorer doesn't work that well with it!  ;)

    Steve



  • Yeah, links/lynx; the version pfsense has installed is called links.

    Tried 2.0.3, both the amd64 and i386 versions; both have the exact same behavior. Swapped the setup of the interfaces, and I can connect another PC directly to the pfsense one via ethernet and get into the webconfigurator that way though. Unfortunately the USB nics I have don't work either (it doesn't even detect them; probably just not enabled, but they're rtl cards that are apparently unsupported – rtl8192cu), so I'm gonna have to get a new network card at some point anyway...


  • Netgate Administrator

    @urza9814:

    Swapped the setup of the interfaces and I can connect another PC directly to the pfsense one via ethernet and get into the webconfigurator

    This implies you had two interfaces set up. In which case that's the expected behaviour.
    As I said, if you have just one interface it will be named WAN and access to the webgui will be allowed on that interface. As soon as you add another interface, which will be named LAN, access will be only via the LAN interface and everything on WAN will be blocked.
    In that situation you need to add a firewall rule to WAN to allow access to the webgui, if that's what you want to do.

    Steve
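
    The default-deny behaviour Steve describes, written out as an illustrative pf.conf fragment (added here for this thread; it is hand-written pf syntax, not the ruleset pfSense itself generates, and the LAN interface name `em0` and the management host `192.168.1.20` are assumed):

```pf
# Illustrative pf.conf fragment modelling pfSense's two-interface defaults.
# bfe0 is the WAN NIC from the thread's ifconfig output; em0 is an assumed
# name for the added LAN NIC; 192.168.1.20 is a constructed management host.
wan_if    = "bfe0"
lan_if    = "em0"
mgmt_host = "192.168.1.20"
gui_ports = "{ 80, 443 }"     # webConfigurator HTTP/HTTPS defaults
ssh_port  = "22"

set skip on lo0

# Default deny on every interface. With only WAN assigned this rule is not
# what you see; with LAN present, every unsolicited WAN connection (GUI,
# SSH, ping from the router side) dies here, which is why attempts "hang".
block in log all

# Anti-lockout: hosts on LAN can always reach the GUI and SSH on the firewall.
pass in quick on $lan_if proto tcp from $lan_if:network to ($lan_if) port $gui_ports
pass in quick on $lan_if proto tcp from $lan_if:network to ($lan_if) port $ssh_port

# LAN clients may initiate anything outbound; replies are matched by state.
pass in on $lan_if from $lan_if:network to any keep state

# The rule missing in the thread's two-interface setup: explicitly allow the
# GUI on WAN. Scope it to one management host, not the whole upstream subnet.
pass in quick on $wan_if proto tcp from $mgmt_host to ($wan_if) port $gui_ports flags S/SA keep state
```

    On pfSense the equivalent rule is added under Firewall > Rules > WAN rather than by editing pf.conf; `pfctl -sr` on the console shows whether such a pass rule is actually loaded, and `pfctl -nf <file>` syntax-checks a hand-written fragment like this one.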



  • Well…I swapped the one I had from WAN to LAN, and to do that I was forced to add the second one as WAN.

    Anyway, I've scrapped the bare metal plan for now since none of my wireless hardware is supported and am installing it on a KM. And it's working quite well, so I'll probably just go that route now...

