New pfsense 2.1 install - questions



  • Hello,

    I bought an Alix pfsense f/w box from LinITX last week and have been setting it up for my home network this weekend. PFsense is great so far and I am very happy - with features and the interface. Well done to all involved - it's excellent.

    A question came up yesterday - I couldn't get my LAN internet working - no access - and I was pulling my hair out for quite a while.

    I had this :

                        192.168.1.1    192.168.1.10        10.19.130.1
                          static         static              static
                  -----------                ---------------------
    internet -----| modem   |----------------|   pfsense f/w     |-----
                  -----------                ---------------------
              ISP/DHCP                      WAN                 LAN
    

    The ADSL modem is NOT in bridge mode (need to check if I can use PPPoE on pfsense), DHCP server off and I set everything as a static IP (other than the modem WAN gets a DHCP IP from ISP).

    No f/w rules added - default LAN was to allow everything. WAN had blocking bogons ticked only.

    But no internet access from LAN - and no "ping" 192.168.1.1 from f/w GUI.

    Loads of logging of :

    arpresolve: can't allocate llinfo for 192.168.1.1
    

    in firewall log (every 2 seconds).

    Looking over the forums, I came to the conclusion that perhaps I needed DHCP - when I set the modem LAN DHCP server ON, and the pfsense f/w WAN to be DHCP, everything started working properly. The f/w WAN is now 192.168.1.100.

    I'm not really sure why this worked now though?

    Lastly - a question over f/w logs. The f/w LAN has the default rule to allow "LAN net" to "any" - but I keep seeing log messages blocking some packets e.g.

    10.19.130.224.58046 > 173.194.41.83.443: Flags [FP.]
    10.19.130.224.35528 > 74.125.132.95.443: Flags [P.]
    10.19.130.224.35528 > 74.125.132.95.443: Flags [P.]
    ... etc.
    
    

    This seems to be to Google's servers from an Android tablet. In the GUI, the reason is :

    @5 block drop in log inet all label "Default deny rule IPv4"
    

    Why the blocks on LAN to any? A search shows some saying this is due to duplicate packets perhaps?

    http://doc.m0n0.ch/handbook/faq-legit-traffic-dropped.html

    Thoughts?

    Lastly - thanks again for a great firewall.

    Cheers, Alastair



  • I remember having similar problems a long time ago.  You need to put the dsl modem into bridge mode and set the pfsense wan to pppoe. That should solve your issues.



  • @thermo:

    I remember having similar problems a long time ago.  You need to put the dsl modem into bridge mode and set the pfsense wan to pppoe. That should solve your issues.

    Hello,

    As far as the problems go - do you mean the "arpresolve" and issues accessing the internet?  Things are working just now thankfully - by using DHCP rather than static IP on the WAN - not sure why that made the difference but it did.

    I might try putting the DSL modem in bridge mode sometime soon but need to be careful because I'm up and running and don't want to break it! My ISP uses PPPoA - PPPoE appears to work (checked ISP forums) so I'll try it sometime probably.

    What's annoying me right now are all the f/w logs blocking LAN outgoing e.g.

    
    Nov 17 20:20:00 janus pf: 00:00:02.650455 rule 5/0(match): block in on vr0: (tos 0x0, ttl 64, id 56736, offset 0, flags [DF], proto TCP (6), length 836)
    Nov 17 20:20:00 janus pf:     10.19.130.224.42156 > 173.194.41.72.443: Flags [FP.], seq 1506893025:1506893809, ack 2060903969, win 406, options [nop,nop,TS val 2685505 ecr 406226205], length 784
    

    This happens LAN to internet even though the default rule is to allow LAN to any.

    Cheers, Alastair
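The blocked LAN packets in both of Alastair's posts share one tell: every dropped TCP packet carries FIN, PSH or ACK but never SYN. pf pass rules are stateful and, with pfSense's default flag matching, only the SYN that opens a connection creates a state entry; a mid-stream packet whose state has already been closed or expired (the case the linked m0n0wall FAQ describes) matches no state, is never evaluated against the LAN "allow any" rule, and lands on the default deny. The Python below is an added example, not code from the thread or from pfSense: it parses the two-line pf/tcpdump log format quoted above and separates such out-of-state drops (no SYN) from genuine policy blocks (SYN present). The log lines are constructed after the ones posted; the third pair, a SYN from 203.0.113.7 to port 22 arriving on an interface named vr1, is invented (vr1 assumed to be the WAN) to show the other class.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterator, Optional

# Constructed sample in the two-line pf log format quoted in the thread: a
# syslog-prefixed "rule ..." header line, then a tcpdump-style packet line.
# The first two pairs follow the entries Alastair posted (vr0 = LAN); the
# third pair (SYN to port 22 on vr1, vr1 assumed to be WAN) is invented.
SAMPLE_LOG = """\
Nov 17 20:20:00 janus pf: 00:00:02.650455 rule 5/0(match): block in on vr0: (tos 0x0, ttl 64, id 56736, offset 0, flags [DF], proto TCP (6), length 836)
Nov 17 20:20:00 janus pf:     10.19.130.224.42156 > 173.194.41.72.443: Flags [FP.], seq 1506893025:1506893809, ack 2060903969, win 406, options [nop,nop,TS val 2685505 ecr 406226205], length 784
Nov 17 20:20:03 janus pf: 00:00:02.120000 rule 5/0(match): block in on vr0: (tos 0x0, ttl 64, id 56740, offset 0, flags [DF], proto TCP (6), length 52)
Nov 17 20:20:03 janus pf:     10.19.130.224.35528 > 74.125.132.95.443: Flags [P.], seq 1:1, ack 1, win 406, length 0
Nov 17 20:21:10 janus pf: 00:00:01.000000 rule 5/0(match): block in on vr1: (tos 0x0, ttl 48, id 1, offset 0, flags [DF], proto TCP (6), length 60)
Nov 17 20:21:10 janus pf:     203.0.113.7.40000 > 192.168.1.100.22: Flags [S], seq 1, win 65535, options [mss 1460], length 0
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pf: \S+ rule (?P<rule>\d+)/\d+\(\w+\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+):.*proto (?P<proto>\w+) \(\d+\)"
)
PACKET_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ pf:\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):(?: Flags \[(?P<flags>[^\]]*)\])?"
)


@dataclass
class PfEntry:
    timestamp: str
    rule: int
    action: str      # "block" or "pass"
    direction: str   # "in" or "out"
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: Optional[str]  # tcpdump TCP flag string ("S", "FP.", "P.", ...); None if absent


def parse_pf_log(text: str) -> Iterator[PfEntry]:
    """Pair each 'rule ...' header line with the packet line that follows it."""
    header = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m
            continue
        p = PACKET_RE.match(line)
        if p and header is not None:
            yield PfEntry(
                timestamp=header["ts"], rule=int(header["rule"]),
                action=header["action"], direction=header["dir"],
                iface=header["iface"], proto=header["proto"],
                src=p["src"], sport=int(p["sport"]),
                dst=p["dst"], dport=int(p["dport"]),
                flags=p["flags"],
            )
            header = None


def classify(entry: PfEntry) -> str:
    """Separate genuine policy blocks from out-of-state drops.

    Only a SYN creates state under pf's default stateful pass rules, so a
    blocked TCP packet without SYN never had a chance to match the LAN pass
    rule: its state was closed, expired, or never created (asymmetric path).
    """
    if entry.action != "block":
        return "pass"
    if entry.proto != "TCP" or entry.flags is None:
        return "policy-block"
    if "S" in entry.flags:
        return "policy-block"   # connection attempt the ruleset actually refused
    return "out-of-state"       # mid-stream FIN/PSH/ACK/RST with no matching state


def summarize(text: str) -> Dict[str, int]:
    """Count blocks per interface and class, e.g. {'vr0:out-of-state': 2}."""
    return dict(Counter(f"{e.iface}:{classify(e)}" for e in parse_pf_log(text)))


if __name__ == "__main__":
    for e in parse_pf_log(SAMPLE_LOG):
        print(f"{e.timestamp} {e.iface} rule {e.rule} {e.src}:{e.sport} -> "
              f"{e.dst}:{e.dport} flags={e.flags} => {classify(e)}")
    print(summarize(SAMPLE_LOG))
```

Run against a real pfSense log, a high share of "out-of-state" entries on the LAN interface is noise from closed or expired states rather than a rule problem; only the "policy-block" class reflects what the ruleset actually refused.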