No WAN to LAN Throughput



  • This is the 2nd time I installed pfSense, the first time being without problems

    I added 2 more INTEL NIC's (all 4 NIC's identical Intel NIC's) and then installed pfSense 2.1.3. Manually assigned WAN to em0 and Lan 1 to em1 - did not install VLAN's for 2 other NIC's at this time (NIC's not used at this time; just installed).

    Setup went smoothly but there is no throughput from the WAN to the LAN and out to my CISCO SG-300 Managed Switch.

    Result: No network and no Internet Access from Comcast Business Class modem to Network Appliance to Cisco Switch to Computers.

    What am I doing wrong? (perhaps the attached snippet will help)

    Note: Since pfSense has a built-in NAT I wouldn't think I need to manually enter IP addresses (that would be silly).

    ![pfSense problem.PNG](/public/imported_attachments/1/pfSense problem.PNG)


  • Netgate Administrator

    When you add NICs that have the same driver the order they are in may change. Which NIC is em0, for example, is down to the order they are detected in. Don't assume what was your previous LAN will still be that.

    Is the pfSense box receiving an IP from Comcast on its WAN?

    Steve



  • Steve,

    That's an interesting point. Although I installed 4 identical Intel NIC's, I put the WAN in the lowest (geographically) NIC, so I could go up 1, 2, 3 for VLAN's. During setup I connected only the WAN line and manually set it at em0, then I connected the single LAN line (will do VLAN's later) in the 2nd from the bottom card and manually assigned that em1. Result: No throughput.

    Now here's a thought. How about I take out all the NIC's I don't intend to use (what I did before), leaving only 2, 1 for WAN and 1 for the LAN?

    Later, as I install WAN's I can put the NIC's in one by one. Would that work better?

    Btw, thanks for your assistance and your time!  :)



  • If I understand what you're trying to accomplish - get your NICs to number logically (em0, em1,…) in the same order as their physical placement in the box (bottom to top) you may have a few issues.

    As Steve mentioned, the logical order depends on how FreeBSD (and the BIOS) "finds" the cards.  This often has nothing to do with their physical order, depends on the hardware and can be rather bizarre at times.  I've seen motherboards that force the middle of three slots to be the first acquired and labelled as "em0" (or whatever driver is used).

    There may be a way to force the order that you want (I've never dug into those details in FreeBSD), but probably the simplest thing to do is plug all the cards in and label them as to em0, em1, em2, em3 on the outside so you handle your later VLANs.  Waiting till later won't help as Steve mentioned, the system may well reorder your cards when you plug a new one in.

    The simplest way to find out which physical card corresponds to which logical one is to use the console and watch as you connect/disconnect a live ethernet cable into each card.  You should see a status message on the console saying "Interface em0 up"  (em1, etc) as you plug in the cable.
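
The cable test described in the post above, written as a script: snapshot each NIC's link status, plug a live cable into one port, snapshot again, and report which `emN` changed. This is an added example, not part of the thread; the sample `ifconfig` output and MAC addresses are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; sample data below is constructed, not taken from the thread.

# Reduce `ifconfig` output on stdin to "name<TAB>mac<TAB>status", one line per emN NIC.
link_table() {
    awk '
        function emit() {
            if (name ~ /^em[0-9]+$/) printf "%s\t%s\t%s\n", name, mac, st
            name = ""
        }
        /^[a-z]+[0-9]+: / { emit(); name = $1; sub(/:$/, "", name); mac = "-"; st = "unknown" }
        $1 == "ether"     { mac = $2 }
        $1 == "status:"   { st = $0; sub(/^[ \t]*status:[ \t]*/, "", st) }
        END               { emit() }
    '
}

# Compare two link_table snapshots (file paths) and report NICs whose link status changed.
link_changes() {
    awk -F '\t' '
        NR == FNR { before[$1] = $3; next }
        ($1 in before) && before[$1] != $3 { printf "%s (%s): %s -> %s\n", $1, $2, before[$1], $3 }
    ' "$1" "$2"
}

# Constructed FreeBSD-style ifconfig output; $1 and $2 are the link status of em0 and em1.
# MAC addresses are from the RFC 7042 documentation range.
sample_ifconfig() {
    printf 'em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n'
    printf '\tether 00:00:5e:00:53:01\n\tstatus: %s\n' "$1"
    printf 'em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n'
    printf '\tether 00:00:5e:00:53:02\n\tstatus: %s\n' "$2"
    printf 'lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384\n'
}

# Snapshot with no cables, then with a live cable in one port: the changed NIC is that port.
# On a real box, replace sample_ifconfig with `ifconfig` run before and after plugging in.
demo() {
    tmp=$(mktemp -d) || return 1
    sample_ifconfig "no carrier" "no carrier" | link_table > "$tmp/before"
    sample_ifconfig "no carrier" "active"     | link_table > "$tmp/after"
    link_changes "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}

demo
```

Recording the MAC next to each name matters because the MAC stays with the physical card even if adding another NIC changes which one is detected as `em0`.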



  • For what it's worth, Windows does a similar kind of bizarre NIC numbering.  We get Dell servers with 4-6 NICs each, and the NIC numbering on the back of the server bears absolutely no relation to the NIC number Windows gives it.  Plugging the cable into NIC1 on the server leads to Windows telling me that Local Area Connection #3 is live, for example.  Same with SCSI cards.  I have some users with optical jukeboxes, and I wish I had a dollar for every time they added a SCSI HBA and their jukebox disappeared because Windows decided to arbitrarily renumber the SCSI bus.



  • @divsys

    what you're trying to accomplish - get your NICs to number logically (em0, em1,…) in the same order as their physical placement in the box (bottom to top) you may have a few issues.

    As Steve mentioned, the logical order depends on how FreeBSD (and the BIOS) "finds" the cards.  This often has nothing to do with their physical order, depends on the hardware and can be rather bizarre at times.  I've seen motherboards that force the middle of three slots to be the first acquired and labelled as "em0" (or whatever driver is used).

    Now that is interesting. I just found a way around that and although my OCD is not entirely satisfied I have the NIC's at least in geographic order. What I did: I went back, did a reinstall, and this time did auto, plugged in the WAN to the lowest NIC (geographically) and then the same (auto) for the LAN, result being the WAN came up em1 and the LAN coming up em0. I can live with that.

    Now I have throughput, although not at first. I had to go back and tell Windows 7 (Ultimate) that my network was not Public (defaulted to that when I set up the pfSense) but instead was Work. Took a minute or two of course but now everything is coursing nicely through the pfSense box to the Cisco Managed Switch and on to the computers in my network.

    You guys are really great and I appreciate all of you for having patience with me.

    Final question, if I might: Later when I set up VLAN's would I be wiser to do that in the pfSense Network Appliance or on the Cisco Managed Switch? If you say the pfSense box (which I think makes more sense), then it looks like I won't be needing the somewhat expensive Cisco Switch.


  • Netgate Administrator

    You have said you didn't set up the other NICs because you didn't want to set up VLANs at that point but you don't need to use VLANs. You can assign the other 2 em NICs as additional interfaces, they will appear as OPT1 and OPT2.
    Is there some specific reason you wanted to use VLANs?

    Steve



  • Final question, if I might: Later when I set up VLAN's would I be wiser to do that in the pfSense Network Appliance or on the Cisco Managed Switch? If you say the pfSense box (which I think makes more sense), then it looks like I won't be needing the somewhat expensive Cisco Switch.

    Er, you need both actually…..

    VLANS let you pass different VLAN ID'd traffic through one NIC card.  Your VLAN compatible switch is then needed to separate that traffic out to different ports as required.  As Steve mentioned, if you've got enough free NIC cards in your pfsense box to handle all the subnets you'll need, then you can ignore VLANS.  Otherwise you have to configure pfsense AND the switch together to make VLANs work.



  • Now I am embarrassed.  :-[

    No excuse. Subnets, not VLAN's.

    For security purposes would it behoove me to traffic directly out of the pfSense Network Appliance via 3 separate LAN NIC's or via the 10-port managed switch?

    What I want to do:

    1. Keep intruders out of my network
    2. Control access amongst my computers (4 workstations and a data storage server)
    3. Use the NAT to hide the IP of my individual computers from the outside world

    You know, I took both the Cisco beginning and advanced classes (simultaneously, if you can believe that) and did well on the tests but really only succeeded in confusing myself with tons of theory. Unfortunately in the real world, I'm still helpless. Quite frankly, the Cisco classes went much deeper than I really wanted and after reading, yellow highlighting and taking notes on 2,000 plus pages, all I am is confused. I had debated prepping for the CCNA Security certificate but then that too is way beyond my needs. Right now I am just spread too thin, but my area of expertise being language acquisition using math and logic. A computer guy by choice; an educator by profession.

    So please forgive my idiocy.

    +++++++++++++++++

    I need to give pfSense the time it deserves, meaning I really need to read more and digest it. I'll come back later when I won't waste your time with such "hold my hand please" questions.

    Apologies to all.



  • No need for apologies or embarrassment.  When I first started with pfSense, I was pretty dumb.  Now after using it for a few months and reading/helping in these forums, I'm just slightly less dumb than when I started.  Baby steps!



  • I'll second KOM's remarks: there are no stupid questions  ;)

    The theory is nice, but like someone else's buy line says -

    Theoretically, theory and practice are the same. Practically they're not.

    If you're willing to try your solutions in the real world and do a little research yourself, we're willing to help.

    Welcome to pfsense!  :)



  • You people are so very kind and have helped me more than you will ever know.

    As I mentioned, I took both the Cisco Routers 1 and 2 simultaneously. The instructor was excellent and on a par with the best instructors I had in university. However, I had a number of family obligations at the same time and although I went through the entire Cisco 1 and 2 curricula as well as the very fine Odom books, I came away with only a superficial understanding of networking.

    So how did you and setting up pfSense on my Network Appliance help me? Well, I've decided to go back and take the Cisco 2 class again and then get the CCNA Security certificate. I have no interest in working in Cisco but I do want to really, really know this stuff.

    I hate being ignorant. So I will do something about it. Thanks guys!


  • Netgate Administrator

    Same sentiment from me. It's always better to ask questions than to struggle on alone for fear of saying the wrong thing.  ;)

    Since you have 4 NICs you can have a 1 WAN and 3 LAN setup (without using VLANs). 3 internal interfaces, 3 separate subnets with whatever firewall rules you choose to put in to filter traffic between them.
    You might choose to put any servers on one subnet, wireless clients on another and everything else on the last for example.

    If you want more segregation, firewall rules between each machine for example, you can add further interfaces using VLANs and your switch.

    Steve

