Can ping to LAN but not Web Configurator



  • Hi Guys

    I've just installed pfsense, both WAN & LAN interface is up and running.  However, I can't access Web Configurator when I type the LAN IP.

    I can ping the LAN IP, but when I type the same IP in my browser it doesn't bring up the Web Configurator, just a page saying This page can't be displayed.

    Any ideas?

    Thanks


  • Moderator

    Did you enable http or https or did you change the default port? You can look at the console and it will show you what the address and port is set to. You are also able to change it there.

    http(s)://x.x.x.x:xx


  • LAYER 8 Global Moderator

    As other possible problem - you sure the IP your pinging is pfsense and not some other box?  Validate the mac your seeing for that IP your pinging.



  • I didn't change the default port, in fact, I did a Reset to Factory Deafault on the console, I tried the IP it had given me, also the same result, can PING but can't access via Web.

    I'm 100% sure I'm not pinging the wrong machine, the entire setup is right in front of me, Laptop to switch, pfsense LAN interface to switch, WAN interface to router.  I started the ping -t on my laptop and as soon as I unplug the cable on the LAN interface LAN port, it stopped responding and starts to respond when I plug the cable back into the LAN interface LAN port.

    I'm not sure is it because I'm using the Intel NUC unit with two USB network adapter for the LAN/WAN interfaces would cause some problems, but both USB network adapter can be recognized by pfsense.

    Thanks for the reply


  • LAYER 8 Global Moderator

    Ok other thing I could see as problem is that your set to use a proxy on your browser.. and can not get to the proxy or the proxy can not get to the IP your going to, etc.

    I would think maybe your actually connected to wan vs lan sort of thing - but out of the box the wan would not answer ping, etc.



  • eeehm, 100% sure you didn't mix up the WAN/LAN? Just to test… ;-)


  • Netgate Administrator

    Wouldn't be the first time wan and lan have been mixed up. However you shouldn't be able ping the wan (or lan through the wan) and if you're using dhcp on lan it should be obvious you're connected to the correct interface.
    Do you have a subnet conflict?

    Steve


  • LAYER 8 Global Moderator

    " if you're using dhcp on lan it should be obvious you're connected to the correct interface"

    Agree - but if his wan of his pfsense is actually a network where there is another dhcp server, and quite possible its a common 192.168 network since he didn't give us the details of what IP he is trying to connected too.

    To the subnet conflict – hmm he states this "Laptop to switch, pfsense LAN interface to switch, WAN interface to router."

    You don't have the router connected to this switch as well do you?  Where you run into the issue where you have both wan and lan on the same network?

    What browser are you using - I think there was some issues when firefox 31 came out and the cert used for web gui being marked as ca cert?  Also what version of pfsense are you using just so we have full details, etc.



  • Thanks for all the reply.

    To make things more simple.  I even disconnected WAN interface.

    So only the LAN interface has a cable connected to the switch.

    It is a very simple setup now, there are only 2 cables to the switch, one from Laptop, one from Pfsense LAN interface.

    LAN interface IP is 10.0.0.1 , Laptop gets it's IP from Pfsense DHCP , which is 10.0.0.50 (i've set the range from 10.0.0.50-10.0.0.100)

    Laptop can Ping 10.0.0.1 , and from Pfsense console I can also ping 10.0.0.50

    I've tried using IE and Chrome to access 10.0.0.1 but both returned Page is not available

    I've not change the default port at all

    It is very strange …



  • Would you mind showing us the output of ipconfig /all or, if you are using linux, ifconfig ? Also, would you mind showing the IP and cidr of the PFSense interface? That would help a lot.. it sort of sounds like dhcp is handing out the incorrect subnet or something similar.. also, are you trying to connect to the web interface using a dns name, or the ip address directly? (I know a lot of these questions sound pointlessly simple, but they would help rule out a few things..)

    Also, have you tried setting the IP address of your laptop statically and connecting to the pfsense machine? Also, have you enabled SSH and tried connecting through ssh? If you did connect through SSH (or even could connect to ssh using telnet as a test.. ex: telnet 192.168.1.1 22) it would definitely show that you've only having issues with the web interface and not ip/tcp communication..

    Something to mention.. I've run into this issue once before actually. I ended up backing up the configs, setting it to factory defaults, loading just the firewall, nat, and alias configs and then set up wan/lan all over again… Just doing a factory reset and restoring the whole thing didn't fix the problem. To this day I've no idea what the issue could have been, as I am 1000% positive that the basic settings like IP/subnet were identical before and after. It really was beyond frustrating and annoying since I spent 5+ hours on it before I got to the point of re installing. That box is now running like a champ for a 120 user company in the transportation industry, serving out vpn connections and all. :) So don't let this discourage you...



  • I had this once on a fresh install. I re-assigned interface in the console, tried to re-start the web interface in the console without success. Then I simply did a fresh install and the problem was solved…


  • LAYER 8 Global Moderator

    "LAN interface IP is 10.0.0.1"

    Why are you changing the lan IP during the install process?  When did you change it to that..  Did you restart the web from console.  I would suggest fresh install..  Let it come up on default which would be 192.168.0.1 I believe - and then try and get to the web gui.  Once you finish the setup then try changing the IP of your lan interface on pfsense to your 10 address you want.


  • Netgate Administrator

    I agree. There have been issues with changing the LAN subnet during initial install, though I've never seen that personally. The symptoms seem to indicate the webserver is not listening/responding on the correct address/port for whatever reason. It may be possible to diagnose that but it's probably easier to re-install to the standard values and then change it later as John suggests.

    Steve



  • Hi Guys

    Terribly sorry for not getting back sooner, I've been away.

    I've taken some photos of my setup

    As you can see

    WAN is set to UE0 interface with IP 192.168.16.204
    LAN is set to UE1 interface with Default IP 192.168.1.1

    The RED cable is WAN connection
    The BLUE cable is LAN connection, it connects to a switch.  My notebook connects to the same switch.

    The notebook gets IP from PFSense DHCP  with the range from  192.168.1.100 - 192.168.1.150

    I can select option 7 from PFSense console to ping my Laptop.

    As you can see on my notebook screen .. I can also ping the PFSense box, but when I tried the Web Config page 192.168.1.1, I get the error message, if you look  closely to the browser tab, you can actually see the PFSense logo.

    Any idea what might have caused this?  The notebook firewall has been switched off to make things easier.

    Thanks in advance


  • LAYER 8 Global Moderator

    And is your browser using a proxy..  And not set to bypass on local networks that would explain why it can not get to a local address..  If you have not set a proxy, then you have an infection would be my guess.

    Fire up wireshark on the box - what does it show going on the wire..



  • Maybe I just got lost in the reading…

    But if you are trying to reach the web gui on 10.0.0.1

    and your lan address on pfsense is 192.168.1.1

    You will never succeed.

    Can you please attach a photo of the browser error you get when you try to access the web gui also?


  • Netgate Administrator

    You have tried https yes?

    Since you are seeing a pfsense favicon have you ever connected to another pfSense box at that address?

    Steve



  • You know - Something very basic has to be wrong because in default setup, pfsense just works.

    I suggest a reinstall from scratch and maybe even try another computer as client.

    Also, check your cables.


  • LAYER 8 Global Moderator

    I have setup pfsense I don't know how many times going back to very early version 1.x - running devolpment versions, etc. etc.  Hardware and VM from everything to virtualbox, to vmware server 1, vmware server 2, esxi version 3.5 through 5.5

    Have never seen it not just work out of the box.  So here is the thing - is anything else connected to this switch, does the switch have an IP on it or just dumb switch.

    Validate the MAC address pfsense has for its lan interface, and the mac address your pinging.  On pfsense do a netstat do you see the web gui running?

    [2.1.5-RELEASE][root@pfsense.local.lan]/root(7): ps -ax | grep lighty
    46888  ??  S      0:17.64 /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf

    [2.1.5-RELEASE][root@pfsense.local.lan]/root(9): netstat -an | grep .80
    tcp6      0      0 *.80                  .                    LISTEN
    tcp4      0      0 *.80                  .                    LISTEN

    [2.1.5-RELEASE][root@pfsense.local.lan]/root(10): ifconfig

    vmx3f1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
            options=403bb <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,jumbo_mtu,vlan_hwcsum,tso4,tso6,vlan_hwtso>ether 00:0c:29:1e:18:ae
            inet 192.168.1.253 netmask 0xffffff00 broadcast 192.168.1.255

    And again - run wireshark on the box your trying to connect to pfsense on.. What does it show?  I would really look to your browser being setup to use a proxy, and not set to bypass for local network, or infected.  You don't have anything installed on this pfsense install like squid or snort, etc.?  Its clean - and your saying its routing internet traffic - but you can not connect to even run the first setup wizard and change the pfsense password, etc.</rxcsum,txcsum,vlan_mtu,vlan_hwtagging,jumbo_mtu,vlan_hwcsum,tso4,tso6,vlan_hwtso></up,broadcast,running,simplex,multicast>



  • Interesting idea that maybe something else is interfering…

    Unplug the switch.  Plug the computer directly into the pfsense LAN with nothing else attached then give it a try.


  • LAYER 8 Global Moderator

    ^ for all we know for his switch he is using some soho routers switch ports and it has an IP of 192.168.1.1, which you would think he would get that web gui.  But when something doesn't work that you think should be working, it takes 2 seconds to validate your actually talking to the correct something.  Have run into duplicate IPs too many times to not validate the mac.

    I would think more likely reason is that his browser is just using some proxy..


  • Netgate Administrator

    Some devices do not redirect to https when you try to use http and behave like this.
    If you had two devices trying to be 192.168.1.1 would you get ping response in both directions? Especially if one of them was the switch.

    Steve


  • LAYER 8 Global Moderator

    no you could get answer to ping

    so from 192.168.1.100 I ping 192.168.1.1 but get mac of say the switch IP..  He answers.  When you ping the 100 from pfsense .1 he pings the mac of .100 and .100 send answer to the mac that asked.


  • Netgate Administrator

    Hmm, yes layer 2/3 difference. The MAC would show though as you've been saying.

    Steve



  • Thanks for all the input guys, really appreciated.

    As suggested, I've taken out the switch, now directly connect my notebook to LAN interface (white cable , UE1 on pfsense), WAN (UE0) still the same Red Cable

    I followed the instructions as shown to me

    I can't confirm the MAC address as the J5 creator doesn't print the MAC on the unit nor the package it came with

    I've checked my Proxy setting to make sure

    I've installed Wireshark and as soon as I go to the pfsense box (192.168.1.1) I get the RED text on Black shown in Wireshark



  • Oh I forgot to mentioned . Yes I've connected to another pfsense box to that address in the past.

    And .. I've also tried connecting using another Desktop PC, same results.

    It is a clean install, it doesn't route internet traffic yet, WAN interface is connected but I can't access internet on my notebook.


  • Netgate Administrator

    Hmm, weird. Looks like the pfSense box is replying but your laptop is ignoring the replies. Perhaps.  :-\

    Are you able to browse other external sites? Ping external addresses? In other words is routing working?

    I notice your WAN interface has auto-negotiated to 10Mb which is odd but shouldn't be causing this.

    Steve


  • LAYER 8 Netgate

    I've installed Wireshark and as soon as I go to the pfsense box (192.168.1.1) I get the RED text on Black shown in Wireshark

    SYN from you
    SYN,ACK from pfSense
    ACK from you should be next.  It's not there so you aren't getting the webConfigurator.



  • So .. just to be sure I'm not doing anything stupid…

    I've wipe & Re-Install PFsense again.

    I selected option 1

    I selected option I

    And it is still not working for some strange reason.

    The routing isn't working either as I can't access external internet.



  • More USB ethernet…

    Trouble shooting these setups is always hard when they are so simple and yet things refuse to work, but I don't like USB ethernet, and I'm sure its working for some people in some installations, but up to this point, its the most likely culprit I've noticed.  You don't have even a single built in NIC?



  • I'm thinking whether it's those USB ethernet adapter is causing it.  I'll see if I can try another brand and see if it makes any difference.


  • Netgate Administrator

    Hard to believe it would work with ICMP but not TCP.
    As Derelict said your client is not responding. This appears to be a client side issue. Yet you say you tried a different client? Different browser?

    Steve


  • LAYER 8 Netgate

    You want to check that "Block private networks" is unchecked on your WAN interface.  I don't know if the installer does that by default if it detects a private WAN address.

    Is that wireshark capture a few messages back taken from the 192.168.1.100 windows client?  If so, you need to figure out why it is not sending an ACK in reply to the SYN,ACK sent by pfSense in the connection process before you waste any more time looking at pfSense.

    Or, as has been mentioned, USB ethernet interfaces: not a fan.  BUT if they're mucking up the works, it should show in the SYN,ACK captured by wireshark.



  • If you look at "Valid interfaces are" the answer is:

    Probably not…


  • LAYER 8 Netgate

    Yeah.  More likely some software firewall or antivirus or ? on the windows pc.


  • LAYER 8 Global Moderator

    You will notice that the connection just kind of dies.. Not only do you see retrans from pfsense you call see retrans from .100 to .1

    It is not answering dns queries either..

    Juts for be complete - how you would verify the mac your pinging is to look in your arp table on the .100 box

    So

    C:>arp -a

    Interface: 192.168.1.100 –- 0xc
      Internet Address      Physical Address      Type
      169.254.7.80          00-26-24-08-8a-ed    dynamic
      169.254.82.185        00-1c-c3-09-05-7a    dynamic
      192.168.1.3          00-0c-29-c8-f2-dc    dynamic
      192.168.1.7          00-0c-29-dd-02-ba    dynamic
      192.168.1.8          00-0c-29-55-4f-95    dynamic
      192.168.1.40          00-1f-29-54-17-14    dynamic
      192.168.1.97          00-26-24-08-8a-ed    dynamic
      192.168.1.98          00-1c-c3-09-05-7a    dynamic
      192.168.1.99          00-06-dc-43-ad-78    dynamic
      192.168.1.253        00-0c-29-1e-18-ae    static
      192.168.1.255        ff-ff-ff-ff-ff-ff    static
      224.0.0.22            01-00-5e-00-00-16    static
      239.255.255.250      01-00-5e-7f-ff-fa    static

    You notice from my workstation that is the mac I saw on my ifconfig..

    Your sniff is odd.. You see 3 different connections to 80..  And yes you see the syn-ack back, but you never send ack?  And actually start the conversation..  And then you just see a bunch of retrans

    You see retrans from pfsense sending his syn-ack because he never got back the ack.. And you see .100 sending back his syn because seems he thinks he never got the syn-ack.

    Need to figure out why your client .100 did not send back ACK to the syn-ack he was clearly sent and seen by wireshark for the 3 different connections you tried to create to http (80)

    Do you have another client you can try?


  • LAYER 8 Netgate

    MACs will also be in your wireshark captures.


  • LAYER 8 Global Moderator

    yeah in there it looks right

    to where he is sending the request for 80


  • LAYER 8 Netgate

    Are these captures taken on .1 or .100?

    It makes a difference because if from .1 we know the SYN-ACK was sent, but not that it was actually received.  If from .100 we know it was sent and received.


  • LAYER 8 Global Moderator

    Have to assume it is taken on .100

    Since he states
    "I've installed Wireshark and as soon as I go to the pfsense box (192.168.1.1) I get the RED text on Black shown in Wireshark"

    I doubt he installed wireshark on the pfsense box ;)


Log in to reply