pfSense can ping LAN + all external WAN, but not laptop client (VirtualBox pfs)



  • Hi,

    I have this setup (network map/notes below – SUPER REVAMPED, 100% clean, I guarantee you no headaches):

    https://docs.google.com/presentation/d/1tkv4f54K9KuRVhPLdwBzgcaeBpYM4kzgtFTgbtkMA_w/edit?usp=sharing

    I am using a DSL modem with PPPoE, so the setup isn't as easy as with just cable. My problem is:

    WiFi clients can't connect to WAN, no matter what. They can ping almost anything on the LAN, even 8.8.8.8!
    Clients can actually search Google, even (Google DNS), but can't go beyond that. It isn't just old cache: I can search for "asfasffsaafga" and something new will show, signifying some sort of WAN access.
    It's strange... thoughts? I want to blame NAT rules? Or DMZ?

    (Ignore all comments below – I completely changed my network setup)


  • Netgate Administrator

    Your pfSense WAN is set as /8, which means it includes a whole load of public addresses as well as the 192.168.0.X subnet. Should be /24.

    Steve



  • I changed the whole 10.0.0.x/8 network to 192.168.0.x/24... still no dice. pfSense (VirtualBox)/server can ping WAN, but the laptop client cannot.


  • Netgate Administrator

    This is probably not the cause of your problem, I'm still staring at your diagram trying to analyze it.  ;)

    However you already had a 192.168.0.X subnet in the diagram, did you change that too?

    Also the issue I pointed out above was not with the 10.0.0.0/8 subnet. In your diagram you have screenshot showing the pfSense interfaces. It shows the pfSense WAN interface, em0, has the address 192.168.1.012/8. That is the problem. The /8 there is much too wide a subnet mask. It's invalid.

    Can you ping the wifi router from pfSense? Is the wifi router set up to allow access to its GUI from the wifi interface? Some devices block that by default.

    Steve
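    As an added illustration of the mask problem Steve describes (this is not code from the thread or from pfSense), the snippet below uses Python's standard `ipaddress` module to show what a 192.168.1.x/8 interface actually claims: that all of 192.0.0.0/8, nearly all of it public address space, is directly attached, so packets for those addresses would never be handed to the gateway. The address/mask pairs are constructed from the ones discussed in the thread; the screenshot's "192.168.1.012" is written as 192.168.1.12, since a leading-zero octet is not a valid dotted quad.

```python
"""Check a firewall interface address against its prefix length.

Added example for this thread, not pfSense code. It shows why an address
such as 192.168.1.12/8 is wrong: the /8 makes the interface treat all of
192.0.0.0/8 as on-link, although only 192.168.0.0/16 of that is private.
"""
import ipaddress

# The RFC 1918 private blocks. A private interface address should sit inside
# one of these, and its mask should never reach outside that block.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def non_private_addresses(net: ipaddress.IPv4Network) -> int:
    """Count the addresses of `net` that lie outside every RFC 1918 block.

    Uses subnet arithmetic instead of enumeration, so a /8 (16 million
    addresses) is handled instantly.
    """
    remaining = [net]
    for block in RFC1918:
        kept = []
        for piece in remaining:
            if piece.subnet_of(block):
                continue                                    # fully private: drop
            if block.subnet_of(piece):
                kept.extend(piece.address_exclude(block))   # carve the private part out
            else:
                kept.append(piece)                          # disjoint: keep whole
        remaining = kept
    return sum(piece.num_addresses for piece in remaining)


def check_interface(cidr: str) -> dict:
    """Report what the mask really claims and whether that is plausible."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    home = next((b for b in RFC1918 if iface.ip in b), None)   # private block, if any
    foreign = non_private_addresses(net)
    problems = []
    if home is not None and not net.subnet_of(home):
        problems.append(
            f"/{net.prefixlen} makes {iface.ip} treat {net} as directly attached; "
            f"{foreign} of those addresses are public, so traffic for them would be "
            f"ARPed for on the local wire instead of being sent to the gateway"
        )
        problems.append(
            f"use the real segment mask (typically /24); anything wider than "
            f"/{home.prefixlen} is certainly wrong for {iface.ip}"
        )
    return {
        "interface": str(iface),
        "network": str(net),
        "foreign_addresses": foreign,
        "ok": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed cases: the bad WAN entry from the screenshot, its fix, and
    # the earlier 10.x layout, where a /8 happens to be entirely private.
    for cidr in ("192.168.1.12/8", "192.168.1.12/24", "10.0.0.25/8", "10.0.0.25/24"):
        r = check_interface(cidr)
        print(f"{cidr:18} {'OK ' if r['ok'] else 'BAD'} claims {r['network']:16} "
              f"public addresses swallowed: {r['foreign_addresses']}")
        for p in r["problems"]:
            print("   -", p)
```

    Note that 10.0.0.25/8 passes: 10.0.0.0/8 is a private block in its entirety, which is why the earlier /8 layout was not the fault, exactly as Steve says in the next reply. The 192.168.x.x/8 case is different because 192.0.0.0/8 is almost entirely public.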



  • @stephenw10:

    This is probably not the cause of your problem, I'm still staring at your diagram trying to analyze it.  ;)

    However you already had a 192.168.0.X subnet in the diagram, did you change that too?

    Also the issue I pointed out above was not with the 10.0.0.0/8 subnet. In your diagram you have screenshot showing the pfSense interfaces. It shows the pfSense WAN interface, em0, has the address 192.168.1.012/8. That is the problem. The /8 there is much too wide a subnet mask. It's invalid.

    Can you ping the wifi router from pfSense? Is the wifi router set up to allow access to its GUI from the wifi interface? Some devices block that by default.

    Steve

    Hiya,

    I actually fixed that issue – I'm closer, but no cigar:

    I have an external IP now on WAN.
    I can ping the wifi router from pfSense (and WAN, and... anything!)
    The wifi setup is for a captive portal... but I don't want to turn on the captive portal until everything is 100% working BEFORE I implement that.

    So my ultimate goal is just to have a wifi captive portal, Starbucks style: wifi talks to pfSense, blocks WAN traffic until logged in/accept button clicked, then access to WAN.

    So the captive portal is OFF, so why can the wifi client ping pfSense, ping 8.8.8.8, ping 192.168.0.1 (pfSense), ping 192.168.1.1 (DSL router), ping 192.168.0.2 (wifi AP), but not ping WAN (yahoo.com, etc.)?
    Random note: I can't ping the server's physical NIC (192.168.1.25), but I can ping the wifi NIC (192.168.0.25).

    Here is the latest pfSense dashboard – it should be looking a LOT better:

    Right now, it's this:


    192.168.0.x Laptop wifi client >>

    192.168.0.2 wifi AP (DHCP off, so passes to PFS) >>

    Windows 7 > VirtualBox with pfSense, WAN external address via PPPoE
    (originally 192.168.1.1 from physical NIC bridge @ 192.168.1.25
    // LAN 192.168.0.1 from wifi NIC bridge @ 192.168.0.25) >>

    pfSense can ping ANYWHERE (yahoo.com... routers... etc.),
    wifi client can ping 8.8.8.8, any router, any LAN, but not any WAN (yahoo.com).


    ![2014-11-24 23_39_19-pfsense.smartlaunch - Status_ Dashboard.png](/public/imported_attachments/1/2014-11-24 23_39_19-pfsense.smartlaunch - Status_ Dashboard.png)



  • I can't make sense of the diagram you linked to, but from your descriptions, the WiFi side is just an ordinary LAN-style subnet - client devices connect to it, get DHCP from pfSense, use pfSense as their upstream gateway.
    In that case WiFiGW should be removed - WiFiGW just happens to be the management IP address of the WiFi Access Point. In fact the AP is just a bridge between the wireless clients and wired LAN, it is not a gateway to anywhere (from pfSense point of view).


  • Rebel Alliance Global Moderator

    Yeah, that diagram was just horrific - it was like something an ADHD kid on crack might draw ;)

    Why do you have a WAN bridge and a WLAN bridge??
    "192.168.1.25 (WAN bridge, connected to 192.168.1.1) / 10.0.0.25 (WLAN bridge, connected to 10.0.0.1)"

    There shouldn't be any bridges?? This is really: turn on pfSense, connect AP to your LAN = done.



  • @johnpoz:

    Yeah, that diagram was just horrific - it was like something an ADHD kid on crack might draw ;)

    Why do you have a WAN bridge and a WLAN bridge??
    "192.168.1.25 (WAN bridge, connected to 192.168.1.1) / 10.0.0.25 (WLAN bridge, connected to 10.0.0.1)"

    There shouldn't be any bridges?? This is really: turn on pfSense, connect AP to your LAN = done.

    Oh whoops, I haven't updated the chart – ignore that and just look at my status for now. The bridge was originally because someone from another thread said I needed it O__o (didn't help). It was when I first started.

    It's that simple with cable, but it's not cable -- I have to deal with PPPoE and NAT because it's DSL. It's also VirtualBox, so it's all emulated. Going to sleep, I'll post more tomorrow. I'm guessing it's something bad to do with the NAT.

    ![2014-11-24 23_39_19-pfsense.smartlaunch - Status_ Dashboard.png](/public/imported_attachments/1/2014-11-24 23_39_19-pfsense.smartlaunch - Status_ Dashboard.png)


  • Netgate Administrator

    Yes, the gateway on the wifi interface is incorrect. pfSense should only have gateways on its WAN connections. However, the usual problem there is that the bad gateway becomes the default gateway, which breaks routing, but your clients are able to ping out to 8.8.8.8 for example. It's wrong and should be removed but probably isn't the cause of your issue, which seems to be DNS related.

    What are your clients using for DNS? I would expect it to be the pfSense LAN IP. Is it being handed out correctly via DHCP?

    The fact that you can't ping the virtualbox host machine could be a VB config problem or simply that the pfSense is pinging from a different subnet and the windows firewall is blocking that.

    It seems odd to me that you would have an IP on the wifi NIC that isn't the pfSense LAN address. Is it not bridged to the pfSense VM?

    Something else odd. Unless you have setup an interface to allow it, and it looks like you haven't, you should not be able to ping the DSL router at 192.168.1.1. The PPPoE connection should tunnel through that making it not routable.

    Another thing. Your diagram shows the wifi router operating some sort of DMZ mode. It should be bridging wifi to ethernet and not routing at all.

    Steve



  • @stephenw10:

    Yes, the gateway on the wifi interface is incorrect. pfSense should only have gateways on its WAN connections. However, the usual problem there is that the bad gateway becomes the default gateway, which breaks routing, but your clients are able to ping out to 8.8.8.8 for example. It's wrong and should be removed but probably isn't the cause of your issue, which seems to be DNS related.

    What are your clients using for DNS? I would expect it to be the pfSense LAN IP. Is it being handed out correctly via DHCP?

    The fact that you can't ping the virtualbox host machine could be a VB config problem or simply that the pfSense is pinging from a different subnet and the windows firewall is blocking that.

    It seems odd to me that you would have an IP on the wifi NIC that isn't the pfSense LAN address. Is it not bridged to the pfSense VM?

    Something else odd. Unless you have setup an interface to allow it, and it looks like you haven't, you should not be able to ping the DSL router at 192.168.1.1. The PPPoE connection should tunnel through that making it not routable.

    Another thing. Your diagram shows the wifi router operating some sort of DMZ mode. It should be bridging wifi to ethernet and not routing at all.

    Steve

    Hi, I completely changed my network layout (similar, yet better after more research… this new network map is also SUPER clean; I edited OP):

    https://docs.google.com/presentation/d/1tkv4f54K9KuRVhPLdwBzgcaeBpYM4kzgtFTgbtkMA_w/edit?usp=sharing

    WiFi clients are connecting via DHCP and the DNS assigned by pfSense is 8.8.8.8/4.4.4.4.

    I can ping the virtualbox host machine now as well. I also tested firewall off. Same issue, still.

    As for odd IP, are you saying that my server's wifi IP should be static to 192.168.0.1 (same as pfsense LAN)? I'll try that (yes it's bridged).

    As for pinging DSL router, I removed the bridge to allow this. I thought I needed this a while back.

    Ok I turned off DMZ. DMZ should also be off on DSL too? I'm getting mixed posts about what to do with DMZ (maybe just DSL, if any).

    Even though my network changed, the direction you gave me REALLY helps... I'll test around and get back to you. Let me know if you notice anything about my new layout, if you have time. Thanks mate (and other contributors).


  • Rebel Alliance Global Moderator

    Why do you say em1 and wan, and em0 and wan??  Do you still have them bridged in pfsense?

    Dude, I run this same sort of setup, but my server is running ESXi, not VirtualBox.

    And yes, that drawing is much easier to understand. But you have no networks listed on it? If you're going to double NAT from your ISP device, i.e. pfSense gets an RFC1918 address on its WAN, then yes, you can put the pfSense WAN IP into the DMZ mode of the ISP device.

    But none of pfSense's interfaces should be bridged to anything. Do you mean the VirtualBox interfaces are bridged with the physical NICs of the host? If so then yes, that is correct; you do not want any NATting or host-only networks in VirtualBox.



  • @johnpoz:

    Why do you say em1 and wan, and em0 and wan??  Do you still have them bridged in pfsense?

    Dude, I run this same sort of setup, but my server is running ESXi, not VirtualBox.

    And yes, that drawing is much easier to understand. But you have no networks listed on it? If you're going to double NAT from your ISP device, i.e. pfSense gets an RFC1918 address on its WAN, then yes, you can put the pfSense WAN IP into the DMZ mode of the ISP device.

    But none of pfSense's interfaces should be bridged to anything. Do you mean the VirtualBox interfaces are bridged with the physical NICs of the host? If so then yes, that is correct; you do not want any NATting or host-only networks in VirtualBox.

    OH, typo, yes the physical is WAN, the wifi is LAN. VirtualBox, yes – VB interfaces are bridged with the physical NICs.

    Speaking of which, on the host side (Windows 7 server), I'm sure it matters HOW I'm connected (since I'm bridging the connections with VirtualBox as em0 WAN, and em1 LAN)... right now my WAN physical NIC has a static IP of 192.168.1.25 with gateway 192.168.1.1 (DSL router)... and the LAN wifi NIC has a static IP of 192.168.0.25 with gateway 192.168.0.2 (wifi AP). This is correct... correct?

    "No networks listed on it" If you look at 2nd page (slide), it shows the network details: my 192.168.1.0 network (wifi/pfsense) and 192.168.1.1 (DSL).

    Do I need to make a virtual IP address because DSL is on a separate network, or something special to share the internet/WAN with wifi clients connecting?

    Something is weird in pfSense: if I use PPPoE, and go to the "gateway" section, I'll see my DSL gateway auto-made... but if I click on it again, do nothing but click save, it'll say "NOT IN NETWORK RANGE" (because it has a public address)... is there something I can do about this? I have a suspicion that this may contribute to no WAN.


  • Netgate Administrator

    With a PPPoE connection the gateway is allowed to be outside the subnet of the interface, whereas with other types, static/DHCP etc., it is not. If you try to define the gateway manually pfSense will complain, as you've found. This is not a problem. The fact that your pfSense VM can check for updates proves that it has WAN side connectivity.

    When using a virtual machine host and bridging interfaces I do not normally expect the host OS to use those interfaces. I can see how it might use the WAN NIC but there seems to be no reason that it should be using the LAN NIC. I would not expect that to have an IP. If you want the pfSense VM to firewall connections to the host as well then the host should not have an IP address on either WAN or LAN. Instead you add a further virtual NIC that the host OS uses to talk to the pfSense VM. VirtualBox has a special interface type for doing that but I have to admit getting that setup right has tripped me up the few times I've used VirtualBox.

    Steve
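    The two gateway rules given in this thread, that a gateway belongs only on a WAN-type interface (the "WiFiGW" entry on the wifi side is wrong) and that a gateway outside the interface's own subnet is acceptable only on PPPoE, where the peer is a point-to-point link rather than a broadcast segment, can be written down as a small lint over an interface table. The code below is an added example, not from the thread or from pfSense. The interface table is constructed from the thread; the public PPPoE address 203.0.113.45 and its peer 203.0.113.1 are placeholders from the documentation range, since the real ones are not on the page.

```python
"""Lint the gateway assignments of a small firewall's interfaces.

Added example for this thread, not pfSense code. Rules encoded:
  1. only a WAN-type interface carries a gateway;
  2. a gateway off the interface subnet is allowed only on a PPPoE link;
  3. at least one WAN gateway must exist, or there is no default route.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Interface:
    name: str                      # OS name, e.g. em0
    role: str                      # "wan" or "lan"
    link: str                      # "static", "dhcp" or "pppoe"
    cidr: str                      # address with prefix length
    gateway: Optional[str] = None  # next hop, if one is configured


def check_gateway(iface: Interface) -> List[str]:
    """Return the findings for one interface (an empty list means fine)."""
    findings = []
    if iface.gateway is None:
        if iface.role == "wan":
            findings.append(f"{iface.name}: WAN without a gateway; nothing can be routed out of it")
        return findings
    addr = ipaddress.ip_interface(iface.cidr)
    gw = ipaddress.ip_address(iface.gateway)
    if iface.role != "wan":
        # An access point or switch on the LAN side is a bridge, not a next hop.
        findings.append(f"{iface.name}: gateway {gw} on a {iface.role} interface; remove it")
    if gw not in addr.network and iface.link != "pppoe":
        # Static/DHCP interfaces must be able to ARP for their gateway.
        findings.append(
            f"{iface.name}: gateway {gw} is not in {addr.network} and the link is "
            f"{iface.link}; only a PPPoE peer may sit outside the interface subnet"
        )
    if gw == addr.ip:
        findings.append(f"{iface.name}: gateway equals the interface's own address")
    return findings


def lint(interfaces: List[Interface]) -> List[str]:
    """Run check_gateway over every interface, then the cross-interface rule."""
    findings = [f for i in interfaces for f in check_gateway(i)]
    if not any(i.role == "wan" and i.gateway for i in interfaces):
        findings.append("no WAN interface has a gateway; there is no default route")
    return findings


# Constructed from the thread: em0 carries the PPPoE session (placeholder
# public addresses), em1 is the wifi-side LAN with the AP's management
# address wrongly configured as its gateway ("WiFiGW").
THREAD_INTERFACES = [
    Interface("em0", "wan", "pppoe", "203.0.113.45/32", "203.0.113.1"),
    Interface("em1", "lan", "static", "192.168.0.1/24", "192.168.0.2"),
]

# The same layout with the LAN gateway removed.
FIXED_INTERFACES = [
    Interface("em0", "wan", "pppoe", "203.0.113.45/32", "203.0.113.1"),
    Interface("em1", "lan", "static", "192.168.0.1/24"),
]

# Double-NAT variant: pfSense's WAN is a private address behind the DSL router.
DOUBLE_NAT = [
    Interface("em0", "wan", "static", "192.168.1.25/24", "192.168.1.1"),
    Interface("em1", "lan", "static", "192.168.0.1/24"),
]

if __name__ == "__main__":
    for label, table in (("thread", THREAD_INTERFACES),
                         ("fixed", FIXED_INTERFACES),
                         ("double-nat", DOUBLE_NAT)):
        print(f"{label}: {lint(table) or 'clean'}")
```

    The PPPoE exemption is deliberately narrow: on a static or DHCP WAN, a gateway the interface cannot ARP for is exactly the "NOT IN NETWORK RANGE" condition the GUI rejects, and accepting it would only produce a default route that silently sends nothing anywhere.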