Problems correctly configuring pfSense, please help.



  • Hello all,

    Since I had an all-night DDoS on the box, it fried itself. So now I need to install and configure another one on an old PC, but I have various problems.

    1. Squid is configured and works fine, but the antivirus cannot see the HTTPS "eicar" file; it offers it to me to download. HTTP works fine, for now.
    2. pfBlockerNG loads the lists and updates them fine, but as far as I can see it does not filter at all; on the dashboard, instead of the numbers of packets, I see only "-" on all lists.
    3. I really need someone to explain to me how to do NAT, because I spent 2 days enabling internet on the LAN. Now it works, but I don't have a clue what exactly I touched to enable it. It could be that I created a weird rule which allows me internet on the LAN but bypasses everything else, like Squid, pfBlocker, etc. (I'll post a screenshot of the rules.)
    4. My gateway drops from time to time; is that common for cheap Realtek network cards? Or could it be that my modem is about to die too, because of overheating?

    I just hope that I'm not asking too much :)

    Many thanks in advance!


    https://dl.dropboxusercontent.com/u/31483374/Pfsense/logging%20proxy%20settings.png
    https://dl.dropboxusercontent.com/u/31483374/Pfsense/NAT.png
    https://dl.dropboxusercontent.com/u/31483374/Pfsense/pfblocker_floating%20rules.png
    https://dl.dropboxusercontent.com/u/31483374/Pfsense/Pfblocker_services.png
    https://dl.dropboxusercontent.com/u/31483374/Pfsense/proxy_general%20settings.png
    https://dl.dropboxusercontent.com/u/31483374/Pfsense/some_squid%20logs.png
    https://dl.dropboxusercontent.com/u/31483374/Pfsense/SSL%20proxy%20settings.png
    https://dl.dropboxusercontent.com/u/31483374/Pfsense/transparent_proxy%20settings.png
    https://dl.dropboxusercontent.com/u/31483374/Pfsense/pfblockerNG%20alerts.png


  • LAYER 8 Global Moderator

    2 days??  Dude, pfSense should be on the internet in 2 minutes of setup.  The LAN rule is default ANY ANY; as long as it gets an IP on its WAN that it can get to the internet with, you have nothing else to do to allow clients to get to the internet.

    As to your DDoS attack taking out your last box.  Ok ;)

    There is nothing to do to enable NAT out of the box.  What I would suggest is, before you install any packages, get it working out of the box.  Do you get a public IP on your WAN?  Or do you have some NAT router/gateway in front of pfSense?  Do you do PPPoE or just DHCP?

    Are you changing the LAN side from default?  Does DHCP work?  Let's get the basics working before you attempt packages that may or may not work with 2.2, etc.  You're trying to run Squid out of the box?  Why do you think you need pfBlocker?  Because the world is trying to DDoS you?  You do understand pfBlocker does nothing against a DDoS, since out of the box all inbound traffic to the WAN is blocked anyway.



  • Hello, thank you for reply.

    Yes, it was 2 days, since I was reinstalling it from CD, DVD, and USB at least 20 times each and couldn't get internet on the LAN. I could see packages, and "you are on the latest version" on the dashboard. The box has internet. The LAN does not. (BTW, now it works, don't know how.) I couldn't ping or trace anything after 192.168.1.1. Trace says not reachable; ping says time out, or not reachable. But if you see the attachments I placed, and you say that is OK, then I hope internet will work now.

    "Do you get a public IP on your wan?"

    • I have a public static IP on the WAN which was assigned to me by my ISP years ago. I configure the IP and create the GW and that's it. DHCP is disabled on the WAN interface.

    "ARe you changing the lan side from default?"

    • I'm confused about this. I set a static IP on the LAN, 192.x.x.1, with the same GW (it was exactly the same as on the old box). Enabled DHCP on the LAN interface, created ranges and assigned a couple of MACs to bind to specific IPs. (The binding was not created while I was struggling for internet.)

    The DHCP server works, since I got LAN IPs assigned and I see them on the lease page as online.

    As for pfBlocker, I thought it would at least make a DDoS less painful. And I simply don't want the whole world to be able to sniff in my network. It's not mandatory, but it's a nice feature.

    Many thanks for the input. If you need more screenshots or data, I'm here stalking this post.

    Kind regards.


  • LAYER 8 Global Moderator

    "I set a static IP on the LAN, 192.x.x.1, with the same GW (it was exactly the same as on the old box)."

    You DON'T ever set a GW on a LAN interface.  That would turn it into a WAN.  Not sure why this seems to be a common error; the GUI never asks to set this, etc.



    OK, I set "none" and deleted that GW. Now I noticed that I have a major problem... all my port forwards are not working at all. When I scan from outside it says filtered. Every single one.

    Argh, I messed things up badly!


  • LAYER 8 Global Moderator

    Dude, it's a LAN interface; what would you put as the gateway??

    You sure you were not connecting to that IP like it was the WAN interface? What did you put as the gateway??  Here is how it should look.

    internet --- ISP router (1.2.3.4) ---- (1.2.3.5, gw 1.2.3.4) WAN pfSense LAN (192.168.1.1) ----- (192.168.1.2, gw 192.168.1.1) LAN PC

    So if the client PC wants to talk to, say, Google at 8.8.8.8, he sends it to HIS gateway, the pfSense LAN. pfSense then NATs that so it looks like it came from 1.2.3.5 and sends it to the ISP on 1.2.3.4.  Then that traffic routes to 8.8.8.8.  When it sends an answer, it goes back to 1.2.3.5.  pfSense says "oh, that was the answer to what 192.168.1.2 wanted" and sends it to 192.168.1.2.

    This is the out-of-the-box setup.  You really don't have to do anything special here; click click and that would be working.

    When you do a port forward you tell pfSense: hey, if you see traffic to 1.2.3.5 on port X, send that to 192.168.1.x.

    You having a gateway on your LAN of pfSense, I have no idea what was going on, other than it's going to NOT really work the way you think it should, because pfSense would think that is a WAN connection.
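    The following is an added illustration, not code from the thread or from pfSense itself: a toy Python model of the flow the moderator describes above (LAN pass-any, automatic outbound NAT with a state table, a port forward, and the implicit block for unsolicited WAN traffic). The addresses are the constructed ones from the diagram (1.2.3.4, 1.2.3.5, 192.168.1.1, 192.168.1.2); 192.168.1.10, the test ports and the 50000+ NAT source ports are further assumptions chosen for the example. It is meant to show why no extra rule is needed for outbound internet, and why a scan from outside reads "filtered" unless a port forward exists.

```python
"""Toy model of pfSense/pf default behaviour as explained in the post above.

All addresses and ports are constructed for the example.
"""
from dataclasses import dataclass, replace

ISP_GW = "1.2.3.4"          # ISP router (next hop for pfSense WAN)
WAN_IP = "1.2.3.5"          # pfSense WAN address
LAN_IP = "192.168.1.1"      # pfSense LAN address (the clients' gateway)
LAN_PREFIX = "192.168.1."   # the /24 LAN


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class PfSenseModel:
    """Pass-any on LAN, automatic outbound NAT, stateful replies,
    rdr-style port forwards, and default deny for anything else on WAN."""

    def __init__(self):
        # state table: (proto, translated WAN source port) -> who asked and whom they asked
        self.states = {}
        # port forwards (Firewall > NAT > Port Forward): (proto, WAN dport) -> (LAN host, port)
        self.port_forwards = {}
        self._next_nat_port = 50000   # assumed NAT source-port pool start

    def add_port_forward(self, proto, wan_port, lan_host, lan_port):
        """'If you see traffic to WAN_IP on port X, send that to 192.168.1.x'."""
        self.port_forwards[(proto, wan_port)] = (lan_host, lan_port)

    def lan_outbound(self, pkt):
        """A LAN host sends via its gateway LAN_IP. Returns the packet as it
        leaves WAN towards ISP_GW, or None if pfSense never routes it."""
        if not pkt.src.startswith(LAN_PREFIX):
            raise ValueError("packet did not originate on LAN")
        if pkt.dst.startswith(LAN_PREFIX):
            return None   # same subnet: stays on the switch, no routing involved
        nat_port = self._next_nat_port
        self._next_nat_port += 1
        # remember the original requester so the reply can be un-NATed
        self.states[(pkt.proto, nat_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return replace(pkt, src=WAN_IP, sport=nat_port)

    def wan_inbound(self, pkt):
        """Packet arrives on WAN. Returns ("pass", delivered) or ("block", None)."""
        if pkt.dst != WAN_IP:
            return ("block", None)
        # 1. reply to a connection a LAN host started: state matches, un-NAT it
        state = self.states.get((pkt.proto, pkt.dport))
        if state:
            lan_host, lan_port, remote, remote_port = state
            if pkt.src == remote and pkt.sport == remote_port:
                return ("pass", replace(pkt, dst=lan_host, dport=lan_port))
        # 2. unsolicited but explicitly forwarded: rewrite destination
        fwd = self.port_forwards.get((pkt.proto, pkt.dport))
        if fwd:
            lan_host, lan_port = fwd
            return ("pass", replace(pkt, dst=lan_host, dport=lan_port))
        # 3. everything else: default deny on WAN (shows as "filtered" to a scanner)
        return ("block", None)


def demo():
    fw = PfSenseModel()
    query = Packet("udp", "192.168.1.2", 40000, "8.8.8.8", 53)
    out = fw.lan_outbound(query)
    reply = Packet("udp", "8.8.8.8", 53, WAN_IP, out.sport)
    results = {
        "outbound_src": out.src,                       # 1.2.3.5
        "reply": fw.wan_inbound(reply),                # pass, delivered to 192.168.1.2:40000
        "unsolicited": fw.wan_inbound(Packet("tcp", "203.0.113.7", 5555, WAN_IP, 22)),
    }
    fw.add_port_forward("tcp", 8080, "192.168.1.10", 80)
    results["forwarded"] = fw.wan_inbound(Packet("tcp", "203.0.113.7", 5556, WAN_IP, 8080))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    On a real box the equivalents to inspect are the pf state table (`pfctl -ss`) and the loaded NAT rules (`pfctl -sn`); a probe that shows up as blocked in the firewall log while a port forward exists means the rdr or its linked pass rule did not match, not that NAT is "off".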



    The LAN does not have a GW now, as you instructed. Internet is working on the box now, no problems. A bit afraid to reboot it, but it's working. Trying to port forward, but it simply won't open the ports. As for the other packages, compared to port forwarding, they are a minor issue now.

    Trying to find out why the rules are not working at all. Everything inbound is blocked. I see probing of the forwarded port in the firewall log; it's blocked, I just cannot figure out what it is.

    Cheers :)

    Oh yeah, I sent you a PM too.

    Thanks


  • LAYER 8 Global Moderator

    Well, out of the box all inbound is blocked.  That is what you would normally want in a firewall ;)

    If port forwards are not working, then you would have to troubleshoot those: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting



  • Hello all,

    I sorted everything out to work fine except pfBlocker. Can someone please look at these screenshots and tell me what caused this?

    Many thanks.

    https://dl.dropboxusercontent.com/u/31483374/Pfsense/Pfblocker_services.png
    https://dl.dropboxusercontent.com/u/31483374/Pfsense/pfblockerNG alerts.png

