SOLVED!! OK, throw the noob a bone with setting interface IP numbers



  • OK, so I'm a noob but I'm competent.  Competent (as in I'm an IT help desk geek) but nowhere near "edumicated" on this pfSense thing.  Anyhow, I grabbed an old Dell GX260, 2.4 MHz, 512 RAM, 40G HD, burned the latest copy of the 32 bit version to cd and did the install without a hitch.  Right, too easy I'm thinking.  I'm getting spanked setting the interface IP addresses in the console.  I've tried a few dozen times and between not knowing and just making stupid mistakes from not paying attention  ::), I still can't get my connection going.  So here are the specs:

    I have the TWC cable coming in to the Motorola Surfboard Modem and the modem's IP is 192.168.100.1
    That goes into a Linksys WRT-160nl router that I ported over to DD-WRT set at 192.168.1.1
    All of all my rigs run through that directly or through two switches downstream of that.
    IPCONFIG shows the Gateway 192.168.1.1 and the IPv4 Address 192.168.1.102
    pfSense shows WAN on the onboard Intel network adapter at EM0 running through DHCP and the LAN on a NIC rl0  set to 192.168.1.102/24.
    pfSense 2.2.1
    Full install on the HD

    I pulled these IP numbers directly from the router:
    WAN IP  97.102.56.141 
    LAN IP  192.168.1.1

    WAN
    Subnet Mask  255.255.240.0 
    Gateway  97.102.48.1 
    DNS 1  65.32.5.111
    DNS 2  65.32.5.112

    LAN

    Start IP Address  192.168.1.100 
    End IP Address  192.168.1.149

    I can't make a clean connection to ping anything or hit the webConfigurator.  I attached some pix of the IPCONFIG and the rig showing the console page just in case I confused anyone.  I know it's me and not a tech issue.  I'm just not getting it or I'm mixing up what something is vs what it should be and I'm sure I'm not entering the correct values.  I made it through setting up FreeNAS today so I'm sure I can get this down pat but, I don't know, aside from not being a network guy, maybe I've been sitting in this chair too long…  Any help someone could provide would be much appreciated.

    Thanks,

    Tom






  • Where did you plug in pfSense WAN and LAN ports? Your setup does not make sense, you have the same IP 192.168.1.102 assigned to pfSense LAN and to Windows box. You can only access pfSense web GUI via LAN port and not WAN.

    Restore your Windows box settings to what you had before. Plug in pfSense box LAN to the switch or directly to your Linksys router. Assign IP to pfSense LAN that is not used by anything else in 192.168.1.0/24 range.



  • Sorry, I forgot to mention how things were hooked up.  I have the WAN as the modem going directly into the onboard network port on the pfSense box and then the LAN going from the pfSense box NIC, directly to the router's input port.  Trust me, I would never set two devices to the same IP on purpose so I completely disconnected all the connections to the firewall, I reset the pfSense box to 192.168.1.0 and connected the LAN side directly to the router.  I can ping it and I can get to the webConfigurator (THANKS! but wow, did I open a whole new ball of wax after logging in to there…)

    Anyhow, when I go back to placing the pfSense box directly downstream of the Modem, as the first device in the chain, I get nothing.  I can't ping it because I lost the connection.  Frustrated, not only because I'm over my head but I'm not even sure where to focus on my search for the mistake.  Obviously, the numbers I'm inputting into the firewall console are not the proper ones for a connection, but I'm too inexperienced to ascertain what's what in the  proper configuration.  I'm probably making it worse by thinking I'm so smart by getting all the numbers from the router and thinking I can just set the system up using that.  I keep plugging the numbers into the console thinking (hoping) I'll get lucky.  It's a steep learning curve.  I did DD-WRT on the router many years ago and knew next to nothing about it.  I learned a lot even if it was the hard way.  The other day, I tackled FreeNAS and squeaked my way through that configuration.  This might be a little tougher...

    What I do know are these two things:
    The router is set at 192.168.1.1
    The firewall is set at 192.168.1.0
    Both can be pinged when both are downstream of the router (no hardware firewall).

    Everything after that, I'm just regurgitating off the router's status page:

    WAN
    IP Address 97.102.56.141 
    Subnet Mask 255.255.240.0 
    Gateway 97.102.48.1

    LAN
    IP Address 192.168.1.1 
    Subnet Mask 255.255.255.0

    I think maybe I step away for a bit, go wash the breakfast dishes, make the kids and I lunch and come back with a clear mind.


  • Netgate Administrator

    Ok, it's slightly hard to say exactly because you've moved things around a bit here but it looks like there are a few fundamental things you have incorrect. I apologise if I've mis-read this  ;).
    1: All the network segments must be in a different subnet. That means you must use something other than 192.168.1.X for the pfSense if you're using it on the DD-WRT device LAN.
    2: 192.168.1.0/24 and 192.168.1.1/24 are in the same subnet. And in fact you can't use .0 because that's the network address.

    Also your Motorola device is a router not a modem if it is handing out 192.168.100.X addresses on its internal interface.

    The rl interface is 10/100 so it probably isn't auto-MDIX. You may need a cross-over cable to connect it directly to your laptop, check for link leds.

    Here is what you should be aiming at:

    Set the Motorola device as a real modem so it hands out your public IP to the pfSense WAN address via DHCP.
    Set the pfSense  LAN address to something so far unused so you don't get locked out of it during setup like 192.168.200.1/24.
    Set the DD-WRT device to access point only mode and connect it to the pfSense LAN.

    There are many variations you could use here but having a single NAT instance in the chain is desirable. Just make sure you have different subnets on each segment.

    Steve
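
Added example (not part of the thread and not pfSense code): a small Python check, using the standard `ipaddress` module, of the addressing rules in the post above, namely one subnet per routed segment, no host on the network or broadcast address, and no address used twice. The segment names, device names and the three sample plans are constructed here from the addresses quoted in the thread.

```python
import ipaddress
from itertools import combinations

def check_plan(segments, hosts):
    """segments: {name: 'network/prefix'}; hosts: [(device, segment, 'ip'), ...].
    Returns a list of problems; an empty list means the plan is consistent."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in segments.items()}
    problems = []
    # Rule 1: every routed segment needs its own, non-overlapping subnet.
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"'{a}' ({net_a}) overlaps '{b}' ({net_b})")
    seen = {}
    for device, segment, ip_text in hosts:
        ip, net = ipaddress.ip_address(ip_text), nets[segment]
        if ip not in net:
            problems.append(f"{device}: {ip} is outside {net}")
        # Rule 2: the first and last address of a subnet are not host addresses.
        elif net.prefixlen < 31 and ip == net.network_address:
            problems.append(f"{device}: {ip} is the network address of {net}")
        elif net.prefixlen < 31 and ip == net.broadcast_address:
            problems.append(f"{device}: {ip} is the broadcast address of {net}")
        # Rule 3: an address may be used by only one device on a segment.
        owner = seen.setdefault((segment, ip), device)
        if owner != device:
            problems.append(f"{device}: {ip} is already used by {owner}")
    return problems

# Constructed sample plans (assumed layouts, built from addresses in the thread).
FIRST_TRY = ({"DD-WRT LAN": "192.168.1.0/24"},
             [("DD-WRT", "DD-WRT LAN", "192.168.1.1"),
              ("Windows PC", "DD-WRT LAN", "192.168.1.102"),
              ("pfSense LAN port", "DD-WRT LAN", "192.168.1.102")])
SECOND_TRY = ({"pfSense LAN": "192.168.1.0/24", "DD-WRT LAN": "192.168.1.0/24"},
              [("pfSense", "pfSense LAN", "192.168.1.0"),
               ("DD-WRT", "DD-WRT LAN", "192.168.1.1")])
ADVISED = ({"pfSense LAN": "192.168.200.0/24"},
           [("pfSense", "pfSense LAN", "192.168.200.1"),
            ("Windows PC", "pfSense LAN", "192.168.200.3")])

if __name__ == "__main__":
    plans = [("first try", FIRST_TRY), ("second try", SECOND_TRY), ("advised", ADVISED)]
    for label, (segs, hosts) in plans:
        print(label, check_plan(segs, hosts) or "OK")
```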



  • Steve,
      Thanks for the inputs.  Pretty easy to see I'm not very network savvy with my choice of addresses WRT subnets.  I'll fix that straight off.  It's pretty clear now, that is my number one problem to correct.  My apologies for moving things around in my attempts to get things going.  Like they say, "Garbage in-garbage out".  I was just spinning my wheels.  Especially in light of your advice, I'm way off even for just taking pot shots.  I gave your mail a quick read and then took another break.  Sort of a, "Wow, I'm not even close" kind of moment.  I'm going to review it again now, start fresh and see what I can do.  At least on the next post, hopefully, I have most of the numbers set up properly.  Perhaps not exact, but in the same ballpark so to speak.

    Thanks for pointing out the issue with rl0.  I'll check the link lights and I have a stash of crossover cables if needed.

    "Set the pfSense  LAN address to something so far unused so you don't get locked out of it during setup like 192.168.200.1/24".  Can do easy…  First thing at that.

    I may be wrong but I'm fairly certain my Linksys/DD-WRT mashup is handing out the DHCP especially since I just went in (uh, ok, tinkering) and confirmed it's set to DHCP server, set the number of users to 100 and set the starting address.  Actually, setting the starting address is originally what I was looking for and the rest just came into view.  I opened up the range of addresses.  Now set from 192.168.1.100 to 192.168.1.198.  They were sort of all over and I wanted to just keep them in check in one specific range to keep things straight while troubleshooting.

    "Set the DD-WRT device to access point only mode and connect it to the pfSense LAN."  Funny you should mention that.  While I was in the DD-WRT setup (looking for more info) I came across that setting.  Under advanced routing, it's set as "Gateway" and I started to wonder, if at some point, that needs to be set to "router" since the pfSense box is now upstream…  Honestly, it was just a thought but glad you mentioned it since I "bumped" into it, I can connect the dots on that one.

    No apologies please.  If you misread something it's because I wasn't clear or rambling in my angst of trying to get things moving.  :o
    Actually, it's kind of self critiquing that once I get this done (like a dog with a bone right now) I better get back in school and learn networking properly and stop kludging my way through in this fashion.

    Tom



  • OK, first thing I did was look at this from the big picture and I realized, I'm making this far too difficult.  I removed the router (DD-WRT setup issues and changes) and the  10 port switches out of the loop.  I connected the modem directly to the firewall WAN and then the firewall LAN directly to a computer.  Now, it's just a matter of those two boxes.

    I set the PFSense box LAN address (as per Steve's post) to 192.168.200.1/24

    After connecting all the hardware, I can ping and reach the webConfigurator (dashboard page image attached)

    Question:  Should I be entering a value when the pf Sense console asks me this? 
    For a WAN, enter the new LAN IPv4 upstream gateway address
    For a LAN, press ENTER for none:

    IF so, what do I use for the IPv4 upstream gateway address?

    I said yes when it asked for the start and end addresses for the IPv4 client address range.  I used: 192.168.200.3 to 192.168.200.99.  Is that acceptable?

    When I do IPCONFIG on the windows box, I get this:

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix  . : localdomain
      Link-local IPv6 Address . . . . . : fe80::247d:6a4c:3382:cc23%11
      IPv4 Address. . . . . . . . . . . : 192.168.1.187
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Default Gateway . . . . . . . . . : 192.168.1.1

    I did release/renew several times trying to make a connection but no luck.  Also, as often as that was done, the subnet mask and the default gateway are exactly the same as they were in the past.  Coincidence or a holdover?  I certainly do not know.  Especially that default gateway.  That worries me.  That was the IP address to the router and the router was the one handing out IP addresses.  I flushed the DNS also but still, no change.  Now that I write all that, I'm thinking as to what Steve said and when I set the IPv4 address to 200.1 that was for when I had the router so he wanted them on different subnets.  Now, without a router, for testing purposes, I moved the firewall's IPv4 address back to 192.168.1.1 (no router sharing that IP this time) and set the IP range accordingly.  No change.  Still no connection at the workstation.  I set things back to the way Steve requested.

    Since I can ping the Configurator, I'm thinking (if I haven't mucked up the IP addresses again) that I have some settings to adjust via the GUI.  Does pfSense default to basic access or complete lockdown?

    I've simplified the setup but am no closer to a basic firewall.  Troubling at best….

    As always, any advice is appreciated.  Don't forget, I'm just scratching the surface of network commands and concepts.  I'm more dangerous than empowered at this point.

    Thanks,

    Tom

    ![pfSense Dashboard Initial.JPG](/public/imported_attachments/1/pfSense Dashboard Initial.JPG)



  • The first issue I see is that you have no IP on the WAN interface. This is usually assigned by your ISP via DHCP, which will also take care of the WAN gateway settings. You may need to reset the modem or even have pfSense clone the MAC address of whatever used to be connected to the modem to get this working.



  • Hmmn,  I completely overlooked that the console wasn't showing DHCP for the WAN.  Thanks for pointing that out.

    BINGO!  It's got one now!  Nice call sir.

    On a side note, all the IP's shown under IPCONFIG have also changed.  Now they reflect the proper inputs from the console.

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix  . : localdomain
      Link-local IPv6 Address . . . . . : fe80::247d:6a4c:3382:cc23%11
      IPv4 Address. . . . . . . . . . . : 192.168.200.3
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Default Gateway . . . . . . . . . : fe80::1:1%11
                                          192.168.200.1

    Sadly, still no connection.  This gets weirder with each hurdle…
    Still, at least the WAN to firewall section is working.  Now for the LAN.  I have link lights and activity on both network ports so that's good.  I can get to the GUI so that's up.  I can ping the pfSense box from the console so that's up.  I can ping the firewall from the windows box.  Windows box took the first available IP from the range I provided the console.  I can't ping yahoo.com from windows command prompt so I can ping internally but not externally.  What would that be from this point?  Hmmmnnn, not sure what's left.  If I have a good IP and can ping internally, would that be an issue with the firewall blocking me going out?  Anyone?



  • Sounds like DNS is broken. Can you ping 8.8.8.8?

    If you can then turn on the DNS forwarder service in pfSense and see if that helps.



  • Yes, I can in fact ping both the firewall and 8.8.8.8.



  • I rebooted the console, closed and logged back into the GUI, reset the modem and guess what???  BOO-YA! I'M IN LIKE FLINT!

    FWIW, when I went to select DNS forwarding, it disallowed me saying DNS Resolver was using that port.  I was looking around the menu for that and just happened to look at the network icon in the tray and it was clean.  Even after going to a web page, I had to ping something via command prompt just to be sure.

    Now that I know it works for one machine, I can take my time to research the router/DD-WRT settings but at least the basic config is set and running hot.  Great way to end the day.  Thanks to EVERYONE who took the time to share their knowledge and experience.  It was a rough day but I appreciate all for their time and help.

    Thanks,

    Tom


  • Netgate Administrator

    The DNS resolver is the default option in 2.2.x. The forwarder should be disabled. The resolver is the better choice in almost every circumstance.

    Good job.  :)

    Steve



  • Good to know.

