[Solved] Need help getting internet/LAN access on OPT1

prdatur

Hello,

I hope somebody can help me.

First of all, my main goal is:
Remove my current router and replace it with the virtual box pfSense machine.

Things which needs to work:

Second Network is connected to my main pc, which is required for fast data transfer rates.
Wireless clients should have access to internet and all my local machines, no matter if it is the pfSense, the main machine or other Wireless clients (If those are configured that somebody should connect :P)
The Linux host it self where the virtualbox runs needs internet and lan access over pfSense (not from the cablemodem direct :P)

First things I tried to check if hardware is not defect:
I started the access point within my linux box and started dnsmasq, also I did the forwardings from wireless ip range to normal lan ip (the lan ip was connected to my original private router which has internet)
This worked, I got an ip from the DHCP server on my linux machine and the forwardings worked.

Second I tried to install pfSense and configure all things.

The Linux box has the current interface config:


auto lo
iface lo inet loopback

#PfSense WAN
auto enp11s0
iface enp11s0 inet static
address 0.0.0.0

#PfSense LAN
auto enp9s0
iface enp9s0 inet static
address 0.0.0.0

# WLAN
auto wlp2s0
iface wlp2s0 inet manual

Just to give the information if it is required, here a cut out of my hostapd.conf, the lines which are not added are just for performance configs:


ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
interface=wlp2s0
driver=nl80211

ssid=**MYSSID**
hw_mode=a
channel=0
max_num_sta=128
auth_algs=1

country_code=CH
ieee80211d=1
ieee80211n=1
ieee80211ac=1
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=**MYPASS**
rsn_pairwise=CCMP
rsn_preauth=1
rsn_preauth_interfaces=wlp2s0

Now the pfSense config, I will add the screenshots, thing this is the easieset way.
Just a notice about OPT2, I though I need this to get the internet connection from the linux host itself, cause a virtual ip with enp9s0:1 which I tried with a static ip within network 10.10.20.0/24 didn't worked.

About the outbound, I also tried the default settings (auto mode).
It added the 10.10.20.0 and the 10.10.30.0 network correctly but the internet access didn't worked, so to make sure it has overall access, I switched to manual mode and added the any to any rule, which also didn't helped :(

In any case I have internet access on my main pc which is connected to the LAN port enp9s0.

I have no glue why I do not get internet or local lan access from my wifi clients.
My main pc has internet access through pfSense.

What works:
When I ping from my main pc to 10.10.20.1 (default gateway) it pings correctly.
When I ping from my main pc to 10.10.30.1 (default gateway for wireless clients) it pings correctly
When I ping from my main pc to 10.10.30.200 (connected smartphone) it pings correctly.
When I ping from the smartphone to 10.10.20.1 (default gateway of LAN) it pings correctly.
When I open a browser from the smartphone to pfSense ip 10.10.20.1 it WORKS

What not works:
When I ping from smartphone to 10.10.30.1 (wireless default gateway) it pings VERY FAST with network unreachable
When I ping from smartphone to 10.10.20.100 (my main pc) it just dont get a response.
When I open a browser from the smartphone to google or something else: Does not work

I do not know what I am doing wrong. I hope somebody can help me.

If any information is needed, please let me know.

Additional, my second problem: Getting my local linux pc to have access to internet / LAN
I tried the virtual Ip and a adapter tab0 with "tunctl -t tap0" (This I really checked again what it is, but I assume it is a virtual internal controller or internal tunnel)
With the tab0 adapter I could get access to the pfSense machine, but not to the internet.
If anybody knows also how I do this, this would be really nice.

best regards,
PrDatur
![network .png](/public/imported_attachments/1/network .png)
![network .png_thumb](/public/imported_attachments/1/network .png_thumb)

interface_assignments.png_thumb

interface_wan.png_thumb

interface_lan.png_thumb

interface_opt1.png_thumb

interface_opt2.png_thumb

nat_outbound.png_thumb

nat_rules_wan.png_thumb

nat_rules_lan.png_thumb

nat_rules_opt1.png_thumb

nat_rules_opt2.png_thumb

viragomann

@prdatur:

What works:
When I ping from the smartphone to 10.10.20.1 (default gateway of LAN) it pings correctly.

What not works:
When I ping from smartphone to 10.10.30.1 (wireless default gateway) it pings VERY FAST with network unreachable

So you can ping from a wireless client to pfSense LAN IP, but not to the WLAN IP? ???
That makes no sense.

@prdatur:

Additional, my second problem: Getting my local linux pc to have access to internet / LAN
I tried the virtual Ip and a adapter tab0 with "tunctl -t tap0" (This I really checked again what it is, but I assume it is a virtual internal controller or internal tunnel)
With the tab0 adapter I could get access to the pfSense machine, but not to the internet.

Give your virtual LAN bridge an IP, then you're able to access the local host by this address.

Outbound NAT with generally static port is not a good idea.
There is no need to use manual outbound NAT in your setup. I recommend to swith back to automatic rule generation.

prdatur

Hello and thanks for your answer.

@viragomann:

So you can ping from a wireless client to pfSense LAN IP, but not to the WLAN IP? ???
That makes no sense.

I know that this makes no sense but this is the result what I get when I ping to 10.10.30.1 (OPT1 IP)


1|shell@zerolte:/ $ ping 10.10.30.1                                            
PING 10.10.30.1 (10.10.30.1) 56(84) bytes of data.
From 10.10.30.105: icmp_seq=1 Destination Port Unreachable
From 10.10.30.105: icmp_seq=1 Destination Port Unreachable
From 10.10.30.105: icmp_seq=1 Destination Port Unreachable
From 10.10.30.105: icmp_seq=1 Destination Port Unreachable

And those lines are REALLY fast and many :P I didn't saw those fast unreachable messages in my life, I let it run for about 5 seconds and it produced 11544 entries.

Ping to LAN IP


130|shell@zerolte:/ $ ping 10.10.20.1                                          
PING 10.10.20.1 (10.10.20.1) 56(84) bytes of data.
64 bytes from 10.10.20.1: icmp_seq=1 ttl=64 time=9.83 ms
64 bytes from 10.10.20.1: icmp_seq=2 ttl=64 time=16.3 ms
64 bytes from 10.10.20.1: icmp_seq=3 ttl=64 time=10.5 ms
64 bytes from 10.10.20.1: icmp_seq=4 ttl=64 time=13.6 ms

Ping to internet


1|shell@zerolte:/ $ ping 8.8.8.8                                               
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
32 packets transmitted, 0 received, 100% packet loss, time 31045ms

That's why I was posting this thread, I have no glue what I am doing wrong.

@viragomann:

Give your virtual LAN bridge an IP, then you're able to access the local host by this address.

What do you mean with virtual lan bridge? Which bridge?
Which way should I go with? The virtual ip (enp9s0:1) or the "tunctl -t tab0" thing?
Sorry for now I do not know what this tunctl command does, If this is the way I should go, then I will check it out and learn what it does.
Anyway, I am not soooo much deep into networking, I know basic stuff, but I think not so much as I need for this, but I want to learn it. That's also a small reason why I try this.
Could you also give me some example configurations how I can get this to work?

@viragomann:

Outbound NAT with generally static port is not a good idea.
There is no need to use manual outbound NAT in your setup. I recommend to swith back to automatic rule generation.

I know that I do not need the manual outbound NAT, cause I assume in normal circumstate my setup should be just the a regular thing and automatic mode should be fine. I just wanted to make sure that
I do not miss an outbound NAT entry, so I tried to set it to any->any for testing. But yes I will change it back to auto mode.

However the manual mode can not be the problem, due to the fact that my main pc on which I currently write still has access to the internet (connected to LAN Port directly.)

Is there anything what I can do, or do you see any errors what can cause my problem?

best regards,
PrDatur

viragomann

For networking set up a bridge at your local host, which uses the enp9s0 device, give it an IP address and connect the pfSense LAN interface to this bridge. So your local host is connected to the LAN network and is addressable by given IP.
Sorry, I can't give detailed hints, I'm not familiar with ubuntu.

No, the outbound NAT doesn't cause your problem, but you shouldn't use generally static port if you have more then one internal hosts that have WAN access.
If one host has a connection established to WAN at port xy and another one accidentally also want to use this port, the connection will fail.

prdatur

@viragomann:

For networking set up a bridge at your local host, which uses the enp9s0 device, give it an IP address and connect the pfSense LAN interface to this bridge. So your local host is connected to the LAN network and is addressable by given IP.
Sorry, I can't give detailed hints, I'm not familiar with ubuntu.

THANKS, this works like a charm.
I just added in my interfaces:


# Bridge
auto br0
iface br0 inet static
address 10.10.20.101
netmask 255.255.255.0
gateway 10.10.20.1
dns-nameservers 8.8.8.8
bridge_ports enp9s0
bridge_fd 0

And instead of assigning enp9s0 as the bridged adapter 2 in virtualbox I used the br0 bridge interface.
My Main pc and the localhost are now connected to the internet and see each other (Test was an ssh with putty into local host where the virtualbox runs).

So one problem is solved the other still exists.

Do you see any errors for the OPT1 interface or do you have any hints how I can get it to work that my WLAN clients bridged to OPT1 can also have such smooth and nice connection to WAN and LAN?

best regards,
PrDatur

prdatur

YES, I finally solved it.

I really need to learn to not do too much things :P
What I have done now is. I removed the OPT1 adapter and also this crazcy "tunctl -t tab0" thing adapter which was bridged to OPT2.
Then I just changed in hostapd.conf


bridge=br0

And let the br0 bridge as it is (I did not add the wlp9s0 adapter to the bridge, because I read that hostapd will add it on its own).

After that change, nothing worked again, my local host did not had internet access anymore and also no LAN. I assumed that it was the bridge, because I had similar problems before. But I just wanted to make sure that it is not a problem with old interface states and also maybe the crazy tab0 thing is left somewhere.
I rebooted the local host, started pfSense box, reset the interfaces so the I just have em0 and em1 for WAN and LAN bridged to enp11s0 and enp9s0.

This did the trick, also with the nice side effect, that also my wireless clients are also in the same network as everything (10.10.20.0/24).

I really thank you viragomann for the hint with the bridge and to bring me to the idea, to just try the hostapd bridge mode again :).

best regards,
PrDatur