Netgate Discussion Forum
    [Solved] Need help getting internet/LAN access on OPT1

    Category: Firewalling
    6 Posts 2 Posters 2.5k Views
    prdatur

      Hello,

      I hope somebody can help me.

      First of all, my main goal is:
      Remove my current router and replace it with the VirtualBox pfSense machine.

      Things which need to work:

      • A second network is connected to my main PC, which is required for fast data transfer rates.
      • Wireless clients should have access to the internet and to all my local machines, no matter if it is pfSense, the main machine or other wireless clients (if those are configured so that somebody can connect :P)
      • The Linux host itself, where VirtualBox runs, needs internet and LAN access through pfSense (not from the cable modem directly :P)

      First, I tried to check that the hardware is not defective:
      I started the access point on my Linux box and started dnsmasq; I also set up forwarding from the wireless IP range to the normal LAN IP (the LAN IP was connected to my original private router, which has internet).
      This worked: I got an IP from the DHCP server on my Linux machine and the forwarding worked.

      Second, I tried to install pfSense and configure everything.

      The Linux box currently has this interface config:

      auto lo
      iface lo inet loopback

      # pfSense WAN (handed to VirtualBox, no host address)
      auto enp11s0
      iface enp11s0 inet static
      address 0.0.0.0

      # pfSense LAN (handed to VirtualBox, no host address)
      auto enp9s0
      iface enp9s0 inet static
      address 0.0.0.0

      # WLAN (managed by hostapd)
      auto wlp2s0
      iface wlp2s0 inet manual

      Just in case it is required, here is an excerpt of my hostapd.conf; the lines I left out are just performance settings:

      ctrl_interface=/var/run/hostapd
      ctrl_interface_group=0
      interface=wlp2s0
      driver=nl80211

      ssid=**MYSSID**
      hw_mode=a
      channel=0
      max_num_sta=128
      auth_algs=1

      country_code=CH
      ieee80211d=1
      ieee80211n=1
      ieee80211ac=1
      wpa=2
      wpa_key_mgmt=WPA-PSK
      wpa_passphrase=**MYPASS**
      rsn_pairwise=CCMP
      rsn_preauth=1
      rsn_preauth_interfaces=wlp2s0

      Now the pfSense config. I will add screenshots, I think this is the easiest way.
      Just a note about OPT2: I thought I needed this to get the internet connection for the Linux host itself, because a virtual IP on enp9s0:1, which I tried with a static IP within the network 10.10.20.0/24, didn't work.

      About the outbound NAT, I also tried the default settings (automatic mode).
      It added the 10.10.20.0 and 10.10.30.0 networks correctly, but internet access didn't work, so to make sure it has access overall I switched to manual mode and added an any-to-any rule, which also didn't help :(

      In any case, I have internet access on my main PC, which is connected to the LAN port enp9s0.

      I have no clue why I do not get internet or local LAN access from my WiFi clients.
      My main PC has internet access through pfSense.

      What works:
      When I ping from my main PC to 10.10.20.1 (default gateway), it pings correctly.
      When I ping from my main PC to 10.10.30.1 (default gateway for wireless clients), it pings correctly.
      When I ping from my main PC to 10.10.30.200 (connected smartphone), it pings correctly.
      When I ping from the smartphone to 10.10.20.1 (default gateway of LAN), it pings correctly.
      When I open a browser on the smartphone to the pfSense IP 10.10.20.1, it WORKS.

      What does not work:
      When I ping from the smartphone to 10.10.30.1 (wireless default gateway), it pings VERY FAST with network unreachable.
      When I ping from the smartphone to 10.10.20.100 (my main PC), it just doesn't get a response.
      When I open a browser on the smartphone to Google or something else: does not work.

      I do not know what I am doing wrong. I hope somebody can help me.

      If any information is needed, please let me know.

      Additionally, my second problem: getting my local Linux PC access to the internet / LAN.
      I tried the virtual IP and an adapter tap0 with "tunctl -t tap0" (I have not really checked what it is, but I assume it is a virtual internal controller or internal tunnel).
      With the tap0 adapter I could get access to the pfSense machine, but not to the internet.
      If anybody also knows how to do this, that would be really nice.

      best regards,
      PrDatur
      Attachments (screenshots): network.png (/public/imported_attachments/1/network .png), interface_assignments.png, interface_wan.png, interface_lan.png, interface_opt1.png, interface_opt2.png, nat_outbound.png, nat_rules_wan.png, nat_rules_lan.png, nat_rules_opt1.png, nat_rules_opt2.png

        viragomann

        @prdatur:

        What works:
        When I ping from the smartphone to 10.10.20.1 (default gateway of LAN), it pings correctly.

        What does not work:
        When I ping from the smartphone to 10.10.30.1 (wireless default gateway), it pings VERY FAST with network unreachable.

        So you can ping from a wireless client to the pfSense LAN IP, but not to the WLAN IP?  ???
        That makes no sense.

        @prdatur:

        Additionally, my second problem: getting my local Linux PC access to the internet / LAN.
        I tried the virtual IP and an adapter tap0 with "tunctl -t tap0" (I have not really checked what it is, but I assume it is a virtual internal controller or internal tunnel).
        With the tap0 adapter I could get access to the pfSense machine, but not to the internet.

        Give your virtual LAN bridge an IP, then you're able to access the local host at this address.

        Outbound NAT with static port in general is not a good idea.
        There is no need to use manual outbound NAT in your setup. I recommend switching back to automatic rule generation.

          prdatur

          Hello and thanks for your answer.

          @viragomann:

          So you can ping from a wireless client to the pfSense LAN IP, but not to the WLAN IP?  ???
          That makes no sense.

          I know that this makes no sense, but this is the result I get when I ping 10.10.30.1 (OPT1 IP):

          1|shell@zerolte:/ $ ping 10.10.30.1
          PING 10.10.30.1 (10.10.30.1) 56(84) bytes of data.
          From 10.10.30.105: icmp_seq=1 Destination Port Unreachable
          From 10.10.30.105: icmp_seq=1 Destination Port Unreachable
          From 10.10.30.105: icmp_seq=1 Destination Port Unreachable
          From 10.10.30.105: icmp_seq=1 Destination Port Unreachable

          And those lines come REALLY fast and there are many of them :P I never saw unreachable messages that fast in my life; I let it run for about 5 seconds and it produced 11544 entries.

          Ping to LAN IP

          130|shell@zerolte:/ $ ping 10.10.20.1
          PING 10.10.20.1 (10.10.20.1) 56(84) bytes of data.
          64 bytes from 10.10.20.1: icmp_seq=1 ttl=64 time=9.83 ms
          64 bytes from 10.10.20.1: icmp_seq=2 ttl=64 time=16.3 ms
          64 bytes from 10.10.20.1: icmp_seq=3 ttl=64 time=10.5 ms
          64 bytes from 10.10.20.1: icmp_seq=4 ttl=64 time=13.6 ms

          Ping to internet

          1|shell@zerolte:/ $ ping 8.8.8.8
          PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
          ^C
          --- 8.8.8.8 ping statistics ---
          32 packets transmitted, 0 received, 100% packet loss, time 31045ms

          That's why I posted this thread; I have no clue what I am doing wrong.

          @viragomann:

          Give your virtual LAN bridge an IP, then you're able to access the local host at this address.

          What do you mean by virtual LAN bridge? Which bridge?
          Which way should I go? The virtual IP (enp9s0:1) or the "tunctl -t tap0" thing?
          Sorry, for now I do not know what this tunctl command does. If this is the way I should go, then I will check it out and learn what it does.
          Anyway, I am not sooo deep into networking; I know basic stuff, but I think not as much as I need for this, and I want to learn it. That's also a small reason why I am trying this.
          Could you also give me some example configurations of how I can get this to work?

          @viragomann:

          Outbound NAT with static port in general is not a good idea.
          There is no need to use manual outbound NAT in your setup. I recommend switching back to automatic rule generation.

          I know that I do not need manual outbound NAT, because I assume that under normal circumstances my setup is just a regular thing and automatic mode should be fine. I just wanted to make sure that
          I do not miss an outbound NAT entry, so I set it to any->any for testing. But yes, I will change it back to auto mode.

          However, the manual mode cannot be the problem, due to the fact that my main PC, on which I am currently writing, still has access to the internet (connected to the LAN port directly).

          Is there anything I can do, or do you see any errors that could cause my problem?

          best regards,
          PrDatur

            viragomann

            For networking, set up a bridge on your local host which uses the enp9s0 device, give it an IP address and connect the pfSense LAN interface to this bridge. Then your local host is connected to the LAN network and is addressable by the given IP.
            Sorry, I can't give detailed hints, I'm not familiar with Ubuntu.

            No, the outbound NAT doesn't cause your problem, but you shouldn't use static port in general if you have more than one internal host that has WAN access.
            If one host has a connection established to WAN at port xy and another one accidentally also wants to use this port, the connection will fail.

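As an added illustration of the static-port collision viragomann describes above (example code written for this page, not pfSense code and not a description of pf's internals): a small Python model of an outbound NAT table with one WAN address. The WAN address 203.0.113.5 and the two LAN hosts 10.10.20.100 and 10.10.20.101 are constructed values. In static mode the gateway keeps the internal source port on the WAN side, so a second host using the same source port towards the same destination gets no translation; in dynamic mode the gateway hands out a free WAN port and both flows work and map back to the right host.

```python
"""Model of outbound NAT: 'static port' versus dynamic port allocation.

Added example for this thread; not pfSense code. It models the translation
table of a NAT gateway with a single WAN address (constructed 203.0.113.5).
"""
from typing import Dict, Optional, Tuple

WAN_IP = "203.0.113.5"           # constructed WAN address (TEST-NET-3)
PORT_RANGE = range(1024, 65536)  # WAN ports dynamic mode may hand out

Flow = Tuple[str, int]           # (internal ip, internal source port)
Key = Tuple[int, str, int]       # (wan source port, dst ip, dst port)


class OutboundNat:
    def __init__(self, static_port: bool):
        self.static_port = static_port
        self.table: Dict[Key, Flow] = {}
        self._next = PORT_RANGE.start

    def translate(self, src_ip: str, src_port: int,
                  dst_ip: str, dst_port: int) -> Optional[int]:
        """Return the WAN source port used for this flow, or None if none fits."""
        flow = (src_ip, src_port)
        # An existing state for the same flow is reused rather than re-allocated.
        for (wport, dip, dport), owner in self.table.items():
            if owner == flow and (dip, dport) == (dst_ip, dst_port):
                return wport
        if self.static_port:
            # Static port: the WAN port must equal the internal source port.
            key = (src_port, dst_ip, dst_port)
            if key in self.table:
                return None          # another host already owns this WAN port
            self.table[key] = flow
            return src_port
        # Dynamic: pick the next WAN port that is free for this destination.
        for _ in PORT_RANGE:
            wport = self._next
            self._next = wport + 1 if wport + 1 < PORT_RANGE.stop else PORT_RANGE.start
            key = (wport, dst_ip, dst_port)
            if key not in self.table:
                self.table[key] = flow
                return wport
        return None                  # all ports in use for this destination

    def reply_target(self, wan_port: int, src_ip: str, src_port: int) -> Optional[Flow]:
        """Map a reply arriving on WAN back to the internal host that owns it."""
        return self.table.get((wan_port, src_ip, src_port))


def two_hosts_same_port(static_port: bool):
    """Two constructed LAN hosts both use source port 50000 towards 8.8.8.8:53."""
    nat = OutboundNat(static_port)
    first = nat.translate("10.10.20.100", 50000, "8.8.8.8", 53)
    second = nat.translate("10.10.20.101", 50000, "8.8.8.8", 53)
    return first, second, nat


if __name__ == "__main__":
    for mode in (True, False):
        first, second, _ = two_hosts_same_port(mode)
        print("static" if mode else "dynamic", "->", first, second)
```

With static port the second host's flow has no usable translation (None), which is the failure viragomann warns about; with dynamic allocation the two flows get distinct WAN ports and the replies are demultiplexed correctly.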
              prdatur

              @viragomann:

              For networking, set up a bridge on your local host which uses the enp9s0 device, give it an IP address and connect the pfSense LAN interface to this bridge. Then your local host is connected to the LAN network and is addressable by the given IP.
              Sorry, I can't give detailed hints, I'm not familiar with Ubuntu.

              THANKS, this works like a charm.
              I just added to my interfaces:

              # Bridge: the host's own LAN address lives on br0, enp9s0 is only a port of it
              auto br0
              iface br0 inet static
              address 10.10.20.101
              netmask 255.255.255.0
              gateway 10.10.20.1
              dns-nameservers 8.8.8.8
              bridge_ports enp9s0
              bridge_fd 0

              And instead of assigning enp9s0 as bridged adapter 2 in VirtualBox, I used the br0 bridge interface.
              My main PC and the local host are now connected to the internet and see each other (the test was an SSH with PuTTY into the local host where VirtualBox runs).

              So one problem is solved, the other still exists.

              Do you see any errors for the OPT1 interface, or do you have any hints on how I can get my WLAN clients bridged to OPT1 to also have such a smooth and nice connection to WAN and LAN?

              best regards,
              PrDatur

                prdatur

                YES, I finally solved it.

                I really need to learn not to do too many things :P
                What I have done now: I removed the OPT1 adapter and also this crazy "tunctl -t tap0" thing adapter which was bridged to OPT2.
                Then I just changed in hostapd.conf:

                bridge=br0

                And left the br0 bridge as it is (I did not add the wlp2s0 adapter to the bridge, because I read that hostapd will add it on its own).

                After that change, nothing worked again; my local host did not have internet access anymore and also no LAN. I assumed that it was the bridge, because I had similar problems before. But I just wanted to make sure that it is not a problem with old interface states, and also that maybe the crazy tap0 thing was left somewhere.
                I rebooted the local host, started the pfSense box, and reset the interfaces so that I just have em0 and em1 for WAN and LAN, bridged to enp11s0 and enp9s0.

                This did the trick, also with the nice side effect that my wireless clients are now in the same network as everything else (10.10.20.0/24).

                I really thank you viragomann for the hint with the bridge and for bringing me to the idea of just trying the hostapd bridge mode again :).

                best regards,
                PrDatur

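The working setup in the thread comes down to three files agreeing with each other: the br0 stanza in /etc/network/interfaces, the `bridge=br0` line in hostapd.conf, and VirtualBox being pointed at br0 instead of enp9s0. The following Python checker is an added example written for this page (not code from the thread, pfSense, ifupdown or hostapd) that parses interfaces-style stanzas and a hostapd.conf and flags the mistakes that can quietly cut the host or the WLAN clients off the LAN: a bridge whose gateway is outside its own subnet, a bridge port that still carries an address, the WLAN device listed in bridge_ports although hostapd attaches it itself, and a `bridge=` that names a bridge the interfaces file never defines. The sample texts are constructed from the thread's final configuration; the function and variable names are this example's own.

```python
"""Consistency checks for a Linux bridge + hostapd + VirtualBox pfSense setup.

Added example written for this page; not code from the thread, pfSense,
ifupdown or hostapd. Sample configs below are constructed from the thread.
"""
import ipaddress
from typing import Dict, List

INTERFACES = """\
auto lo
iface lo inet loopback

# pfSense WAN uplink: handed to VirtualBox, no host address
auto enp11s0
iface enp11s0 inet static
address 0.0.0.0

# LAN NIC: member of br0, so it carries no address of its own
auto enp9s0
iface enp9s0 inet manual

# WLAN: hostapd adds it to br0 itself (bridge=br0 in hostapd.conf)
auto wlp2s0
iface wlp2s0 inet manual

# Bridge: the host's LAN address lives here
auto br0
iface br0 inet static
address 10.10.20.101
netmask 255.255.255.0
gateway 10.10.20.1
dns-nameservers 8.8.8.8
bridge_ports enp9s0
bridge_fd 0
"""

HOSTAPD = """\
interface=wlp2s0
driver=nl80211
bridge=br0
ssid=MYSSID
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
"""

Stanza = Dict[str, str]


def parse_interfaces(text: str) -> Dict[str, Stanza]:
    """Map each 'iface' name to its options; 'auto' lines and comments are skipped."""
    stanzas: Dict[str, Stanza] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "iface" and len(parts) >= 4:
            current = {"_family": parts[2], "_method": parts[3]}
            stanzas[parts[1]] = current
        elif parts[0] in ("auto", "allow-hotplug", "source", "source-directory"):
            continue
        elif current is not None:
            current[parts[0]] = " ".join(parts[1:])
    return stanzas


def parse_hostapd(text: str) -> Dict[str, str]:
    """Plain key=value parser; comments and blank lines are skipped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def check(interfaces: Dict[str, Stanza], hostapd: Dict[str, str]) -> List[str]:
    """Return human-readable problems; an empty list means the setup is consistent."""
    problems: List[str] = []
    bridges = {n: s for n, s in interfaces.items() if "bridge_ports" in s}
    if not bridges:
        problems.append("no bridge stanza (bridge_ports) found")
    wlan = hostapd.get("interface")
    for name, s in bridges.items():
        ports = s["bridge_ports"].split()
        if s["_method"] == "static":
            try:
                net = ipaddress.IPv4Network(f"{s['address']}/{s['netmask']}", strict=False)
                if ipaddress.IPv4Address(s["gateway"]) not in net:
                    problems.append(f"{name}: gateway {s['gateway']} is not in {net}")
            except (KeyError, ValueError) as exc:
                problems.append(f"{name}: unusable address/netmask/gateway ({exc})")
        for port in ports:
            if port not in interfaces:
                problems.append(f"{name}: bridge port {port} has no iface stanza")
            elif interfaces[port].get("address", "0.0.0.0") != "0.0.0.0":
                problems.append(f"{name}: bridge port {port} still has its own address")
        if wlan in ports:
            problems.append(f"{name}: {wlan} is in bridge_ports but hostapd attaches it itself")
    bridge = hostapd.get("bridge")
    if bridge is None:
        problems.append("hostapd.conf has no bridge= line, so WLAN clients will not join the bridged LAN")
    elif bridge not in bridges:
        problems.append(f"hostapd bridge={bridge} is not defined as a bridge in the interfaces file")
    return problems


if __name__ == "__main__":
    for line in check(parse_interfaces(INTERFACES), parse_hostapd(HOSTAPD)) or ["OK"]:
        print(line)
```

Run it against the two files before bringing the host back up; the check that the WLAN device is not in bridge_ports matches the thread's observation that hostapd adds the interface to the bridge on its own.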
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.