[pfSense] Installed but no internet

[Lilrich]

Hello Everyone,

I have managed to install pfSense onto an old computer with 2 nic's i can access the web gui and it says that both the nic's are up and sending data.

However i am unable to get access to the internet and i am sure there must be something i haven't done or done wrong. Is anyone able to guide me or show me what i might have missed.

I am not sure where it says what subnet i should be using or how to sucessfully configure the DHCP..

Cheers

Rich

[Detection]

Shot in the dark, but static IPs sound more likely to be supported than DHCP ?

Blatantly should have kept quiet on this one

[Lilrich]

I can hit the gui 192.168.33.1 which takes me to the control panel but if i setup the network settings on the computer to use 192.168.33.1 as the gateway instead of my old modem i get no internet which makes me think i have done something wrong.

Maybe someone with pfSense installed could post some screenshots?

Rich

[+BudMan]

^ what??

If you can access the web interface then clearly your on the lan network.

"I am not sure where it says what subnet i should be using or how to sucessfully configure the DHCP.."

What?? Post a screenshot of your dashboard or interfaces screen

Been running pfsense for years now, currently using 2.0 rc1 and setup the ipv6 development stuff from 2.1, etc.

So lets see the output of your status interfaces screen so we can see what we are working with - feel free to block out the last couple of octets of your wan side.. But need to see that your on public IP on wan, and private on lan, etc.

ok so here is output of dhcp server.. this means that it will hand out IPs between 192.168.1.200 to 239, it will also tell clients to use itself 192.168.1.253 as the dns server, and that local domain is called local.lan

What questions do you have exactly?

[Lilrich]

Budman please forgive me i am trying to learn and i read the documentation i just can't get it to work and some of it is admittedly over my head that is why i came here.

Yes the server is on the lan network as i can access it BUT i can't access the internet when passing traffic through it.

The WAN stuff looks not right to me but i am sure you will be able to tell me what i have done wrong.

[+BudMan]

Well no **** that will never work, you have the same exact network on both the wan and the lan.

Your clearly behind a NAT device with that 192.168.33 (Private) network on the wan side.

What is your pfsense box connected to?

why did you set a /25 bit mask on your lan side??? Where did you get the idea to use 192.168.33 on your lan network??

[Lilrich]

Nothing, i have plugged the modem in to the WAN card and the LAN into the LAN card.

This is what i get.

[+BudMan]

Lan card? And you don't have a modem you have a NAT router, I don't care if they call it a modem or not?? Its doing NAT!! you got a private IP.

What is the model number of the device your psfsense box is plugged into?

And where did you plug the lan side into?? Into the same "modems" lan ports?

goes like this

internet - modem -- <wan> pfsense <lan> -- switch - PCS

You can work with a double nat (private on the wan side of your pfsense) but I highly suggest against it..

but you could do something like this for double nat

pfsense wan = dhcp

192.168.33.?/24

gateway 192.168.1.254 <-- your "modems" IP

lan static

192.168.2.1

netmask 255.255.255.0, 24 bits

dhcp server on pfsense

192.168.2.100 - 200

dns 192.168.2.1 or opendns, whatever

Pfsense is designed to be the NAT router/firewall of your network you do not need another device in front of it doing NAT.. you just need a modem connecting you to the internet, if you have what they are calling a DSL modem, clearly its really a gateway since you getting a private IP on your wan side of your pfsense. You would want to put the device into bridge mode. -- What is the make and model number of what your calling your modem and we can look to see if supports bridge mode, ie it will not longer do nat, and your pfsense box will get a PUBLIC IP on its wan interface.

edti: btw if going to run double nat mode like that, which I do not suggest, then on your "modem" your going to want to put your pfsense boxes wan IP into the DMZ of your "modem".. So want to set it to static or set reservation on your "modem" so it always gives pfsense same IP address on the 192.168.33 network.

[Lilrich]

Your right - the router was still in ROUTER mode

I changed that to modem only mode and this is what i get

No IP At all now.

[+BudMan]

How freaking hard is to post the make and model of the "modem"???? Example I use a Motorola SB6120

Model Name: SB6120

Vendor Name: Motorola

Firmware Name: SB612X-1.0.3.3-SCM00-NOSH

Boot Version: PSPU-Boot 1.0.0.4m1

Hardware Version: 1.0

Serial Number: 1869019126052260<snipped>

Firmware Build Time: Aug 12 2010 13:58:19

Did you power cycle your "modem" before connecting a new device?

Its impossible to help you without knowing what device you plugging into.

Are you DSL - Its less likely to see cable users with a gateway, so I would assume DSL. If so do you have to use PPPoE??

[Lilrich]

Okay okay sorry.

Netgear DG834G

Firmware V3.01.38

Network Type PPPoA

Did you power cycle your "modem" before connecting a new device?

No, i have never done this before so didn't know it was required now.

Are you DSL - Its less likely to see cable users with a gateway, so I would assume DSL. If so do you have to use PPPoE??

ADSL using PPPoA

[+BudMan]

Well with PPPoA, I will have to look if that device supports half bridge mode - cuz I dont believe pfsense supports PPPoA.

Half bridge means you use the gateway device to login, etc. but it puts the public IP on the device behind it. Let me take a look at the manual.

if not you can use the double nat mode I already went over.

btw what version of that router - I see up to v5, with that firmware version guess OLD v1?

From a quick look does not seem to support half bridge.. found this article about doing it with different firmware on the device

http://mybroadband.co.za/vb/archive/index.php/t-139095.html

But if you have to ask about dhcp, and did not know why pfsense was not working - I would HIGHLY suggest you not do anything of the sort.

Your best bet would be to just run in double nat mode.. So put your "modem" how it it was before - setup static IP on pfsense wan to be in that 192.168.33 network. Put that IP into the DMZ of your netgear router.. And then setup lan side of pfsense to be like 192.168.2.0/24

[Lilrich]

Looks like i really have bitten off more than i can chew this time.

Would using PPPoE require something from the ISP?

Edit: V2

[+BudMan]

if your connection is PPPoA, you can not just switch over to PPPoE.

Yeah I would agree this is over your head if you do not even understand basic networking, ie what dhcp is, what a subnet is, etc. What a Private IP is, etc.

[Lilrich]

if your connection is PPPoA, you can not just switch over to PPPoE.

Yeah I would agree this is over your head if you do not even understand basic networking, ie what dhcp is, what a subnet is, etc. What a Private IP is, etc.

I know what a DHCP is and a Subnet just never done much with NAT or anything simillar.

I want to broaden my knowledge on this kind of thing...

[+BudMan]

"I know what a DHCP is and a Subnet just never done much with NAT or anything simillar."

Thats not what this statement says to me

"I am not sure where it says what subnet i should be using or how to sucessfully configure the DHCP.."

But you can still use pfsense in a double nat setup.. Like I said just put its wan IP into the dmz of your netgear and setup a lan side network that is different than your wan network and your good to do. Not best option and you might run into some issues with double nat.. But those are rare - it should work just fine.

As to not done much with NAT?? WTF you think you have been using since you've been connected to your netgear router.. 192.168.33 is a private network, ie a NAT ;)

[Lilrich]

Hey Budman,

Just wanted to let you know i persisted with the problems i was having with my inability to understand basic networking and finally got my pfSense box up and running after lots of reading etc.

I changed the DG834G router into modem only mode which makes it into a modem only device (i think this is called a bridge) so it won't handle any of the authentication etc.

I then went into pfSense and setup the WAN interface on PPPoE and filled in my username and password for the internet - and submitted the changes, looking on the interface status it has now connected to the ISP got my public IP and also pulled the gateway and DNS servers. :woot:

One problem i did come across tho was pfSense seemed to 'cache' my gateway instead of pulling it from the modem so i had to reset the pfSense box back to basics and start again but after that everything is now working and seems to be lots faster than a standard router.

I just need to have a go at getting a web blocking application setup and the ability to block websites based on IP or MAC.

Thanks for all your help and being patient with me

Rich

[+BudMan]

Thought you said you were using PPPoA? But great you got it working.. Yup that is a public IP on your wan side!

If you want to do content filtering just install the squid and squidguard packages - personally don't use them, but tested them on 2.0 and working.

Yeah you'll notice net is prob a lit faster with a real router vs that little box with like 200mhz cpu and 4MB of ram to work with ;)

HAVE FUN!!!

I've been playing with the ipv6 development code lately - its a little buggy still but everything seems to be working other than having some issues the the RRD graphs, etc.

Tell you what you will never go back to a simple soho router now that you have a taste of a full featured router/firewall with some horsepower to play with ;)

edit: if me I would get away from all those isp dns, and just run your own caching recursive server - install the unbound package, and you can even do dnssec -- get borat giving you a thumbs up.

http://test.dnssec-or-not.org/

[Lilrich]

I didn't mean to feel like a 'tool' on the weekend i just really want to try and get my head into some of this networking lark and thought this would be a cool way of jumping right in there.

"Thought you said you were using PPPoA? But great you got it working.. Yup that is a public IP on your wan side!"

Yea i am using PPPoA but i sent a email to the ISP and they said they are using pfSense with PPPoE on the network and it works great, so i gave it a shot and here i am.

"If you want to do content filtering just install the squid and squidguard packages - personally don't use them, but tested them on 2.0 and working."

Thanks :) That is my next task to get Squid up and running, need to sort out some content filtering for the Kids :devil:

I hope never to go back, i am going to get the pfSense book later in the month so i can have a proper read at what this thing can do.

Once again thanks :D

Rich

[+BudMan]

Yeah if your looking to filtering the kids, the squidguard is great and install the reporting package "lightsquid" and you can get full reports of what they are doing... You can prob even log their IM messages with imspector ;)

Looks like the imspector is only on 1.2.3 release - you running 1.2.3 or 2.0? I didn't catch it from any of the screen shots, etc.

[Lilrich]

Interesting :)

I have installed Squid but haven't installed Squidguard yet as i notice it is still BETA.

I am running 1.2.3-RELEASE

Logging the IM Messages seems a bit much...but could be cool just to see that it is possible ;)

[+BudMan]

The squidguard is fine even though says it beta, your really going to want that if you want to filter by categories - you can grab blacklist and then then just pick categories, etc. If you run into issues just let me know, I don't run it since my kids are now 24 and 22 and no longer even at home ;)

But I have played with them, and pretty simple to get running - there was a thread a while back about blocking bbc.co.uk I threw it on to show how easy it is with the right tools - took like 10 min tops to get it all up and running and filtering on specific urls, they wanted to block /news or something but not the main url sort of thing.

Once you feel comfortable with the product in general, 2.0 is stable enough for production use so you might want to move up to that sometime - even before it hits final release.

[Lilrich]

The squidguard is fine even though says it beta, your really going to want that if you want to filter by categories - you can grab blacklist and then then just pick categories, etc. If you run into issues just let me know, I don't run it since my kids are now 24 and 22 and no longer even at home ;)

But I have played with them, and pretty simple to get running - there was a thread a while back about blocking bbc.co.uk I threw it on to show how easy it is with the right tools - took like 10 min tops to get it all up and running and filtering on specific urls, they wanted to block /news or something but not the main url sort of thing.

Once you feel comfortable with the product in general, 2.0 is stable enough for production use so you might want to move up to that sometime - even before it hits final release.

I have installed Squid Squidquard tinysquid just need to configure them and get them up and running.

Will see if i can dig out that link tomorrow and find out how you blocked the BBC :) could be a good starting point.

Yea might give 2.0 a go once i have had a go with this for a while :)

[Lilrich]

When i enable SquidGuard i get this error

Rich

[+BudMan]

What squid did you install 2 or 3? Is squid up and running before you try and start squidguard?

[Lilrich]

Version i would need to check as i went to

General -> Packages and installed from there.

I was under the impression that Squid was up and running....

Rich