[pfSense] pfSense box not visible from LAN, only from WAN
Hi,

I'm a new pfSense user and just set up my first box, which is a wireless access point. The problem is that I can't ping my pfSense box (or use the web configurator) from the LAN side, but both work from the WAN.

Here are some details about my setup:

WAN: ethernet, IP assigned via DHCP
LAN: wireless in AP mode, no IP configured, but obtained via DHCP from the WAN
bridge: bridges WLAN and LAN interfaces, no IP configured

I can connect to the access point and the hosts get an IP address. If I scan the network from the LAN (wireless connection) I get this result:

10.101.101.1 (gateway)
10.101.101.32 (the host I'm scanning from, LAN)
10.101.101.63 (some other host, WAN)
more hosts…

However, if I scan the network from the WAN I get this result:

10.101.101.1 (gateway)
10.101.101.28 (the pfSense box)
10.101.101.63 (the host I'm scanning from, WAN)
more hosts…

I have no firewall rules, except one per interface, which permits all traffic. I can provide more information if necessary, just let me know.

How can I make the pfsense box visible from the LAN side? Am I doing something wrong or is this expected?

Regards
Marco
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] pfSense box not visible from LAN, only from WAN
On 2013-05-08 Chris Bagnall wrote:
> On 8/5/13 7:41 pm, Marco wrote:
> >no IP configured
>
> This would be your problem.

This was the problem, indeed. I set the LAN to DHCP and I can see the pfSense box and access the web configurator.

> >How can I make the pfsense box visible from the LAN side? Am I doing
> >something wrong or is this expected?
>
> I suspect it's expected behaviour. If you want to use pfSense purely
> as an access point, then you're probably best off not using LAN at
> all (unless you need filtering). Bridge WAN with your WLAN interface
> and LAN becomes effectively redundant.

I think I didn't make myself clear, sorry. The LAN *is* the WLAN. I have just two interfaces, one ethernet (WAN) and one WLAN (LAN), and then a bridge across both (OPT1).

Thanks for the very quick response. It works now.

Regards
Marco
Re: [pfSense] pfSense box not visible from LAN, only from WAN
On 2013-05-08 b...@todoo.biz wrote:
> I am not sure what you are precisely trying to do…

This box is a replacement for an old Debian AP I set up a few years ago which worked flawlessly but died recently. It did not do any filtering, it was just a bridge between wired and wireless network using hostap and bridge-utils to provide wireless internet access for about a dozen users. Since everybody is talking about pfSense I thought I could give it a try for this setup.

> But if your idea is to have a neutral wireless AP, you will want to:
>
> 1. bridge the WAN and WLAN together.

That's what I did. The missing IP address (I still don't know why this is necessary, but nevermind) on the WLAN network was the cause of my trouble. It's working now.

> 2. deactivate all firewalling on your box (advanced network or
> firewall settings).

That's what I did.

> 3. In case you want to filter, you might want to change the
> settings in advanced so that you filter on the bridge rather than
> on each interface (in the sysctl pane).

When time permits I will definitely look into the features pfSense provides to improve the network quality. I'm especially interested in prioritizing skype traffic. That has been the biggest problem in the past. During the peak hours video calls are not possible. Maybe the traffic shaper could be of help. On the other hand I read that skype is very hard to shape.

Thank you too for the response.

Regards
Marco
Re: [pfSense] pfSense box not visible from LAN, only from WAN
On 2013-05-08 b...@todoo.biz wrote:
> I am not sure what you are precisely trying to do… But if your
> idea is to have a neutral wireless AP, you will want to:
>
> 1. bridge the WAN and WLAN together.
>
> 2. deactivate all firewalling on your box (advanced network or
> firewall settings).
>
> 3. In case you want to filter, you might want to change the
> settings in advanced so that you filter on the bridge rather than
> on each interface (in the sysctl pane).
>
>
> If you have console access to the FW, use the "pfctl -d" command
> line to deactivate the FW - It'll ease your job !

Sorry, I was too quick. It only “somehow” works. Here's the current situation:

I changed the WLAN (LAN) interface from no IP address to DHCP and I could see the pfSense box from the WLAN. Then I changed the cabling from the test setup to the original one. In particular, I unplugged the pfSense box from the WAN for a few seconds to remove a switch. After this change, I couldn't access the pfSense box any more.

I plugged the switch again and got a new DHCP lease for the WLAN (LAN) interface. It showed 0.0.0.0 as IP. I don't know why, but it worked anyway. I can access the pfSense box from the WLAN *until I remove the cable again*, which I definitely need to do to remove the switch.

Then I decided to use a static IP instead of DHCP, which worked, it survived the removal of the switch and I still have access to the pfSense box. I don't know if the randomly selected IP may collide with the IPs distributed by the DHCP server, so this solution might not be optimal. Anyway, all hosts see the IP of the pfSense box and my randomly selected one.

All hosts in the WLAN (LAN) can see all other hosts in the WAN, including pfSense box, but they can't see each other. Why can't the hosts in the WLAN see each other?

Regards
Marco
[pfSense] Hosts in LAN can't see each other
Hi,

as described in another post a few days ago, my setup is as follows:

ethernet -> WAN
WLAN -> LAN
OPT1 -> bridge(WAN,LAN)

The firewall is switched off and communication from LAN to WAN works flawlessly. But the hosts in the LAN (wireless) can't see each other. They can only see the hosts in the WAN including the pfSense box.

What do I need to configure that the hosts in the LAN can communicate with each other?

Regards
Marco
Re: [pfSense] Hosts in LAN can't see each other
On 2013-05-13 Matthias May wrote:
> >What do I need to configure that the hosts in the LAN can
> >communicate with each other?
>
> Did you perhaps disable the checkbox "Allow intra-BSS communication" ?

Thanks, that was the nudge in the right direction I was hoping for. It's working now.

Regards
Marco
[pfSense] AR9280 network adapter not working
Hi,

I can't get my wireless access point to work. I have an Atheros AR9280, a chip which appears to be well supported. After activating the interface the network is not visible from other hosts and I get the following log entries. I'm not sure if that's related to the actual problem.

kernel: ath0: unable to reset hardware; hal status 14
kernel: ath0: ath_chan_set: unable to reset channel 3 (2422 MHz, flags 0x480), hal status 14
kernel: ath0: ath_chan_set: unable to reset channel 4 (2427 MHz, flags 0x480), hal status 14
kernel: ath0: ath_chan_set: unable to reset channel 5 (2432 MHz, flags 0x480), hal status 14
kernel: ath0: ath_chan_set: unable to reset channel 8 (2447 MHz, flags 0x480), hal status 14
kernel: ath0: ath_chan_set: unable to reset channel 9 (2452 MHz, flags 0x480), hal status 14
kernel: ath0: ath_chan_set: unable to reset channel 10 (2457 MHz, flags 0x480), hal status 14
kernel: ath0: ath_chan_set: unable to reset channel 12 (2467 MHz, flags 0x680), hal status 14
kernel: ath0: unable to reset hardware; hal status 14

What is "hal status 14"? Furthermore, if I go to the "Status → Wireless" tab and do a "Rescan", no neighbouring networks show up. It might be a hardware issue or just a configuration error. I'd be glad if someone could help me to debug this.

System
--
2.1-RELEASE (amd64)
built on Wed Sep 11 18:17:48 EDT 2013
FreeBSD 8.3-RELEASE-p11

Interface Configuration
---
IPv4 Configuration Type : Static IPv4
IPv4 address: 10.0.30.1
Standard: 802.11b
Channel : Auto
Antenna settings: Default Default
Mode: Access Point
SSID: foobar
Enable Hide SSID: no
- no encryption (yet) -

Let me know if I should provide more information.

Best regards
Marco
Re: [pfSense] AR9280 network adapter not working
On 2013-12-11 Marco wrote:
> I can't get my wireless access point to work. I have an Atheros
> AR9280, a chip which appears to be well supported. After activating
> the interface the network is not visible from other hosts and I get
> the following log entries. I'm not sure if that's related to the
> actual problem.

After a reboot the error vanished and the network adapter seems to work. I didn't change a thing, maybe the network setup requires a reboot, I'm not sure. Anyway, I can't reproduce the problem any longer.

Sorry for the noise.

Marco
[pfSense] mDNS queries from pfSense fail
Hi,

I have installed and configured the Avahi package. The pfSense box successfully publishes its services via mDNS. However, I can't run any queries from the pfSense box.

# avahi-browse --all
Failed to create client object: Daemon not running

The daemon is in fact running:

avahi-daemon: running [pfsense.local] (avahi-daemon)
/usr/pbi/avahi-amd64/bin/dbus-daemon --system

Why does the connection to the daemon fail and what does it take to get mDNS resolution working?

System info:
pfSense: 2.1-RELEASE
Avahi: 0.6.29 pkg v1.02

Best regards
Marco
[pfSense] Hostname resolution of OpenVPN-connected clients
Hello,

we have used pfSense for quite a while with success and are very happy overall. Recently we set up OpenVPN and are facing a DNS issue.

Hosts in the LAN can be addressed using the hostname (thanks to “Register DHCP leases in the DNS Resolver”) which is working perfectly fine. Hosts on the OpenVPN network can also resolve hosts in the LAN. However, from the LAN the OpenVPN-connected hosts cannot be reached (only via IP address, not via hostname).

Research shows¹ that VPN-connected clients don't register their hostnames in the DNS which is unfortunate and would probably solve the issue we face. The answer seems to be¹:

> Would have to statically assign them via client overrides and manually add
> to DNS forwarder for them to resolve.

This would work for static hosts that are always on the VPN, but this wouldn't work for mobile hosts (e.g. employee's laptops) which have a different IP address, depending on whether they are connected to the LAN or connected via OpenVPN.

How to access the mobile hosts via the same hostname regardless if they are connected to the LAN or VPN?

Marco

¹ http://serverfault.com/a/361103/102215
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Hostname resolution of OpenVPN-connected clients
On Wed, 11 Nov 2015 15:22:40 + Espen Johansen wrote:
> I think you have to set up a radius server and assign ip based on the
> user. That way they will be "static" and then add DNS entries to that
> static IP.

I've never dealt with RADIUS. Seems a bit like overkill to just get the DNS working. But I'll read up what it takes to implement RADIUS.

Thanks for the response.

Marco
Re: [pfSense] Hostname resolution of OpenVPN-connected clients
On Wed, 11 Nov 2015 09:50:30 -0500 Vick Khera wrote:
> On Wed, Nov 11, 2015 at 2:46 AM, Marco wrote:
>
> > How to access the mobile hosts via the same hostname regardless if
> > they are connected to the LAN or VPN?
> >
>
> Via some form of dynamic DNS perhaps? It seems it should be possible
> to have the openvpn client run some script that will register its
> current IP into a BIND server via RFC2136 update.

That could work. The VPN client for sure knows the hostname and the IP address. But I have no clue how to implement that. I guess this is not a very unique problem and I assume that others already solved it.

> Setting up BIND 9 to manage a dynamic zone is not very difficult.

Do I need an additional BIND instance besides the unbound that's already running on the pfSense box?

Marco
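The RFC 2136 update suggested in the exchange above, as an added example that is not part of the original thread or of pfSense. It is written as a hook for OpenVPN's server-side `client-connect` / `client-disconnect` scripts rather than a client-side script, so the TSIG key stays on one host; the zone name, DNS server address and key path are placeholders, and it assumes each certificate's common name is the laptop's short hostname.

```shell
#!/bin/sh
# Added example: register an OpenVPN client in a dynamic DNS zone (RFC 2136).
# Placeholders/assumptions: ZONE, DNS_SERVER, TSIG_KEY; certificate CN == short hostname.
LC_ALL=C; export LC_ALL

ZONE=${ZONE:-vpn.example.test}          # hypothetical dynamic zone
DNS_SERVER=${DNS_SERVER:-192.0.2.53}    # documentation address, not a real server
TTL=${TTL:-300}
TSIG_KEY=${TSIG_KEY:-/path/to/tsig.key} # placeholder path to the update key

# nsupdate reads one command per line, so a name containing a newline, a space
# or a dot could smuggle in extra commands or write outside the intended label.
# Accept exactly one DNS label: letters, digits, hyphen, 1-63 characters.
valid_label() {
    case $1 in
        ''|-*|*-|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Accept dotted-quad IPv4 only, each octet 0-255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    vi_ifs=$IFS; IFS=.
    set -- $1
    IFS=$vi_ifs
    [ "$#" -eq 4 ] || return 1
    for vi_octet in "$@"; do
        [ "${#vi_octet}" -le 3 ] && [ "$vi_octet" -le 255 ] || return 1
    done
}

# build_update add|delete HOST [IP]
# Prints the nsupdate batch on stdout; prints nothing and returns 2 if any
# input fails validation, so a partial batch is never produced.
build_update() {
    bu_action=$1; bu_host=${2:-}; bu_ip=${3:-}
    case $bu_action in
        add|delete) ;;
        *) echo "unknown action" >&2; return 2 ;;
    esac
    valid_label "$bu_host" || { echo "refusing hostname" >&2; return 2; }
    if [ "$bu_action" = add ]; then
        valid_ipv4 "$bu_ip" || { echo "refusing address" >&2; return 2; }
    fi
    bu_fqdn="$bu_host.$ZONE."
    printf 'server %s\nzone %s\n' "$DNS_SERVER" "$ZONE"
    # Remove any stale A record first so the name maps to one address only.
    printf 'update delete %s A\n' "$bu_fqdn"
    if [ "$bu_action" = add ]; then
        printf 'update add %s %s A %s\n' "$bu_fqdn" "$TTL" "$bu_ip"
    fi
    printf 'send\n'
}

# Build the whole batch first; only a fully validated batch reaches nsupdate.
run_hook() {
    rh_batch=$(build_update "$@") || return 1
    printf '%s\n' "$rh_batch" | nsupdate -k "$TSIG_KEY"
}

# OpenVPN sets script_type, common_name and ifconfig_pool_remote_ip for these
# hooks. A non-zero exit from client-connect makes OpenVPN refuse the client,
# so a DNS failure is only logged here.
case ${script_type:-} in
    client-connect)
        run_hook add "$common_name" "$ifconfig_pool_remote_ip" ||
            echo "DNS registration failed for $common_name" >&2 ;;
    client-disconnect)
        run_hook delete "$common_name" ||
            echo "DNS removal failed for $common_name" >&2 ;;
esac
```

The BIND zone would need an update policy that allows this key to change A records in the zone only; that server-side configuration is not shown here.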
Re: [pfSense] Hostname resolution of OpenVPN-connected clients
On Thu, 12 Nov 2015 10:42:30 -0800 Geoff Nordli wrote:
> Not sure how many clients you are going to have,

About half a dozen. Growing. But still, overall a very small deployment here. RADIUS seems to be designed for larger enterprises with hundreds or thousands of clients and might not justify the administrative overhead and cost for us.

> but Openvpn allows you to assign an IP address to a specific
> client. Look at the ipp.txt file.

This is supported through the pfSense GUI as well¹. But that doesn't solve the fundamental problem we face. Which is that we cannot reliably access the clients. Via IP address doesn't work (even if it's fixed on the VPN) because the hosts (laptops) connect to different parts of the network and get assigned different addresses. So we have to address them via hostname. This works like a charm thanks to the “Register host names in DNS” feature, except when they connect via VPN. Hence this post.

Marco

¹ http://serverfault.com/a/361103/102215
Re: [pfSense] Hostname resolution of OpenVPN-connected clients
On Sat, 14 Nov 2015 04:37:34 + Espen Johansen wrote:
> Based on your need I think you should convert to l2tp.
>
> https://doc.pfsense.org/index.php/L2TP/IPsec

Thanks. I'll have a look at it. Maybe it's a better fit for us.

Marco
[pfSense] Disable DHCP domain-name request
We receive the interface network configuration on the WAN via DHCP. This works, however somehow our ISP or the modem pushes a domain name to the pfSense box which is undesirable. I assume that the DHCP client requests the domain name.

I have set our domain name in

System → General Setup → Domain

But it still keeps appearing in the network. So the solution would be to remove the “domain-name” part from the requests list. There is the form field

Interfaces → WAN → DHCP client configuration → Advanced → Request Options

What I want to do is to remove “domain-name” from this list. But it's empty. Therefore I assume it's using some default values.

How can I remove the “domain-name” from the DHCP request list without altering anything else? Or if this is the wrong approach, how to ignore the domain being pushed on the network by the ISP?

Marco
Re: [pfSense] Disable DHCP domain-name request
On Fri, 20 Nov 2015 15:23:20 -0700 WebDawg wrote:
> Where does it appear?

E.g. on the WLAN connected hosts. The pfSense box itself has the correct domain name.

> You can specify domain names on each interface served by the
> pfSense DHCP server...

I have set the domain name in System → General Setup and also in the DHCP server setting, which seems redundant. However, on a connected host the fully qualified domain name is still set to the ISP provided domain name. Running “hostname” on the pfSense box returns the correct one, though.

Marco
Re: [pfSense] Disable DHCP domain-name request
On Fri, 20 Nov 2015 13:15:58 -0500 Moshe Katz wrote:
> As far as I can tell, if you set a domain name manually in "System:
> General Setup", pfSense will ignore any domain name that comes back
> with the DHCP request.

I have set the domain name there. It seems redundant, but I've also set the domain name in the DHCP server setting. However, on a connected host the fully qualified domain name is still set to the ISP provided domain name. Running “hostname” on the pfSense box returns the correct one, though.

Marco
Re: [pfSense] Disable DHCP domain-name request
On Mon, 23 Nov 2015 15:44:42 -0800 Dave Warren wrote:
> > Delete all leases from Status -> DHCP leases, restart dhcp service
> > and retry ...
>
> That's not necessary and would be incorrect behaviour if it were
> happening. I just confirmed here with my pfSense installation, new
> options are applied without removing the old lease in all expected
> cases, including the Domain Name field.

Thanks for confirming.

> I tested via a Domain Name change against an automatic renewal and
> manual renewal, as well as a "release/renew" cycle; in all cases the
> client was aware of the new settings immediately after the DHCP
> operation completed.
>
> Now admittedly some broken clients won't reflect all changes
> immediately; some of our VoIP phones will update DNS servers as soon
> as they renew, but won't update timezone information until the next
> reboot, but this is a client deficiency and nothing you do in pfSense
> (including removing the old lease) will make a difference, and it
> only causes issues on specific hardware, but if you capture and
> analyze the packets, you'll see correct data was sent by the DHCP
> server.

Thanks for the thorough answer. It seems it's not pfSense that is at fault, but the client itself. I'll fire up wireshark and check what's being transmitted to confirm.

Marco
Re: [pfSense] Disable DHCP domain-name request
On Wed, 25 Nov 2015 07:58:38 +0100 Marco wrote:
> Thanks for the thorough answer. It seems it's not pfSense that is at
> fault, but the client itself. I'll fire up wireshark and check
> what's being transmitted to confirm.

Indeed, the correct domain is passed to the client. That confirms it's a client issue and has nothing to do with pfSense.

Thanks for the quick and professional help and the pointer in the right direction.

Marco
[pfSense] Port forwards don't work on one machine
Hi,

I have set up port forwarding multiple times in the past and it has always worked. But I now have a machine that fails to forward a port. No clue why. Maybe I'm missing the obvious here.

My network:

Internet -> ISP provided “NAT device” -> pfSense (2.4.2-RELEASE-p1)

For debugging purposes I simplified the setup, turned off IDS, pfBlockerNG, used IPs instead of aliases.

1) The port forward from the WAN to 10.0.30.21 is set up.

   https://i.imgur.com/V8vlN1Z.png

2) A corresponding WAN rule is created as well:

   https://i.imgur.com/N7ulwha.png

   On another machine this already is enough to get it working. But not on this one. Nmap shows “filtered”.

3) Confirming the port 8000 is actually open on 10.0.30.21:

   https://i.imgur.com/KcaSP6T.png

   Yes, it is.

4) Now testing from the external IP:

   https://i.imgur.com/QnWQuIO.png

   Nope! Again using an external service:

   https://i.imgur.com/v4KaivE.png

   No, James!

5) States:

   https://i.imgur.com/Rf1kjbf.png

6) Packet capture:

   https://i.imgur.com/xT3qFXW.png

I read: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

> Common Problems
>
> 1. NAT and firewall rules not correctly added (see How can I forward ports
> with pfSense?)

I guess it's all correct, works on another machine.

> Hint: Do NOT set a source port

not set

> 2. Firewall enabled on client machine

nope

> 3. Client machine is not using pfSense as its default gateway

pfSense is the default gateway

> 4. Client machine not actually listening on the port being forwarded

It is, see https://i.imgur.com/KcaSP6T.png

> 5. ISP or something upstream of pfSense is blocking the port being forwarded

I guess the states table and packet capture should be empty if that's the case, right?

> 6. Trying to test from inside the local network, need to test from an outside
> machine

Tested both, see
https://i.imgur.com/QnWQuIO.png
https://i.imgur.com/v4KaivE.png

> 7. Incorrect or missing Virtual IP configuration for additional public IP
> addresses

No clue, haven't configured anything virtual.

> 8. The pfSense router is not the border router. If there is something else
> between pfSense and the ISP, the port forwards and associated rules must be
> replicated there.

True, pfSense is not the border router, ISP provided “NAT gateway” is. Device is configured to forward everything to the pfSense box, though.

> 9. Forwarding ports to a server behind a Captive Portal. An IP bypass must be
> added both to and from the server's IP in order for a port forward to work
> behind a Captive Portal.

nope

> 10. If this is on a WAN that is not the default gateway, make sure there is a
> gateway chosen on this WAN interface, or the firewall rules for the port
> forward would not reply back via the correct gateway.

WAN is default gateway

> 11. If this is on a WAN that is not the default gateway, ensure the traffic
> for the port forward is NOT passed in via Floating Rules or an Interface
> Group. Only rules present on the WAN's interface tab under Firewall Rules
> will have the reply-to keyword to ensure the traffic responds properly via
> the expected gateway.

didn't configure floating rules

> 12. If this is on a WAN that is not the default gateway, make sure the
> firewall rule(s) allowing the traffic in do not have the box checked to
> disable reply-to.

not the case

> 13. If this is on a WAN that is not the default gateway, make sure the master
> reply-to disable switch is not checked under System > Advanced, on the
> Firewall/NAT tab.

not the case

> 14. WAN rules should NOT have a gateway set, so make sure that the rules for
> the port forward do NOT have a gateway configured on the actual rule.

see https://i.imgur.com/N7ulwha.png

> 15. If the traffic appears to be forwarding in to an unexpected device, it
> may be happening due to UPnP. Check Status > UPnP to see if an internal
> service has configured a port forward unexpectedly. If so, disable UPnP on
> either that device or on the firewall.

UPnP is not used

I guess I'm missing the obvious here, since port forwards are rather straightforward in pfSense and have never given me troubles in the past. A nudge in the right direction is appreciated.

Marco
Re: [pfSense] Port forwards don't work on one machine
On Sun, 11 Feb 2018 12:42:34 -0800 Chris L wrote:
> > On Feb 11, 2018, at 11:12 AM, Marco wrote:
> >
> > 6) Packet capture:
> >
> >https://i.imgur.com/xT3qFXW.png
>
> What interface is that taken on?

WAN

> Take one on the interface the destination server is connected to
> (WLAN?) and test again.

done: https://i.imgur.com/CJbaVp6.png

The first two lines show the external IP access to the 8000 port, then comes the pfSense port test.

> While you’re capturing also do another Diagnostics > Test Port
> from the local pfSense itself. Please include the capture of both
> events (from outside and using test port.)

done, see above.

> It looks like the server is not responding.

Why does this work then?: https://i.imgur.com/KcaSP6T.png

I can access it locally and pfSense can also access it. Testing from my laptop now. Actual server is a real machine on another network.

Thanks for the quick response.

Marco
Re: [pfSense] Port forwards don't work on one machine
On Sun, 11 Feb 2018 20:46:41 + "Joseph L. Casale" wrote:
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris
> L Sent: Sunday, February 11, 2018 1:43 PM
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] Port forwards don't
> work on one machine
>
> > What interface is that taken on? Take one on the interface the
> > destination server is connected to (WLAN?) and test again. While
> > you’re capturing also do another Diagnostics > Test Port from the
> > local pfSense itself. Please include the capture of both events
> > (from outside and using test port.)
> >
> > It looks like the server is not responding.
>
> I'd also suggest running a capture on the destination, if it's
> actually receiving traffic and/or sending it elsewhere (routing rule)
> this will provide some insight.

I ran a wireshark on the destination and it received packets when “port testing” from the pfSense, but not when using external access (e.g. canyouseeme.org)

Marco
Re: [pfSense] Port forwards don't work on one machine
On Mon, 12 Feb 2018 10:21:08 -0600 Steven Spencer wrote:
> On 02/11/2018 03:29 PM, Marco wrote:
> > On Sun, 11 Feb 2018 20:46:41 +
> > "Joseph L. Casale" wrote:
> >
> >> -Original Message-
> >> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of
> >> Chris L Sent: Sunday, February 11, 2018 1:43 PM
> >> To: pfSense Support and Discussion Mailing List
> >> Subject: Re: [pfSense] Port forwards don't
> >> work on one machine
> >>
> >>> What interface is that taken on? Take one on the interface the
> >>> destination server is connected to (WLAN?) and test again. While
> >>> you’re capturing also do another Diagnostics > Test Port from the
> >>> local pfSense itself. Please include the capture of both events
> >>> (from outside and using test port.)
> >>>
> >>> It looks like the server is not responding.
> >> I'd also suggest running a capture on the destination, if it's
> >> actually receiving traffic and/or sending it elsewhere (routing
> >> rule) this will provide some insight.
> > I ran a wireshark on the destination and it received packets when
> > “port testing” from the pfSense, but not when using external access
> > (e.g. canyouseeme.org)
> >
> > Marco
>
> Marco,
>
> Just curious, but what is the target machine's OS?

The actual server is FreeBSD, but I run the tests with a Linux laptop as the behaviour is the same.

Marco
Re: [pfSense] Port forwards don't work on one machine
On Mon, 12 Feb 2018 11:59:09 -0600 Steven Spencer wrote:
> On 02/12/2018 11:43 AM, Marco wrote:
> > On Mon, 12 Feb 2018 10:21:08 -0600
> > Steven Spencer wrote:
> >
> >> On 02/11/2018 03:29 PM, Marco wrote:
> >>> On Sun, 11 Feb 2018 20:46:41 +
> >>> "Joseph L. Casale" wrote:
> >>>
> >>>> -Original Message-
> >>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of
> >>>> Chris L Sent: Sunday, February 11, 2018 1:43 PM
> >>>> To: pfSense Support and Discussion Mailing List
> >>>> Subject: Re: [pfSense] Port forwards
> >>>> don't work on one machine
> >>>>
> >>>>> What interface is that taken on? Take one on the interface the
> >>>>> destination server is connected to (WLAN?) and test again. While
> >>>>> you’re capturing also do another Diagnostics > Test Port from
> >>>>> the local pfSense itself. Please include the capture of both
> >>>>> events (from outside and using test port.)
> >>>>>
> >>>>> It looks like the server is not responding.
> >>>> I'd also suggest running a capture on the destination, if it's
> >>>> actually receiving traffic and/or sending it elsewhere (routing
> >>>> rule) this will provide some insight.
> >>> I ran a wireshark on the destination and it received packets when
> >>> “port testing” from the pfSense, but not when using external
> >>> access (e.g. canyouseeme.org)
> >>>
> >>> Marco
> >> Marco,
> >>
> >> Just curious, but what is the target machine's OS?
> > The actual server is FreeBSD, but I run the tests with a Linux
> > laptop as the behaviour is the same.
> >
> > Marco
>
> I know you've stated that you have no firewall on these machines. So
> iptables -L shows empty on the Linux laptop

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

> No selinux in play on the Linux
> laptop

No selinux in use.

> I looked at your screen shots and I can't see anything that leaps
> out at me. We have a number of PfSense firewalls in use (15)
> within our organization and I've used port forwarding on every one
> of them and have never run into a problem-unless the receiving
> machine refuses the connection.

Same here. Not that I'm a network expert, but I've set up five pfSense installations and port forwarding has always been an easy task which worked by just configuring the NAT rule.

If the receiving machine refuses the connection, I would not be able to successfully "port test" it from the pfSense box and I would see incoming packets with wireshark (I believe). Therefore, I suspect an issue with the port forwarding.

> I've been bitten by selinux before and more recently, by firewalld.

Not installed and (therefore I hope) not used.

Thanks for the support and confirming that it's not something obvious. Will investigate later.

Marco
Re: [pfSense] Port forwards don't work on one machine
On Mon, 12 Feb 2018 14:12:53 -0500 James Ronald wrote:
> What is the default gateway of the destination (is there a route back
> to pfSense)?

pfSense is the default gateway of the destination.

Marco
Re: [pfSense] Port forwards don't work on one machine
On Sun, 11 Feb 2018 15:23:43 -0800 Chris L wrote:
> > On Feb 11, 2018, at 1:29 PM, Marco wrote:
> >
> > On Sun, 11 Feb 2018 20:46:41 +
> > "Joseph L. Casale" wrote:
> >
> >> -Original Message-
> >> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of
> >> Chris L Sent: Sunday, February 11, 2018 1:43 PM
> >> To: pfSense Support and Discussion Mailing List
> >> Subject: Re: [pfSense] Port forwards don't
> >> work on one machine
> >>
> >>> What interface is that taken on? Take one on the interface the
> >>> destination server is connected to (WLAN?) and test again. While
> >>> you’re capturing also do another Diagnostics > Test Port from the
> >>> local pfSense itself. Please include the capture of both events
> >>> (from outside and using test port.)
> >>>
> >>> It looks like the server is not responding.
> >>
> >> I'd also suggest running a capture on the destination, if it's
> >> actually receiving traffic and/or sending it elsewhere (routing
> >> rule) this will provide some insight.
> >
> > I ran a wireshark on the destination and it received packets when
> > “port testing” from the pfSense, but not when using external access
> > (e.g. canyouseeme.org)
> >
>
> Are the packets going out pfSense LAN? To what MAC/IP address?

You mean when scanning from outside? I ran a Packet Capture on pfsense on the WLAN side (settings: interface WLAN, port 8000) and got nothing.

Marco
Re: [pfSense] Port forwards don't work on one machine
On Mon, 12 Feb 2018 20:45:55 + Steve Yates wrote:
> Just to double check the config, so the pfSense router is set as the
> DMZ of the ISP router?

No clue if the ISP device has a concept of DMZ. I configure it as “Exposed Host”, so all communication is actually forwarded to the pfSense box. I've set up numerous of those devices in different locations and that was always sufficient.

> Have you tried deleting the rule and re-adding?

On the ISP device? No, not yet. I guess tomorrow I'll clear the ISP devices' config and also start off with a vanilla pfSense config.

I'm not really used to debugging with pfSense, especially the logging features. What's the best way to check if that packet is blocked by pfSense somehow? I tried

Status → System Logs → Firewall → Normal View → Advanced Log Filter

I checked “Block”, then entered Port: 8000 and “Apply Filter” and it shows “No logs to disply”. That means that the packet is not blocked by an implicit or explicit firewall rule, right?

Marco
Re: [pfSense] Port forwards don't work on one machine
On Wed, 14 Feb 2018 18:07:42 -0500 WebDawg wrote:
> It is most likely the ISP device.

Indeed, it was. I redid the whole pfSense config and the issue persisted. Then I redid the ISP device config and it worked. In the end I changed nothing, same config as before, but now it works for some magical reason.

Thanks to all of you for the support and sorry for the noise (of having nothing to do with pfSense).

Marco
[pfSense] Host override without host part
Hi,

I need assistance setting up a host override. I successfully set up a host override for the www host:

# Services → DNS → Resolver → General Settings → Host Overrides
# works fine
www.foobar.com → 10.0.10.10

However, I also need an override for the domain part:

# how to do that?
foobar.com → 10.0.10.10

I can't leave the host part empty. Pfsense doesn't allow for that. Any ideas?

Marco
Re: [pfSense] Host override without host part
On Thu, 12 Apr 2018 09:52:31 -0400 Vick Khera wrote:
> > However, I also need an override for the domain part:
> >
> > # how to do that?
> > foobar.com → 10.0.10.10
> >
> > I can't leave the host part empty. Pfsense doesn't allow for that.
> > Any ideas?
> >
>
> Works for me. pfSense 2.4.3.

It does indeed. I tried to leave it empty and got an error message. No clue what I did. Works as expected.

Sorry for the noise and thanks for the quick response.

Marco