Can't ping pfSense WAN interface

Guest

Hello guys!

 

I turned my old laptop into a pfSense Firewall. I bought a USB 3.0 Ethernet Adapter, and I set it as WAN interface, everything works fine.

 

WAN (wan) -> ue0 -> v4/DHCP4: 192.168.254.106/24
LAN (lan) -> re0 -> v4: 192.168.1.1/24

But I can't open the Web Interface of the pfSense (192.168.1.1).

 

As I ping my old laptop (192.168.254.106), it responded "Request timed out." I already disabled the AP isolation of my router via Telnet Switch, but no luck.

 


1 hour ago, LanceDdot said:

Hello guys!

 

I turned my old laptop into a pfSense Firewall. I bought a USB 3.0 Ethernet Adapter, and I set it as WAN interface, everything works fine.

 

WAN (wan) -> ue0 -> v4/DHCP4: 192.168.254.106/24
LAN (lan) -> re0 -> v4: 192.168.1.1/24

But I can't open the Web Interface of the pfSense (192.168.1.1).

 

As I ping my old laptop (192.168.254.106), it responded "Request timed out." I already disabled the AP isolation of my router via Telnet Switch, but no luck.

 


You're pinging from the WAN side? Did you disable the default enabled “block bogon” and “block private” address on WAN settings? You will need to disable those if you use pfSense in a lab type environment and want to be able to access the firewall from the WAN side.
 

Just….  If you end up deploying this with the WAN side actually being your WAN, don’t forget to re-enable those block rules. 

Rig: i7 13700k - - Asus Z790-P Wifi - - RTX 4080 - - 4x16GB 6000MHz - - Samsung 990 Pro 2TB NVMe Boot + Main Programs - - Assorted SATA SSD's for Photo Work - - Corsair RM850x - - Sound BlasterX EA-5 - - Corsair XC8 JTC Edition - - Corsair GPU Full Cover GPU Block - - XT45 X-Flow 420 + UT60 280 rads - - EK XRES RGB PWM - - Fractal Define S2 - - Acer Predator X34 -- Logitech G502 - - Logitech G710+ - - Logitech Z5500 - - LTT Deskpad

 

Headphones/amp/dac: Schiit Lyr 3 - - Fostex TR-X00 - - Sennheiser HD 6xx

 

Homelab/ Media Server: Proxmox VE host - - 512 NVMe Samsung 980 RAID Z1 for VM's/Proxmox boot - - Xeon e5 2660 V4- - Supermicro X10SRF-i - - 128 GB ECC 2133 - - 10x4 TB WD Red RAID Z2 - - Corsair 750D - - Corsair RM650i - - Dell H310 6Gbps SAS HBA - - Intel RES2SC240 SAS Expander - - TrueNAS + many other VM’s

 

iPhone 14 Pro - 2018 MacBook Air
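
As an added illustration (not part of any post in this thread, and not pfSense's own code), a simplified Python model of how a packet arriving on WAN is judged: the "block private" option from the reply above, then any pass rules, then the default block of incoming WAN connections. The address ranges, the lab host 192.168.254.10, the rule classes and the evaluation order are assumptions; the bogon list is not modelled.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Assumption: ranges used to model "block private" (RFC 1918 plus loopback).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

@dataclass
class PassRule:              # hypothetical stand-in for a WAN pass rule
    proto: str
    src: str                 # CIDR allowed as source
    dport: Optional[int] = None   # None: any port / not applicable (ICMP)

@dataclass
class WanPolicy:             # hypothetical model of the WAN interface settings
    block_private: bool = True
    pass_rules: list = field(default_factory=list)

def evaluate(policy, src, proto, dport=None):
    """Return (verdict, reason) for a packet arriving on the WAN interface."""
    addr = ipaddress.ip_address(src)
    if policy.block_private and any(addr in net for net in PRIVATE_NETS):
        return ("block", "block private networks")
    for rule in policy.pass_rules:
        if (rule.proto == proto and addr in ipaddress.ip_network(rule.src)
                and rule.dport in (None, dport)):
            return ("pass", f"pass {rule.proto} from {rule.src}")
    return ("block", "default deny on WAN")

LAB_HOST = "192.168.254.10"  # constructed: a PC on the upstream router's LAN

def lab_walkthrough():
    """Ping and web UI attempts from LAB_HOST under three WAN configurations."""
    default = WanPolicy()
    opened = WanPolicy(block_private=False)
    with_icmp = WanPolicy(block_private=False,
                          pass_rules=[PassRule("icmp", "192.168.254.0/24")])
    return {
        "default, ping": evaluate(default, LAB_HOST, "icmp"),
        "block-private off, ping": evaluate(opened, LAB_HOST, "icmp"),
        "off + icmp rule, ping": evaluate(with_icmp, LAB_HOST, "icmp"),
        "off + icmp rule, web UI": evaluate(with_icmp, LAB_HOST, "tcp", 443),
    }

if __name__ == "__main__":
    for case, result in lab_walkthrough().items():
        print(f"{case:28} -> {result}")
```

In this model the ICMP rule lets the lab ping through while the web UI on TCP 443 still falls to the default block, and setting `block_private` back to `True` restores the first verdict for every private source.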


10 hours ago, LanceDdot said:

Hello guys!

 

I turned my old laptop into a pfSense Firewall. I bought a USB 3.0 Ethernet Adapter, and I set it as WAN interface, everything works fine.

 

WAN (wan) -> ue0 -> v4/DHCP4: 192.168.254.106/24
LAN (lan) -> re0 -> v4: 192.168.1.1/24

But I can't open the Web Interface of the pfSense (192.168.1.1).

 

As I ping my old laptop (192.168.254.106), it responded "Request timed out." I already disabled the AP isolation of my router via Telnet Switch, but no luck.

Are you trying to open the web interface actually from the LAN of pfSense?  Because naturally you can't from the WAN side, you wouldn't want any random person on the Internet to be able to brute-force the password.

The ping issue other people have already addressed, you can't fix that until you can get into the UI.

Router:  Intel N100 (pfSense) WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz)
WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz) Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~800Mbit down, 115Mbit up)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7


I don't have a pfSense instance running right now to test, but it is common on other firewall platforms to not be able to connect to the firewall's far side interface. Meaning that you can't connect to the WAN interface from a LAN IP, and if you have a multisite VPN setup, you likely can't connect to a firewall's LAN IP from another site, even if you can connect to other hosts on the LAN network.

 

Again, I don't know exactly how pfSense manages traffic like that, but a firewall and router operate slightly differently, so things that would work on a router don't always work on a firewall.


12 hours ago, sphbecker said:

Again, I don't know exactly how pfSense manages traffic like that, but a firewall and router operate slightly differently, so things that would work on a router don't always work on a firewall.

A good router should work exactly the same and NEVER allow access to the router UI from the WAN side.


4 hours ago, Alex Atkin UK said:

A good router should work exactly the same and NEVER allow access to the router UI from the WAN side.

I disagree with that statement. Like I said, a firewall and router are different devices and act differently. A good firewall should block WAN access by default. A router is more of a logic tool and should do exactly what it is told to do, it doesn't know or care which port is a WAN and LAN port, it should do exactly what it is told to do, nothing more, nothing less.

 

Note: I am talking about a true router, not the SOHO devices that are a hybrid router/firewall/switch/access point. Those things have more in common with a firewall than a true router.


On 1/4/2022 at 4:12 PM, sphbecker said:

I disagree with that statement. Like I said, a firewall and router are different devices and act differently. A good firewall should block WAN access by default. A router is more of a logic tool and should do exactly what it is told to do, it doesn't know or care which port is a WAN and LAN port, it should do exactly what it is told to do, nothing more, nothing less.

 

Note: I am talking about a true router, not the SOHO devices that are a hybrid router/firewall/switch/access point. Those things have more in common with a firewall than a true router.

Define a "true router"?  Pretty sure that all routers include a firewall but not all firewalls are routers.  Routers absolutely DO have defined WAN ports and do firewall it by default.

Not sure why you're excluding SOHO routers seeing as that's what 99% of people are using, we're not talking about core routers costing thousands here.


1 hour ago, Alex Atkin UK said:

Define a "true router"?  Pretty sure that all routers include a firewall but not all firewalls are routers.  Routers absolutely DO have defined WAN ports and do firewall it by default.

Not sure why you're excluding SOHO routers seeing as that's what 99% of people are using, we're not talking about core routers costing thousands here.

You actually have it very backwards. All firewalls contain some kind of basic routing engine, not all routers contain a firewall. A router is simply a device that connects two (or more) different networks segments together.

 

In a setup where the router connects a LAN network to the internet, then the router will need to run NAT and maintain access control rules to block unwanted connections from the public internet. In that fashion, it is functioning as a basic (very basic) firewall.

 

There are plenty of examples in a corporate network where a router is not an edge device and does not touch the internet at all. More and more the function of routers is being replaced with layer-3 switches, but in a classic 7 layer ISO model, the router is the layer 3 distribution device.

 

Like I said, on a true router, something like a Cisco or Juniper device, it is most important that the router does what it is told to do, nothing more. Professional routers also use routing protocols like BGP, EIGRP, OSPF, etc. to intelligently share known networks and best paths among all routers on the network.

 

Yes, I realize we are not talking about professional routers, but we are talking about professional firewalls, so for you to bring up routers out of the blue, and then misdefine them, I think warranted a correction from me. If this had been a question about a Netgear Router, then I wouldn't have bothered saying anything, your comment is reasonable in that context, but not in the context of talking about a professional firewall.


2 hours ago, sphbecker said:

Yes, I realize we are not talking about professional routers, but we are talking about professional firewalls, so for you to bring up routers out of the blue, and then misdefine them, I think warranted a correction from me. If this had been a question about a Netgear Router, then I wouldn't have bothered saying anything, your comment is reasonable in that context, but not in the context of talking about a professional firewall.

We were strictly talking about SOHO edge devices here, it's you who said routers and firewalls operate slightly differently which wasn't relevant to the discussion as when it comes to SOHO edge devices they do not, they operate the same except with a proper router OS you can change that default configuration to operate more like a professional firewall or router.

 

But the default settings on consumer devices, OpenWRT, pfSense, OPNsense, ALL explicitly define a LAN and WAN.

 

I think the confusion is you assumed, as they are connecting two LAN ranges, they were wanting to use it as a LAN to LAN router, the rest of us were trying to find out IF that's what they wanted.


1 minute ago, Alex Atkin UK said:

We were strictly talking about SOHO edge devices here, it's you who said routers and firewalls operate slightly differently which wasn't relevant to the discussion as when it comes to SOHO edge devices they do not, they operate the same except with a proper router OS you can change that default configuration to operate more like a professional firewall or router.

 

But the default settings on consumer devices, OpenWRT, pfSense, OPNsense, ALL explicitly define a LAN and WAN.

Maybe scroll up to the top...this is a thread about pfSense, which is not a SOHO router, that is a professional (or semi-professional) firewall.

 

We can agree to disagree here, but none of the devices you just mentioned are technically routers, they are all firewalls. OpenWRT is debatable, but it is purpose built to be an edge device. Routers are not really meant to be edge devices at all...but can function that way if configured correctly.

 

Not really looking to get into an argument, I guess I was just triggered by you saying "any good router" will do a thing that professional routers don't do. There is no way I would agree that a Netgear flavor of the year is a "good" router, but a Cisco 4431 is not.


14 minutes ago, sphbecker said:

Maybe scroll up to the top...this is a thread about pfSense, which is not a SOHO router, that is a professional (or semi-professional) firewall.

Yes, and pfSense in its default configuration as we see in that post specifically defaults to WAN and LAN.  Its expected use-case is as an edge router & firewall.

 

The thing is, NOBODY refers to these devices as firewalls outside of the professional space.  As there was no indication this was a professional setting, I did not expect anyone to assume I was talking about professional equipment, I strictly meant any "SOHO router" will perform the same default functionality as pfSense, in that their firewall settings default to blocking incoming connections on the WAN interface, often including ping.
