With new installation, no Internet access.
-
For some time now I have been encountering various problems accessing the Internet and the only way is to leave the rule completely open.
I thought it was due to a bad DNS configuration or poorly applied rules.
Unable to find the right configuration, I did a clean installation of version 2.7.0.
I left exactly everything in the initial configuration, even the pfsense password.
I limited myself only to inserting the basic rules for a test (below).
Well, I can't access the Internet either with the option "DNS Query Forwarding = Enable Forwarding Mode" (in DNS Resolve) or by entering the DNS 1.1.1.1 in the DHCP server.
From the router I already get 8.8.8.8.
From Diagnostic / Ping / LAN, pinging google.com and wsj.com works.
Not from Windows.
I'm using Win11 Pro with the latest WinUpdates.
I even tried with a new clean version of Windows 11 and also another PC.
It doesn't work with Linux either.
It seems that the DNS cannot be transferred.
I want to say that I am not an expert in pfSense, but for the main things I now move with a certain ease because I have been using it for over a year now.
There may be some options that I just didn't activate correctly, but, again, I'm using the initial configuration with basic changes. -
Hi, how do you have pfSense installed? Is it in a virtual machine on Windows or is it standalone on another device?
-
@darkcorner Your allow all bottom rule should be IPV4* NOT ICMP only.
Also, check your System > General and make sure you have DNS specified in there. You can use 8.8.8.8 as you have in your post, though I prefer Quad9.net (9.9.9.9 or 149.112.112.112).
Hope that helps!
-
@Uglybrian
PC Acer, with a NIC on the motherboard and a card with 4 ports.
LAN is on the first port of this card.
I didn't write it first, but I did the troubleshooting as also indicated in the documentation.
I also tried DNS rules 53 and 853 with TCP/UDP. Now they are these.
From the PC I can ping IP addresses on the internet, but not domains.
Furthermore, I also tried assigning a static IP to the PC's NIC, both using 192.168.1.1 as DNS and using 1.1.1.1.
I can't ping google.com either.
As soon as I enable the "All Open" rule, the ping works.
-
@CommonSense said in With new installation, no Internet access.:
Your allow all bottom rule should be IPV4* NOT ICMP only.
I didn't get the hint. That rule is to enable ping. Isn't that correct?
Also, check your System > General and make sure you have DNS specified in there. You can use 8.8.8.8 as you have in your post, though I prefer Quad9.net (9.9.9.9 or 149.112.112.112).
In "System > General Setup" I entered 9.9.9.9, but neither the web page nor ping works.
For the test I use https://wsj.com -
@darkcorner
You might not want to limit the source port in firewall rules.
Almost all applications use a random source port, so it can be any from 1025 - 65535.
If you want to restrict traffic to, say, DNS, set 53 as destination port.
You should also set the protocol for DNS to "TCP/UDP". Clients may use both. -
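Added example, not part of the thread or of pfSense itself: a minimal Python model of pass rules with an implicit default deny, showing why rules that put port 53 or 443 in the source field let ping through but block name resolution and web traffic, and why DNS needs TCP as well as UDP. The rule sets, packet values and names (`Rule`, `Packet`, `evaluate`) are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src_port: Optional[int]     # None for ICMP
    dst_port: Optional[int]

@dataclass(frozen=True)
class Rule:
    protos: frozenset
    src_port: Optional[int] = None   # None means "any"
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (p.proto in self.protos
                and self.src_port in (None, p.src_port)
                and self.dst_port in (None, p.dst_port))

TCP_UDP = frozenset({"tcp", "udp"})
ICMP_PASS = Rule(frozenset({"icmp"}))

# Constructed rule sets (the thread's actual rules are not reproduced on this page).
PORTS_IN_SOURCE = [ICMP_PASS, Rule(TCP_UDP, src_port=53),
                   Rule(frozenset({"tcp"}), src_port=443)]
PORTS_IN_DESTINATION = [ICMP_PASS, Rule(TCP_UDP, dst_port=53),
                        Rule(frozenset({"tcp"}), dst_port=443)]
UDP_ONLY_DNS = [ICMP_PASS, Rule(frozenset({"udp"}), dst_port=53)]

# Constructed LAN client traffic: source ports are ephemeral, chosen by the OS.
TRAFFIC = {
    "ping":    Packet("icmp", None, None),
    "dns_udp": Packet("udp", 51514, 53),
    "dns_tcp": Packet("tcp", 51515, 53),
    "https":   Packet("tcp", 51516, 443),
}

def evaluate(rules):
    """Every rule is a pass rule, so a packet passes if any rule matches;
    anything unmatched falls to the implicit default deny."""
    return {name: any(r.matches(p) for r in rules) for name, p in TRAFFIC.items()}

if __name__ == "__main__":
    for label, rules in [("ports in Source", PORTS_IN_SOURCE),
                         ("ports in Destination", PORTS_IN_DESTINATION),
                         ("UDP-only DNS", UDP_ONLY_DNS)]:
        print(f"{label:22}", evaluate(rules))
```

With the ports in the source field only ping passes, which matches the symptom in the thread: IP addresses answer but names do not resolve.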
@viragomann said in With new installation, no Internet access.:
You might not want to limit the source port in firewall rules.
Almost all applications use a random source port, so it can be any from 1025 - 65535.
If you want to restrict traffic to, say, DNS, set 53 as destination port.
You should also set the protocol for DNS to "TCP/UDP". Clients may use both.
If I move the filters from From to Destination everything works, but I don't understand.
At this point I may be remembering incorrectly because I haven't created rules for at least a year, but I'm (almost) certain that I have always put the rules in From.
The guide also says: "Outbound rules are never required, because filtering is applied on the inbound direction of every interface." -
Damnation. I have the memory of a goldfish.
I went and got the rules from a year and a half ago: all in Destination.
Sorry for wasting your time. -
Sounds like you have things working now. It also sounds like you may be familiar with the pfSense docs. I don’t know if you’re aware, but there are some basic software configuration recipes that are very helpful. If you have the time, you can look them over and compare them to your settings.
https://docs.netgate.com/pfsense/en/latest/recipes/index.html
-
@Uglybrian
@CommonSense
@viragomann
It may seem strange, but while I was entering the rules into this new firewall I felt that it was wrong to put the ports in "Source" instead of "Destination".
But I said to myself "if they've been fine on other firewalls for over a year, they'll be fine here too". Instead, the feeling was right and I was the one who remembered it wrong.
I always document everything, step by step; it was enough to go and read the notes from back then instead of memorizing.
I apologize again.