Netgate Discussion Forum

Unable to use Static IP/Gateway for WAN

2.0-RC Snapshot Feedback and Problems - RETIRED
12 Posts 6 Posters 6.4k Views
eri--

Check that you do not have block bogons on the interfaces.
gazzer82

I am done in the office for the day, so I can't check the live server. However, I have the config.xml backup file with me; can I check in that? What XML key would I be looking for?

Cheers

Gareth
gazzer82

I have double-checked and I do not have block bogons selected on any of my interfaces.

Any other ideas?

Cheers

Gareth
Slam

Hello, I think I am facing the same problem.

My testbed setup:

```
modem1 -> full bridging mode
modem2 -> half bridging mode (IP 82.xx.xx.17/29)

fxp0 -> WAN1 (static IP) 75.xx.xx.xx/20
lan  -> LAN  (static + dhcpd set for clients) 10.0.0.0/24
opt1 -> WAN2 (static IP) 82.xx.xx.18/29
```

I have created routes for both WANs:

```
WAN1            wan1  78.105.0.1     78.105.0.1
WAN2 (default)  wan2  82.152.129.17  82.152.129.17
```

Then I created a gateway group:

```
dualwan  wan1  Tier 1
         wan2  Tier 1
```

I then amended the existing LAN firewall rule and set the gateway to dualwan:

| Proto | Source  | Port | Destination | Port | Gateway | Queue | Schedule | Description                   |
|-------|---------|------|-------------|------|---------|-------|----------|-------------------------------|
| *     | LAN net | *    | *           | *    | dualwan | none  |          | Default allow LAN to any rule |

With this configuration I am facing the same problems as gazzer82: I get no network connectivity. Pinging my half-bridged modem's IP (wan2) I get 100% packet loss. If I then go back to the firewall rule for LAN, setting the gateway to "default" works fine; setting it to anything else is a no-go.

I am using the latest snapshot.
ipfw show

```
ipfw: getsockopt(IP_FW_GET): Protocol not available
```

cat /tmp/rules.debug

```
#System aliases

loopback = "{ lo0 }"
lan = "{ re0 }"
wan2 = "{ fxp1 }"
wan1 = "{ fxp0 }"

# User Aliases

set loginterface re0
set loginterface fxp1
set loginterface fxp0
set optimization normal
set limit states 95000

scrub in on $lan all    fragment reassemble
scrub in on $wan2 all    fragment reassemble
scrub in on $wan1 all    fragment reassemble

nat-anchor "ftp-proxy/*"
nat-anchor "natearly/*"
nat-anchor "natrules/*"

# Outbound NAT rules

# Subnets to NAT
tonatsubnets    = "{ 10.0.0.0/24  }"
no nat on $wan2 to port tftp
nat on $wan2 from $tonatsubnets port 500 to any port 500 -> 82.152.129.18/32 port 500
nat on $wan2 from $tonatsubnets port 4500 to any port 4500 -> 82.152.129.18/32 port 4500
nat on $wan2 from $tonatsubnets port 5060 to any port 5060 -> 82.152.129.18/32 port 5060
nat on $wan2 from $tonatsubnets to any -> 82.152.129.18/32
no nat on $wan1 to port tftp
nat on $wan1 from $tonatsubnets port 500 to any port 500 -> 78.105.5.34/32 port 500
nat on $wan1 from $tonatsubnets port 4500 to any port 4500 -> 78.105.5.34/32 port 4500
nat on $wan1 from $tonatsubnets port 5060 to any port 5060 -> 78.105.5.34/32 port 5060
nat on $wan1 from $tonatsubnets to any -> 78.105.5.34/32

#SSH Lockout Table
table <sshlockout> persist

# Load balancing anchor
rdr-anchor "relayd/*"

# FTP proxy
rdr-anchor "ftp-proxy/*"
rdr-anchor "tftp-proxy/*"

rdr on re0 proto tcp from any to any port 21 tag PFFTPPROXY -> 127.0.0.1 port 8021
rdr on re0 proto udp from any to any port tftp tag PFFTPPROXY -> 127.0.0.1 port 6969

# IMSpector rdr anchor
rdr-anchor "imspector"

# UPnPd rdr anchor
rdr-anchor "miniupnpd"

anchor "ftpsesame/*"
anchor "relayd/*"
anchor "firewallrules"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"

# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# snort2c
table <snort2c> persist
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"

# package manager early specific hook
anchor "packageearly"

# carp
anchor "carp"

# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
table <virusprot>
block in quick from <virusprot> to any label "virusprot overload table"
antispoof for re0

# allow access to DHCP server on lan
anchor "dhcpserverlan"
pass in on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $lan proto udp from any port = 68 to 10.0.0.1 port = 67 label "allow access to DHCP server"
pass out on $lan proto udp from 10.0.0.1 port = 67 to any port = 68 label "allow access to DHCP server"
antispoof for fxp1

# block anything from private networks on interfaces with the option set
antispoof for $wan2
block in log quick on $wan2 from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $wan2 from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $wan2 from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $wan2 from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
antispoof for fxp0

# block anything from private networks on interfaces with the option set
antispoof for $wan1
block in log quick on $wan1 from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $wan1 from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $wan1 from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $wan1 from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
anchor "spoofing"

# loopback
anchor "loopback"
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"

anchor "firewallout"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out all keep state label "let out anything from firewall host itself"

# make sure the user cannot lock himself out of the webConfigurator or SSH
anchor "anti-lockout"
pass in quick on re0 from any to (re0) keep state label "anti-lockout rule"

# NAT Reflection rules

# package manager late specific hook
anchor "packagelate"

anchor "ftp-proxy/*"
# enable ftp-proxy
pass in quick inet proto tcp tagged PFFTPPROXY flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"

# User-defined aliases follow

# User-defined rules follow

pass  in  quick  on $lan  from 10.0.0.0/24  to <vpns> keep state  label "NEGATE_ROUTE: Negate policy route for local network(s)"
pass  in  quick  on $lan  from 10.0.0.0/24  to <direct_networks> keep state  label "NEGATE_ROUTE: Negate policy route for local network(s)"
pass  in  quick  on $lan  route-to { ( opt1 82.152.129.17 ) }  from 10.0.0.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"

# VPN Rules

anchor "limitingesr"

# IMSpector
anchor "imspector"

# uPnPd
anchor "miniupnpd"
```

If there are any other things I can post to help solve the problem, just let me know.

Cheers

P.S. I also have bogons turned off, though I don't think it is really related to this. I will also download the latest full ISO and start from scratch in case my present box is borked.
XToni

Try to set a default gateway and, under Firewall: NAT: Outbound, manual outbound NAT. For me this fixed the problem.
gazzer82

Hi XToni,

I have tried your suggestion with no success. I can now ping the gateway IP from the pfSense box, but I cannot ping from pfSense to the outside world; it is very, very odd.

Firewall-rules-wise, all I have is an allow-all from LAN to WAN using the default gateway (otherwise I lose access to the web config interface), and above that a rule which specifies that any traffic not destined for the pfSense IP (192.168.20.254) should be routed out of the static gateway I have set.

I have enabled the DNS forwarder and set up two DNS servers in preferences: OpenDNS, with IPs 208.67.222.222 and 208.67.220.220.

I have tried turning Outbound NAT to manual, leaving the default rules there and not changing/adding any rules. Do I need to?

Is there something in this config that is causing the problem?

I am just confused as to why, when I set the interface to DHCP, it works fine, but manually specifying exactly the same config does not work.

Cheers

Gareth
XToni

Go to System: Routing: Gateways, edit your gateway and choose default.

If nothing changes, go to System: Advanced: Firewall and disable the entire firewall to see if it's a firewall issue.
gazzer82

Ha ha, we are getting somewhere; I followed all of your steps.

As long as I set my gateway as default, and make sure that my firewall rule's gateway is set to use default, I finally have internet access.

However, if I set my firewall rule's gateway to point manually at the correct gateway, I get no net access. This is a problem, as I am eventually going to set this up as a load-balanced dual WAN, so I need the ability to put the two gateways into a group and tell my firewall rules to use that group, not the default.

Any ideas?

Do I need to create additional firewall/NAT rules to make this happen?

Help very much appreciated!!

Cheers

Gareth
kpa

When you set the WAN addresses manually, make sure you have the netmasks set correctly for each WAN interface: /20 for WAN1 and /29 for WAN2, based on your description.
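Two things in this thread can be checked mechanically against a pasted `/tmp/rules.debug`: whether the interface named in a `route-to { ( ... ) }` policy-routing rule is one of the real interfaces the macro section defines (Slam's dump defines `wan1 = "{ fxp0 }"` and `wan2 = "{ fxp1 }"`, yet the LAN rule routes via `opt1`), and kpa's point that the gateway has to fall inside the subnet implied by the WAN address and netmask, or it is simply unreachable. The script below is an added example, not pfSense's own code. The sample text is constructed from fragments of Slam's dump; the addresses 78.105.5.34 / 78.105.0.1 and 82.152.129.18/29 / 82.152.129.17 are the ones that appear in that post's NAT rules and gateway list; the function names are mine.

```python
"""Sanity checks over a pfSense /tmp/rules.debug dump (added example, not pfSense code).

1. Every interface named in a ``route-to { ( IFACE GATEWAY ) }`` rule should be a
   real interface, i.e. one listed inside an interface macro such as
   ``wan2 = "{ fxp1 }"`` (or a ``$macro`` reference to one).
2. A WAN gateway must lie inside the subnet given by the interface address and
   netmask; otherwise pf has no directly attached path to it.
"""
import ipaddress
import re

# Constructed sample: the relevant fragments of the rules.debug dump posted above.
SAMPLE_RULES = """\
loopback = "{ lo0 }"
lan = "{ re0 }"
wan2 = "{ fxp1 }"
wan1 = "{ fxp0 }"
tonatsubnets    = "{ 10.0.0.0/24  }"
antispoof for re0
antispoof for $wan2
pass  in  quick  on $lan  from 10.0.0.0/24  to <vpns> keep state  label "NEGATE_ROUTE"
pass  in  quick  on $lan  route-to { ( opt1 82.152.129.17 ) }  from 10.0.0.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"
"""

# name = "{ member member ... }"  at the start of a line
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"\{\s*([^}]*?)\s*\}"', re.M)
# route-to { ( interface gateway ) }
ROUTE_TO_RE = re.compile(r'route-to\s*\{\s*\(\s*(\S+)\s+(\S+)\s*\)\s*\}')


def interface_macros(rules_text):
    """Map macro name -> real interfaces, from lines like  wan2 = "{ fxp1 }".
    Address macros such as tonatsubnets = "{ 10.0.0.0/24 }" are skipped."""
    macros = {}
    for name, body in MACRO_RE.findall(rules_text):
        members = [m for m in body.split() if "." not in m and "/" not in m]
        if members:
            macros[name] = members
    return macros


def route_to_targets(rules_text):
    """Return [(interface, gateway), ...] for every route-to rule in the dump."""
    return ROUTE_TO_RE.findall(rules_text)


def unknown_route_to_interfaces(rules_text):
    """route-to targets whose interface is neither a macro-defined real interface
    nor a $macro reference. pf cannot send traffic out an interface it does not know."""
    macros = interface_macros(rules_text)
    real = {ifc for members in macros.values() for ifc in members}
    unknown = []
    for iface, gateway in route_to_targets(rules_text):
        if iface.startswith("$") and iface[1:] in macros:
            continue
        if iface in real:
            continue
        unknown.append((iface, gateway))
    return unknown


def gateway_reachable(interface_addr, gateway):
    """True if the gateway is inside the interface's directly attached subnet,
    e.g. gateway_reachable("82.152.129.18/29", "82.152.129.17")."""
    iface = ipaddress.ip_interface(interface_addr)
    return ipaddress.ip_address(gateway) in iface.network


if __name__ == "__main__":
    print("route-to interfaces with no matching macro:",
          unknown_route_to_interfaces(SAMPLE_RULES))
    # kpa's point: WAN1 is a /20. The same address with a /24 mask puts the
    # gateway outside the attached subnet.
    for addr in ("78.105.5.34/24", "78.105.5.34/20"):
        print(addr, "-> gateway 78.105.0.1 reachable:",
              gateway_reachable(addr, "78.105.0.1"))
    print("82.152.129.18/29 -> gateway 82.152.129.17 reachable:",
          gateway_reachable("82.152.129.18/29", "82.152.129.17"))
```

Run as-is, it flags `opt1` as a route-to interface that appears in no interface macro, and shows that 78.105.5.34 with a /24 mask puts 78.105.0.1 outside the attached subnet while /20 does not. The first check only reports names pf has no macro or interface for; it does not explain why the ruleset generator emitted that name.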
gazzer82

Thanks kpa, I did have the netmask set at /24; I have tried it at /20, but at the moment I am only using a single WAN for testing. However, it hasn't helped things: I am still able to access the net fine when setting the gateway in the firewall rules to default, but setting it manually to my actual gateway leaves me with no access outside the network. Interestingly, it appears that in this setup pfSense also cannot get to the net: from pfSense I can ping the gateway fine, but if I try to ping anything beyond the gateway, be it by IP or DNS name, I get 100% packet loss.

By the way, for the sake of testing, at the moment this device is still sitting behind my NAT router; this is what I am using for the gateway, not that that should make any difference.

Anyone else got any ideas? Can anyone explain to me what the difference in rules/routing is between leaving the gateway set as default and manually selecting the gateway, so I can see if I can work out where it's going wrong/getting blocked?

Cheers

Gareth
kambeeng

@gazzer82

Try to set your netmask to 32 for the DNS server.

Best Regards

Kambeeng

Try my configuration:

Attachments: group.JPG, nat.JPG, rules.JPG, dns.JPG, Gateway.JPG, static Route.JPG

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.