Netgate Discussion Forum

    OPT cannot access internet

    30 Posts 4 Posters 11.1k Views
      GruensFroeschli:

      You have as destination 192.168.9.8
      Since 192.168.9.8 is the source you certainly don't want it as destination.
      Set as destination "any".

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        zabidin2:

        GruensFroeschli:

        I set it just like you said but even I cannot ping the outside world from my server. Don't know why?

          zabidin2:

          Can anyone assist me? I also added it in Outbound. But no luck. Please solve my problem..

            GruensFroeschli:

            As jahonix already wrote:
            For anyone to be able to help you, you need to provide more information.

            Like screenshots of your firewall rules, a screenshot of your "interfaces" page, screenshots of your inbound/outbound NAT rules, relevant system logs, etc.
            Which subnets are you using where? (All of them, WAN, LAN, OPT).

            Unless you start giving information nobody will be able to help you.


              zabidin2:

              Here are some screenshots:

              http://img151.imageshack.us/img151/4825/wannic.png
              http://img19.imageshack.us/img19/8738/wannic2.png
              http://img196.imageshack.us/img196/9908/wanrule.png
              http://img151.imageshack.us/img151/9535/firewalllog.png
              http://img31.imageshack.us/img31/5359/inboundrule.png
              http://img171.imageshack.us/img171/7103/lannic.png
              http://img7.imageshack.us/img7/2133/lanrule.png
              http://img13.imageshack.us/img13/5629/opt1rule.png
              http://img15.imageshack.us/img15/4299/outboundrule.png

                jahonix:

                Why did you enable AON? Specific reason?

                On the OPT1 rules tab you defined a dozen rules plus an "OPT1 -> any" at the very bottom.
                Put it on top and (temporarily) forget about the others.
                Besides that, there seem to be typos in the rules (a /6 that could be /16 and so on). Make sure that what you defined really is correct.

                On "port forwards" you have port 80 defined twice. Not great.

                ----
                You defined a good amount of rules and port forwards already. When something doesn't work you want to keep things simple and get it working FIRST. Finetune afterwards. At least, that was proven useful a million times...

                  zabidin2:

                  I followed what you said. I disabled a dozen rules on OPT1 and put the last one at the top. And I restarted my pfSense. When I ping yahoo.com, it seems like it can be resolved but it cannot reach it.

                    jahonix:

                    Your opt1rule picture doesn't show any rules being disabled and the allow-all-rule is at the very bottom.

                      zabidin2:

                      Here are some more:

                      http://img197.imageshack.us/img197/9972/opt3.png
                      http://img268.imageshack.us/img268/2784/putty2.png

                        Eugene:

                        Try to ping yahoo from pfSense itself.
                        What is the default gateway for the workstation you are trying to ping yahoo from?

                        http://ru.doc.pfsense.org

                          zabidin2:

                          Pinging yahoo.com from pfSense works; I can ping any domain.

                          The default gateway that I set on all servers in OPT1 is 192.168.9.8. I can ping pfSense from my server.

                            zabidin2:

                            I also notice that OPT1 cannot ping LAN even though I set a rule to pass ICMP from OPT1 to LAN. Any idea? Please help me.  :'( :'(

                              Eugene:

                              From the console please:

                              pfctl -sr | grep <your opt int name>
                              pfctl -sn

                              Replace <your opt int name> with something like bge0 or em0 or… whatever you have for your opt interface.


                                zabidin2:

                                Here is some output:

                                # netstat -nr
                                Routing tables
                                
                                Internet:
                                Destination        Gateway            Flags    Refs      Use  Netif Expire
                                default            219.93.218.176     UGS         0    11684    ng0
                                60.54.177.197      lo0                UHS         0        0    lo0
                                127.0.0.1          127.0.0.1          UH          0       43    lo0
                                192.168.8.0/24     link#2             UC          0        0    rl0
                                192.168.8.199      00:14:a5:73:f2:09  UHLW        1     3947    rl0   1048
                                192.168.8.210      00:60:b3:58:d2:46  UHLW        1      165    rl0   1115
                                192.168.8.214      00:12:0e:a9:00:a5  UHLW        1       59    rl0   1077
                                192.168.8.219      00:30:0a:de:7e:e4  UHLW        1       49    rl0   1076
                                192.168.8.222      00:17:c4:22:bd:5c  UHLW        1    12724    rl0   1024
                                192.168.9.0/24     link#3             UC          0        0    rl1
                                192.168.9.31       00:1e:8c:c8:cb:89  UHLW        1        6    rl1   1100
                                219.93.218.176     60.54.177.197      UH          1       25    ng0
                                
                                Internet6:
                                Destination                       Gateway                       Flags      Netif  Expire
                                ::1                               ::1                           UHL         lo0
                                fe80::%rl0/64                     link#2                        UC          rl0
                                fe80::222:b0ff:fece:1309%rl0      00:22:b0:ce:13:09             UHL         lo0
                                fe80::%rl1/64                     link#3                        UC          rl1
                                fe80::221:91ff:feeb:e52b%rl1      00:21:91:eb:e5:2b             UHL         lo0
                                fe80::%rl2/64                     link#4                        UC          rl2
                                fe80::222:b0ff:fece:de2%rl2       00:22:b0:ce:0d:e2             UHL         lo0
                                fe80::%lo0/64                     fe80::1%lo0                   U           lo0
                                fe80::1%lo0                       link#7                        UHL         lo0
                                fe80::%ng0/64                     link#10                       UC          ng0
                                fe80::213:d4ff:fe43:31ca%ng0      link#10                       UHL         lo0
                                ff01:2::/32                       link#2                        UC          rl0
                                ff01:3::/32                       link#3                        UC          rl1
                                ff01:4::/32                       link#4                        UC          rl2
                                ff01:7::/32                       ::1                           UC          lo0
                                ff01:a::/32                       link#10                       UC          ng0
                                ff02::%rl0/32                     link#2                        UC          rl0
                                ff02::%rl1/32                     link#3                        UC          rl1
                                ff02::%rl2/32                     link#4                        UC          rl2
                                ff02::%lo0/32                     ::1                           UC          lo0
                                ff02::%ng0/32                     link#10                       UC          ng0
                                
                                

                                pfctl -sr | grep rl1

                                # pfctl -sr | grep rl1
                                block drop in on ! rl1 inet from 192.168.9.0/24 to any
                                block drop in on rl1 inet6 from fe80::221:91ff:feeb:e52b to any
                                pass out quick on rl1 all flags S/SA keep state label "let out anything from firewall host itself"
                                pass out quick on rl1 proto icmp all keep state (tcp.closed 5) label "let out anything from firewall host itself"
                                pass out quick on rl1 all flags S/SA keep state (tcp.closed 5) label "let out anything from firewall host itself"
                                pass in quick on rl1 inet from 192.168.9.0/24 to any flags S/SA keep state label "USER_RULE: OPT1 -> Any"
                                pass in quick on rl1 inet proto icmp from 192.168.9.0/24 to 192.168.9.8 keep state label "USER_RULE: OPT1 to ping firewall"
                                pass in quick on rl1 inet proto tcp from 192.168.9.0/24 to 192.168.9.8 port = domain flags S/SA keep state label "USER_RULE: OPT1 to DNS on firewall"
                                pass in quick on rl1 inet proto icmp from 192.168.9.0/24 to 192.168.8.0/24 keep state label "USER_RULE: Ping from OPT1 to LAN"
                                pass in quick on rl1 inet proto tcp from any to 127.0.0.1 port = 8022 flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
                                pass in quick on rl1 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
                                
                                

                                pfctl -sn

                                # pfctl -sn
                                nat-anchor "pftpx/*" all
                                nat-anchor "natearly/*" all
                                nat-anchor "natrules/*" all
                                nat on rl2 inet from 192.168.8.0/24 port = isakmp to any port = isakmp -> (ng0) port 500 round-robin
                                nat on ng0 inet from 192.168.8.0/24 port = isakmp to any port = isakmp -> (ng0) port 500 round-robin
                                nat on rl2 inet from 192.168.8.0/24 port = 5060 to any port = 5060 -> (ng0) port 5060 round-robin
                                nat on ng0 inet from 192.168.8.0/24 port = 5060 to any port = 5060 -> (ng0) port 5060 round-robin
                                nat on rl2 inet from 192.168.8.0/24 to any -> (ng0) round-robin
                                nat on ng0 inet from 192.168.8.0/24 to any -> (ng0) round-robin
                                nat on rl2 inet from 192.168.9.0/24 port = isakmp to any port = isakmp -> (ng0) port 500 round-robin
                                nat on ng0 inet from 192.168.9.0/24 port = isakmp to any port = isakmp -> (ng0) port 500 round-robin
                                nat on rl2 inet from 192.168.9.0/24 port = 5060 to any port = 5060 -> (ng0) port 5060 round-robin
                                nat on ng0 inet from 192.168.9.0/24 port = 5060 to any port = 5060 -> (ng0) port 5060 round-robin
                                nat on rl2 inet from 192.168.9.0/24 to any -> (ng0) round-robin
                                nat on ng0 inet from 192.168.9.0/24 to any -> (ng0) round-robin
                                rdr-anchor "pftpx/*" all
                                rdr-anchor "slb" all
                                no rdr on rl0 proto tcp from any to <vpns> port = ftp
                                no rdr on rl0 proto tcp from <onetoonelist> to any port = ftp
                                rdr on rl0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
                                no rdr on rl1 proto tcp from any to <vpns> port = ftp
                                no rdr on rl1 proto tcp from <onetoonelist> to any port = ftp
                                rdr on rl1 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8022
                                rdr on ng0 inet proto tcp from any to any port = domain -> 192.168.9.35
                                rdr on ng0 inet proto tcp from any to any port = http -> 192.168.9.31 port 7778
                                rdr on ng0 inet proto tcp from any to any port = 7777 -> 192.168.9.31
                                rdr on ng0 inet proto tcp from any to any port = 7778 -> 192.168.9.31
                                rdr on ng0 inet proto tcp from any to any port = 8080 -> 192.168.9.20
                                rdr on ng0 inet proto tcp from any to any port = 8081 -> 192.168.9.32 port 80
                                rdr on ng0 inet proto tcp from any to any port = 18022 -> 192.168.9.34 port 2022
                                rdr on ng0 inet proto tcp from any to any port 28880:28889 -> 192.168.9.31 port 28880:28889
                                rdr on ng0 inet proto tcp from any to any port = http -> 192.168.9.34 port 2022
                                rdr on ng0 inet proto tcp from any to 60.54.177.197 port 4662:4681 -> 192.168.8.99 port 4662:4681
                                rdr on ng0 inet proto udp from any to 60.54.177.197 port 4662:4681 -> 192.168.8.99 port 4662:4681
                                rdr on ng0 inet proto tcp from any to any port 6750:6859 -> 192.168.9.33 port 6750:6859
                                rdr on ng0 inet proto udp from any to any port 6750:6859 -> 192.168.9.33 port 6750:6859
                                rdr on ng0 inet proto tcp from any to any port 6890:6999 -> 192.168.9.34 port 6890:6999
                                rdr on ng0 inet proto udp from any to any port 6890:6999 -> 192.168.9.34 port 6890:6999
                                rdr on ng0 inet proto tcp from any to ! (ng0) port = http -> 127.0.0.1 port 80
                                rdr-anchor "imspector" all
                                rdr-anchor "miniupnpd" all
                                rdr on ng0 inet proto tcp from any to (ng0) port = 8181 -> 127.0.0.1 port 8181
                                binat on ng0 inet from 192.168.9.0/24 to any -> 60.54.177.0/24
                                #
                                

                                Hope this can solve my problem. ;)
                                Just curious, why does my static IP from the ISP use loopback to connect to the internet?

                                  Eugene:

                                  Rules are OK but it seems there is no NAT set up for 192.168.9.0/24 -> Internet.
                                  Add it on Firewall->NAT->Outbound.


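As an added example (not code from the thread or from pfSense itself), a small checker for `pfctl -sn` output like the one posted above: given an internal subnet it lists the nat/binat translations on the WAN interface that cover it (the outbound NAT question Eugene raises) and flags WAN port forwards defined more than once (jahonix's port 80 remark). The sample input is a constructed subset of the rules quoted in the thread, with ng0 assumed to be the WAN interface as the routing table suggests.

```python
"""Checker for `pfctl -sn` output (an added example, not the thread's own code).
For an internal subnet it lists the nat/binat translations on the WAN interface
that match it, and reports WAN port forwards (rdr) that are defined twice."""
import ipaddress
import re

# Constructed sample: a subset of the `pfctl -sn` output posted in the thread.
SAMPLE_PFCTL_SN = """\
nat on ng0 inet from 192.168.8.0/24 to any -> (ng0) round-robin
nat on ng0 inet from 192.168.9.0/24 port = isakmp to any port = isakmp -> (ng0) port 500 round-robin
nat on ng0 inet from 192.168.9.0/24 to any -> (ng0) round-robin
rdr on ng0 inet proto tcp from any to any port = http -> 192.168.9.31 port 7778
rdr on ng0 inet proto tcp from any to any port = http -> 192.168.9.34 port 2022
rdr on ng0 inet proto tcp from any to ! (ng0) port = http -> 127.0.0.1 port 80
binat on ng0 inet from 192.168.9.0/24 to any -> 60.54.177.0/24
"""

# "<nat|binat> on <if> inet from <src>[ port = P] to <dst>[ ...] -> <target> ..."
NAT_RE = re.compile(r"^(nat|binat) on (\S+) inet from (\S+)(?: port = (\S+))?"
                    r" to (\S+)(?: .*?)? -> (\S+)")
# "rdr on <if> inet proto <proto> from <src> to <dst> port [=] <port> -> <target> ..."
RDR_RE = re.compile(r"^rdr on (\S+) inet proto (\w+) from (.+?) to (.+?)"
                    r" port (?:= )?(\S+) -> (\S+)")

def _source_covers(src, net):
    """True if a rule source ('any' or a CIDR) contains `net`; table refs like <vpns> never match."""
    if src == "any":
        return True
    try:
        return net.subnet_of(ipaddress.ip_network(src, strict=False))
    except ValueError:
        return False

def translation_rules_for(subnet, wan_if, output):
    """(kind, source, source_port, target) of each nat/binat rule on `wan_if`
    whose source covers `subnet`, in ruleset order."""
    net = ipaddress.ip_network(subnet)
    hits = []
    for line in output.splitlines():
        m = NAT_RE.match(line.strip())
        if m and m.group(2) == wan_if and _source_covers(m.group(3), net):
            hits.append((m.group(1), m.group(3), m.group(4), m.group(6)))
    return hits

def duplicate_forwards(wan_if, output):
    """{(proto, port): [targets]} for external ports forwarded by more than one rdr
    rule on `wan_if`; a negated destination ('! (ng0)') is not a forward to WAN."""
    seen = {}
    for line in output.splitlines():
        m = RDR_RE.match(line.strip())
        if not m or m.group(1) != wan_if or m.group(4).startswith("!"):
            continue
        seen.setdefault((m.group(2), m.group(5)), []).append(m.group(6))
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    print(translation_rules_for("192.168.9.0/24", "ng0", SAMPLE_PFCTL_SN))
    print(duplicate_forwards("ng0", SAMPLE_PFCTL_SN))
```

On the posted rules it reports both a nat rule and a binat 1:1 mapping for 192.168.9.0/24 on ng0; pf consults binat rules before nat rules for outbound packets, so a leftover 1:1 mapping is worth checking alongside the outbound NAT advice.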
                                    jahonix:

                                    According to the pictures he posted, he ticked 'manual outbound NAT' (AON) but didn't tell why.
                                    I guess it's still there…

                                      zabidin2:

                                      As I work in a technical team, I regularly use the motto 'try and error', and if I cannot solve the problem, I'll post in the forum and share any problem that I faced.

                                        jahonix:

                                        Seems to be the difference between a "technical team" and an "engineering team".   ;D ;D ;D  SCNR

                                        Honestly, I pointed you to it and your answer was "I follow what said.". Try to get that in line with your statement above.

                                          zabidin2:

                                          When I ping from OPT1, it seems it can resolve yahoo.com to an IP but it 'cannot go out'.

                                            GruensFroeschli:

                                            Did you disable manual outbound?
                                            Or at least create an outbound NAT rule for the OPT subnet?


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.