Issues getting LAN to talk through Wan on 2.0
-
Man…... I tried... I looked high and low... and I am certain it is probably staring me in the face... but I've spent 6 hours on this now... and my brain is mush.
I am a long time user of pfsense however this 2.0 seems to have thrown me a curve ball. I don't do curve balls very well. :-\
I have set up a new 2.0 system and have 1 wan, 1 lan and 1 opt (maintenance network). Everything communicates regarding the opt network and the lan network internally and up to the pfsense box... that is.. I can get to and manage the pfsense box without issue. I can ping the wan address from the internet and I can ping internet addresses from the pfsense's diagnostic ping command and from the command line. I can not however ping anything from within the lan network (don't care to regarding the opt 'maintenance' network) to the internet. Not trying to do anything fancy here at this time other than set up a very basic firewall/router. There is no DHCP requirement and none used. My assumption is that I am missing a rule which needs to be configured to 'tie' the LAN to the WAN but for the life of me I can't figure it out. Aside from general NAT rules, i.e. 0.0.0.0/0 to gateway address or something to that effect tho pretty certain that's what the 'default' to gateway address is suppose to be doing, to accommodate outside access to inside services (which also are not reachable), the setting up of the wan, lan, and opt interfaces, everything else is pretty much as it comes out of the box... here is the basic configuration:
WAN:
IP address 173.xxx.xxx.187 / 28
Gateway 173.xxx.xxx.190LAN:
IP address 192.168.40.1 / 24
Gateway None ( I assume it would be the only wan port and would be handled by pfsense)Firewall: NAT: Outbound
AON checked
Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description
WAN 192.168.40.0/24 * * * * * NO
Firewall: NAT: Port Forwarding
If Proto Src. addr Src. ports Dest. addr Dest. ports NAT IP NAT Ports Description
WAN TCP * 80 (HTTP) LAN address 80 (HTTP) 192.168.40.108 80 (HTTP) HTTP - Web01
WAN TCP * 443 (HTTPS) LAN address 443 (HTTPS) 192.168.40.108 443 (HTTPS) HTTPS - Web01
WAN TCP * 25 (SMTP) LAN address 25 (SMTP) 192.168.40.113 25 (SMTP) SMTP - Antispam1
WAN TCP * 53 (DNS) LAN address 53 (DNS) 192.168.40.2 53 (DNS) DNS - NS1
WAN TCP * 110 (POP3) LAN address 110 (POP3) 192.168.40.109 110 (POP3) POP3 - IMail Server
WAN TCP * 10989 LAN address 10989 192.168.40.109 10989 RD - IMailSystem: Gateways:
Name Interface Gateway Monitor IP Description
WAN (default) WAN 173.xxx.xxx.190 173.xxx.xxx.190 (another live subnet at another location... not same IP as gateway)
Diagnostics: Routing Tables
Destination Gateway Flags Refs Use Mtu Netif Expire
default 173.165.40.190 UGS 2 11263 1500 le0
127.0.0.1 link#7 UH 0 19 16384 lo0
127.0.0.2 127.0.0.1 UHS 0 0 16384 lo0
173.xxx.xxx.190 173.xxx.xxx.190 UGHS 4 8608 1500 le0 (monitor address to similar net but not same)
173.xxx.xxx.176/28 link#1 U 3 15305 1500 le0
173.xxx.xxx.187 link#1 UHS 0 0 16384 lo0
192.168.40.0/24 link#3 U 0 481 1500 le2
192.168.40.1 link#3 UHS 0 1038 16384 lo0
192.168.70.0/24 link#2 U 2 9851 1500 le1
192.168.70.42 link#2 UHS 0 0 16384 lo0As I indicated... I CAN ping the wan interface from the outside. I can also ping internet addresses from pfsense itself so I know there is a physical path. LAN can get to pfsense box and manage through the WebGUI with no issues. DNS is working as I can ping by domain name from the pfsense environment. It should also be noted that I can reach the webGUI from the internet without issue. I just can't reach anything that is port forwarded to the internal LAN or from the LAN, reach anything out on the internet.
Please.... somebody put me out of my misery. ???
I appreciate any assistance provided.
-
I notice a number of reads on this thread however no suggestions. It really can't be that tough can it?
Do I need to create a 'gateway' group even if only one gateway exists? As I am not looking to load balance at this time or setup multi-home connections I wouldn't have thought it necessary but perhaps it is. If I can get a confirmation one way or the other that will help to narrow it down.
Thanks
-
It should be noted that in the firewall logs I can see the attempts to ping from an internal IP to the wan gateway IP. I click on the 'easy rule: pass this traffic' enters the rule however doesn't make any difference. Still is not passing traffic from the wan interface to the upstream gateway.
-
Your NAT entries are wrong, read the note there for source port - "This is usually random and almost never equal to the destination port range (and should usually be "any"). "
-
And the destination address is wrong, that will be the WAN IP.
-
You know… sometimes you just can't see the forest for the trees... thank you cmb... you are a tonic for my befuddled brain... :-\ that worked as far as getting from the outside in... I still however am not getting from the inside out. No pinging, no data access to the internet. Anything strike you as goofy regarding my configuration?
As near as I can figure it.... I am able to ping the wan interface from the any lan device. I can also remote from internet based devices into the webGUI of pfsense so I know I'm getting to the wan from the outside. I can also ping the wan interface from the outside and now I can access redirected ports from the outside to the lan. The only thing I can not do is ping the gateway from the lan nor access any service from the lan to the internet.
I went through the setup wizard and all settings are correct and complete. The only thing that I am unsure about is the wan gateway configuration. I certainly have the IP of the next router up the chain (This would be the modem/router of our provider) but we seem to be missing that 'link' between the wan and that gateway for outbound connectivity.
The wan IP is xxx.xxx.xxx.187 with the gateway being xxx.xxx.xxx.190 on a /28 subnet. The 'monitor' IP is that of another one of our facilities and that ip is being reached by the monitor and pfsense is reporting the wan 'up'.
Pretty confused at this point.
-
Since the firewall has access, and the hosts behind it can get to the WAN, that narrows it down to almost certainly one of two things:
- LAN rules are wrong (not the case if you have the default LAN rule)
- Outbound NAT is wrong (not the case if you're using automatic outbound NAT)
-
I checked the outbound nat rules… I never entered any so the only rule at hand is the default. It was however set to manual outbound NAT rule generation (as shown in the first post above) and I changed that to Automatic outbound NAT rule generation and then rebooted the system and..... hold on... it's comin up.... darn near there.... hot damn!!! It's workin.
Thanks a bunch cmb. I really appreciate your assistance. What I have set up is a partial virtual environment making a half dozen of our physical servers all virtual with a virtual pfsense on the same power server. I will continue to work with and test this until such time 2.0 is released for live use and will report any issues that may arise.
For anyone interested I'm using vmware's ESXi 4.1 on a dual xeon MT 3.4ghz 8gb server and thus far... I'm pretty darned tickled.
Thanks again cmb.