Nothing getting out from LAN to WAN
-
New installation of 2.0.1 on i386. I created inbound port forwarding rules, left the outbound rules at "automatic outbound NAT rule generation" enabled, defined my LAN and WAN interfaces, with a default gateway on the WAN, and plugged it in.
I can ping from the pfsense box to the WAN and to the LAN just fine. However, I can't get any traffic through from LAN to WAN at all. No pings, no HTTP, no nothing.
I must be missing something basic, but what?
-
- Set up DNS servers in "System -> General Setup"
- Enable the DNS Forwarder in "Services -> DNS Forwarder"
- Add a firewall rule on the LAN interface which allows traffic to the internet
- Uncheck "Block private networks" on your WAN interface if it is connected to a private network (Interfaces -> WAN)
- Assign the pfSense LAN interface as gateway and DNS for your hosts on the LAN interface
- Check from a host with traceroute to a public IP address (e.g. 8.8.8.8) and to a hostname (www.google.com). This checks gateway and DNS functionality.
No need for any inbound rules if you just want to connect from the LAN to internet.
Outbound rules on automatic is correct.
-
- Set up DNS servers in "System -> General Setup"
Done.
- Enable the DNS Forwarder in "Services -> DNS Forwarder"
Done.
- Add a firewall rule on the LAN interface which allows traffic to the internet
Defaulted (see screenshot)
- Uncheck "Block private networks" on your WAN interface if it is connected to a private network (Interfaces -> WAN)
WAN is connected to my ISP, with a routable static address.
- Assign the pfSense LAN interface as gateway and DNS for your hosts on the LAN interface
Done.
- Check from a host with traceroute to a public IP address (e.g. 8.8.8.8) and to a hostname (www.google.com). This checks gateway and DNS functionality.
I used 8.8.8.8 as my DNS. Names resolve fine at the pfSense box.
No need for any inbound rules if you just want to connect from the LAN to internet.
I have a couple of servers I need to forward to, and set those rules up.
Outbound rules on automatic is correct.
Thought so. That's where that firewall LAN rule came from, right? (The second one.)
All of those had been done before I tried it…and got nothing through.
-
The firewall rules:
The first one (on top) is just to make sure that you don't lock yourself out of the GUI.
The second rule is a default rule after installation which should allow all users on the LAN to connect to the internet. You can delete or edit the rule if you like. It has nothing to do with NAT or port forwarding.
Can you ping the pfSense LAN interface from your hosts?
Can you ping the pfSense WAN address from your hosts?
-
Can you ping the pfSense LAN interface from your hosts?
Can you ping the pfSense WAN address from your hosts?
Yes and yes. I can't ping the pfSense default gateway on the WAN from my hosts, though.
-
Solved.
My LAN is on a non-RFC1918 network, and the automatic NAT rules weren't being generated. I turned off the automatic NAT on the LAN port, put in a manual rule, then went and changed the LAN network rule on the firewall outbound side to the real LAN network instead of whatever it had been using. Works fine now.
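As an added illustration (not from the thread, and not pfSense's own generated rule set), this is what the fix described above looks like once it reaches the pf layer: an outbound NAT rule whose source explicitly names the real LAN network, and a LAN pass rule whose source matches the same network. The interface names (em0/em1), the public LAN prefix (203.0.113.16/28, a documentation range standing in for the poster's real block) and the RFC1918 comparison subnet are all assumed for the example.

```pf
# Assumed interface assignment: em0 = WAN, em1 = LAN.
ext_if  = "em0"
lan_if  = "em1"
# Assumed: the LAN sits on a public (non-RFC1918) prefix, as in the post above.
lan_net = "203.0.113.16/28"

# For comparison, the shape of the automatic rule pfSense builds for an
# RFC1918 LAN (here 192.168.1.0/24, assumed): LAN traffic leaving the WAN
# is rewritten to the WAN address.
#   nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)

# Manual outbound NAT for the public LAN prefix. Without a rule whose
# source covers $lan_net, packets leave the WAN with their 203.0.113.x
# source untouched and replies are routed to the real owner of that block,
# which is exactly the "nothing gets out" symptom.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Anti-lockout rule (same role as the first LAN rule in the screenshot):
# keep the web GUI reachable from the LAN.
pass in quick on $lan_if proto tcp from $lan_net to ($lan_if) port { 80, 443 }

# LAN-to-anywhere pass rule. The source must be the *real* LAN network;
# a rule built around a subnet the LAN is not actually on matches nothing.
pass in quick on $lan_if from $lan_net to any keep state
```

To confirm which NAT rules are actually loaded on the box, compare the intended rule with `pfctl -sn` (pfSense also writes the rule set it generated to /tmp/rules.debug), and then check the state table with `pfctl -ss` while a LAN host pings 8.8.8.8: a translated entry with the WAN address as the new source means NAT is happening, and its absence points at the source match in the NAT rule. Keep in mind the caveat in the next reply: NATing a public block you do not own gets packets out, but any host on the LAN will still be unable to reach the legitimate holders of those addresses, because the LAN route captures them.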
-
My LAN is on a non-RFC1918 network
That's bad, fix that. Your workaround will work, but will leave you with broken connectivity to whoever actually owns those IPs.