No internet access from LAN

Cam73 · May 13, 2012, 12:00 AM

I am new to pfsense. I have done a new install on to esxi 3 with 2 nics. My pfsense WAN is configured for DHCP with my PPPoA modem in half bridge mode, and its getting a valid internet IP. I can ping internet IPs from the pfsense ssh shell, but I cant ping internet ips from LAN machines. Ie. I just cant get to the internet from the lan side of pfsense. This is an out of the box install, and appears to be set up to allow all from "LAN network" to "Any" in the firewall and nat setup. Using 2.0.1.
Is there something I am missing?

Cam

ps. Im currently using ipfire, and thats working just fine, but I want to try pfsense to see if it performs better with my asterisk server.

biggsy · May 13, 2012, 12:16 AM

a new install on to esxi 3

Maybe time to look at ESXi 5.0? Better support for FreeBSD, IIRC. (You did notice that pfSense is FreeBSD-based not Linux-based?)

Did you use e1000 drivers for the virtual NICs?

Cam73 · May 13, 2012, 4:46 AM

I had a feeling you might say something like that ;)

I have an IBM xserver 8482 which will only support esxi3 (I have 3.5.0 Build 207095)

vmxnet.ko is installed in /boot/kernel and is being loaded. Is that the e1000 driver you are talking about?

Thanks for your help.

Cam73 · May 13, 2012, 6:26 AM

I've now installed pfsense 2.0.1 on dedicated hardware, with two nics:
SiS900 (sis0) and RealTek 8139 (rl0). I am having exactly the same results. Is there anything I need to configure other than port assignments and ip addresses?

biggsy · May 13, 2012, 6:36 AM

Is there anything I need to configure other than port assignments and ip addresses?

Not really and seems that those NICs are supported.

How are you getting an IP address for the pfSense WAN?

Cam73 · May 13, 2012, 7:18 AM

Yes, the hardware support page is the first place I looked at before posting. As an experiment, I switched ports, the realtek for LAN and the SiS for WAN, and although the WAN still got its address, I could no longer ping internet addresses from the console.
The WAN gets its ip using dhcp. The modem is a tp-link TD-8840 in half bridge mode.

When I switch over to the ipfire vm everything is sweet. However the whole point of the exercise is to get SIP and NAT playing nicely together. Ipfire is not acheiving this to my satisfaction…

A friend of mine has some newer ibm hardware, capable of supporting esxi 4 so I might have a play with that in the future. Right now I am tired having devoted the entire weekend to this.

But thanks again.

biggsy · May 13, 2012, 9:45 AM

If you get the newer hardware maybe this will help in some way: http://doc.pfsense.org/index.php/PfSense_2_on_VMware_ESXi_5

chpalmer · May 13, 2012, 11:28 AM

Need to share a little more.

What is your LAN subnet?

Does your WAN get a public IP?

Are your client units DHCP or Static?

What do you have set for outbound NAT?

Can you reach the webconfigurator from the LAN side?

novacoresystems · May 24, 2012, 8:16 AM

Just to add to everything, I've found it helpful to actually run the Setup Wizard to setup the connection for the first time in pfsense. I've had the same thing happen to me where LAN traffic was not being routed properly until I went through the whole setup. Just adding in the settings manually seems to cause this issue for me even though I know all the settings.

Cam73 · Jun 2, 2012, 9:18 PM

Hi there,

Lan subnet is 192.168.5.0/25 netmask 255.255.255.128 (192.168.5.0 - 192.168.5.127)

The wan interface gets a real world ip address from the modem (which is in half bridge mode)

My clients are set statically at this time, but making them dhcp doesn't change anything.

Outbound nat is set up "out of the box" ie. no changes from default install settings.

Yes I gan get to the web configurator.

I'm having another go at this today (had a couple of weeks off) so I think I will start from scratch and after install I will try the setup wizard.

Cam73 · Jun 2, 2012, 11:51 PM

Further to my last post, I have done several complete re-installs on dedicated (and supported) hardware. I have also flashed and factory defaulted the modem. No change to the issues I am having…

When everything is installed and the interfaces and client are set up, the following is happening...

action: ping my isp's dns server from the pfsense machines console shell
result: no response

action: reboot modem
result: the ping starts returning responses

action: press control c (to end the ping command)
result: returns the prompt.

action: press the up arrow and then enter. Ie. re-run the ping command
result: NO PING RESPONSE!

action: reboot modem again
result: ping starts working again.

Question 1: Why does the ping command only get reponses the first time it is run?
Question 2: Has anyone successfully got pfsense working with a TP-LINK TD-8840 (REV 4) in half bridge mode?

Metu69salemi · Jun 4, 2012, 9:00 PM

Does your modem have same wan-side ip-address than pfsense?
I had one problem in the past, where my modem had one public ip-address in use and it "stole" it from pfsense, so any traffic with that public ip-address failed.

My modem were at the time also half-bridge mode

Cam73 · Jun 20, 2012, 6:38 AM

@Metu69salemi:

Does your modem have same wan-side ip-address than pfsense?
I had one problem in the past, where my modem had one public ip-address in use and it "stole" it from pfsense, so any traffic with that public ip-address failed.

My modem were at the time also half-bridge mode

Hmm, not sure what you mean "stole it from pfsense", as pfsense gets it's red ip address from the modem. Ie. the modem gets it's ip from my ISP and then assigns that ip to pfsense's red interface. And yes they are the same public IP on the red side of the modem and the red side of pfsense. Also this behaviour seems to be correct having read other forum posts.

If I set the modem up for staight NAT and not half bridge mode, the pfsense then gets a private ip from the modem and the whole thing starts working. However, what I have now achieved is double NAT - something I was hoping to avoid by using half bridge.

So to answer my own question, no - pfsense will not work with a TP-LINK TD-8840 in half bridge / ip extension mode. So far no one has been able to prove me wrong.

Metu69salemi · Jun 20, 2012, 7:05 AM

In my case any trafic with that public ip didn't get passed to pfsense, it just went to modem and that's it.
Because modem was half bridged mode, so two of it's ports (of total four ports) were in routed and other half were bridged. These two routed ports were getting internet access with this one public ip-address.

Modem basically stole one public ip-address, because all trafic destined to that ip-address were sent to routed ports, even if it was originally from pfsense(bridged Interface)

Cam73 · Jun 29, 2012, 8:53 AM

I have finally tracked down a Draytek Vigor 120 which has the pppoa to pppoe bridge. Pfsense now connects directly to my isp using the modem in "dumb modem" mode.

The TPLink will be getting auctioned at the earliest convenience!