No Internet access to LAN2
-
Hey guys…
Back at it again...
Was out of the country due to death in the family and now I'm back!!!Today i did the following:
- Changed IP address on both the server and my PF box
- Able to ping server from PF box as seen below from the ping stat
PING 192.168.x.x from 68.150.x.x: 56 data bytes
64 bytes from 192.168.x.x: icmp_seq=0 ttl=64 time=0.131 ms
64 bytes from 192.168.x.x: icmp_seq=1 ttl=64 time=0.057 ms
64 bytes from 192.168.x.x: icmp_seq=2 ttl=64 time=0.051 ms
--- 192.168.x.x ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.051/0.080/0.131/0.036 msServer still not visible on LAN 1 nor has WAN access...
No NAT rules or Bridges have been setup -
Sorry about that. :(
Reading back through this thread it looks like we never resolved what the firewall rule you put in place is.
Please post a screen shot (or copy and paste) of your LAN2 firewall rules.Also just to confirm you have LAN2 assigned to lagg0?
Steve
-
Rules for LAN1 are the same for LAN2…
Allow all and any traffic from WAN to LAN2 and From LAN1 to LAN2 and vice versa -
Rules for LAN1 are the same for LAN2…
Allow all and any traffic from WAN to LAN2 and From LAN1 to LAN2 and vice versaThese two statements do not agree unless you have changed the default LAN rule dramatically!
The rule I expect to see on LAN2 would be:
Protocol: any
Source: LAN2 net, port any
Destination: any, port any
Gateway anyThe firewall rules on an interface apply to traffic entering that interface. Therefore you need to allow traffic entering the LAN2 interface from the other end of the LAGG.
Steve
-
Actually…
i copied it the Default LAN1 Rule to LAN2 -
Ah, maybe I've misunderstood. The problem is the machine at the end of the LAGG cannot access the internet yes?
Is there anything appearing in the firewall log when you try to connect out from the server on LAN2? There shouldn't be if you have the firewall rule correct. You could try enabling logging on the LAN2 rule to check if it is working correctly.If not that I'd have to suspect a routing problem related to LAGG.
Steve
-
Thanks for the quick reply Steve…
On the Server I'm running HP Network Configuration Utility that allows the network adapter to be teamed and run LACP
I'm very tempted to dissolve the teaming and check if it will run without it and if it does then at least i tracked down my problem
-
That's a good plan.
One step at a time when things start to go wrong.Steve
-
OK…
Dissolved network card teaming, set Static IP on 1 adapter and DHCP on the other...
Did the same on my PFBox and set up the default rules on both ports
Tried one adapter at a time with no successI guess it wasn't the LAGG or LACP setup
-
Hmm, interesting.
Did you assign each adapter in turn as LAN2 or both as 2 and 3?
Reassigning adapters and ip type can sometimes result in a stale state table, with rules still in place from a previos config waiting to timeout. This can cause misleading results. You can clear the state table or reboot after a major config change to ensure everything has filtered down.Steve
-
EM0 was named SERVER and EM1 was named WIRELESS
After all the changes i restarted the firewall -
Time to get fundamental. ;)
Are you sure these NICs are working? Cables OK?
Is your box receiving DHCP inormation? Is it the correct information?Something that can catch people out (including me) is that when you create a new interface and specify it's type as static it defaults to a /32 netmask which results in no route. That is usually shown up when you try to add a dhcp server but not if you're using all static IPs.
Steve
-
All the subnet masks are /24 ( 255.255.255.0)
Cables are new out of the bag and tested them with my cable tester- Pass on all - CAT6
Box is working properly and sending and receiving DHCP info.
Tested add on card by moving my WAN port to both EM0 and EM1 with success -
And nothing in the logs? ???
Steve
-
OK…
moved the card from my PF box into my server and its working..
Tied into my LAN1 Switch and the server is online.Pulled my NC7170 network card out and put it back into my PFBox.
So... The network card and wiring is ruled out.Running 2.1-BETA0 (i386)
built on Tue Jun 12 05:15:27 EDT 2012
FreeBSD 8.3-RELEASE-p2
which is the current build -
Hmm, OK some possible scenarios:
1. You have the firewall rule wrong somehow. It could be either wrong in that it's not matching the required traffic but in that case I would expect to see hits in the firewall log from the default block all rule. It could be wrong in that it's matching traffic but routing it when it shouldn't. You would see nothing in the logs in this case but enabling logging on the rule should show you what's going on.2. The firewall rule is working correctly but there is a routing problem. Again enabling logging on the rule should show correct or incorrect working. The most likely causes of this are: no route - usually an incorrect subnet or NAT set to manual and not added to LAN2.
3. Traffic isn't making it to the firewall at all. This seems unlikely since DHCP is working. You could run a packet capture on LAN2 to make sure.
Can you ping the LAN2 interface fro the server? This would verify that it's a routing and not a firewall problem.
Steve
-
OK, everything is back to the way it was before.
However, I set up a TunnelBroker.net IPV6 account…
I followed the walk trough and now the server even gets a valid V6 but still no access :/Rules are to allow any IPv4 and IPv6 from and to WAN
-
To the server or from it? Can you ping the LAN2 interface from the server?
Steve
-
OK, everything is back to the way it was before.
However, I set up a TunnelBroker.net IPV6 account…
I followed the walk trough and now the server even gets a valid V6 but still no access :/Rules are to allow any IPv4 and IPv6 from and to WAN
Sounds similar to the issue I'm having:
http://forum.pfsense.org/index.php/topic,50500.0.html -
I can ping the server From my Laptop (LAN) and from the pfbox.
From the server I can ping my Laptop (LAN), the pfbox and the WAN.Yet my server still displays the "No Internet Connection" warning
