Netgate Discussion Forum
    New PFSense can't get on WAN

    Problems Installing or Upgrading pfSense Software
      3zzz

      Thanks for your reply podilarius

      @podilarius:

      There could be a problem with the ESXi network setup. Are you utilizing VLANs or something to segregate the networks?

      No, and I read something last night that implies ESXi needs two physical nics to do this without VLANS.  There is a 2nd nic in the ESXi host but it's not connected and a 2 hour drive to the datacenter; I've requested they connect it for me.  Do you think it's as simple as that, connecting the 2nd nic to the WAN even though they go into the same layer 3 switch?  Or are VLANs absolutely essential?
      I guess I'm reluctant to go VLANs mainly for lack of experience and afraid to get locked out of the host.

      UPDATE: Not sure what changed, but the WAN is online today!  Maybe rebooting the ESXi host had something to do with it, after changing the nics assigned to this VM…?  So perhaps it all can work with a single nic and no VLANs.  Excited to try NAT next... will report back

        podilarius

        It can work with only 1 NIC, I have done it before, but it is not very secure and as such is highly recommended that you get the second hooked up or go VLAN to separate the networks. Let us know how it goes.

          3zzz

          @3zzz:

          perhaps it all can work with a single nic and no VLANs.  Excited to try NAT next… will report back

          Update: Inbound NAT works no problem.  For some reason the computers can't connect out to the 'net, which is only an issue when they need to get updates, install new packages, etc.
          I haven't been able to figure out what's wrong but the servers have for their gateway the PFSense LAN ip (192.168.1.1) and they can only ping addresses of other computers on the LAN, but not the gateway or beyond… I still have the default "Automatic Outbound NAT" rule in place and didn't add any new firewall rules that block anything.

            PiBa

            To be sure, the pfSense box itself can ping correctly to, for example, google.com and the gateway IP? But the client LAN computers cannot ping the internet provider gateway. Can the LAN computers ping the WAN IP of the pfSense box?

            The LAN interface should not have a gateway, but you do need a few firewall rules to allow outbound traffic. Can you check the firewall logs to see if traffic is being blocked? What happens if you perform a "tracert 8.8.8.8" from a client PC?

            As for the ESX machine, make sure the switch has allow forged MAC addresses and allow promiscuous mode..

              3zzz

              @PiBa:

              To be sure, the pfSense box itself can ping correctly to, for example, google.com and the gateway IP?

              yes - from webconfigurator diagnostics > ping,  ping google.com, resolved and ping 3 times 100% success

              @PiBa:

              But the client LAN computers cannot ping the internet provider gateway. Can the LAN computers ping the WAN IP of the pfSense box?
              The LAN interface should not have a gateway, but you do need a few firewall rules to allow outbound traffic. Can you check the firewall logs to see if traffic is being blocked?

              Computers on LAN only cannot ping gateway but can ping WAN ip of pfSense

              LAN gateway = none
              I noticed in the firewall logs incoming traffic hitting port 80 of the public ip address being blocked, but when I try to ping the gateway etc nothing shows up with the internal addresses being blocked.

              @PiBa:

              What happens if you perform a "tracert 8.8.8.8" from a client PC?
              As for the ESX machine, make sure the switch has allow forged MAC addresses and allow promiscuous mode..

              traceroute 8.8.8.8

              traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
              1  * * *
              2  * * *
              3  * * *
              etc until expiration

              Hmm, promiscuous was disallowed on both the vnic and the vswitch - I wonder, do I need to enable it on both, and what needs to be restarted afterwards..?

              Thanks for your help PiBa!

                podilarius

                Unless you need a bridge, you don't need promiscuous mode on. What is the IP and subnet on LAN?

                  3zzz

                  I enabled promiscuous, rebooted pfSense and the server, and nothing seemed to change.

                  @podilarius:

                  Unless you need a bridge, you don't need promiscuous mode on. What is the IP and subnet on LAN?

                  OK thanks podilarius,

                  I'd been using 192.168.1.1 in the example; in actuality it has 192.168.10.1 /24 (gateway none) and the servers are on the same subnet 192.168.10.X with their gateway set to 192.168.10.1. This is how the routing looks on one I'm testing with:

                  ip route show

                  192.168.10.0/24 dev eth0  proto kernel  scope link  src 192.168.10.40
                  169.254.0.0/16 dev eth0  scope link
                  default via 192.168.10.1 dev eth0

                    podilarius

                    But you cannot ping the LAN address? Is that correct? What rule have you modified on LAN and what have you done in NAT, more specifically outbound? Do the servers still have live ips?

                      3zzz

                      @podilarius:

                      But you cannot ping the LAN address? Is that correct? What rule have you modified on LAN and what have you done in NAT, more specifically outbound? Do the servers still have live ips?

                      I can ping the LAN address and the pfSense public WAN address from the servers, I just can't ping the public WAN gateway that pfSense is using (or anything beyond) if I have the LAN address as the server's gateway.  If I switch the server's gateway to the WAN gateway ip address, then it can access anywhere. (the servers have both a public and LAN address currently, was hoping to remove the public once pfSense is set up)

                      As far as rules in pfSense, I added one NAT rule for a specific port to forward to an internal address for SSH; and it works from outside, I can SSH to a server with only an internal address on the LAN subnet.

                      The outgoing has only the default option checked "Automatic outbound NAT rule generation".
                      There are a few "allow all" rules but that's about it.

                        3zzz

                        It's working!

                        I wish I knew what it was that fixed it; I went to the WAN settings page and it said there were changes waiting to be applied. I applied them and after that I noticed there was no gateway set.  I set the gateway and applied the changes and suddenly it works.  So it must have been something dumb I was doing, not applying changes or something. Boy, that was frustrating, but I am so glad it works.  Thanks for your help with this guys!

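The checks the thread walks through (client default route pointing at the pfSense LAN address, LAN interface with no gateway, WAN interface with a gateway so automatic outbound NAT has something to work with), as an added example that is not from the posters or from pfSense itself; the pfSense interface summaries and their field names are assumptions, and the public addresses are constructed.

```python
import ipaddress

# Constructed sample input modelled on the `ip route show` output in the thread.
CLIENT_ROUTES = """\
192.168.10.0/24 dev eth0  proto kernel  scope link  src 192.168.10.40
169.254.0.0/16 dev eth0  scope link
default via 192.168.10.1 dev eth0
"""
# Hypothetical summaries of the pfSense interface settings (field names are
# assumptions; the public addresses are constructed documentation ranges).
PFSENSE_BEFORE = {"lan": {"ip": "192.168.10.1/24", "gateway": None},
                  "wan": {"ip": "203.0.113.10/24", "gateway": None}}
PFSENSE_AFTER = {"lan": {"ip": "192.168.10.1/24", "gateway": None},
                 "wan": {"ip": "203.0.113.10/24", "gateway": "203.0.113.1"}}

def parse_routes(text):
    """Parse `ip route show` lines into (network, via, dev) tuples."""
    routes = []
    for fields in (line.split() for line in text.splitlines() if line.strip()):
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((ipaddress.ip_network(dst, strict=False), via, dev))
    return routes

def check_path(client_routes, pfsense):
    """Return findings that would explain LAN clients failing to reach the internet."""
    findings = []
    routes = parse_routes(client_routes)
    lan_ip = ipaddress.ip_interface(pfsense["lan"]["ip"]).ip
    default = next((r for r in routes if r[0].prefixlen == 0), None)
    if default is None or default[1] is None:
        findings.append("client has no default route via a gateway")
    else:
        gw, dev = ipaddress.ip_address(default[1]), default[2]
        # The gateway must sit inside a directly connected subnet on the same device.
        if not any(gw in r[0] for r in routes if r[1] is None and r[2] == dev):
            findings.append(f"client default gateway {gw} is not on a connected subnet")
        elif gw != lan_ip:
            findings.append(f"client default gateway {gw} is not the pfSense LAN address {lan_ip}")
    if pfsense["lan"]["gateway"] is not None:
        findings.append("LAN interface has a gateway set; it should be none")
    if pfsense["wan"]["gateway"] is None:
        findings.append("WAN interface has no gateway: pfSense has no default route, and "
                        "automatic outbound NAT only generates rules for interfaces with one")
    return findings
```

Run against PFSENSE_BEFORE it reports only the missing WAN gateway, which matches the fix in the final post; against PFSENSE_AFTER it reports nothing.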
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.