New 2.1 install not permitting users to connect to Internet
-
The problem is that LAN users cannot surf the Internet and the PFsense server is "unable to check for updates" or retrieve packages.
Here is the configuration and symptoms.
- new AMD CPU with 4 GB RAM and 500 GB hard drive with 2 Realtek network cards.
- installed version 2.1 from CD - no issues.
- the WAN interface connects directly to the ISP IP address (public IP).
- the LAN interface provides DHCP (IPv4) to the PCs. Each PC and device is receiving a valid IP and they can communicate with each other.
- connected this pfSense server to a second pfSense server at another location using OpenVPN. The other location is the VPN server and this location is the client (peer to peer (shared key) configuration).
Symptoms:
- the new pfSense server is showing on the GUI that it is unable to check for updates, and we are unable to get a package listing.
- the LAN gateway is up and we can connect to the pfSense web GUI without any issues from any LAN PC.
- the WAN gateway is up, I can ping the public IP from pfSense.
- the OpenVPN connection is up and is working properly (both sides can see the other's PCs and servers at each location. We can even open the file server at each location and manipulate files etc.). If we stop the VPN service there is no change in accessibility to the web.
- the LAN PCs (Windows 7) (at the new pfSense location) are showing that they have no Internet connection and they are unable to browse to any web site. This is consistent with the pfSense server being unable to reach the pfSense servers for updates or to list available packages. When we do a diagnostic from Windows everything comes back normal, no problems.
- verified the DHCP settings provided to each PC and all are correct with valid DNS entries and with the valid WAN gateway.
- verified the firewall rules for the LAN - the default allow LAN to any rule is listed in the LAN rules. This in theory should permit the users to access the Internet.
I'm at a loss to explain that the VPN is working yet pfSense and the local PCs are unable to connect to the Internet. Any help or suggestion would be appreciated.
Thanks
Cjb
-
the LAN gateway is up and we can connect to the pfSense web GUI without any issues from any LAN PC.
What exactly do you mean by LAN gateway? The LAN interface should not have a gateway defined.
How is the remote OpenVPN server defined? If it's by IP directly then you may have a DNS problem. Can you ping, say, 8.8.8.8 from pfSense or LAN side clients?
What is the system default gateway set to?
Steve
-
The correct term is: the LAN interface is up.
The OpenVPN server is defined by a DNS entry and not an IP, which suggests that it can find the IP using the DNS servers that are defined.
From the LAN side (pfSense) I can only ping the ISP IP and the servers on the other side of the VPN; if I try to ping Google or any other external IP I cannot reach them. In the DNS list, in addition to the ISP DNS server, we also have 4.2.2.2.
The ISP service is a DHCP service so they provide their gateway. The pfSense WAN gateway is pointing to the IP provided by the ISP, which can be pinged from another location. Also in the firewall log I am seeing that it is blocking unwanted traffic trying to come into the pfSense on closed ports.
We placed DNS 8.8.8.8 and then went to the Diagnostics/Ping option and the ping provided a valid reply.
cjb
-
Is OpenVPN set up to route all traffic from the remote location through the main location's Internet gateway?
Have you done a traceroute from one of the LAN PCs to an Internet location? What are the results?
Can you provide a diagram of the topology with internal IPs so I/we can see where the traceroute is going?
-
We need to see your:
System > General Setup
Firewall > Rules (LAN, WAN and OpenVPN tabs)
to start with…
The Interfaces > LAN and WAN pages would also be helpful.
With that, things would probably go quickly.
-
Yes, that would be my guess; all your traffic is being routed over the VPN and the other end isn't configured to route it out there. The reason you can ping the ISP gateway is because it's seen as a local address; it's in the same subnet as one of your interfaces.
Steve
-
Here are the requested images
Thanks
cjb
-
General Setup
![General Setup.png](/public/imported_attachments/1/General Setup.png)
LAN Interface
![Lan Interface.png](/public/imported_attachments/1/Lan Interface.png)
LAN Rules
![Lan Rules.png](/public/imported_attachments/1/Lan Rules.png)
WAN Interface
![Wan Interface.png](/public/imported_attachments/1/Wan Interface.png)
WAN Rules
![Wan Rules.png](/public/imported_attachments/1/Wan Rules.png)
OpenVPN Rule
![openVPN Rule.png](/public/imported_attachments/1/openVPN Rule.png)
Like I said above, you should not have a gateway set on the LAN interface. Remove it.
In some rare circumstances you might want a gateway on LAN, but here it has probably become the default system gateway, which kills routing.
Steve
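One way to confirm the routing-table symptom Steve describes (the default route leaving via the LAN gateway or the tunnel instead of the WAN), as an added example that is not part of this thread: a small POSIX shell check over `netstat -rn` output as pfSense (FreeBSD) prints it. The sample table below is constructed; the interface names `re0` (WAN), `re1` (LAN), `ovpnc1` and the addresses are assumptions, not taken from the poster's screenshots.

```shell
# Constructed sample of `netstat -rn` on a pfSense box where a LAN gateway
# (192.168.1.1, reachable on re1) has become the system default gateway.
# Not real output from the thread; addresses and interface names are made up.
SAMPLE_ROUTES='Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         re1
10.0.8.0/24        10.0.8.1           UGS      ovpnc1
10.0.8.1           link#8             UH       ovpnc1
127.0.0.1          link#5             UH          lo0
192.168.1.0/24     link#2             U           re1
192.168.1.1        link#2             UHS         lo0
203.0.113.0/24     link#1             U           re0
203.0.113.45       link#1             UHS         lo0'

# Print the interface (Netif column) that carries the default route, or "none".
default_route_if() {
  printf '%s\n' "$1" |
    awk '$1 == "default" { print $4; found = 1 }
         END { if (!found) print "none" }'
}

# Print the gateway address of the default route, or "none".
default_route_gw() {
  printf '%s\n' "$1" |
    awk '$1 == "default" { print $2; found = 1 }
         END { if (!found) print "none" }'
}

# Classify the default route against the interface that should carry it
# (the WAN).  "ok" when it leaves via the WAN, "missing" when there is no
# default route, otherwise "misrouted via <iface> gw <address>", which is
# exactly the LAN-gateway-became-default situation diagnosed in the thread.
check_default_route() {
  routes=$1
  wan_if=$2
  netif=$(default_route_if "$routes")
  gw=$(default_route_gw "$routes")
  case "$netif" in
    none)      echo "missing" ;;
    "$wan_if") echo "ok" ;;
    *)         echo "misrouted via $netif gw $gw" ;;
  esac
}

# On a live pfSense box you would feed it `netstat -rn` and the WAN Netif:
#   check_default_route "$(netstat -rn)" re0
check_default_route "$SAMPLE_ROUTES" re0
```

The sample run reports the default route leaving via `re1`, the LAN side, which is the condition Steve says kills routing; once the LAN gateway is removed the default route should come back via the WAN interface.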