New pfsense 2.1 install no Internet from LAN
-
I have just discovered pfsense and I am very excited about it. I pulled an old PC and added a NIC card. It took many hours to get pfsens installed onto my hard drive (one very smart poster told someone else to dd all zeros onto the drive and then do a quick install. I tried it and it worked).
I have been working through all the little issues and I am now down to the following, which is very much like:
http://forum.pfsense.org/index.php?topic=63008.0I can not ping the Internet from my LAN. I can ping the DNS. I am certain it is something simple, but I can not picture what I have to change.
Here is the setup.
cable modem to my ASUS router. Router outside address is: 76.26.xxx.yy. Router internal address is 192.168.1.1
I have the pfsense WAN address static set to 192.168.1.4/24 with a gateway of 192.168.1.1
I have pfsense LAN address static set t 192.168.3.1/24 with no gateway defined.
I have unchecked the "block private networks" for both the LAN and WAN.When I plug my laptop into the LAN side I get an IP address. If I open a command window I can ping the DNS (8.8.8.8 and 8.8.4.4).
I can nslookup anything I like. I can tracert to the DNS servers.However, I can not ping or tracert to any "normal" internet address. If I do an nslookup on my website I get the IP address, but I can not ping it or tracert it.
When I tracert the DNS the first two lines are:
1 <1ms <1ms <1ms pfsense.localdomain [192.168.3.1]
2 <1ms <1ms <1ms 192.168.1.1
3 …and the rest of the trace is there (15 levels total)
If I then try to tracert to my webpage I get the following:
1 <1ms <1ms <1ms pfsense.localdomain [192.168.3.1]
2 * * * Request timed out.
3 * * pfsense.localdomain [192.168.3.1] reports: Destination host unreachableI have checked the NAT rule and the firewall rules like mentioned in my linked thread, but they are all the default settings.
The only difference between my setup and the one in my linked thread is that he was directly attached to his internet and I have a private LAN as my pfsense WAN. It seems like there is one more step I have to take but my hours of searching have not uncovered the nugget I need.
Any hints/tips would be much appreciated.
Thanks,
Eric -
You do understand that pfsense is meant to replace your soho asus router - and there is little point to double natting like your doing.
This in your trace makes no sense
3 * * pfsense.localdomain [192.168.3.1] reports: Destination host unreachableWhat is your destination IP in this trace?
What I would do is take your asus router out of the picture - what do you expect to do with pfsense behind a double nat already
? -
The reason I have it set up like this is because the internet at my bosses hotel is the same way. The main router provided by the commercial ISP has a 192.168.1.0/24 address space for the LAN. There are two local routers hanging off the 192.168.1.0 subnet. The first feeds the Front desk area. The second feeds his wireless guest network.
He wants to implement a captive portal with vouchers for the guests. So I want to replace the second router with the pfsense router.
As for the IP address I am attempting to ping/tracert in the first post its: 74.220.207.125
What I thought was weird was that trace routing the DNS made it past the second hop, but the trace route to an internet IP address got hung up and didnt reach the second hop.
And about replacing my ASUS with pfsense, you are correct. I want to replace the route function and move the ASUS into the middle of the house and use it as an AP. I think if I put pfsense in that function, I can set the WAN to DHCP and the cable modem will set my outside IP address. I am happy because I can reuse an older computer.
Any ideas on how to fix my original issue?
Thanks again,
Eric -
Can you ping external IPs from the pfSense box itself, either from the Diagnostics menu in the webgui or from the console?
Steve
-
And in the hotel - pfsense would replace the router and you would have a vlan for hotel use, and a vlan for guest network. You would still not want to double nat.
Since you changed the lan network of pfsense have your rebooted it, what are you doing for outbound nat automatic or manual?
You are correct it makes no sense that you could ping and traceroute to googledns, but not other IPs What does the route table look like on pfsense? And yes stephen suggestion of what can pfsense do for pings and traceroutes is a good test.
-
So if I open a shell on the pfsense box (option 8). I was ale to ping DNS (8.8.8.8) but not any internet IP (74.220.207.125). The latter times out and then starts showing "ping: send to: host is down"
I did a traceroute to 8.8.8.8 and it works. The first two hops asfter 192.168.1.1 are 96.120.0.137 and 68.85.224.13
If I try to ping either one of those addresses I get the same "host is down" message. If I ping those 96 and 68 addresses from a PC attached in the 192.168.1.0/24 space they work.
I have rebooted the pfsense box.
My outbound NAT is set to "Automatic outbound NAT rule generation"
I have attached a picture of my routing table. This is after I did all the pings and traceroutes. Looks pretty boring.
-
No its not boring - clearly shows your problem.. You have your LAN IP address setup as your default route. And then you have specific routes for googledns 8.8.8.8 and 8.8.4.4 to talk to your soho routers IP. So that explains why they work.
So where did those routes come from?
Your default route should be your soho routers IP 192.168.1.1. That is all you should have in your route table. How do you expect to get anywhere if you say the next hop off this network is your own address? 192.168.3.1??
-
^Exactly.
Though you said in your first post that you don't have a gateway on LAN did you ever have one?
If you removed a gateway from LAN did you change your default route? I would expect it to have changed back to the WAN gateway though. Check in the webgui in System: Routes:Steve
-
So in my wrestling to get the DNS working yesterday in system->general setup->DNS servers, I had used the "use gateway" popup to set them to use 192.168.1.1. That is how the specific routes for the DNS ended up in the routing table. I have set these DNS entries to "none" under the "use gateway".
So in system->routing->gateways I see that the LAN gateway (192.168.3.1) is set as the default. I edit the GW_LAN (192.168.3.1) and unchecked the box for default route. I saved it and then edited the GW_WAN (192.168.1.1) and checked the default route box. I saved it and then rebooted.
It is now fixed. I am buying you a beer.
One last question to expand my knowledge. If my pfsense box had been installed right after the cable companies modem so that the pfsense WAN address had been set by DHCP (76.26.XXX.YYY), would my default route have been the 192.168.3.1 address?
In other words, were my defaults not working correctly because of the double NAT?
Thanks so much. I appreciate your time.
Eric
-
I can only speculate here but….
I would guess that you added a gateway on the LAN interface and then removed it after doing some research on the forum. The system default gateway will be set to whichever gateway was most recently added. Since the WAN is the first interface to be configured if you add a gateway on LAN it will end up as the default. It would not have made any difference if you'd had a public IP on your WAN.Generally speaking you should try to have your public IP on the WAN interface and avoid a double NAT situation. Some things will not function across double NAT. However if you are using pfSense for it's captive portal function and aren't having any problems then you're probably fine.
Steve
-
" If my pfsense box had been installed right after the cable companies modem so that the pfsense WAN address had been set by DHCP (76.26.XXX.YYY), would my default route have been the 192.168.3.1 address?"
Yeah with stephen only speculation - you clearly were dicking around to get a gateway set to your own address… In a typical setup where you were directly connected to your ISP.. bing bang zoom you would of been dhcp on your wan and default 192.168 address on your lan and not have had to touch anything and would of been working out of the box.
You playing around with static on wan and changing the IP on your lan interface is where you prob got messed up.
There is RARELY a good reason, and I mean RARE!! to double nat - its pointless, it is a performance hit, and yes somethings are going to have issues working with it, and is just a PITA all the way around.
I would suggest you want to use pfsense as you firewall/gateway then use it as intended - if you need more than 1 network segment/vlan on your lan side then add nics to pfsense to allow for that vs using routers that nat as your way of creating isolated segments.