No internet access from LAN side

trex13

Here are the screenshots:
i've done factory reset of pfsense before that but it didn't help.

lanrules.JPG_thumb

gws.JPG_thumb

intfs.JPG_thumb

dnslookup.JPG_thumb

routes.JPG_thumb

nat.JPG_thumb

ptt

You don't need/want a GW on LAN, please remove it ;)

phil.davis

Somehow people are feeling the urge to specify a gateway on LAN. pfSense understands gateways to be the way out to the rest of the internet (or at least some other networks), and a gateway set on an interface is assumed to be a general way out to "everywhere". One of the gateways has to be the default gateway, and if you specify a gateway on LAN and it is the default gateway then packets are going to spin around somewhere inside LAN and never get out.
After removing that LAN gateway, make sure that you have a WAN gateway that points to a real upstream router that gets to the internet, and set that as the default gateway.
I wonder if the words describing this in the initial setup scripts can be enhanced in some way so that people do not feel the urge to put a gateway on LAN?

johnpoz

yeah it is becoming a very recurring issue – maybe we need to create BIG FLASHING RED letters that say do not put a GW on this LAN interface unless you fully understand what that means. And then rethink it and then don't do it!! ;)

Can we just remove the option all together, if you you classify it as LAN interface there is NO option to put a GW on it at all.. ;) Is this connection used as WAN/INTERNET sort of check mark, and if not checked no GW option is even available? I am almost positive that the wizard of setup clearly skips over asking the question even - doesn't it??

trex13

@ptt:

You don't need/want a GW on LAN, please remove it ;)

There is none selected under LAN interface "gateway" but in "status" there are 2 gateways shown(see screenshots).
Did pfsense restart and nothing changed.

![GW status.jpg](/public/imported_attachments/1/GW status.jpg)
![GW status.jpg_thumb](/public/imported_attachments/1/GW status.jpg_thumb)

LAN_GW.jpg_thumb
![trcrt LAN.jpg](/public/imported_attachments/1/trcrt LAN.jpg)
![trcrt LAN.jpg_thumb](/public/imported_attachments/1/trcrt LAN.jpg_thumb)
![trcrt wan.jpg](/public/imported_attachments/1/trcrt wan.jpg)
![trcrt wan.jpg_thumb](/public/imported_attachments/1/trcrt wan.jpg_thumb)

ptt

Please Remove/Delete the "GW_LAN" you Don't Need It !

The ONLY GW that a "pfSense default install" (with 2 interfaces, WAN & LAN) Need to work "OK" is the WAN GW

pf_WAN_GW.png_thumb

johnpoz

3 levels of nats? Your 3rd hop in your trace is 172.29 which is private as well..

trex13

@ptt:

Please Remove/Delete the "GW_LAN" you Don't Need It !

The ONLY GW that a "pfSense default install" (with 2 interfaces, WAN & LAN) Need to work "OK" is the WAN GW

Finally it works! Problem was that i didn't know how to delete LAN gateway because it's under "System>routing" and i tried to remove it under "interfaces>LAN(gateway)". Once i saw your SS i start opening all sub menus under "system" and found "gateways" menu.

Thank you and thank you johnpoz, too.

trex13

@johnpoz:

3 levels of nats? Your 3rd hop in your trace is 172.29 which is private as well..

I don't know what address is that and to whom it belongs to. I think it belongs to ISP. Can it be? My router's private LAN address is 192.168.1.1 which is first hop.

johnpoz

172.29 doesn't really belong to anyone its private address space - just like your 192.168, it rfc1918 address space and clearly needed for you to have multiple boxes behind an actual public. That is what your adsl gateway should be doing.. But your showing 2 hops past that still private??

I would think you have a hard time doing any sort of unsolicited inbound traffic? Port Forwards. Shoot I would guess your clients behind pfsense are 4 nats deep, unless your ISP just routing the privates then your only 3 ;) isp to public, your adsl to pfsense and then pfsense to your lan clients behind pfsense ;)

trex13

@johnpoz:

I would think you have a hard time doing any sort of unsolicited inbound traffic? Port Forwards. Shoot I would guess your clients behind pfsense are 4 nats deep, unless your ISP just routing the privates then your only 3 ;) isp to public, your adsl to pfsense and then pfsense to your lan clients behind pfsense ;)

I don't have any need for unsolicited inbound traffic on LAN interface of pfsense. I run pfsense only to have hotspot(tickets/captive portal - that's next step) for web surfing. On WAN side (192.168.1.x - 5-6 clients) I have few open ports on main router(192.168.1.1) and all unsolicited inbound traffic passes through main router fine.

unexpectedly

@johnpoz:

yeah it is becoming a very recurring issue – maybe we need to create BIG FLASHING RED letters that say do not put a GW on this LAN interface unless you fully understand what that means. And then rethink it and then don't do it!! ;)

Can we just remove the option all together, if you you classify it as LAN interface there is NO option to put a GW on it at all.. ;) Is this connection used as WAN/INTERNET sort of check mark, and if not checked no GW option is even available? I am almost positive that the wizard of setup clearly skips over asking the question even - doesn't it??

THIS.

Argh. I've been working on getting VLANs to work and part of that was moving DHCP off the pfsense box so I could configure the subnetting correctly. I didn't notice this put a gateway on pfsense's LAN side. And until this thread, didn't realize that was why the internet just turned off. :(

Thanks though! I hate having my business behind store bought wifi routers.
Chris