Netgate Discussion Forum

    Vanilla install PFSense Business Test – no internet

    Problems Installing or Upgrading pfSense Software

      B00M3R

      Modem in bridge mode (FYI seems to work fine, hands over IP to pfSense WAN int no problem)

      See attachment nat.jpg for FW rules
      Outbound NAT set to "Automatic outbound NAT rule generation"
      Let me know what other details you need

      nat.JPG

        kejianshi

        Go to interfaces > wan
        Look for "block private IP"
        un-check it.

        Save.

        Then try.

          stephenw10 Netgate Administrator

          You assume correctly that the default config should be ready to roll giving internet access to LAN side clients.

          Since it appears you have access to the webgui you can check if the pfSense box has internet access. On the dashboard is it reporting 'you are on the latest version' or 'unable to check for updates'?
          When you try to connect to an external host from the LAN what is the error given? What if you try to ping by URL or IP?

          Just for information the 'block private networks' rule on WAN will not stop LAN clients getting a connection even if your WAN has a private IP. It blocks incoming connections only just like any other rule. You should disable it if your WAN subnet is private because it will cause issues later if you need to run port forwards etc.

          Steve

          Edit: typo

            cmb

            @kejianshi:

            Go to interfaces > wan
            Look for "block private IP"
            un-check it.

            Don't. No relation.

            Check what Steve said.

              kejianshi

              Not necessarily true genius unless you can KNOW for sure that he didn't accidentally pass a private IP to the WAN.

              People are forever thinking they bridged a modem/router but didn't get it right accidentally.  I'd say 9/10s of the time that's the case in a situation like this where a vanilla install of pfSense doesn't work and some other cheapo router does.  It's just a thing to check.

              If the bridge was done incorrectly or not at all, which is often the case, allowing a private IP on the WAN would show that quickly.

              Then, if that is the problem, he could fix it.

              So, CMB, it's at best POSSIBLE that what I suggested will make no diff.  Depends on if the OP got the bridge right.
              It's one freakin button click.  If it changes nothing, it's one button click to change it back.

              Another possibility is that the ISP is disallowing his MAC, in which case cloning the MAC of the working router, presumably the one that was there before pfsense, should clear things up.

              I've seen both cases many times.

                stephenw10 Netgate Administrator

                I'm not arguing that you shouldn't disable 'block private networks', indeed if the WAN is in a private subnet you should for the reasons I gave. In fact I'm not trying to argue at all.  ;)
                It's just purely for information because I see this suggested a lot by many people as a cause of 'no internet on LAN'. When diagnosing this type of issue you need to be aware that the 'block private networks' rule cannot prevent clients on LAN from accessing the internet.

                Now getting a private IP on WAN when you thought the modem was bridged in some way, that's definitely a clue that something is amiss.  :)

                Steve

                  kejianshi

                  It's not so much you, Steve.  Your advice is in fact reasonable and valid.

                  But CMB was out of line, and possibly wrong (it's a coin toss - depends on the proficiency of the OP)

                  There is just no good reason to show up saying don't try something unless you are 100% sure it will have zero effect.

                  When I posted the original suggestion it was with full knowledge that it might not help anything.

                  In which case I'd suggest checking the MAC.

                  In fact there is a laundry list of simple checks that need be done if that fails.

                  Could be any simple thing - but it's definitely something simple.

                  BTW - I presumed things on the LAN are working fine. 
                  OP states "cannot resolve to anything external". 
                  With that language, could be DNS I guess.  I'm doubting it though if he really is using a default install.

                    chpalmer

                    I presumed (a) default PFSense default of the box was ready to roll.

                    Usually is.  :)

                    OP = Try inputting one of these IPs and see if it makes it…  they should all take you to Google.

                    If it works-  how is your WAN setup?    DHCP,  Static,…  ??

                    Triggering snowflakes one by one..
                    Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                      cmb

                      @kejianshi:

                      Not necessarily true genius unless you can KNOW for sure that he didn't accidentally pass a private IP to the WAN.

                      Wrong. That affects only traffic sourced on WAN.

                      @kejianshi:

                      There is just no good reason to show up saying don't try something unless you are 100% sure it will have zero effect.

                      I only state things in such a fashion where I am 100% sure it cannot affect that scenario. It can't.

                        chpalmer

                        @cmb:

                        @kejianshi:

                        Not necessarily true genius unless you can KNOW for sure that he didn't accidentally pass a private IP to the WAN.

                        Wrong. That affects only traffic sourced on WAN.

                        I only state things in such a fashion where I am 100% sure it cannot affect that scenario. It can't.

                        Yep-

                        I have a client that has a 10.x.x.x ip on their WAN as they are on a wireless internet provider and actually in this case on a local router across the highway on their own wireless bridge (over a VLAN) plugged directly into fiber.  2.5ms to a major fiber backbone, very cool!

                        The only reason I had to uncheck the "Block Private Networks" box was to allow the ISP (whom I work with and trust) to be able to log into the pfSense box from the WAN side.  We were online just fine before that.

                          kejianshi

                          I've had to uncheck that box for every double NATed pfsense I ever connected.  (Private IP on the WAN)

                          Must be just me (-;

                            cmb

                            The only scenario where you have to disable that is if you need to pass in traffic on WAN initiated from a private network. That's almost never the case in double NAT scenarios along these lines. Mostly the only time that's necessary to disable is where the system is an internal router/firewall, or other circumstance where its WAN is connected to one of your LANs.

                            1 Reply Last reply Reply Quote 0
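
Added example, not part of any post in this thread and not pfSense code: a simplified Python model of the behaviour described above, where the "block private networks" rule is only consulted for new connections arriving on WAN, while replies to connections opened from LAN match existing state. `ToyFirewall`, its fields and every address are constructed for illustration; ports and protocols are omitted and only RFC 1918 ranges are modelled.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# RFC 1918 ranges only; a simplification chosen for this sketch.
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    return any(ip_address(addr) in net for net in PRIVATE)


@dataclass
class ToyFirewall:
    wan_ip: str
    lan_net: str = "192.168.1.0/24"
    block_private_on_wan: bool = True
    wan_pass_sources: set = field(default_factory=set)  # user "pass in on WAN" rules
    states: set = field(default_factory=set)            # (remote, local); ports omitted

    def lan_out(self, src, dst):
        """Connection opened by a LAN client: default LAN allow rule, NAT, new state."""
        if ip_address(src) not in ip_network(self.lan_net):
            return "block (not a LAN source)"
        self.states.add((dst, self.wan_ip))  # outbound NAT rewrites src to wan_ip
        return "pass"

    def wan_in(self, src):
        """Packet arriving on WAN addressed to the firewall's WAN address."""
        if (src, self.wan_ip) in self.states:
            return "pass (state)"            # reply traffic: rules are never consulted
        if self.block_private_on_wan and is_private(src):
            return "block (private source)"  # evaluated before any user pass rule
        if src in self.wan_pass_sources:
            return "pass (rule)"
        return "block (default deny)"


def scenario(block_private):
    # Constructed addresses: private WAN (double NAT), upstream hosts, documentation ranges.
    fw = ToyFirewall(wan_ip="10.20.30.40", block_private_on_wan=block_private,
                     wan_pass_sources={"10.20.30.5"})
    return {
        "lan_to_internet": fw.lan_out("192.168.1.50", "198.51.100.7"),
        "internet_reply": fw.wan_in("198.51.100.7"),
        "lan_to_upstream_gw": fw.lan_out("192.168.1.50", "10.20.30.1"),
        "upstream_gw_reply": fw.wan_in("10.20.30.1"),
        "isp_login_from_wan": fw.wan_in("10.20.30.5"),
        "unsolicited_public": fw.wan_in("203.0.113.9"),
    }


if __name__ == "__main__":
    for checked in (True, False):
        print("block private networks =", checked)
        for name, verdict in scenario(checked).items():
            print(f"  {name:20} {verdict}")
```

The only verdict that changes with the checkbox is `isp_login_from_wan`, the WAN-side login from a private address mentioned earlier in the thread; LAN clients reach the internet either way.
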
                              kejianshi

                              So just to test again I went into my pfsense VM that is running locally and checked "block private IP" on the WAN because it does have a private IP.

                              And nothing happened…  I expected it to fail.

                              Which was quite weird for me because in the past on my Verizon FIOS and on Comcast I've always had to un-click that button.

                              So I was wrong.

                              So still has me wondering what's up with this guy's machine?

                              DNS?  MAC for wan interface?  Other?

                                B00M3R

                                Thanks for all suggestions - results as below.
                                I've also attached some screenshots which I hope may help.

                                ACTIONS based on suggestions in this thread:
                                Go to interfaces > wan -> Look for "block private IP" -> un-check it -> Save. = no change
                                On the dashboard is it reporting 'you are on the latest version' or 'unable to check for updates'? = "Unable to check for updates"
                                When you try to connect to an external host from the LAN what is the error given? = through browser no internet access
                                Ping google.com = Ping request could not find google.com. Please check the name and try again.
                                Ping by IP = Request timed out.
                                Pinging LAN devices = no issues, all devices respond
                                STRANGE THING - when I cloned the MAC address and pinged I got an outside result (see capture.png)
                                I thought I had cracked it! Then next ping nothing. I don't understand that at all?? Pinging anything after this result failed (by name or IP), nothing.
                                VERY strange & frustrating.
                                Truly, I would be grateful for any advice.

                                Once I

                                dashboard.PNG
                                Capture.PNG
                                gateway.PNG
                                dnsfwd.png
                                generalsetupDNS.png
                                interface status.PNG

                                  Wolf666

                                  Can you post a screenshot of the Outbound NAT rules?

                                  Modem Draytek Vigor 130
                                  pfSense 2.4 Supermicro A1SRi-2558 - 8GB ECC RAM - Intel S3500 SSD 80GB - M350 Case
                                  Switch Cisco SG350-10
                                  AP Netgear R7000 (Stock FW)
                                  HTPC Intel NUC5i3RYH
                                  NAS Synology DS1515+
                                  NAS Synology DS213+

                                    B00M3R

                                    Outbound NAT

                                    outboundNAT.PNG

                                      Wolf666

                                      There is no rule... so no LAN traffic will be outbound NATed.

                                      Try to add one manually as follows:

                                      (unchecked)

                                      Interface = [ WAN▼]
                                      Protocol = [ Any ▼]
                                      Source = Type: [ Network ▼]
                                                    Address: [ YOUR_LAN_IP_SUBNET ] / [ 24 ▼] (should be 192.168.1.0 from your screenshots)
                                                    Source port: [_____] (empty/blank)
                                      Destination: Type = [ Any ▼]
                                      Translation: Address = [ Interface Address ]
                                      Description = [ LAN -> WAN ]

                                        kejianshi

                                        Maybe you had two simple things wrong…

                                        Cloned MAC and Something Else...

                                          kejianshi

                                          When outbound NAT is set to automatic, no rules are listed.  That should be fine.

                                          However, I noticed that DNS is not a default configuration.  So it's not vanilla.

                                          What else did you change?

                                            Wolf666

                                            @kejianshi:

                                            When outbound NAT is set to automatic, no rules are listed.  That should be fine.

                                            My ignorance since I only use manual outbound.
