    How can I tell my pfsense box a route to my upstream gateway?

    Category: Problems Installing or Upgrading pfSense Software
    31 Posts, 5 Posters, 12.1k Views
    • bangheaduntildone

      @Derelict:

      Why the hell are you messing around with FLOATING RULES!?!

      That's not in any walkthrough I know of.

      STOP OVERTHINKING IT and put your pass rule on LAN.

      That's not a diagram.  Draw one in crayon and take a picture if you have to.

      The floating rule was to eliminate the other tabs as concerns.
      In any case, I do have pass any any on both wan/dmz and lan. See attached.

      Attachments: NetPic.png, 3_FWrules.PNG

      • Derelict (LAYER 8, Netgate)

        Your diagram has pfSense with DMZ and LAN interfaces, and no interface IP addresses, yet your screenshot has WAN and LAN interfaces?  Which is it?

        Annotate your diagram with IP addresses and subnet masks of the various interfaces and make it as matchymatchy with what your screenshots say as possible so people know what they heck you're trying to do.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • stephenw10 (Netgate Administrator)

          When you've bridged the LAN and WAN and you have completely open firewall rules your downstream clients are effectively talking directly to your upstream router. That clearly removes whatever arp issue is causing problems.

          Steve

          • bangheaduntildone

            @stephenw10:

            When you've bridged the LAN and WAN and you have completely open firewall rules your downstream clients are effectively talking directly to your upstream router. That clearly removes whatever arp issue is causing problems.

            Steve

            My thought exactly, Steve. I just don't know what else to try on the pfsense box to resolve that. It's as if it is ignoring the default gateway, or has some other hidden automatic route somehow, or there is a hidden filter still being applied (despite the disable packet filtering being checked). Any thoughts on how I can diagnose that?

            @Derelict:

            Your diagram has pfSense with DMZ and LAN interfaces, and no interface IP addresses, yet your screenshot has WAN and LAN interfaces?  Which is it?

            Annotate your diagram with IP addresses and subnet masks of the various interfaces and make it as matchymatchy with what your screenshots say as possible so people know what they heck you're trying to do.

            Here's a new diagram with the IPs on the diagram itself rather than in the comment.

            I haven't renamed interfaces from the default for the GUI. The "WAN" from the pfsense screenshots is the DMZ.

            Green lines are working links. The red line is a link that works only in bridged mode and the yellow line within the pfsense box is where I suspect there is an issue.

            Attachment: NetPic2.png

            • Derelict (LAYER 8, Netgate)

              You have the pfSenseDMZ interface set with an interface address of 192.168.1.1/24.  You are expecting it to be able to send traffic to 10.10.10.1.  You can't do that.  The gateway for an interface MUST be on the same subnet/segment as the interface itself.

              This is basic IP routing / subnetting.

              • bangheaduntildone

                @Derelict:

                You have the pfSenseDMZ interface set with an interface address of 192.168.1.1/24.  You are expecting it to be able to send traffic to 10.10.10.1.  You can't do that.  The gateway for an interface MUST be on the same subnet/segment as the interface itself.

                This is basic IP routing / subnetting.

                Actually it's a typo in the pic since I've wiped and reset it a number of times. The pfsense DMZ side IP is 10.10.10.2
                Corrected pic attached.

                Attachment: NetPic2b.png

                • Derelict (LAYER 8, Netgate)

                  So what's not working?

                  What is it you want to have happen?  Be specific and let's work one thing at a time.

                  • bangheaduntildone

                    @Derelict:

                    So what's not working?

                    What is it you want to have happen?  Be specific and let's work one thing at a time.

                    For starters, I want PC1 1.10.10.20 to be able to ping the DMZ/WAN IP 10.10.10.2 on the pfsense box when it is NOT in bridged mode. If it is bridged, I can ping it. If not I can't. Bridged, or not, I can ARP from either side.

                    • Derelict (LAYER 8, Netgate)

                      Start from scratch on pfSense.  Enable your WAN (DMZ) interface as 10.10.10.2/24.  Create a gateway of 10.10.10.1. Uncheck block private networks.

                      Set your LAN interface to 192.168.2.2/24.

                      Edit your firewall rules on WAN/DMZ.  Add a pass rule for IPv4 ICMP any Source any Dest WAN address.

                      DON'T DO ANYTHING ELSE!  10.10.10.1 and 10.10.10.20 will be able to ping 10.10.10.2.

                      See screen shot.  You won't have the block private rule….

                      ![Screen Shot 2015-01-11 at 8.58.10 PM.png](/public/imported_attachments/1/Screen Shot 2015-01-11 at 8.58.10 PM.png)

                      • bangheaduntildone

                        Done and done.

                        At first I could only ping the LAN side. I had DHCP set up as well and despite giving LAN a .2 address, it was handing out .1 as the GW. I tried putting in .2 as the DHCP server GW, ipconfig /renew'ed and I STILL got .1 as a GW. I switched to static with .3 for PC2 on the LAN and .2 as its GW; I could then ping both LAN and DMZ side.

                        I can NOT ping the upstream GW at 10.10.10.1.
                        (PC1, on DMZ 10.10.10.20) can NOT ping 10.10.10.2 either.)

                        So DHCP oddity aside, the same behavior I've seen in every test to date on this system.

                        • Derelict (LAYER 8, Netgate)

                          Why are you making this so goddamn complicated?  Why are you trying to ping the LAN side?  Did you REALLY wipe pfSense and start from scratch?

                          This was to test ONE thing.  Pinging 10.10.10.2 from 10.10.10.1 and 10.10.10.20.  Can you now do that or not?

                          There are some problems with the way you are trying to do this which we will get to later if you just follow along, step by step, and not get all clicky clicky.

                          • bangheaduntildone

                            @Derelict:

                            Why are you making this so goddamn complicated?  Why are you trying to ping the LAN side?  Did you REALLY wipe pfSense and start from scratch?

                            This was to test ONE thing.  Pinging 10.10.10.2 from 10.10.10.1 and 10.10.10.20.  Can you now do that or not?

                            There are some problems with the way you are trying to do this which we will get to later if you just follow along, step by step, and not get all clicky clicky.

                            Pinging 10.10.10.2 from 10.10.10.1: Failure.
                            Pinging 10.10.10.2 from 10.10.10.20: Failure.

                            • Derelict (LAYER 8, Netgate)

                              Then your hardware is a complete fail or you're not doing what I'm saying to do.

                              • bangheaduntildone

                                And yet it works in bridged mode, that's why I don't understand - if it was a HW issue that shouldn't have worked either. I feel like I need to take a lead pencil and bridge a wire somewhere, like overclocking an old Athlon. I'll try the nightly build during the week and see if that resolves it for chuckles.

                                • Derelict (LAYER 8, Netgate)

                                  Which brings us back to you not doing what I'm saying to do.

                                  Look.  You are putting three interfaces on a LAN segment:

                                  10.10.10.1/24
                                  10.10.10.2/24
                                  10.10.10.20/24

                                  You MUST tell the FIREWALL interface on 10.10.10.2 to PASS ICMP traffic inbound to its own address or you won't be able to ping it.
                                  You MUST tell the firewall not to block private traffic which is a default setting for this software.

                                  It's that simple.  If it's not working then something else on your network is hosed.

                                  There is nothing wrong with pfSense.  You can spin your wheels trying different builds but it's not going to help.  If you would STOP thinking something is wrong with pfSense and START looking at what's wrong with your network, you might have a prayer of fixing it.

                                  • stephenw10 (Netgate Administrator)

                                    What hardware are you running pfSense on? Details please. Perhaps you have some obscure NIC that's not co-operating.

                                    Steve

                                    • bennyc

                                      This is becoming an interesting case. Not pretending to be the guru here, but I think we are missing something.

                                      I still cannot understand how bridging solves anything here. A bridge cannot route, so how does your 10.x network get to the 192.x and back? There's nothing to route those subnets?
                                      So let it be the fact that pfSense works against you; even if you put it in a bridge it should not work?

                                      @bangheaduntildone:

                                      At first I could only ping the LAN side. I had DHCP setup as well and despite giving LAN a .2 address, it was handing out .1 as the GW. I tried putting in .2 as the dhcp server gw, ipconfig/renew'ed and I STILL got .1 as a GW. I switched to static with .3 for PC2 on the LAN and .2 as it's GW, I could then ping both LAN and DMZ side.

                                      I can NOT ping the upstream GW at 10.10.10.1.
                                      (PC1, on DMZ 10.10.10.20) can NOT ping 10.10.10.2 either.)

                                      So DHCP oddity aside, the same behavior I've seen in every test to date on this system.

                                      Also this is quite puzzling. Looking at your drawing, why did you try giving a .2 if your pfSense LAN IF is a .1? If you did (for test) give your pfSense LAN IF a .2, dhcpd should follow unless you specified otherwise. (merely guessing here, you're not making it easy)
                                      OR, you have some rogue device somewhere serving your clients! (wireshark should show that easily)

                                      My suggestion: revert to basic as Derelict also instructed.
                                      Go to "Status: System logs: Settings", and check every option in section "Log Firewall Default Blocks". This will get default denies to show in your log.
                                      Another tool which might help you: "Diagnostics: Packet Capture". -> you can set filter there on icmp traffic, and repeat your test again.

                                      Happy hunting, keep us posted.

                                      ps: this does not replace Derelict or Steve's questions, they are way more experienced than me  ;D (also in troubleshooting)

                                      4x XG-7100 (2xHA), 1x SG-4860, 1x SG-2100
                                      1x PC Engines APU2C4, 1x PC Engines APU1C4

                                      • Derelict (LAYER 8, Netgate)

                                        We haven't even gotten to the problem of nothing on 10.10.10.0/24 having a route to 192.168.2.0/24.  At best, the router at 10.10.10.1 will issue ICMP redirects and it might work.  At worst it won't work at all without static routes everywhere.  Regardless, it's a lousy way to do things.

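An added example, not code from this thread or from pfSense itself, that models the conditions Derelict lays out in the thread (the gateway must sit inside the interface's own subnet, "Block private networks" must be off on the WAN/DMZ, and an explicit ICMP pass to the WAN address is needed) together with his last point that nothing on 10.10.10.0/24 has a route to 192.168.2.0/24 without a static route or ICMP redirects. The Interface class, the (proto, dst) rule tuples and the routing tables are assumptions constructed for illustration, not pfSense's real configuration format.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# RFC 1918 space: what pfSense's "Block private networks" option drops on a WAN.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Interface:
    name: str
    addr: ipaddress.IPv4Interface                   # address with mask, e.g. 10.10.10.2/24
    gateway: Optional[ipaddress.IPv4Address] = None
    block_private: bool = False                     # the "Block private networks" checkbox
    rules: List[Tuple[str, str]] = field(default_factory=list)  # (proto, dst) pass rules; dst may be "any"

def gateway_ok(iface: Interface) -> bool:
    """A gateway is only reachable if it sits inside the interface's own subnet."""
    return iface.gateway is None or iface.gateway in iface.addr.network

def inbound_allowed(iface: Interface, src: str, proto: str, dst: str) -> bool:
    """Inbound decision on one interface: block-private check, then pass rules, then default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if iface.block_private and any(s in net for net in PRIVATE):
        return False
    for r_proto, r_dst in iface.rules:
        if r_proto == proto and (r_dst == "any" or ipaddress.ip_address(r_dst) == d):
            return True
    return False

def next_hop(routes: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Longest-prefix match over (network, next_hop) entries; None when nothing matches."""
    d, best = ipaddress.ip_address(dst), None
    for net, hop in routes:
        n = ipaddress.ip_network(net)
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, hop)
    return best[1] if best else None

def lab() -> dict:
    """The thread's setup (constructed): WAN/DMZ 10.10.10.2/24, gateway 10.10.10.1, PC1 at 10.10.10.20."""
    wan = ipaddress.ip_interface("10.10.10.2/24")
    gw = ipaddress.ip_address("10.10.10.1")
    fresh = Interface("WAN", wan, gateway=gw, block_private=True)                  # factory default
    fixed = Interface("WAN", wan, gateway=gw, rules=[("icmp", "10.10.10.2")])      # the two changes asked for
    typo = Interface("WAN", ipaddress.ip_interface("192.168.1.1/24"), gateway=gw)  # the mislabelled diagram
    upstream = [("10.10.10.0/24", "connected"), ("0.0.0.0/0", "isp")]              # router 10.10.10.1's table
    return {
        "typo_gateway_ok": gateway_ok(typo),                                        # False: gateway off-link
        "fresh_ping": inbound_allowed(fresh, "10.10.10.20", "icmp", "10.10.10.2"),  # False: private src blocked
        "fixed_ping": inbound_allowed(fixed, "10.10.10.20", "icmp", "10.10.10.2"),  # True
        "lan_via_default": next_hop(upstream, "192.168.2.5"),                       # "isp": LAN traffic leaves
        "lan_via_static": next_hop(upstream + [("192.168.2.0/24", "10.10.10.2")], "192.168.2.5"),  # "10.10.10.2"
    }
```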
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.