[RESOLVED] 2.1.5 -> 2.2: devices can't get on WAN but pfSense box can

cphaynes

Hello all.

Upgraded to 2.2 the other day - everything went just fine except for Snort. Left it alone until today; uninstalled / reinstalled Snort; lots of errors in the logs. I decided I'd tackle that later, went to uninstall it - done.

Rebooted the machine for good measure and this is where the problems started. When 2.2 rebooted, no devices can get on the internet any longer. pfSense (the box itself) can ping and resolve "google.com" and "8.8.8.8" just fine. My AutoBackup plugin works just fine - so FQDN's are resolving fine.

Nothing else changed, at all, on the config. Thought about doing a restore but wanted to check here to make sure there wasn't something I was missing first.

I'm using DNS Resolver, forwarding disabled. Checked to make sure a default gateway was selected (WAN was checked).

WAN -> PFS -> vlan 1,2,3 is how the setup looks.

Any advice or things to check would be appreciated. I can post more info on my setup if need be.

Thank you in advance.

cphaynes

Failed to mention that I have tried changing back to DNS Forwarder, without any results. Also tried disabling hardware checksum (based upon advice from another thread); this did not help.

Visseroth

I forget exactly what caused this for me. Check your NAT. Try setting it to manual. Also check to make sure you have a rule on the LAN allowing all traffic in and out. Make sure you don't set it on your WAN because you'll let everything in and out.

Oh yea, in System -> Routing -> Edit your WAN interface and make sure it has a gateway address or is set to "dynamic". If you don't have a gateway you don't have…. Well a gateway, lol

marvosa

Visseroth touched on what I was going to say… System -> Routing and make sure you have a default gateway set, but you've already stated PFsense can resolve DNS and ping.  Your network map is a little vague, are your vlans terminated on PFsense or your switch?

Since we know PFsense has internet, basically you've got a routing, firewall, DNS or NAT issue.  From there it's the usual progression... i.e:

• has anything changed on your network?

• is your dhcp server handing out the right gateway and dns?

• can your clients ping the gateway?

• can your clients ping the DNS server?

• You've stated you have the forwarder disabled, verify your DNS server can ping the gateway (PFsense)

• can your clients ping 8.8.8.8?

• Check your firewall rules, are there any blocks in the logs?

• Check your routing table and verify things are being routed where you expect

• check your outbound NATs, verify there's a NAT for every vlan

• Are you using squid or some other proxy?  disable or uninstall it

• etc, etc

The usual stuff

cphaynes

Thank you all for replying.

It ended up being NAT. I had it set on "Manual" and changed it to "Auto" at some point after the upgrade (didn't need the port forwarding stuff any longer). For reasons beyond my knowledge, the reboot of the server removed all NAT entries (Outbound) on the box. Changing this to a "Hybrid" NAT fixed the issues; placing the proper NAT entries on the system.

Thank you all for your help - I can't thank you enough.