Netgate Discussion Forum

    pfSense won't forward traffic from LAN server to internet

    Category: NAT
    28 Posts 7 Posters 5.2k Views
    Posted by lockheed

      @Supermule:

      Do you have an outbound NAT rule in place for that separate subnet?

      http://i.imgur.com/L5FrSeb.png
      Is that it?

      Posted by gjaltemba

        @lockheed:

        @Supermule:

        Move it above the block all rule and then its fine.

        I don't think I have a block all rule. And if you mean "RFC 1918 networks" and "Reserved/not assigned by IANA", then it is not possible.

        You can try unchecking the box “Block private networks” on the screen Interfaces WAN (at the bottom) and see if that solves your problem.

        Posted by lockheed

          @gjaltemba:

          You can try unchecking the box “Block private networks” on the screen Interfaces WAN (at the bottom) and see if that solves your problem.

          That's one of those things I tried and forgot to mention  :(

          Posted by doktornotor

            Perhaps you could finally look at the firewall logs?!?!?

            Posted by Supermule

              Nope…

              It looks like this...

              Menu -> Firewall -> NAT -> Outbound

              [attachment: outbound_nat.PNG]

              Posted by lockheed

                @doktornotor:

                Perhaps you could finally look at the firewall logs?!?!?

                What am I looking for? I already said I could see nothing related to the IP I am accessing the web server from.

                @Supermule:

                Nope…

                It looks like this...

                Menu -> Firewall -> NAT -> Outbound

                That's what I have:
                http://i.imgur.com/fWWY3XA.png

                Posted by gjaltemba

                  @lockheed:

                  @gjaltemba:

                  You can try unchecking the box “Block private networks” on the screen Interfaces WAN (at the bottom) and see if that solves your problem.

                  That's one of those things I tried and forgot to mention  :(

                  But the screen shot of the firewall rules shows Block private networks is in effect. I am confused.

                  Posted by lockheed

                    @gjaltemba:

                    But the screen shot of the firewall rules shows Block private networks is in effect. I am confused.

                    Because I re-enabled it after I found out it did not change anything. Anyway, now I have it disabled again.

                    Posted by gjaltemba

                      @lockheed:

                      ★ My setup:

                      Host (ArchLinux, nanoBox):
                      Physical interfaces: eth0 (no IP) and wlan0 (hostapd).
                      Virtual interfaces: br0 (static IP 192.168.7.2 assigned with netctl profile)

                      Guest (pfSense inside KVM):
                      Guest interfaces:
                      vtnet0 - bridged to eth0
                      vtnet1 - bridged to br0 (192.168.7.1)

                      My host is also a web server. I do not know if this is good practice, but br0 is the interface through which host services connect to the internet.

                      Does this mean the pfSense WAN interface is assigned to vtnet1, has a static IP of 192.168.7.1, and the pfSense LAN interface is assigned to vtnet0?

                      Posted by lockheed

                        @gjaltemba:

                        Does this mean pfsense WAN interface is assigned to vtnet1, has a static ip of 192.168.7.1 and pfsense LAN interface is assigned to vtnet0?

                        No, the other way around:
                        eth0-WAN-85.x.x.x-vtnet0
                        br0-LAN-192.168.7.1-vtnet1

                        Posted by gjaltemba

                          @lockheed:

                          @gjaltemba:

                          Does this mean pfsense WAN interface is assigned to vtnet1, has a static ip of 192.168.7.1 and pfsense LAN interface is assigned to vtnet0?

                          No, the other way around:
                          eth0-WAN-85.x.x.x-vtnet0
                          br0-LAN-192.168.7.1-vtnet1

                          Does 192.168.7.2 have 192.168.7.1 as gateway? I am guessing not because it has internet with pfsense in shutdown.

                          Posted by lockheed

                            @gjaltemba:

                            Does 192.168.7.2 have 192.168.7.1 as gateway?
                            Yes.
                            @gjaltemba:

                            I am guessing not because it has internet with pfsense in shutdown.

                            No, it doesn't. It only has LAN if I set br0 to static IP. I can then connect to it with my laptop (also with static IP) which connects to hostapd (bridged with br0).

                            Posted by hda

                              @lockheed:

                              …
                              Well, I need my server on the LAN to be accessible from WAN.

                              Test approach: simplify your config, exclude your reliance on aliases & name(s).

                              You probably need:
                              [Firewall: NAT: Port Forward] with a rule like:
                              WAN TCP * * WAN address 80 192.168.x.y 80

                              Posted by lockheed

                                @hda:

                                Test approach: simplify your config, exclude your reliance on aliases & name(s).

                                Thanks, but
                                @lockheed:

                                (nanoBox alias is assigned to 192.168.7.2 ip. Replacing alias with the ip itself makes no difference)

                                I have a new find that might shed some light on the source of the problem.

                                When I am on the host, pinging google.com works BUT going to google.com in a browser or with wget does not. In fact, no URL address works at all in any other capacity than PING.

                                Posted by Supermule

                                  Change your outbound nat for the subnet to include UDP as well.

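The two NAT tables the thread has been circling (hda's port-forward row "WAN TCP * * WAN address 80 192.168.x.y 80" and Supermule's advice to widen the outbound mapping beyond TCP) can be modelled as first-match rule evaluation. The block below is an added example written for this page, not pfSense code and not anything a poster provided. The LAN network 192.168.7.0/24 and host 192.168.7.2 are taken from the thread; 85.0.0.1 is a constructed stand-in for the poster's 85.x.x.x WAN address, and the remote addresses are documentation-range placeholders.

```python
"""First-match evaluation of pfSense-style NAT tables (added example, not pfSense code).

Models the two tables discussed in the thread:
  * Firewall > NAT > Outbound: which source networks leaving WAN get their source
    address rewritten, and for which protocols (the GUI "Protocol" column);
  * Firewall > NAT > Port Forward: "WAN TCP * * WAN address 80 192.168.x.y 80".
192.168.7.0/24 and 192.168.7.2 are from the thread; 85.0.0.1 is a constructed
placeholder for the poster's 85.x.x.x WAN address.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

ANY = "*"


@dataclass(frozen=True)
class Flow:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # None for ICMP, which has no port


@dataclass(frozen=True)
class OutboundNat:
    interface: str           # egress interface the mapping applies to
    source: str              # source network, CIDR
    protos: FrozenSet[str]   # {"tcp"} for a TCP-only row, {ANY} for "any"
    nat_address: str         # "WAN address" resolved to the interface IP


@dataclass(frozen=True)
class PortForward:
    interface: str
    proto: str
    dst: str                 # "WAN address" resolved, or ANY
    dport: int
    redirect_ip: str
    redirect_port: int


def outbound_translate(rules, flow, egress_if):
    """First matching mapping wins; None means the packet leaves untranslated."""
    for r in rules:
        if r.interface != egress_if:
            continue
        if ip_address(flow.src) not in ip_network(r.source):
            continue
        if ANY not in r.protos and flow.proto not in r.protos:
            continue
        return r.nat_address
    return None


def port_forward(rules, flow, ingress_if):
    """First matching forward wins; returns (ip, port) or None."""
    for r in rules:
        if r.interface != ingress_if:
            continue
        if r.proto != ANY and r.proto != flow.proto:
            continue
        if r.dst != ANY and r.dst != flow.dst:
            continue
        if r.dport != flow.dport:
            continue
        return (r.redirect_ip, r.redirect_port)
    return None


WAN_IP = "85.0.0.1"  # constructed stand-in for the poster's 85.x.x.x
TCP_ONLY = [OutboundNat("wan", "192.168.7.0/24", frozenset({"tcp"}), WAN_IP)]
ALL_PROTO = [OutboundNat("wan", "192.168.7.0/24", frozenset({ANY}), WAN_IP)]
FORWARDS = [PortForward("wan", "tcp", WAN_IP, 80, "192.168.7.2", 80)]


def demo():
    """Evaluate the flows a LAN host and an outside client would generate."""
    dns = Flow("udp", "192.168.7.2", "198.51.100.53", 53)      # constructed
    http = Flow("tcp", "192.168.7.2", "192.0.2.80", 80)        # constructed
    ping = Flow("icmp", "192.168.7.2", "198.51.100.53")        # constructed
    other_net = Flow("tcp", "192.168.11.13", "192.0.2.80", 80)  # not in the /24
    inbound = Flow("tcp", "203.0.113.9", WAN_IP, 80)           # outside client
    return {
        "tcp_only/dns": outbound_translate(TCP_ONLY, dns, "wan"),
        "tcp_only/http": outbound_translate(TCP_ONLY, http, "wan"),
        "tcp_only/ping": outbound_translate(TCP_ONLY, ping, "wan"),
        "all/dns": outbound_translate(ALL_PROTO, dns, "wan"),
        "all/other_net": outbound_translate(ALL_PROTO, other_net, "wan"),
        "forward/http": port_forward(FORWARDS, inbound, "wan"),
        "forward/https": port_forward(FORWARDS, Flow("tcp", "203.0.113.9", WAN_IP, 443), "wan"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the TCP-only mapping, UDP (DNS) and ICMP from 192.168.7.2 leave WAN with their private source address, which upstream will drop; the "any" mapping translates all three. The port-forward row only catches TCP/80 to the WAN address, so 443 falls through, and a source network outside the /24 is never translated by either table.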
                                  Posted by lockheed

                                    @Supermule:

                                    Change your outbound nat for the subnet to include UDP as well.

                                    Like so? http://i.imgur.com/4jgDqJj.png
                                    It didn't help.

                                    Also, please remember that those issues are experienced only on the host of the pfSense VM. Every other pfSense-managed LAN client works just fine.

                                    Posted by doktornotor

                                      @lockheed:

                                      @Supermule:

                                      Change your outbound nat for the subnet to include UDP as well.

                                      Like so? http://i.imgur.com/4jgDqJj.png
                                      It didn't help.

                                      There is nothing useful visible there at all regarding protocol. (And please, learn to use the IMG tag.)

                                      Posted by lockheed

                                        @doktornotor:

                                        There is nothing useful visible there at all regarding protocol. (And please, learn to use the IMG tag.)

                                        I selected ALL protocols. As for IMG, I am giving links to images because I did not want to clutter the thread with auto-displaying images.

                                        Posted by lockheed

                                          I just created an identical pfSense on VirtualBox and cloned the config on it. Everything works fine.

                                          Here's the ifconfig of the KVM setup:

                                          ifconfig 
                                          br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                                                  inet 192.168.7.2  netmask 255.255.255.0  broadcast 192.168.7.255
                                                  inet6 fe80::4ccb:a9ff:feb7:5617  prefixlen 64  scopeid 0x20<link>
                                                  ether a0:88:69:0d:5c:41  txqueuelen 0  (Ethernet)
                                                  RX packets 2825  bytes 330247 (322.5 KiB)
                                                  RX errors 0  dropped 0  overruns 0  frame 0
                                                  TX packets 3339  bytes 802554 (783.7 KiB)
                                                  TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

                                          enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                                                  inet6 fe80::5ea1:75a3:7d46:befd  prefixlen 64  scopeid 0x20<link>
                                                  ether 00:90:27:77:fb:02  txqueuelen 1000  (Ethernet)
                                                  RX packets 223027  bytes 20719723 (19.7 MiB)
                                                  RX errors 0  dropped 178  overruns 0  frame 0
                                                  TX packets 6747  bytes 2101069 (2.0 MiB)
                                                  TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

                                          lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
                                                  inet 127.0.0.1  netmask 255.0.0.0
                                                  inet6 ::1  prefixlen 128  scopeid 0x10<host>
                                                  loop  txqueuelen 0  (Local Loopback)
                                                  RX packets 12388  bytes 1341938 (1.2 MiB)
                                                  RX errors 0  dropped 0  overruns 0  frame 0
                                                  TX packets 12388  bytes 1341938 (1.2 MiB)
                                                  TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

                                          macvtap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                                                  inet6 fe80::26f4:1e55:97a0:c0cb  prefixlen 64  scopeid 0x20<link>
                                                  ether 00:90:27:77:fb:02  txqueuelen 500  (Ethernet)
                                                  RX packets 217268  bytes 20328935 (19.3 MiB)
                                                  RX errors 8919  dropped 8919  overruns 0  frame 0
                                                  TX packets 6620  bytes 2073711 (1.9 MiB)
                                                  TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

                                          vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                                                  inet6 fe80::5d6b:398c:6b44:d602  prefixlen 64  scopeid 0x20<link>
                                                  ether fe:54:00:6f:2e:15  txqueuelen 500  (Ethernet)
                                                  RX packets 4558  bytes 4062075 (3.8 MiB)
                                                  RX errors 0  dropped 0  overruns 0  frame 0
                                                  TX packets 4583  bytes 624983 (610.3 KiB)
                                                  TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

                                          wlp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                                                  inet6 fe80::6e57:fe92:1321:1521  prefixlen 64  scopeid 0x20<link>
                                                  ether a0:88:69:0d:5c:41  txqueuelen 1000  (Ethernet)
                                                  RX packets 6040  bytes 811010 (792.0 KiB)
                                                  RX errors 0  dropped 0  overruns 0  frame 0
                                                  TX packets 7038  bytes 4986969 (4.7 MiB)
                                                  TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
                                          

                                          and of the much cleaner and, more importantly, working VirtualBox setup:

                                          # ifconfig 
                                          br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                                                  inet 192.168.7.2  netmask 255.255.255.0  broadcast 192.168.7.255
                                                  inet6 fe80::a288:69ff:fe0d:5c41  prefixlen 64  scopeid 0x20<link>
                                                  ether a0:88:69:0d:5c:41  txqueuelen 0  (Ethernet)
                                                  RX packets 4999  bytes 1686341 (1.6 MiB)
                                                  RX errors 0  dropped 0  overruns 0  frame 0
                                                  TX packets 9269  bytes 2203282 (2.1 MiB)
                                                  TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

                                          enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                                                  inet 192.168.11.13  netmask 255.255.255.0  broadcast 192.168.11.255
                                                  inet6 fe80::201:2eff:fe4e:4b99  prefixlen 64  scopeid 0x20<link>
                                                  ether 00:01:2e:4e:4b:99  txqueuelen 1000  (Ethernet)
                                                  RX packets 175668  bytes 58689989 (55.9 MiB)
                                                  RX errors 0  dropped 35  overruns 0  frame 0
                                                  TX packets 33594  bytes 2862399 (2.7 MiB)
                                                  TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

                                          lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
                                                  inet 127.0.0.1  netmask 255.0.0.0
                                                  inet6 ::1  prefixlen 128  scopeid 0x10<host>
                                                  loop  txqueuelen 0  (Local Loopback)
                                                  RX packets 44600  bytes 11957420 (11.4 MiB)
                                                  RX errors 0  dropped 0  overruns 0  frame 0
                                                  TX packets 44600  bytes 11957420 (11.4 MiB)
                                                  TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

                                          wlp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                                                  inet6 fe80::a288:69ff:fe0d:5c41  prefixlen 64  scopeid 0x20<link>
                                                  ether a0:88:69:0d:5c:41  txqueuelen 1000  (Ethernet)
                                                  RX packets 4400  bytes 1698452 (1.6 MiB)
                                                  RX errors 0  dropped 0  overruns 0  frame 0
                                                  TX packets 8264  bytes 2315002 (2.2 MiB)
                                                  TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
                                          

                                          So it looks like KVM is not suitable for hosting a pfSense VM if the host machine is required to have access to the internet. It is a shame, as I was hoping for KVM to be not just working, but a superior solution.

                                          Can someone move this thread to Virtualization?

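The post above compares two ifconfig dumps by eye. As an added example for this page (my code, not the poster's and not part of pfSense or KVM), here is a small parser that does that comparison mechanically over a trimmed copy of the two dumps. Addresses, MACs and RX counters in the embedded samples are the ones posted; the trimming to four and two interfaces is mine. It reports the things a reviewer would check first: interfaces with RX errors or drops, UP interfaces without an IPv4 address, a MAC address used by two interfaces, and interfaces present in only one dump.

```python
"""Parse and compare net-tools style ifconfig dumps (added example, not from the thread).

The sample text is a trimmed copy of the two dumps posted above: addresses, MACs
and counters are the posted ones; lines not needed here were cut.
"""
import re
from collections import defaultdict

KVM_IFCONFIG = """\
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.7.2  netmask 255.255.255.0  broadcast 192.168.7.255
        ether a0:88:69:0d:5c:41  txqueuelen 0  (Ethernet)
        RX errors 0  dropped 0  overruns 0  frame 0

enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:90:27:77:fb:02  txqueuelen 1000  (Ethernet)
        RX errors 0  dropped 178  overruns 0  frame 0

macvtap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:90:27:77:fb:02  txqueuelen 500  (Ethernet)
        RX errors 8919  dropped 8919  overruns 0  frame 0

vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether fe:54:00:6f:2e:15  txqueuelen 500  (Ethernet)
        RX errors 0  dropped 0  overruns 0  frame 0
"""

VBOX_IFCONFIG = """\
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.7.2  netmask 255.255.255.0  broadcast 192.168.7.255
        ether a0:88:69:0d:5c:41  txqueuelen 0  (Ethernet)
        RX errors 0  dropped 0  overruns 0  frame 0

enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.11.13  netmask 255.255.255.0  broadcast 192.168.11.255
        ether 00:01:2e:4e:4b:99  txqueuelen 1000  (Ethernet)
        RX errors 0  dropped 35  overruns 0  frame 0
"""

IFACE_RE = re.compile(r"^(\S+): flags=\d+<([^>]*)>\s+mtu (\d+)")
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+)")
ETHER_RE = re.compile(r"^\s+ether ([0-9a-f:]{17})")
RXERR_RE = re.compile(r"^\s+RX errors (\d+)\s+dropped (\d+)")


def parse_ifconfig(text):
    """Return {name: {flags, mtu, inet, ether, rx_errors, rx_dropped}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            cur = {"flags": set(m.group(2).split(",")), "mtu": int(m.group(3)),
                   "inet": None, "ether": None, "rx_errors": 0, "rx_dropped": 0}
            ifaces[m.group(1)] = cur
        elif cur is None:
            continue
        elif m := INET_RE.match(line):
            cur["inet"] = m.group(1)
        elif m := ETHER_RE.match(line):
            cur["ether"] = m.group(1)
        elif m := RXERR_RE.match(line):
            cur["rx_errors"], cur["rx_dropped"] = int(m.group(1)), int(m.group(2))
    return ifaces


def findings(ifaces):
    """Things to look at first: drops/errors, UP without IPv4, MACs used twice."""
    out, by_mac = defaultdict(list), defaultdict(list)
    for name, i in ifaces.items():
        if i["ether"]:
            by_mac[i["ether"]].append(name)
        if i["rx_errors"] or i["rx_dropped"]:
            out[name].append(f"RX errors={i['rx_errors']} dropped={i['rx_dropped']}")
        if "UP" in i["flags"] and i["inet"] is None and "LOOPBACK" not in i["flags"]:
            out[name].append("up with no IPv4 address")
    # A bridge taking a member's MAC is normal; a macvtap carrying its parent
    # NIC's MAC is a cue to check which macvtap mode the guest is attached in.
    for mac, names in by_mac.items():
        if len(names) > 1:
            out[",".join(sorted(names))].append(f"shared MAC {mac}")
    return dict(out)


def compare(first, second):
    """Interfaces present in only one dump, or whose IPv4 address differs."""
    diffs = {}
    for name in sorted(set(first) | set(second)):
        if name not in first or name not in second:
            diffs[name] = "only in " + ("first" if name in first else "second")
        elif first[name]["inet"] != second[name]["inet"]:
            diffs[name] = f"inet {first[name]['inet']} vs {second[name]['inet']}"
    return diffs


if __name__ == "__main__":
    kvm, vbox = parse_ifconfig(KVM_IFCONFIG), parse_ifconfig(VBOX_IFCONFIG)
    for name, notes in findings(kvm).items():
        print(f"{name}: {'; '.join(notes)}")
    for name, diff in compare(kvm, vbox).items():
        print(f"{name}: {diff}")
```

On the posted KVM dump this surfaces macvtap0 with 8919 RX errors and drops, macvtap0 carrying the same MAC as enp2s0, and enp2s0 itself having no IPv4 address; the comparison then shows macvtap0 and vnet0 absent from the VirtualBox dump and enp2s0 holding 192.168.11.13 there. Those are the concrete differences behind the "KVM vs VirtualBox" conclusion in the post, and the place to start if someone wants to keep the KVM build.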
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.