Netgate Discussion Forum

    PfSense won't forward traffic from LAN server to internet

    • D
      doktornotor Banned
      last edited by

      Perhaps you could finally look at the firewall logs?!?!?

      • S
        Supermule Banned
        last edited by

        Nope…

        It looks like this...

        Menu -> Firewall -> NAT -> Outbound

        outbound_nat.PNG

        • L
          lockheed
          last edited by

          @doktornotor:

          Perhaps you could finally look at the firewall logs?!?!?

          What am I looking for? I already said I could see nothing related to the IP I am accessing the web server from.

          @Supermule:

          Nope…

          It looks like this...

          Menu -> Firewall -> NAT -> Outbound

          That's what I have:
          http://i.imgur.com/fWWY3XA.png

          • G
            gjaltemba
            last edited by

            @lockheed:

            @gjaltemba:

            You can try unchecking the box “Block private networks” on the screen Interfaces WAN (at the bottom) and see if that solves your problem.

            That's one of those things I tried and forgot to mention  :(

            But the screen shot of the firewall rules shows Block private networks is in effect. I am confused.

            • L
              lockheed
              last edited by

              @gjaltemba:

              But the screen shot of the firewall rules shows Block private networks is in effect. I am confused.

              Because I re-enabled it after I found out it did not change anything. Anyway, now I have it disabled again.

              • G
                gjaltemba
                last edited by

                @lockheed:

                ★ My setup:

                Host (ArchLinux, nanoBox):
                Physical interfaces: with eth0 (no ip) and wlan0 (hostapd).
                Virtual interfaces: br0 (static IP 192.168.7.2 assigned with netctl profile)

                Guest (pfSense inside KVM):
                Guest interfaces:
                vtnet0 - bridged to eth0
                vtnet1 - bridged to br0 (192.168.7.1)

                My Host is also a web server. I do not know if this is good practice, but br0 is the interface with which host services connect to internet.

                Does this mean pfsense WAN interface is assigned to vtnet1, has a static ip of 192.168.7.1 and pfsense LAN interface is assigned to vtnet0?

                • L
                  lockheed
                  last edited by

                  @gjaltemba:

                  Does this mean pfsense WAN interface is assigned to vtnet1, has a static ip of 192.168.7.1 and pfsense LAN interface is assigned to vtnet0?

                  No, the other way around:
                  eth0-WAN-85.x.x.x-vtnet0
                  br0-LAN-192.168.7.1-vtnet1

                  • G
                    gjaltemba
                    last edited by

                    @lockheed:

                    @gjaltemba:

                    Does this mean pfsense WAN interface is assigned to vtnet1, has a static ip of 192.168.7.1 and pfsense LAN interface is assigned to vtnet0?

                    No, the other way around:
                    eth0-WAN-85.x.x.x-vtnet0
                    br0-LAN-192.168.7.1-vtnet1

                    Does 192.168.7.2 have 192.168.7.1 as gateway? I am guessing not because it has internet with pfsense in shutdown.

                    • L
                      lockheed
                      last edited by

                      @gjaltemba:

                      Does 192.168.7.2 have 192.168.7.1 as gateway?

                      Yes.

                      @gjaltemba:

                      I am guessing not because it has internet with pfsense in shutdown.

                      No, it doesn't. It only has LAN if I set br0 to static IP. I can then connect to it with my laptop (also with static IP) which connects to hostapd (bridged with br0).

                      • H
                        hda
                        last edited by

                        @lockheed:

                        …
                        Well, I need my server on the LAN to be accessible from WAN.

                        Test approach: simplify your config, exclude your reliance on aliases & name(s).

                        You need probably:
                        [Firewall: NAT: Port Forward] with a rule like:
                        WAN TCP * * WAN address 80 192.168.x.y 80

                        • L
                          lockheed
                          last edited by

                          @hda:

                          Test approach: simplify your config, exclude your reliance on aliases & name(s).

                          Thanks, but
                          @lockheed:

                          (nanoBox alias is assigned to 192.168.7.2 ip. Replacing alias with the ip itself makes no difference)

                          I have a new find that might shed some light on the source of the problem.

                          When I am on the host, pinging google.com works BUT going to google.com in a browser or with wget does not. In fact, no URL address works at all in any other capacity than PING.

                          • S
                            Supermule Banned
                            last edited by

                            Change your outbound nat for the subnet to include UDP as well.

                            • L
                              lockheed
                              last edited by

                              @Supermule:

                              Change your outbound nat for the subnet to include UDP as well.

                              Like so? http://i.imgur.com/4jgDqJj.png
                              It didn't help.

                              Also, please remember that those issues are experienced only on the Host of the pfSense VM. Every other pfSense managed LAN client works just fine.

                              • D
                                doktornotor Banned
                                last edited by

                                @lockheed:

                                @Supermule:

                                Change your outbound nat for the subnet to include UDP as well.

                                Like so? http://i.imgur.com/4jgDqJj.png
                                It didn't help.

                                There is nothing useful visible there at all regarding protocol. (And please, learn to use the IMG tag.)

                                • L
                                  lockheed
                                  last edited by

                                  @doktornotor:

                                  There is nothing useful visible there at all regarding protocol. (And please, learn to use the IMG tag.)

                                  I selected ALL protocols. As for IMG, I am giving links to images because I did not want to clutter the thread with auto-displaying images.

                                  • L
                                    lockheed
                                    last edited by

                                    I just created an identical pfSense on VirtualBox and cloned the config on it. Everything works fine.

                                    Here's the ifconfig of KVM setup:

                                    ifconfig
                                    br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                                            inet 192.168.7.2  netmask 255.255.255.0  broadcast 192.168.7.255
                                            inet6 fe80::4ccb:a9ff:feb7:5617  prefixlen 64  scopeid 0x20<link>
                                            ether a0:88:69:0d:5c:41  txqueuelen 0  (Ethernet)
                                            RX packets 2825  bytes 330247 (322.5 KiB)
                                            RX errors 0  dropped 0  overruns 0  frame 0
                                            TX packets 3339  bytes 802554 (783.7 KiB)
                                            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

                                    enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                                            inet6 fe80::5ea1:75a3:7d46:befd  prefixlen 64  scopeid 0x20<link>
                                            ether 00:90:27:77:fb:02  txqueuelen 1000  (Ethernet)
                                            RX packets 223027  bytes 20719723 (19.7 MiB)
                                            RX errors 0  dropped 178  overruns 0  frame 0
                                            TX packets 6747  bytes 2101069 (2.0 MiB)
                                            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

                                    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
                                            inet 127.0.0.1  netmask 255.0.0.0
                                            inet6 ::1  prefixlen 128  scopeid 0x10<host>
                                            loop  txqueuelen 0  (Local Loopback)
                                            RX packets 12388  bytes 1341938 (1.2 MiB)
                                            RX errors 0  dropped 0  overruns 0  frame 0
                                            TX packets 12388  bytes 1341938 (1.2 MiB)
                                            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

                                    macvtap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                                            inet6 fe80::26f4:1e55:97a0:c0cb  prefixlen 64  scopeid 0x20<link>
                                            ether 00:90:27:77:fb:02  txqueuelen 500  (Ethernet)
                                            RX packets 217268  bytes 20328935 (19.3 MiB)
                                            RX errors 8919  dropped 8919  overruns 0  frame 0
                                            TX packets 6620  bytes 2073711 (1.9 MiB)
                                            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

                                    vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                                            inet6 fe80::5d6b:398c:6b44:d602  prefixlen 64  scopeid 0x20<link>
                                            ether fe:54:00:6f:2e:15  txqueuelen 500  (Ethernet)
                                            RX packets 4558  bytes 4062075 (3.8 MiB)
                                            RX errors 0  dropped 0  overruns 0  frame 0
                                            TX packets 4583  bytes 624983 (610.3 KiB)
                                            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

                                    wlp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                                            inet6 fe80::6e57:fe92:1321:1521  prefixlen 64  scopeid 0x20<link>
                                            ether a0:88:69:0d:5c:41  txqueuelen 1000  (Ethernet)
                                            RX packets 6040  bytes 811010 (792.0 KiB)
                                            RX errors 0  dropped 0  overruns 0  frame 0
                                            TX packets 7038  bytes 4986969 (4.7 MiB)
                                            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
                                    

                                    and of a much cleaner, and - more importantly - working VirtualBox setup:

                                    # ifconfig
                                    br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                                            inet 192.168.7.2  netmask 255.255.255.0  broadcast 192.168.7.255
                                            inet6 fe80::a288:69ff:fe0d:5c41  prefixlen 64  scopeid 0x20<link>
                                            ether a0:88:69:0d:5c:41  txqueuelen 0  (Ethernet)
                                            RX packets 4999  bytes 1686341 (1.6 MiB)
                                            RX errors 0  dropped 0  overruns 0  frame 0
                                            TX packets 9269  bytes 2203282 (2.1 MiB)
                                            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

                                    enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                                            inet 192.168.11.13  netmask 255.255.255.0  broadcast 192.168.11.255
                                            inet6 fe80::201:2eff:fe4e:4b99  prefixlen 64  scopeid 0x20<link>
                                            ether 00:01:2e:4e:4b:99  txqueuelen 1000  (Ethernet)
                                            RX packets 175668  bytes 58689989 (55.9 MiB)
                                            RX errors 0  dropped 35  overruns 0  frame 0
                                            TX packets 33594  bytes 2862399 (2.7 MiB)
                                            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

                                    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
                                            inet 127.0.0.1  netmask 255.0.0.0
                                            inet6 ::1  prefixlen 128  scopeid 0x10<host>
                                            loop  txqueuelen 0  (Local Loopback)
                                            RX packets 44600  bytes 11957420 (11.4 MiB)
                                            RX errors 0  dropped 0  overruns 0  frame 0
                                            TX packets 44600  bytes 11957420 (11.4 MiB)
                                            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

                                    wlp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
                                            inet6 fe80::a288:69ff:fe0d:5c41  prefixlen 64  scopeid 0x20<link>
                                            ether a0:88:69:0d:5c:41  txqueuelen 1000  (Ethernet)
                                            RX packets 4400  bytes 1698452 (1.6 MiB)
                                            RX errors 0  dropped 0  overruns 0  frame 0
                                            TX packets 8264  bytes 2315002 (2.2 MiB)
                                            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
                                    

                                    So it looks like KVM is not suitable for hosting pfSense VM if host machine is required to have access to the internet. It is a shame as I was hoping for KVM to be not just working, but a superior solution.

                                    Can someone move this thread to Virtualization?

                                    1 Reply Last reply Reply Quote 0
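
Added example, not part of the original thread: a small Python parser that compares the two ifconfig dumps in the last post and reports the interfaces present only in the KVM setup, MAC addresses carried by more than one interface, and non-zero RX error or drop counters. The input is an abridged copy of the posted output (MAC and RX lines only, lo and wlp1s0 left out); the names `parse` and `compare` are hypothetical.

```python
import re
# Abridged from the two dumps in the post: interface header, MAC and RX error lines only.
KVM = """\
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether a0:88:69:0d:5c:41  txqueuelen 0  (Ethernet)
        RX errors 0  dropped 0  overruns 0  frame 0
enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:90:27:77:fb:02  txqueuelen 1000  (Ethernet)
        RX errors 0  dropped 178  overruns 0  frame 0
macvtap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:90:27:77:fb:02  txqueuelen 500  (Ethernet)
        RX errors 8919  dropped 8919  overruns 0  frame 0
vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether fe:54:00:6f:2e:15  txqueuelen 500  (Ethernet)
        RX errors 0  dropped 0  overruns 0  frame 0
"""
VBOX = """\
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether a0:88:69:0d:5c:41  txqueuelen 0  (Ethernet)
        RX errors 0  dropped 0  overruns 0  frame 0
enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:01:2e:4e:4b:99  txqueuelen 1000  (Ethernet)
        RX errors 0  dropped 35  overruns 0  frame 0
"""

def parse(dump):
    """Return {ifname: {"mac": str or None, "rx": (errors, dropped)}}."""
    ifaces, cur = {}, None
    for line in dump.splitlines():
        m = re.match(r"(\S+): flags=", line)  # header lines start in column 0
        if m:
            cur = ifaces.setdefault(m.group(1), {"mac": None, "rx": (0, 0)})
        elif cur is not None and (m := re.search(r"ether ([0-9a-f:]{17})", line)):
            cur["mac"] = m.group(1)
        elif cur is not None and (m := re.search(r"RX errors (\d+)\s+dropped (\d+)", line)):
            cur["rx"] = (int(m.group(1)), int(m.group(2)))
    return ifaces

def compare(broken, working):
    b, w = parse(broken), parse(working)
    macs = {}
    for name, info in b.items():
        macs.setdefault(info["mac"], []).append(name)
    return {
        "only_in_broken": sorted(set(b) - set(w)),
        "shared_mac": {m: n for m, n in macs.items() if len(n) > 1},
        "rx_problems": {n: i["rx"] for n, i in b.items() if any(i["rx"])},
    }
print(compare(KVM, VBOX))
```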