Netgate Discussion Forum

    Help, cant get traffic out of FW.

    General pfSense Questions
    15 Posts 6 Posters 1.6k Views

      heper

      Stop configuring and see if you get a default install working. It should work out of the box.
      If that works, figure out what you did wrong.

      It's probably a routing, firewall or NAT issue ::::: too little info to help you.

        doktornotor Banned

        Also, WTH is trust/untrust. You have LAN interface IP assigned by DHCP?  :o

          ibby

          @heper:

          Stop configuring and see if you get a default install working. It should work out of the box.
          If that works, figure out what you did wrong.

          It's probably a routing, firewall or NAT issue ::::: too little info to help you.

          I have two port forwarding rules configured:

          1 x Dest. address = WAN
          Dest port 53
          NAT IP 10.5.5.51 NATP 53

          The other one the same for port 8.

          Routes are:

          default gateway 69.194.177.225
          10.5.5.0/24 link#2 em1
          10.5.5.1/24 link#2 lo0
          69.194.177.224/29 em0
          69.194.177.277 link#1 lo0
          127.0.01 link#5 lo0

            ibby

            @doktornotor:

            Also, WTH is trust/untrust. You have LAN interface IP assigned by DHCP?  :o

            What I meant to say:
            I have static IP addresses assigned to untrust and trust.
            Trust IP interface is 10.5.5.1 / dfg is the same.
            This IP interface / subnet /24 255.255.255.0.
            I have a DHCP scope running on the LAN / TRUST interface from 10.5.5.50 > 10.5.5.100.
            :)

              stephenw10 Netgate Administrator

              If you can't ping from LAN via Diagnostics but can from WAN then NAT is not working. Most likely cause there (if you haven't disabled it) is that the gateway is not actually assigned on the WAN interface but simply added in System > Routing.

              Steve

                ibby

                @heper:

                Stop configuring and see if you get a default install working. It should work out of the box.
                If that works, figure out what you did wrong.

                It's probably a routing, firewall or NAT issue ::::: too little info to help you.

                In addition to that, I have
                two FW rules allowing WAN to LAN / UNTRUST to TRUST for 53 and 80.

                  ibby

                  @stephenw10:

                  If you can't ping from LAN via Diagnostics but can from WAN then NAT is not working. Most likely cause there (if you haven't disabled it) is that the gateway is not actually assigned on the WAN interface but simply added in System > Routing.

                  Steve

                  Hi,

                  I have already checked in the "gateways section".
                  I have 2:
                  GW_WAN > WAN > 69.197.177.225 > MP IP 69.197.177.255
                  LAN+GW > LAN > 10.5.5.1 > MP IP 10.5.5.1

                    ptt Rebel Alliance

                    Why do you have a "GW" on LAN?

                      ibby

                      @ptt:

                      Why do you have a "GW" on LAN?

                      When I originally configured it I made a typo on the LAN gateway IP.
                      So I deleted the original entry and inserted this one.
                      (I found via packet trace it was sending traffic to 10.5.5.11, and not 10.5.5.5.1.)

                        doktornotor Banned

                        You should have NO gateway whatsoever on LAN. Read the notes in the GUI. There was really a reason I asked about the trust/untrust thing and about what's actually LAN and WAN there…

                          ibby

                          That was it!

                          I was trying to configure it as a NetScreen / Juniper!  ;D

                            heper

                            @ibby:

                            That was it!

                            I was trying to configure it as a NetScreen / Juniper!  ;D

                            So NetScreen / Juniper works with invalid configurations then? Neat feature.

                              ibby

                              @heper:

                              @ibby:

                              That was it!

                              I was trying to configure it as a NetScreen / Juniper!  ;D

                              So NetScreen / Juniper works with invalid configurations then? Neat feature.

                              It's not an invalid config.

                              You still need to set an IP address for the interface to route out.

                              E.g. on the Juniper you don't have an "any any" rule set; you have to set the protocols to go out of the zones / interfaces.

                              I was assuming when I was setting up the pfSense firewall the gateway would actually be "route anything 10.5.5.1/24 through 10.5.5.1 gateway" and then route through the external WAN interface.

                                Derelict LAYER 8 Netgate

                                "route anything 10.5.5.1/24 through 10.5.5.1 gateway"

                                There might be some terminology misunderstandings with pass vs route.  For example, that looks a lot like the default LAN pass any any rule in pfSense:

                                Pass IPv4 any source LAN net dest any any

                                Note that rule would typically be on an interface with a 10.5.5.1 address.

                                The actual route for that traffic is the default gateway setting on the hosts on 10.5.5.1/24.  And even then, the route isn't for traffic to 10.5.5.0/24, since that's the local subnet.

                                Chattanooga, Tennessee, USA
                                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                Do Not Chat For Help! NO_WAN_EGRESS(TM)

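Taken together, stephenw10's and doktornotor's point (a gateway belongs on the WAN-type interface only, never on LAN, and it must be assigned on the interface rather than just listed under System > Routing) and Derelict's point (a pass rule is not a route, and the directly connected subnet never needs one) can be turned into a small configuration lint. The following is an added example written for this thread, not code from the forum post or from pfSense itself; the dictionary layout with its "role" field, the sample routing table text, and the WAN address 69.194.177.230 are constructed for illustration (the thread only gives the /29 and the .225 gateway).

```python
import ipaddress

# Constructed sample modelled on the routing table quoted in the thread.
# The "69.194.177.277" and "127.0.01" entries are kept exactly as posted
# so the lint has something to catch.
SAMPLE_ROUTES = """\
default gateway 69.194.177.225
10.5.5.0/24 link#2 em1
10.5.5.1/24 link#2 lo0
69.194.177.224/29 em0
69.194.177.277 link#1 lo0
127.0.01 link#5 lo0
"""

# Constructed interface descriptions in a hypothetical layout (not pfSense's
# own config format).  "role" says whether the interface faces upstream
# ("wan") or a local network ("lan").  The WAN address .230 is an assumption.
AS_POSTED = {
    "WAN": {"ip": "69.194.177.230/29", "gateway": "69.194.177.225", "role": "wan"},
    "LAN": {"ip": "10.5.5.1/24", "gateway": "10.5.5.1", "role": "lan"},
}
CORRECTED = {
    "WAN": {"ip": "69.194.177.230/29", "gateway": "69.194.177.225", "role": "wan"},
    "LAN": {"ip": "10.5.5.1/24", "gateway": None, "role": "lan"},
}


def check_interfaces(interfaces):
    """Return (interface, message) findings for gateway misuse.

    Rules taken from the thread: a LAN-type interface must carry no gateway;
    a WAN-type interface must have one assigned; a gateway that equals the
    interface's own address, or lies outside its subnet, is not a next hop.
    """
    findings = []
    for name, cfg in interfaces.items():
        iface = ipaddress.ip_interface(cfg["ip"])
        gw = cfg.get("gateway")
        if cfg["role"] == "lan" and gw is not None:
            findings.append((name, "LAN-type interface must not have a gateway assigned"))
        if cfg["role"] == "wan" and gw is None:
            findings.append((name, "WAN-type interface has no gateway assigned on the interface"))
        if gw is not None:
            gw_addr = ipaddress.ip_address(gw)
            if gw_addr == iface.ip:
                findings.append((name, f"gateway {gw} is the interface's own address"))
            elif gw_addr not in iface.network:
                findings.append((name, f"gateway {gw} is not inside {iface.network}"))
    return findings


def check_routes(route_text):
    """Parse 'destination ...' lines and flag malformed or mis-specified entries.

    A destination written with host bits set (10.5.5.1/24) is a sign the
    interface address was confused with the connected subnet (10.5.5.0/24).
    """
    findings = []
    for line in route_text.strip().splitlines():
        parts = line.split()
        dest = parts[0]
        if dest == "default":
            # The next hop is the last token in the sample layout above.
            try:
                ipaddress.ip_address(parts[-1])
            except ValueError:
                findings.append((dest, f"malformed default gateway {parts[-1]}"))
            continue
        try:
            entry = ipaddress.ip_interface(dest)  # accepts a.b.c.d or a.b.c.d/len
        except ValueError:
            findings.append((dest, "malformed address"))
            continue
        if entry.ip != entry.network.network_address:
            findings.append((dest, f"host bits set; the connected subnet is {entry.network}"))
    return findings


if __name__ == "__main__":
    for name, msg in check_interfaces(AS_POSTED):
        print(f"{name}: {msg}")
    for dest, msg in check_routes(SAMPLE_ROUTES):
        print(f"{dest}: {msg}")
    print("corrected config findings:", check_interfaces(CORRECTED))
```

Run against the configuration as posted, the LAN interface is flagged twice (a gateway is present, and it is the interface's own 10.5.5.1), while the corrected dictionary with no LAN gateway produces no findings; the route check flags 10.5.5.1/24 as a host address masquerading as a subnet and rejects the two unparseable entries.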
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.