Netgate Discussion Forum
Help, can't get traffic out of FW.

General pfSense Questions (15 posts, 6 posters, 1.6k views)
ibby:

@heper:

    stop configuring and see if you get a default install working. it should work out of the box.
    if that works, figure out what you did wrong.

    it's probably a routing, firewall or NAT issue ::::: too little info to help you

I have two port forwarding rules configured:

1 x Dest. address = WAN
Dest port 53
NAT IP 10.5.5.51, NAT ports 53

The other one is the same for port 8

Routes are:

default gateway 69.194.177.225
10.5.5.0/24 link#2 em1
10.5.5.1/24 link#2 lo0
69.194.177.224/29 em0
69.194.177.277 link#1 lo0
127.0.01 link#5 lo0
ibby:

@doktornotor:

    Also, WTH is trust/untrust. You have LAN interface IP assigned by DHCP?  :o

What I meant to say:
I have static IP addresses assigned to untrust and trust.
The trust interface IP is 10.5.5.1 / dfg is the same.
This IP interface / subnet is /24, 255.255.255.0.
I have a DHCP scope running on the LAN / TRUST interface from 10.5.5.50 > 10.5.5.100
:)
stephenw10 (Netgate Administrator):

If you can't ping from LAN via Diagnostics but can from WAN then NAT is not working. Most likely cause there (if you haven't disabled it) is that the gateway is not actually assigned on the WAN interface but simply added in System > Routing.

Steve
ibby:

@heper:

    stop configuring and see if you get a default install working. it should work out of the box.
    if that works, figure out what you did wrong.

    it's probably a routing, firewall or NAT issue ::::: too little info to help you

In addition to that I have
two FW rules allowing WAN to LAN / UNTRUST to TRUST for 53 and 80
ibby:

@stephenw10:

    If you can't ping from LAN via Diagnostics but can from WAN then NAT is not working. Most likely cause there (if you haven't disabled it) is that the gateway is not actually assigned on the WAN interface but simply added in System > Routing.

    Steve

Hi,

I have already checked in the "gateways section".
I have 2:
GW_WAN > WAN > 69.197.177.225 > MP IP 69.197.177.255
LAN+GW > LAN > 10.5.5.1 > MP IP 10.5.5.1
ptt (Rebel Alliance):

Why do you have a "GW" on LAN?
ibby:

@ptt:

    Why do you have a "GW" on LAN?

When I originally configured it I made a typo in the LAN gateway IP.
So I deleted the original entry and inserted this one.
(I found via packet trace it was sending traffic to 10.5.5.11, and not 10.5.5.5.1)
doktornotor:

You should have NO gateway whatsoever on LAN. Read the notes in the GUI. There was really a reason I asked about the trust/untrust thing and about what's actually LAN and WAN there…
ibby:

That was it!

I was trying to configure it as a netscreen / juniper!  ;D
heper:

@ibby:

    That was it!

    I was trying to configure it as a netscreen / juniper!  ;D

So netscreen / juniper works with invalid configurations then? Neat feature.
ibby:

@heper:

    @ibby:

        That was it!

        I was trying to configure it as a netscreen / juniper!  ;D

    So netscreen / juniper works with invalid configurations then? Neat feature.

It's not an invalid config.

You still need to set an IP address for the interface to route out.

E.g. on the Juniper you don't have an "any any" rule set; you have to set the protocols to go out of the zones / interfaces.

I was assuming when I was setting up the pfSense firewall the gateway would actually be "route anything 10.5.5.1/24 through 10.5.5.1 gateway" and then route through the external WAN interface.
Derelict (LAYER 8 Netgate):

"route anything 10.5.5.1/24 through 10.5.5.1 gateway"

There might be some terminology misunderstandings with pass vs route. For example, that looks a lot like the default LAN pass any any rule in pfSense:

Pass IPv4 any source LAN net dest any any

Note that rule would typically be on an interface with a 10.5.5.1 address.

The actual route for that traffic is the default gateway setting on the hosts on 10.5.5.1/24. And even then, the route isn't for traffic to 10.5.5.0/24, since that's the local subnet.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

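An added check, not from the thread or from pfSense itself, that flags the two mistakes discussed above (doktornotor's "gateway on LAN" and stephenw10's "gateway added in System > Routing but not assigned on WAN") by reading a config.xml backup. The XML fragment is constructed to mirror ibby's setup (10.5.5.1/24 LAN, /29 WAN; the WAN host address and the gateway names are made up), and the tag layout follows pfSense's config.xml as far as I know it, so treat the exact element names as an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml fragment modelled on the thread. In pfSense's config.xml,
# interfaces/<name>/gateway holds a gateway *name* and gateways/gateway_item defines it
# (tag layout assumed here, not copied from a real backup).
BROKEN_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>em0</if><ipaddr>69.194.177.226</ipaddr><subnet>29</subnet><gateway>GW_WAN</gateway></wan>
    <lan><if>em1</if><ipaddr>10.5.5.1</ipaddr><subnet>24</subnet><gateway>LAN_GW</gateway></lan>
  </interfaces>
  <gateways>
    <gateway_item><interface>wan</interface><gateway>69.194.177.225</gateway><name>GW_WAN</name></gateway_item>
    <gateway_item><interface>lan</interface><gateway>10.5.5.1</gateway><name>LAN_GW</name></gateway_item>
  </gateways>
</pfsense>"""

# The corrected config from the thread's resolution: no gateway defined on or assigned to LAN.
FIXED_CONFIG = BROKEN_CONFIG.replace("<gateway>LAN_GW</gateway>", "").replace(
    "<gateway_item><interface>lan</interface><gateway>10.5.5.1</gateway><name>LAN_GW</name></gateway_item>", "")

DYNAMIC = {"dhcp", "dhcp6", "pppoe", "pptp", "l2tp", "ppp"}  # WAN types that get their gateway automatically


def audit_gateways(config_xml: str, wan_interfaces=("wan",)) -> list[str]:
    """Return findings for gateway assignments that break pfSense's LAN/WAN distinction.

    pfSense treats any interface with a gateway assigned as WAN-type. Automatic outbound NAT
    only translates traffic from interfaces *without* a gateway out interfaces *with* one, so
    a gateway on LAN leaves LAN traffic un-NATed: exactly the symptom in this thread.
    """
    root = ET.fromstring(config_xml)
    findings = []
    defined_on = {g.findtext("name", ""): g.findtext("interface", "")
                  for g in root.findall("./gateways/gateway_item")}
    for iface in root.findall("./interfaces/*"):
        name, ipaddr, gw = iface.tag, iface.findtext("ipaddr", ""), iface.findtext("gateway")
        if name in wan_interfaces:
            if not gw and ipaddr not in DYNAMIC:  # stephenw10's case: defined in Routing, never assigned
                findings.append(f"{name}: static address but no gateway assigned; outbound NAT will not work")
            elif gw and gw not in defined_on:
                findings.append(f"{name}: assigned gateway '{gw}' is not defined under System > Routing")
        elif gw:
            findings.append(f"{name}: gateway '{gw}' assigned on an internal interface; "
                            "pfSense now treats it as WAN and skips outbound NAT for its traffic")
    for gw_name, on_iface in defined_on.items():
        if on_iface not in wan_interfaces:
            findings.append(f"gateway '{gw_name}' is defined on internal interface '{on_iface}'; "
                            "hosts there use the interface address as their default gateway, the firewall needs none")
    return findings


if __name__ == "__main__":
    for cfg in (BROKEN_CONFIG, FIXED_CONFIG):
        print(audit_gateways(cfg) or ["no gateway problems found"])
```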