Help, cant get traffic out of FW.
-
Also, WTH is trust/untrust. You have LAN interface IP assigned by DHCP? :o
What i meant to say
I have a static ip addresses assigned to untrust and trust
trust ip interface is 10.5.5.1 / dfg is same.
This ip interface / subnet /24 255.255.255.0
I have a DHCP scope running on the LAN / TRUST interface from 10.5.5.50 > 10.5.5.100
:) -
If you can't ping from LAN via Diagnostics but can from WAN then NAT is not working. Most likely cause there (if you haven't disabled it) is that the gateway is not actually assigned on the WAN interface but simply added in System > Routing.
Steve
-
stop configuring and see if you get a default install working. it should work out of the box.
if that works, figure out what you did wrong.its probably a routing,firewall or NAT issue ::::: too little info to help you
additional to that I have
two fw rules allowing WAN to LAN / UNTRUST to TRUST for 53 and 80 -
If you can't ping from LAN via Diagnostics but can from WAN then NAT is not working. Most likely cause there (if you haven't disabled it) is that the gateway is not actually assigned on the WAN interface but simply added in System > Routing.
Steve
Hi,
I have already checked in the "gateways section".
I have 2
GW_WAN > WAN > 69.197.177.225 > MP IP 69.197.177.255
LAN+GW > LAN > 10.5.5.1 > MP IP 10.5.5.1 -
Why do you have a "GW" on LAN ?
-
@ptt:
Why do you have a "GW" on LAN ?
When I originally configured it I made a typo error on the lan gateway ip.
So I deleted the original entry and inserted this one.
( I found via packet trace it was sending traffic to 10.5.5.11, and not 10.5.5.5.1) -
You should have NO gateway whatsoever on LAN. Read the notes in the GUI. There was really a reason I asked about the trust/untrust thing and about what's actually LAN and WAN there…
-
That was it!
I was trying to configure it as a netscreen / juniper! ;D
-
That was it!
I was trying to configure it as a netscreen / juniper! ;D
so netscreen / juniper works with invalid configurations then ? neat feature
-
That was it!
I was trying to configure it as a netscreen / juniper! ;D
so netscreen / juniper works with invalid configurations then ? neat feature
Its not an invalid config.
You still need to set an ip address for the interface to route out.
eg on the juniper you dont have an "any any" rule set, you have to set the protocols to go out of the zones / interfaces.
I was assuming when I was setting up the pfsense firewall the gateway would actually be, "route anything 10.5.5.1/24 through 10.5.5.1 gateway" and then route through the external wan interface.
-
"route anything 10.5.5.1/24 through 10.5.5.1 gateway"
There might be some terminology misunderstandings with pass vs route. For example, that looks a lot like the default LAN pass any any rule in pfSense:
Pass IPv4 any source LAN net dest any any
Note that rule would typically be on an interface with a 10.5.5.1 address.
The actual route for that traffic is the default gateway setting on the hosts on 10.5.5.1/24. And even then, the route isn't for traffic to 10.5.5.0/24, since that's the local subnet.
