Help, can't get traffic out of FW.

General pfSense Questions (15 posts, 6 posters, 1.6k views)
ibby:

@doktornotor:

Also, WTH is trust/untrust. You have LAN interface IP assigned by DHCP?  :o

What I meant to say:
I have static IP addresses assigned to untrust and trust.
The trust IP interface is 10.5.5.1 / dfg is the same.
This IP interface / subnet is /24, 255.255.255.0.
I have a DHCP scope running on the LAN / TRUST interface from 10.5.5.50 > 10.5.5.100
:)

stephenw10 (Netgate Administrator):

If you can't ping from LAN via Diagnostics but can from WAN then NAT is not working. Most likely cause there (if you haven't disabled it) is that the gateway is not actually assigned on the WAN interface but simply added in System > Routing.

Steve

ibby:

@heper:

stop configuring and see if you get a default install working. it should work out of the box.
if that works, figure out what you did wrong.

it's probably a routing, firewall or NAT issue ::::: too little info to help you

In addition to that I have
two FW rules allowing WAN to LAN / UNTRUST to TRUST for 53 and 80.

ibby:

@stephenw10:

If you can't ping from LAN via Diagnostics but can from WAN then NAT is not working. Most likely cause there (if you haven't disabled it) is that the gateway is not actually assigned on the WAN interface but simply added in System > Routing.

Steve

Hi,

I have already checked in the "gateways section".
I have 2:
GW_WAN > WAN > 69.197.177.225 > MP IP 69.197.177.255
LAN+GW > LAN > 10.5.5.1 > MP IP 10.5.5.1

ptt (Rebel Alliance):

Why do you have a "GW" on LAN?

ibby:

@ptt:

Why do you have a "GW" on LAN?

When I originally configured it I made a typo error on the LAN gateway IP.
So I deleted the original entry and inserted this one.
(I found via packet trace it was sending traffic to 10.5.5.11, and not 10.5.5.5.1.)

doktornotor:

You should have NO gateway whatsoever on LAN. Read the notes in the GUI. There was really a reason I asked about the trust/untrust thing and about what's actually LAN and WAN there…

ibby:

That was it!

I was trying to configure it as a NetScreen / Juniper!  ;D

heper:

@ibby:

That was it!

I was trying to configure it as a NetScreen / Juniper!  ;D

so NetScreen / Juniper works with invalid configurations then? neat feature

ibby:

@heper:

@ibby:

That was it!

I was trying to configure it as a NetScreen / Juniper!  ;D

so NetScreen / Juniper works with invalid configurations then? neat feature

It's not an invalid config.

You still need to set an IP address for the interface to route out.

E.g. on the Juniper you don't have an "any any" rule set; you have to set the protocols to go out of the zones / interfaces.

I was assuming when I was setting up the pfSense firewall the gateway would actually be "route anything 10.5.5.1/24 through 10.5.5.1 gateway" and then route through the external WAN interface.

Derelict (LAYER 8 Netgate):

"route anything 10.5.5.1/24 through 10.5.5.1 gateway"

There might be some terminology misunderstandings with pass vs route.  For example, that looks a lot like the default LAN pass any any rule in pfSense:

Pass IPv4 any source LAN net dest any any

Note that rule would typically be on an interface with a 10.5.5.1 address.

The actual route for that traffic is the default gateway setting on the hosts on 10.5.5.1/24.  And even then, the route isn't for traffic to 10.5.5.0/24, since that's the local subnet.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
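The pass-versus-route distinction above, as an added illustration that is not part of the thread: a constructed routing table using the thread's own addresses (LAN 10.5.5.0/24 directly connected, GW_WAN 69.197.177.225 on WAN), a longest-prefix-match lookup, and the default "pass IPv4 from LAN net to any" rule kept as a separate filtering step. The table, rule function and sample lookups are all constructed for this example.

```python
import ipaddress

# Constructed routing table mirroring the corrected setup from the thread:
# the LAN subnet is on-link (no gateway), the only real gateway is GW_WAN.
ROUTES = [
    # (prefix, interface, next hop; None means directly connected)
    (ipaddress.ip_network("10.5.5.0/24"), "LAN", None),
    (ipaddress.ip_network("0.0.0.0/0"), "WAN",
     ipaddress.ip_address("69.197.177.225")),
]

LAN_NET = ipaddress.ip_network("10.5.5.0/24")


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: return (interface, next_hop) for a destination."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, nh in routes:
        if dst in prefix and (best is None or
                              prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface, nh)
    if best is None:
        raise LookupError(f"no route to {dst}")
    _, iface, nh = best
    # A None next hop means the destination is on-link and is delivered
    # directly; a "gateway" for the LAN subnet would never be consulted.
    return iface, (None if nh is None else str(nh))


def lan_pass_rule(src, dst):
    """The default pfSense LAN rule: pass IPv4 from LAN net to any.
    'dst' is accepted but unused because the destination is 'any'.
    A pass decision says nothing about which interface the packet leaves."""
    return ipaddress.ip_address(src) in LAN_NET


def forward(src, dst):
    """The two steps the thread conflates: filter first, then route."""
    if not lan_pass_rule(src, dst):
        return ("blocked", None, None)
    iface, nh = lookup(dst)
    return ("pass", iface, nh)


if __name__ == "__main__":
    # Constructed sample: a DHCP client from the 10.5.5.50-100 scope
    print(forward("10.5.5.50", "8.8.8.8"))      # passes, leaves via WAN gateway
    print(forward("10.5.5.50", "10.5.5.1"))     # passes, stays on-link
```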
