Router only, no internet on OPT1
-
I'm running a pfSense box as router only with no firewall (disabled all packet filtering), but I don't seem to be able to access the WAN using OPT1. How do I do this?
I can ping hosts from all interfaces except for OPT1 (and VLANs attached to it)
-
Please post your outgoing rules…normally this happens because you did not set outgoing NAT.
-
When he says he turned off filtering I would assume there is no NAT either? Can you NAT still if you turn off filtering?
My guess would be that the network on OPT1 is not known by the WAN network. Devices on the WAN network would need to know how to get to the OPT1 network.
-
No NAT, just using this one as a routing box from the LAN\VLANS to a smoothwall box then to the internet.
Disabling the firewall seemed to fix the problems I had connecting to Microsoft Active Directory from the Smoothwall box for authentication, but then it broke the routing on the VLANs on OPT1.
I'd enable the firewall if I could work out how to get the Smoothwall talking to AD (I couldn't ping the AD servers from the WAN interface no matter what I did).
-
I am not sure, but I would assume if you turn off filtering then you lose NAT. So you would have to set up routing on your devices on the WAN for how to get to your LAN and OPT1 networks. OR set up a transit network between your router in front of pfSense and pfSense, with routing to those networks.
-
Then I think I'll be better off turning the firewall off, but then I'm back to square one, not being able to access the Active Directory from the WAN, unless there's a WAN rule that can fix that?
-
You can have no WAN (or any other interface) rules when you turn the packet filter off. If you do not want NAT, then disable NAT and not the packet filter. It is even written in the GUI notes next to the checkbox where you can disable the pf.
-
^ exactly the way to use pfsense as router is disable nat and create any any rules.
-
Thanks, I'll test it out - feel like I've been going round in circles these past few days!
-
You can have no WAN (or any other interface) rules when you turn the packet filter off.
^ exactly the way to use pfsense as router is disable nat and create any any rules.
Well, which is it? No rules or Any:Any rules? Or did you mean there must be no rules when the filter is disabled but then after you need to add Any:Any rules???
-
Those are 2 different people saying things that you put into 1 quote.
How I would use pfsense as router would be turn off nat and then any any. You could then log traffic if you wanted in your any any rules, etc. Or create rules just for logging even better. You could still use the limiters, etc.
If you're just going to turn off filtering and route - might as well just put in a L3 switch.
-
Those are 2 different people saying things that you put into 1 quote.
Yes, I know, was done for brevity. But you agreed with dok after saying something completely opposite. He says no rules, you say any:any.
-
Wish I could just put a L3 switch in, it would save me the problems; as it is, it's cheaper for me to use a pfSense as a router instead.
-
No, he clearly stated
"If you do not want NAT, then disable NAT and not the packet filter."
Which I agreed with. If you don't turn off the packet filter then you need rules. I just said it in a slightly different way, with emphasis that you would need any any rules if the filter is on if you want it to act like a router.
-
You can have no WAN (or any other interface) rules when you turn the packet filter off.
This threw me off. I know there are a lot of non-native English speakers here and sometimes the Euro flair can be read differently. I read it to mean that you MUST remove the WAN rules if you are to disable the packet filter.
-
So from what I've learned
Enable Firewall
Disable Outbound NAT
Add Any Any Rules to each interface on the firewall e.g.
IPv4* * * * * * none
This should do all my routing to and from the smoothwall box
-
This should do all my routing to and from the smoothwall box
Whatever a "smoothwall box" is it will have to have routes for all the networks behind pfSense with the pfSense IP address as the routes' next hop.
-
The Smoothwall box is a transparent proxy / UTM, I work in a school and we need filtering enabled for students. Currently we rely on the Smoothwall box for routing between subnets (for wifi over vlans) for MDns, problem is we rely too much on it e.g
LAN ---> SMOOTHWALL ---> WAN
We don't have any layer 3 switching as the budget is restrictive, only layer 2 that serves the VLANS so swapping out the SMOOTHWALL utm for another vendor is difficult as most other vendors don't have routing / radius / dhcp etc. built in
So I'm trying to utilise old hardware so the topology looks like this :-
PFSense Router -----> PROXY -----> PFSense firewall, so I can slot any vendors filtering hardware in place of the proxy
The only problem I've faced is getting Smoothwall talking back to Active Directory for authentication purposes; if I know the pfSense configuration is correct then I know any problems lie within Smoothwall.
-
I made a new box and kept it as simple as possible
Enable Firewall
Disable Outbound NAT
Add Any Any Rules to each interface on the firewall e.g.
IPv4* * * * * * none
But it's still not working; the traceroute from the WAN to the LAN seems to bounce around the WAN IP and the gateway.
Here's an album of images
http://imgur.com/a/1X55p
-
Dude, Smoothwall needs to know how to get to the networks behind pfSense - it has to have a route that talks to pfSense when it wants to get to segments behind pfSense.
This is normally done with a transit network so you don't run into asymmetrical routing.
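
The return-route point made in the replies above, as an added example that is not part of any post in the thread: a small longest-prefix-match simulation showing where a reply from the upstream box goes with and without static routes for the networks behind pfSense. All addresses, device names and function names are constructed for illustration.

```python
import ipaddress

# Constructed addressing (not from the thread): pfSense WAN 192.168.0.2,
# Smoothwall 192.168.0.1 on the same segment, LAN 10.0.1.0/24, OPT1 10.0.2.0/24.
PFSENSE_WAN = "192.168.0.2"
SMOOTHWALL = "192.168.0.1"
ISP_GW = "203.0.113.1"
OWNER = {PFSENSE_WAN: "pfsense", SMOOTHWALL: "smoothwall"}

def make_tables(with_return_routes):
    """Routing tables as {device: [(prefix, next_hop or None if on-link)]}."""
    smoothwall = [("192.168.0.0/24", None), ("0.0.0.0/0", ISP_GW)]
    if with_return_routes:
        # The fix from the thread: routes for the networks behind pfSense,
        # with the pfSense address as next hop.
        smoothwall += [("10.0.1.0/24", PFSENSE_WAN), ("10.0.2.0/24", PFSENSE_WAN)]
    pfsense = [("192.168.0.0/24", None), ("10.0.1.0/24", None),
               ("10.0.2.0/24", None), ("0.0.0.0/0", SMOOTHWALL)]
    return {"smoothwall": smoothwall, "pfsense": pfsense}

def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop)."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)

def trace(tables, start, dst, max_hops=8):
    """Follow next hops from `start` until delivery or the packet leaves our devices."""
    path, device = [start], start
    for _ in range(max_hops):
        _, next_hop = lookup(tables[device], dst)
        if next_hop is None:          # destination is on a directly attached network
            path.append("delivered")
            return path
        if next_hop not in OWNER:     # handed to a router that has no route back
            path.append(f"lost via {next_hop}")
            return path
        device = OWNER[next_hop]
        path.append(device)
    path.append("loop")
    return path

if __name__ == "__main__":
    # With NAT disabled, replies are addressed to the real OPT1 host address.
    print(trace(make_tables(False), "smoothwall", "10.0.2.50"))
    print(trace(make_tables(True), "smoothwall", "10.0.2.50"))
```
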