Netgate Discussion Forum

    OPT interface - No Internet Access

    realtec

      Hi all,

      I have set up a new pfSense box, imported the config from our old box to the new one. All seemed to be working well. We upgraded to the new server as it has 4 onboard NICs and a PCI-E dual NIC. On the dual NIC (bce4 &5) I have added an opt interface. No matter what I do I cannot get internet access through these ports. I can ping the gateway IP I have set on the ports, from a PC. I can also ping that PC (DHCP enabled) from pfSense.

      BUT no internet at all.

      I have added an allow all rule into the firewall on the OPT interface, still no joy. I can ping my entire internal network from the PC connected to bce4.

      If I was to ping google or 8.8.8.8 I get no response.

      Any ideas ?

      Thanks in advance

      mguebert

        The default is to block, so you need an allow rule any-opt1-any-any-any-any. That will allow traffic to your LAN network also though. So in my case I placed a block rule to LAN from Opt1, then an allow rule for DNS to the firewall, then a block rule to the firewall to block any other access to the firewall, then an allow all rule. It seems to work well for me.

        johnpoz LAYER 8 Global Moderator

          "I have added an allow all rule into the firewall on the OPT interface,"

          Post the rules you have on LAN and the rules you placed on opt.  It's quite common for users to just do tcp when they create the any any rule.  TCP would not allow for icmp (ping) nor would it allow for dns which is UDP on 53, etc.

          Yes, the default is deny.  So you have to create rules on the interface that allow the traffic you want/need - the LAN interface out of the box is any any.  But when you create a new interface there are no rules.  So yes, you have to add the rules you want/need to allow the traffic you want.

          Rules are evaluated as the traffic enters the interface going toward pfSense.  Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.  So if the traffic hits a block rule that it matches on, it does not matter if there is a rule below that rule that would allow the traffic.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11
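
The rule behaviour described in the two replies above, as an added example that is not part of the original thread and is not pfSense code: a small top-down, first-match evaluator run over constructed traffic entering the OPT interface. The subnets, addresses, and the `Rule`, `evaluate` and `verdicts` names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("192.168.1.0/24")       # constructed LAN subnet
FIREWALL = ipaddress.ip_network("192.168.2.1/32")  # constructed OPT1 address of the firewall

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    dst: ipaddress.IPv4Network
    port: Optional[int] = None   # None matches any port

def evaluate(rules, proto, dst, port=None):
    """Top-down, first match wins; no match means the default deny applies."""
    addr = ipaddress.ip_address(dst)
    for index, rule in enumerate(rules):
        if rule.proto not in ("any", proto):
            continue
        if addr not in rule.dst:
            continue
        if rule.port is not None and rule.port != port:
            continue
        return rule.action, index
    return "block", None

# Constructed traffic entering the OPT interface from a client PC.
PACKETS = [("icmp", "8.8.8.8", None), ("udp", "192.168.2.1", 53),
           ("tcp", "203.0.113.10", 443), ("tcp", "192.168.1.10", 445),
           ("tcp", "192.168.2.1", 443)]

def verdicts(rules):
    """Return (action, matching rule index) for each sample packet."""
    return [evaluate(rules, *packet) for packet in PACKETS]

TCP_ONLY = [Rule("pass", "tcp", ANY)]          # "allow all" left on TCP
ORDERED = [Rule("block", "any", LAN),          # keep OPT out of LAN
           Rule("pass", "udp", FIREWALL, 53),  # DNS to the firewall
           Rule("block", "any", FIREWALL),     # nothing else to the firewall
           Rule("pass", "any", ANY)]           # everything else
MISORDERED = [ORDERED[3], ORDERED[0]]          # block sits below the allow-all

if __name__ == "__main__":
    for name, rules in [("tcp-only", TCP_ONLY), ("ordered", ORDERED),
                        ("misordered", MISORDERED)]:
        print(name, verdicts(rules))
```

With the TCP-only rule, ping and DNS fall through to the default deny; in the misordered set the LAN block is never reached because the allow-all above it matches first.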

          pushitsolutions

            Did you check the Firewall->NAT->outbound?
            If you set up manual outbound NAT, you have to enter the mappings in there manually. If it's set up as Hybrid (my choice), then new interface mappings are automatically added and you can also enter manual ones.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.