OPT1 can't get Internet

newest_newbie

Hello folks.
This is my first experience with PFSense.
I googled around and could not see an answer - need some help !!!

I have the following setup
re0 - WAN - DHCP
re1 - LAN - 192.168.0.11/24 - no gateway
re2 - OPT1 - 192.168.1.11/24 - no gateway

After some work I was able to set proper rules and both WAN and LAN are running fine.
The problem is with OPT1 - It is not getting internet access.

FACTS

• From 192.168.1.238 (windows box) I can ping 192.168.1.11 (implicit gateway for OPT1) and ping 192.168.1.9 (another host) with sucess
• When ping www.google.com or 192.168.0.11 (implicit gateway for LAN)- timeout
• I created a rule opening all for OPT1
  Protocol  Source  Port Destination  Port  Gateway  Queue Schedule
  IPv4      *     *   *       * * * none

I did a lot of tries but none seem to work.
Seems to me it is a gateway/NAT or DNS problem.

QUESTION

• At "Interfaces/OPT1" should I set 192.168.0.11 as the gateway ?

Any tips ?

TIA

Derelict

No. Don't set a gateway on LAN interfaces.

All hosts on OPT1 should have 192.168.1.11 as their default gateway.

Your OPT1 rule is fine.

What are your settings in Firewall > NAT, Outbound? Is 192.168.1.0/24 listed as a source network on WAN?

Hosts having pfSense as the default gateway, rules on OPT1, and outbound NAT are really all there is to it.

newest_newbie

Yes I believe - both LAN and OPT1
WAN 127.0.0.0/8 192.168.0.0/24 192.168.1.0/24 * * 500 WAN address * Auto created rule for ISAKMP
WAN 127.0.0.0/8 192.168.0.0/24 192.168.1.0/24 * * * WAN address * Auto created rule

newest_newbie

During my search, looked like this is a very common problem, and no one has a sure way of fix it.
Meanwhile I am trying to find a solution.
If someone has some tip…

Derelict

It is not a common problem.

• pfSense as the hosts' default gateway

• firewall rules on the inside interface passing the traffic

• Outbound NAT

• It just works

newest_newbie

I'm sure it works, since it was designed to be a firewall… :P ...but not smoothly

More information

My physical map

OPT1 (192.168.1.11) <------> SWITCH <-----> (192.168.1.238 STATIC) WINDOWS PC FIREWALL DISABLED
                                              SWITCH <-----> (192.168.1.9 STATIC) ANOTHER HOST                           
Testing the port

PF/DIAGNOSTICS/PING 
PING 192.168.1.238 (192.168.1.238): 56 data bytes
64 bytes from 192.168.1.238: icmp_seq=0 ttl=128 time=0.314 ms
64 bytes from 192.168.1.238: icmp_seq=1 ttl=128 time=0.159 ms
64 bytes from 192.168.1.238: icmp_seq=2 ttl=128 time=0.372 ms
--- 192.168.1.238 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.159/0.282/0.372/0.090 ms
Success !!! Physically everythings okay

The rule at OPT1

States Protocol Source Port Destination Port Gateway Queue Schedule Description Actions
0 /0 B        IPv4 * OPT1 net * * * * none   ALLOW OPT1 TO ANY

Testing the rule

If I enable it at PF/FIREWALL/RULES/OPT1, I ping to 192.168.1.238, it answers.
If I disable it at PF/FIREWALL/RULES/OPT1, I ping to 192.168.1.238, it times out.
So the rule is surely working, but not allows to pass on, or something in the back is not working as it should.

How I know it works ?

I made a batch which run at windows PC and constantly pings realms
PING 192.168.1.9    (another host at same switch) - OK
PING 192.168.1.11  (gateway port at OPT1) - OK
PING 192.168.0.11  (gateway port at LAN) - TIMES OUT
PING 192.168.2.100 (gateway port at WAN) - TIMES OUT
PING 8.8.4.4            (dns server at internet - no name translation) - TIMES OUT
PING www.???????.com.br (my website at intenet - name translation) - TIMES OUT

Suggestions ?

Derelict

Might want to start here:

https://doc.pfsense.org/index.php/Connectivity_Troubleshooting

johnpoz

What I can tell you is this is clickity clickity.. Add a opt interface, give it an IP, setup rules on that interface = works right out the box!!

That you have realtek interfaces might be the problem - what is common is users using realtek or usb interfaces having issues.

"During my search, looked like this is a very common problem"

What search - please post to articles/forum threads you think is common to your issue.. Where "and no one has a sure way of fix it. " Could almost promise you your problem is either PEBAC.. or hardware issue..

kpa

It's not a common problem at all. There are just a few people out of literally thousands who can't get this working because either they have some crazy ideas of how networking works or they are in the small minority with broken/badly working/poorly supported hardware.

newest_newbie

I found the problem…

All of this began when i needed to build a Captive Portal.

I've notice that OPT1 wasn't working.
I've been trying to ping but didn't seem to work.

So I found out that Captive Portal was still enabled although not fully configured.
I never thought CP would block ICMP - but I should. :o
I disabled CP and voila !! it worked....

I found this following this step-by-step that Derelict showed me, although everything was setup properly.

When I said this is a common problem I mean I found a lot of posts regarding this, people gets stuck trying to found out how stuff work and behave. A bit like "if you are here you can't get things easy - you've got to sweat".
This is a part of getting knowledge to something new.

Anyway it's all up and running.
I was a Smoothwall Express user and now I'm a happy PFsense user...

Thanks buddies.

PS: Now another hill to climb - captive portal using vouchers.

johnpoz

So chalk another one up to PEBKAC ;)

newest_newbie

Normally that happens when you are at full multitasking with just one core processor (head)…  :)