GNS3 + ESXi + pfSense Appliance
-
Can anyone help me out with this virtual setup? I utilized the GNS3 NAT function to get internet access into the virtual network. The pfSense appliance can ping the NAT (Comcast) gateway 192.168.122.1, 8.8.8.8, and the Windows 7 PC (10.1.100.100). The Windows 7 PC can ping pfSense at 10.1.100.1 and 192.168.122.67, but cannot ping 192.168.122.1 or 8.8.8.8.
I have created firewall rules to allow all IPv4 traffic on each interface for testing. I have also disabled "Block private networks and loopback addresses" and "Block bogon networks".
-
Did you mess with your outbound NAT on pfSense? If pfSense does not NAT that 10.1.100 network to its 192.168.122 network, then the upstream NATter would not know what to do with it. This seems likely if you cannot ping 192.168.122.1 but can ping 192.168.122.67, because pfSense knows how to get to 10.1.100 but 192.168.122.1 would not.
You see this most of the time when users take their outbound NAT out of automatic.
-
I did attempt to change the outbound nat settings in the beginning, but currently have it set to "Automatic outbound NAT rule generation".
-
Well, post them up and let's take a look-see.
-
Attached is a screenshot of the automatic rules.
-
Well, that looks correct for sure. Where did the 10.1.1.0/24 network come from? That is not listed in your post or diagram.
Do a sniff on the pfSense WAN when you try to ping your 192.168.122.1 IP from your client. Does it send the ping out its WAN? And is it NATting it to its WAN IP?
-
10.1.1.0/24 is a second VLAN that is set up on pfSense (OPT2) but not set up anywhere else.
It appears that the ping is sent out the WAN, but no reply is received:
9:43:51.827857 IP 192.168.122.67 > 192.168.122.1: ICMP echo request, id 26030, seq 16830, length 8
9:43:51.828573 IP 192.168.122.1 > 192.168.122.67: ICMP echo reply, id 26030, seq 16830, length 8
9:43:52.128334 IP 10.1.100.100 > 192.168.122.1: ICMP echo request, id 1, seq 54398, length 40
9:43:52.328871 IP 192.168.122.67 > 192.168.122.1: ICMP echo request, id 26030, seq 16831, length 8
9:43:52.329228 IP 192.168.122.1 > 192.168.122.67: ICMP echo reply, id 26030, seq 16831, length 8
-
It's being sent out un-NATted; see the 10.1.100.100 address. That will not work. So for whatever reason that is not being NATted. Your upstream is not going to know how to answer that.
Are you sure you applied your outbound NATs after you changed it to manual, etc.? Did you reboot?
-
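The check johnpoz describes above (did the ping leave the WAN carrying the WAN address, or did it go out untranslated?) can be run against the text of a pfSense Diagnostics > Packet Capture instead of eyeballing it. The script below is an added example, not code from this thread or from pfSense. It embeds the capture lines posted above as constructed sample input, and assumes the WAN address 192.168.122.67 from the thread and that the capture was taken on the WAN interface with numeric addresses (tcpdump -n style output). Any source address it prints reached the WAN without outbound NAT.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): flag packets that left the
# WAN without outbound NAT, i.e. whose source address is not the WAN address.
# Input is the plain-text output of pfSense Diagnostics > Packet Capture
# (tcpdump -n style lines), read on stdin.

# WAN address of the pfSense appliance in this thread.
WAN_IP="192.168.122.67"

# Constructed sample input: the capture lines posted earlier in the thread.
SAMPLE_CAPTURE='9:43:51.827857 IP 192.168.122.67 > 192.168.122.1: ICMP echo request, id 26030, seq 16830, length 8
9:43:51.828573 IP 192.168.122.1 > 192.168.122.67: ICMP echo reply, id 26030, seq 16830, length 8
9:43:52.128334 IP 10.1.100.100 > 192.168.122.1: ICMP echo request, id 1, seq 54398, length 40
9:43:52.328871 IP 192.168.122.67 > 192.168.122.1: ICMP echo request, id 26030, seq 16831, length 8
9:43:52.329228 IP 192.168.122.1 > 192.168.122.67: ICMP echo reply, id 26030, seq 16831, length 8'

# unnatted_sources WAN_IP < capture
# Prints, once each, every source address of a packet that was sent towards
# a non-WAN destination but does not carry the WAN address. Inbound replies
# (destination == WAN address) are ignored. TCP/UDP lines, where tcpdump
# appends ".port" to each address, are handled the same way as ICMP lines.
unnatted_sources() {
    awk -v wan="$1" '
        # Reduce "a.b.c.d.port:" / "a.b.c.d:" / "a.b.c.d" to the bare address.
        function host(a,   n, p) {
            sub(/:$/, "", a)
            n = split(a, p, ".")
            if (n == 5)
                return p[1] "." p[2] "." p[3] "." p[4]
            return a
        }
        $2 == "IP" && $4 == ">" {
            src = host($3); dst = host($5)
            if (dst != wan && src != wan) print src
        }' | sort -u
}

# Demo: with the sample capture only the untranslated client address shows up.
printf '%s\n' "$SAMPLE_CAPTURE" | unnatted_sources "$WAN_IP"
```

On a live box, replace the sample with the downloaded capture file (`unnatted_sources 192.168.122.67 < capture.txt`). An empty result means every packet that left the WAN was translated; the 10.1.100.100 line reproduces exactly the symptom in this thread.
-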
I only had it set to manual temporarily. It is currently set to "Automatic outbound NAT rule generation". I just restarted pfSense, but it doesn't appear that anything changed.
-
So you're still sending that out un-NATted? It might be easier to spot if you send traffic on a different port vs. ICMP, since pfSense sends a ping to its gateway every second.
Check that the actual NAT is there:
https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset
pfctl -sn
-
pfctl -sn provides no output.
-
What do you mean NO output? My pfSense is not currently doing NAT, since I have its WAN turned off and am just using it for DNS and DHCP until my new pfSense hardware gets here. Long story with new high-speed internet and the pfSense VM not able to handle the speed, etc. But I just enabled an outbound NAT on its LAN interface, and you see that in the output:
[2.4.1-RELEASE][root@pfsense.local.lan]/root: pfctl -sn
no nat proto carp all
nat-anchor "natearly/" all
nat-anchor "natrules/" all
nat on em1 inet all -> 192.168.9.6 port 1024:65535
nat-anchor "ftp-proxy/" all
no rdr proto carp all
rdr-anchor "relayd/" all
rdr-anchor "tftp-proxy/" all
rdr-anchor "ftp-proxy/" all
rdr pass on em1 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
rdr-anchor "miniupnpd" all
[2.4.1-RELEASE][root@pfsense.local.lan]/root:
I could fire up a VM so that you could see the output when using automatic NAT and a WAN/LAN setup, but that would take me a few minutes. There should be something output!! And it should show you the outbound NATs you have enabled.
edit: Here I just enabled a bogus IP on the WAN interface and let it do automatic NAT. You can see the output from that command (pic attached).
edit2: You can then view what's in the alias in the Diag, Table listing (pic 2).
-
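The pfctl -sn check in the post above is easy to turn into something repeatable. The script below is an added example, not code from this thread or from pfSense: it parses the text of a `pfctl -sn` ruleset for a `nat on <interface> ... -> <target>` rule. The sample input is the ruleset johnpoz posted (copied in as constructed sample data, with em1 as the interface carrying the outbound NAT), and an empty ruleset stands in for what the original poster saw. Interface names em0 and em1 are assumptions taken from this thread.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): check a `pfctl -sn` ruleset
# for an outbound NAT rule on a given interface.

# Constructed sample input: the ruleset posted above, where outbound NAT was
# enabled on em1.
SAMPLE_RULESET='no nat proto carp all
nat-anchor "natearly/" all
nat-anchor "natrules/" all
nat on em1 inet all -> 192.168.9.6 port 1024:65535
nat-anchor "ftp-proxy/" all
no rdr proto carp all
rdr-anchor "relayd/" all
rdr-anchor "tftp-proxy/" all
rdr-anchor "ftp-proxy/" all
rdr pass on em1 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
rdr-anchor "miniupnpd" all'

# outbound_nat_on IFACE < ruleset
# Prints every "nat on IFACE ... -> target" rule and exits 0 if at least one
# exists, 1 otherwise. "no nat" and "nat-anchor" lines are not translation
# rules and are skipped; "rdr" lines are inbound redirects, not outbound NAT.
outbound_nat_on() {
    awk -v ifc="$1" '
        $1 == "nat" && $2 == "on" && $3 == ifc && / -> / { found = 1; print }
        END { exit found ? 0 : 1 }'
}

# check_wan_nat IFACE < ruleset
# Human-readable verdict for the WAN interface; returns the same status.
check_wan_nat() {
    if rules=$(outbound_nat_on "$1"); then
        printf 'outbound NAT present on %s:\n%s\n' "$1" "$rules"
    else
        printf 'no outbound NAT rule on %s: traffic will leave untranslated\n' "$1"
        return 1
    fi
}

# Demo: the posted ruleset has NAT on em1 but none on em0, and an empty
# ruleset (what the original poster reported) has none at all.
printf '%s\n' "$SAMPLE_RULESET" | check_wan_nat em1
printf '%s\n' "$SAMPLE_RULESET" | check_wan_nat em0 || true
printf ''                       | check_wan_nat em1 || true
```

On a live firewall run `pfctl -sn | check_wan_nat em0` (substituting the real WAN interface). With automatic outbound NAT the matching rule will reference a table alias rather than `all` as the source, which this check still accepts since it only keys on the interface and the `->` translation target.
-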
The appliance within GNS3 does not have any output with that command. I even inserted a 2nd appliance and tested that one with the same results.
-
Well, you've got something wrong for sure then in your setup. pfSense is not doing what it's supposed to be doing, and that probably explains your problem with it not working ;)
How exactly did you do that sniff? Did you do it via the pfSense Diag packet capture or somewhere else?
So you're running the appliance from here https://docs.gns3.com/appliances/pfsense.html in GNS3; how does ESXi come into play here? Going to need more info on how you got this all set up to try and figure out what is not right.
Your GNS3 layout shows only em0 on the pfSense appliance with a trunk. So your OPT interface is a VLAN? Why would you not just give the appliance 2 interfaces and put the router appliance between your clients and the network, vs. what looks to be a router on a stick?
-
I did use the Diag packet capture to do the sniff.
I am running a central GNS3 server (in ESXi) with that pfSense appliance imported. This way all of the processing is being handled on the server instead of my workstation. You are correct that em0 is a trunk and OPT is a VLAN.
It is set up as a router on a stick currently to allow a pfSense VM to be migrated between 2 virtual hosts.
-
I would have to fire GNS3 up on my ESXi box to try and figure out what could be wrong, but I can tell for sure that that command should have an output.
-
I appreciate the help. I will try to get another pfSense installation in GNS3 without using the appliance and see if that makes a difference.