GNS3 + ESXi + pfSense Appliance
-
10.1.1.0/24 is a second vlan that is set up on pfsense (OPT2) but not set up anywhere else.
It appears that the ping is sent out the wan, but no reply is received:
9:43:51.827857 IP 192.168.122.67 > 192.168.122.1: ICMP echo request, id 26030, seq 16830, length 8
9:43:51.828573 IP 192.168.122.1 > 192.168.122.67: ICMP echo reply, id 26030, seq 16830, length 8
9:43:52.128334 IP 10.1.100.100 > 192.168.122.1: ICMP echo request, id 1, seq 54398, length 40
9:43:52.328871 IP 192.168.122.67 > 192.168.122.1: ICMP echo request, id 26030, seq 16831, length 8
9:43:52.329228 IP 192.168.122.1 > 192.168.122.67: ICMP echo reply, id 26030, seq 16831, length 8
-
It's being sent out unnatted.. see the 10.1.100.100 address.. That will not work.. So for whatever reason that is not being natted.. Your upstream is not going to know how to answer that..
You sure you applied your outbound nats after you changed it to manual, etc. Did you reboot?
-
I only had it set to manual temporarily. It is currently set to "Automatic outbound NAT rule generation". I just restarted pfsense, but it doesn't appear that anything changed.
-
so you're still sending that out unnatted? Might be easier to spot if you send traffic on a different port vs icmp, since pfsense sends a ping to its gateway every second..
Check that the actual nat is there:
https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset
pfctl -sn
-
pfctl -sn provides no output.
-
what do you mean NO output? My pfsense is not currently doing nat.. Since I have its wan turned off, and just using it for dns and dhcp until my new pfsense hardware gets here. Long story with new high speed internet and pfsense VM not able to handle the speed, etc.. But I just enabled an outbound nat on its lan interface.. And you see that in the output
[2.4.1-RELEASE][root@pfsense.local.lan]/root: pfctl -sn
no nat proto carp all
nat-anchor "natearly/" all
nat-anchor "natrules/" all
nat on em1 inet all -> 192.168.9.6 port 1024:65535
nat-anchor "ftp-proxy/" all
no rdr proto carp all
rdr-anchor "relayd/" all
rdr-anchor "tftp-proxy/" all
rdr-anchor "ftp-proxy/" all
rdr pass on em1 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
rdr-anchor "miniupnpd" all
[2.4.1-RELEASE][root@pfsense.local.lan]/root:
I could fire up a vm so that you could see the output when using automatic nat and a wan/lan setup.. But it would take me a few minutes. But there should be Something output!! And it should show you the outbound nats you have enabled.
edit: Here I just enabled a bogus IP on the wan interface.. And let it do automatic nat.. You can see the output from that command. (pic attached)
edit2: You can then view what's in the alias in the diag, table listing.. pic 2
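As an added check (my own script, not something from the thread or from pfSense), the Python below applies the two diagnostics discussed above to the capture quoted earlier: it flags private source addresses leaving the WAN untranslated, and it parses pfctl -sn output to confirm whether a "nat on <wan>" rule is loaded. It assumes em0 is the WAN on 192.168.122.0/24; the pfctl output sample is constructed, since the real appliance printed nothing.

```python
import ipaddress
import re
# Lines from the diag packet capture quoted above; em0 is assumed to be the WAN.
CAPTURE = """\
9:43:51.827857 IP 192.168.122.67 > 192.168.122.1: ICMP echo request, id 26030, seq 16830, length 8
9:43:51.828573 IP 192.168.122.1 > 192.168.122.67: ICMP echo reply, id 26030, seq 16830, length 8
9:43:52.128334 IP 10.1.100.100 > 192.168.122.1: ICMP echo request, id 1, seq 54398, length 40
9:43:52.328871 IP 192.168.122.67 > 192.168.122.1: ICMP echo request, id 26030, seq 16831, length 8
"""
# Constructed pfctl -sn output in the shape a loaded automatic outbound NAT rule takes
# (the appliance in the thread printed nothing at all, which is the failure case).
PFCTL_OK = """\
no nat proto carp all
nat-anchor "natearly/" all
nat-anchor "natrules/" all
nat on em0 inet from 10.1.100.0/24 to any -> 192.168.122.67 port 1024:65535
"""
# tcpdump header "IP a.b.c.d[.port] > w.x.y.z[.port]:"; the optional port covers TCP/UDP lines too.
HDR_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")
NAT_RE = re.compile(r"^nat on (\S+) inet .*-> (\S+)")

def unnatted_sources(capture, wan_net):
    """Private source addresses seen on the WAN that are outside the WAN subnet,
    i.e. packets that left without translation. Sorted, de-duplicated."""
    net = ipaddress.ip_network(wan_net)
    leaks = set()
    for line in capture.splitlines():
        m = HDR_RE.match(line)
        if m:
            src = ipaddress.ip_address(m.group(1))
            if src.is_private and src not in net:
                leaks.add(str(src))
    return sorted(leaks)

def wan_nat_targets(pfctl_output, wan_if):
    """Translation targets of 'nat on <wan_if>' rules in pfctl -sn output;
    an empty list means no outbound NAT rule is loaded for that interface."""
    return [m.group(2) for m in map(NAT_RE.match, pfctl_output.splitlines())
            if m and m.group(1) == wan_if]

def diagnose(capture, pfctl_output, wan_if, wan_net):
    """One-line verdict combining the capture and the ruleset check."""
    leaks, targets = unnatted_sources(capture, wan_net), wan_nat_targets(pfctl_output, wan_if)
    if leaks and not targets:
        return "no outbound NAT loaded on %s; unnatted sources on WAN: %s" % (wan_if, ", ".join(leaks))
    if leaks:
        return "NAT rule present but unnatted sources still seen: %s" % ", ".join(leaks)
    return "ok: outbound NAT on %s -> %s" % (wan_if, ", ".join(targets))

print(diagnose(CAPTURE, "", "em0", "192.168.122.0/24"))
```

Feed it the real pfctl -sn text and a Diagnostics > Packet Capture export instead of the embedded samples to run it against your own box.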
-
The appliance within GNS3 does not have any output with that command. I even inserted a 2nd appliance and tested that one with the same results.
-
well you got something wrong for sure then in your setup.. Pfsense is not doing what it's supposed to be doing.. And that prob explains your problem with it not working ;)
How exactly did you do that sniff? Did you do it via the pfsense diag packet capture or somewhere else?
So you're running the appliance from here https://docs.gns3.com/appliances/pfsense.html in GNS3; how does esxi come into play here? Going to need more info on how you got this all set up to try and figure out what is not right.
Your gns3 layout shows only em0 on the pfsense appliance with a trunk.. So your opt interface is a vlan? Why would you not just give the appliance 2 interfaces and put the router appliance between your clients and the network? Vs what looks to be a router on a stick.
-
I did use the diag packet capture to do the sniff.
I am running a central GNS3 Server (in ESXi) with that PFSense appliance imported. This way all of the processing is being handled on the server instead of my workstation. You are correct that em0 is a trunk and OPT is a vlan.
It is set up as a router on a stick currently to allow a PFSense VM to be migrated between 2 virtual hosts.
-
I would have to fire gns3 up on my esxi box to try and figure out what could be wrong.. But I can tell for sure that that command should have an output..
-
I appreciate the help. I will try to get another pfsense installation in GNS3 without using the appliance and see if that makes a difference.