pfsense WAN on private network
-
Hi. I have an instance of pfsense running entirely on a private network, where the WAN interface gets a DHCP address of 192.168.x.x, plus two other interfaces: 172.16.5.x and 172.16.6.x. This whole setup is purely for learning.
A host on either 172.16.x.x network can ping through the gateway to hosts on the WAN network (192.168.x.x), but I can't access any web servers, so ports 80 and 443 are inaccessible.
NAT appears to work correctly: a host on the WAN network sees ICMP traffic as coming from the WAN interface.
The two "Reserved Networks" check boxes are unchecked for both 172.16.x.x interfaces.
I can ping www.google.com, so routing also works. Any suggestions would be appreciated; the next step would probably be to reinstall.
-
On the WAN interface did you uncheck "Block private networks and loopback addresses"?
-
@penguin-nut said in pfsense WAN on private network:
NAT appears to work correctly, a host on the WAN network sees icmp traffic as from the WAN interface.
Great start. So sniff on the pfsense WAN: do you see pfsense send the SYN for the http/https connection to the host on your 192.168 WAN network?
What firewall rules do you have on your two 172.16 interfaces? While the first LAN-side interface (lan) would default to any any, when you create a second interface it would have no rules.
You say you can ping google, but can you access google?
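The "sniff on the WAN" check suggested above, as an added example that is not from this thread or from pfSense itself: a small Python script that reads `tcpdump -n` text output captured on the WAN interface and reports, per HTTP/HTTPS connection attempt, whether the SYN left with the WAN address as its source (outbound NAT applied) and whether a SYN/ACK came back. The capture lines and all addresses are constructed; 192.168.1.50 is the assumed pfSense WAN address.

```python
"""Classify outbound HTTP/HTTPS attempts seen in a WAN-side tcpdump capture."""
import re

# Constructed sample of `tcpdump -n -i <wan>` text output (not a real capture).
# 192.168.1.50 = assumed pfSense WAN address, 192.168.1.10 = web server on the WAN net.
SAMPLE_CAPTURE = """\
10:00:01.000001 IP 192.168.1.50.51234 > 192.168.1.10.80: Flags [S], seq 1, win 65535, length 0
10:00:01.000500 IP 192.168.1.10.80 > 192.168.1.50.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
10:00:02.000001 IP 192.168.1.50.51235 > 192.168.1.10.443: Flags [S], seq 3, win 65535, length 0
10:00:03.000001 IP 192.168.1.50.51235 > 192.168.1.10.443: Flags [S], seq 3, win 65535, length 0
10:00:04.000001 IP 172.16.5.20.51236 > 192.168.1.10.80: Flags [S], seq 4, win 65535, length 0
10:00:05.000001 IP 192.168.1.50 > 192.168.1.10: ICMP echo request, id 1, seq 1, length 64
"""

# Matches the TCP lines tcpdump prints: "<ts> IP a.b.c.d.sport > e.f.g.h.dport: Flags [..]"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def analyse_capture(text, wan_ip, ports=(80, 443)):
    """Map (src, sport, dst, dport) -> counts of SYNs sent / SYN-ACKs seen,
    plus whether the SYN carried the WAN address as source (NAT applied)."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ICMP, ARP and other non-TCP lines are not of interest here
        src, dst, flags = m.group("src"), m.group("dst"), m.group("flags")
        sport, dport = int(m.group("sport")), int(m.group("dport"))
        if flags == "S" and dport in ports:  # outbound SYN towards a web port
            key = (src, sport, dst, dport)
            f = flows.setdefault(key, {"syn_sent": 0, "syn_ack_seen": 0, "natted": src == wan_ip})
            f["syn_sent"] += 1
        elif flags == "S." and sport in ports:  # reply: SYN/ACK from the web port
            key = (dst, dport, src, sport)
            if key in flows:
                flows[key]["syn_ack_seen"] += 1
    return flows


def diagnose(flows):
    """Turn per-flow counts into one finding string per connection attempt."""
    findings = []
    for (src, sport, dst, dport), f in flows.items():
        where = f"{src}:{sport} -> {dst}:{dport}"
        if not f["natted"]:
            findings.append(f"{where}: SYN left WAN with LAN source, outbound NAT not applied")
        elif f["syn_ack_seen"] == 0:
            findings.append(f"{where}: {f['syn_sent']} SYN(s) sent, no SYN/ACK (server or return path)")
        else:
            findings.append(f"{where}: handshake answered")
    return findings


if __name__ == "__main__":
    for line in diagnose(analyse_capture(SAMPLE_CAPTURE, "192.168.1.50")):
        print(line)
```

On a live box the input would be `tcpdump -n -i <wan interface> tcp port 80 or tcp port 443` output saved to a file; a SYN that never appears on the WAN at all points back at the interface firewall rules rather than at NAT.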
-
@teamits I did; that didn't seem to allow traffic through. I ended up doing a "Reset to factory defaults", and it now works. Very strange. There is nothing different that I can tell between what I configured then and now. Maybe switching the configuration back and forth so many times got something messed up?
-
@penguin-nut said in pfsense WAN on private network:
Maybe switching the configuration back and forth so many times something got messed up?
Zero mention of any of that in the OP.
-
So I've discovered a couple of things related to my test environment. My pfSense instance runs on Xenserver 7.x on Dell hardware. NICs are plugged into a Cisco 2960 (IOS 15.x).
1 - Reconfiguring interfaces sometimes requires re-saving firewall rules. I reconfigured an interface; DHCP worked, but I was unable to ping the gateway and dig/nslookup failed. Re-saving the firewall allow rule for that interface fixed everything.
2 - System->Advanced->Networking
Disable hardware checksum offload
The above fixed a recurring problem I could not resolve with pfSense running on Xenserver 7.x on Dell hardware.
3 - VLAN configuration can get very confusing. There are VLANs configured on the Cisco 2960 switch Xenserver is plugged into; Xenserver allows assigning ports to VLANs; pfSense has VLANs. It is easy to break this and just as easy to fix.
-
@penguin-nut said in pfsense WAN on private network:
Disable hardware checksum offload
FYI, documented at https://www.netgate.com/docs/pfsense/book/config/advanced-networking.html?highlight=xen#hardware-checksum-offloading