Assign 3rd interface to Pfsense
-
how to properly add 3rd interface to pfsense 2.4.4 to get internet?
- I have added any any firewall rule to interface
-
That is all you need to do to allow clients on that interface out if the rest of the install is default.
You may also want to enable the DHCP server on the new interface if the clients there need to use DHCP.
Steve
-
After adding the new interface and creating the any any firewall rule.
- I receive a dhcp address from my server
-- I can ping the gateway which I made 10.x.x.254 my switch vlan interface is 10.x.x.1
-- I can ping any device on that LAN
--trying to ping outside 4.2.2.2 it doesn't work
What could I be missing ?
- I receive a dhcp address from my server
-
Is that the gateway on the client?
pfSense should not have a gateway on that internal interface. Doing so will make it outbound NAT to it in the defaul auo mode for outbound NAT.
Steve
-
-
Ok that should be fine then.
So set a continuous ping running to 4.2.2.2 then check the state table in Diag > States. Filter by 4.2.2.2.
You should see a state on the new interface and a state with NAT on the WAN interface.
Steve
-
Thanks Steve for your reply, I checked the states and filtered by 4.2.2.1, unfortunately it showed nothing. The firewall rule looks as below.
-
@techman2005
Outbound NAT is configured for 10.1.40.0/24 ???? -
it appears to be there. Is there another good way to look at the logs? NAT is auto generated.
-
@techman2005
Try to run Packet Capture or tcpdump on the wan interface to see what's going on
interface WAN
Protocol ICMP
Host 4.2.2.2Ideally , you should see this result
21:09:16.501092 IP XXX.XXX.1.96 > 4.2.2.2: ICMP echo request, id 25266, seq 0, length 64
21:09:16.556329 IP 4.2.2.2 > XXX.XXX.1.96: ICMP echo reply, id 25266, seq 0, length 64 -
-
If this is the wan interface, you can see that nat outbound does not work correctly
Try to use Manual Outbound NAT
-
If you're seeing packets come in but no states generated either on DEVICENET or WAN (you should see both) then something is blocking that traffic. Do you see it blocked in the firewall logs? Which rule is blocking it?
If not you may have something set to block without logging like maybe pfBlocker or Snort.Steve
-
I was able to get packet captures from both WAN and D net. where do I go from here? all your help is greatly appreciated.
-
Are you using 8.8.8.8 as the monitoring IP for the WAN? Or pinging it from anywhere else?
Because those pings on DEVICENET are at ~5s internals but on WAN are at 1s intervals. I don't think that's the same traffic.
You were seeing no open states and they will be there is traffic is being passed.
Check the firewall logs.
Do you have any packages installed?
Steve
-
-
Still 1s intervals on WAN and 5 internally. Use a different IP that isn't in use anywhere else.
Check the firewall logs.
Do you have any packages installed?
-
That interface doesn't even appear in the firewall logs.
Yes I have a few packages installed screenshot attached.
-
Ok, none of those packages should be an issue.
Did you filter the firewall logs by the IP you were trying to ping? Or by the interface you were pinging from?
That screenshot shows 21s of logs so they moght just not be shown there.But, again, try pinging by some other IP that is not used anywhere else. Leave the ping running then check the state table and filter by the target IP. Leave the interfaces set to 'all'. You should see states on both the internal interface and WAN. You can verify that by testing from a working interface so you know what it should look like.
Steve
-
@techman2005
Hey
Show the output of the command ifconfigor
Status/interfaces (Devicenet)
