Computers on the LAN can't reach outside
-
My pfSense firewall is plugged into my DSL modem to get Internet access. (The modem's IP address is 192.168.111.254, and pfSense's WAN IP address is 192.168.111.200).
Then I have a wifi router plugged into pfSense's LAN interface. The LAN interface has an IP address of 192.168.137.1 and runs a DHCP server.
The wifi router also runs a DHCP server (in the 192.168.1.* range)
But when I do a traceroute from a computer connected to the wifi, I get this result:
192.168.1.1 (the wifi router)
192.168.137.1 (the LAN interface)
That's all. It doesn't reach the DSL modem, and it can't reach the Internet.
Why not!!!???
I've set the following settings, and I'm out of ideas. Can anyone shed some light on my problem? What am I missing?
- If I do a traceroute from pfSense using "any" source address, I get 192.168.111.254 (the DSL router), then the rest of the Internet, so that works fine.
- System/Advanced/Firewall "Disable all packet filtering" is checked, so there is no firewall rule blocking anything.
- On the LAN interface, I have "IPv4 Upstream Gateway" set to "none", which is correct I think.
- On the WAN interface, I have "IPv4 Upstream Gateway" set to "GW_LAN - 192.168.111.254", which is correct I think.
- "Block Private Networks" is unchecked on all interfaces.
- I also have a few more interfaces, but I don't think they should be bothering anything. Their subnets are all different.
- This is a brand new installation
What is there left to do? Why can't the LAN get out to see the Internet? pfSense must be blocking it somewhere, but where and why?
Thanks.
-
It looks like pfSense is not aware that in order to send packets back to wifi-connected devices, it has to reach 192.168.1.0/24 through 192.168.137.n (I don't know which IP on the LAN is allocated to your wifi access point).
You should add this address as a gateway and define such a route.
Another option, if your wifi-connected devices are part of the LAN, is to extend your LAN to wifi and let pfSense manage all IPs, including wifi.
-
So I disabled the DHCP server on the wifi router, and plugged the pfsense box into a LAN (non-uplink) port on the wifi router, thus making the pfsense box the DHCP server for all wifi computers.
So I connected a computer to the wifi and got an address 192.168.137.13, which must have come from pfSense. But when I do a traceroute from this computer now, I get this result:
192.168.137.1 (the LAN interface)
And that's all. Same as last time.
Nothing has changed.
I can't get out to the Internet from LAN even like this.
Help!
What's left to try? A hardware problem on a network card?
-
Just from skimming the OP, assuming you have your masks configured properly, you either have a routing or DNS issue, so you need to isolate which problem you have.
Honestly though, the first thing you should do is simplify your network. You're triple NATing which is an awful idea. Here's my suggestion:
- Configure your modem as a bridge, so PFsense gets a public IP
- Verify the DNS forwarder is enabled
After that, there are a few different scenarios depending on what you want done, but basically:
Assuming you want your wifi clients segmented and isolated from your LAN:
- Statically set the LAN IP on your wifi router to something in the 192.168.137.0/24 range... (e.g. 192.168.137.254)
- Disable DHCP on your wifi router
- Remove the patch from the WAN port on your wifi router and move it to a LAN port on your wifi router
- Done. Your wifi router is now an AP only and your wifi clients will get DHCP info from PFsense. Clients should receive a gateway and DNS of 192.168.137.1.
If you want your wifi clients on the same network as your LAN:
- Plug a switch into your PFsense LAN port, then plug your wifi router into the switch
- Statically set the LAN IP on your wifi router to something in your LAN subnet
- Disable DHCP on your wifi router
- Remove the patch from the WAN port on your wifi router and move it to a LAN port on your wifi router
- Done. Your wifi router is now an AP only and your wifi clients will get DHCP info from PFsense.
-
The existing configuration should work as described, and since the traceroute starts going somewhere, the DNS of whatever is being traced must have resolved.
Maybe NAT is not happening - because it will have to NAT the LAN packets when going out WAN.
Check Firewall->NAT->Outbound - it should work on Automatic.
-
Thanks for the ideas Phil. I was traceroute'ing "8.8.8.8", so DNS is not even a question.
I checked the NAT setting. It is already set to "Automatic outbound NAT rule generation", and there is a rule that includes source "192.168.137.0/24" and NAT Address "WAN address".
Oh, and thank marvosa for the ideas. I think I'm already following your first set of instructions.
I'm about to give up and try a fresh install, unless anyone has any more ideas.
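An added example (not code from any poster) that models the thread's topology with constructed addresses to show why a traceroute from the LAN would stop after 192.168.137.1: the modem's ICMP time-exceeded reply for hop 2 has to be routable back to the client, which covers Phil's outbound NAT point and the first reply's return-route point (if the wifi router forwards 192.168.1.x traffic without NAT). The wifi router's LAN-side address 192.168.137.2 and the client 192.168.1.50 are assumptions.

```python
import ipaddress

# Constructed addresses modelling the thread (the wifi router's LAN-side address
# and the 192.168.1.x client are assumptions, not values from the thread).
CLIENT = "192.168.137.13"        # client behind pfSense directly (second attempt)
WIFI_CLIENT = "192.168.1.50"     # client behind the wifi router in router mode (first attempt)
WIFI_ROUTER = "192.168.137.2"    # assumed LAN-side address of the wifi router
PFSENSE_WAN = "192.168.111.200"
MODEM = "192.168.111.254"

def route(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if nothing matches."""
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None

# The modem only knows its own LAN and a default route to the ISP.
MODEM_ROUTES = [("192.168.111.0/24", "lan"), ("0.0.0.0/0", "isp")]
# pfSense: LAN and WAN are directly connected, everything else goes to the modem.
PFSENSE_ROUTES = [("192.168.137.0/24", "lan"), ("192.168.111.0/24", "wan"), ("0.0.0.0/0", MODEM)]

def traceroute_hop2(client, outbound_nat, pfsense_routes=PFSENSE_ROUTES):
    """Hop 1 is always 192.168.137.1 (pfSense answers the TTL=1 probe itself).
    Hop 2 is the modem expiring the TTL=2 probe; return the address the client
    would see, or None if the modem's ICMP time-exceeded reply never gets back."""
    # Source address of the probe as it leaves pfSense's WAN interface.
    probe_src = PFSENSE_WAN if outbound_nat else client
    # The modem addresses its reply to that source; it can only deliver it
    # toward pfSense if the address is in 192.168.111.0/24.
    if route(MODEM_ROUTES, probe_src) != "lan":
        return None            # reply to a 192.168.137.x / 192.168.1.x address goes to the ISP
    # pfSense un-NATs (if it NATed) and must then route the reply to the client.
    via = route(pfsense_routes, client)
    if via in ("lan", WIFI_ROUTER):
        return MODEM
    return None                # no return route: reply leaves via WAN again and is lost

if __name__ == "__main__":
    print(traceroute_hop2(CLIENT, outbound_nat=True))   # 192.168.111.254
    print(traceroute_hop2(CLIENT, outbound_nat=False))  # None: matches the stalled trace
    print(traceroute_hop2(WIFI_CLIENT, True))           # None without a route to 192.168.1.0/24
    print(traceroute_hop2(WIFI_CLIENT, True,
                          PFSENSE_ROUTES + [("192.168.1.0/24", WIFI_ROUTER)]))  # 192.168.111.254
```

One setting worth checking against this model: pfSense's "Disable all packet filtering" option also turns off NAT, because pf performs the translation, so the automatic outbound NAT rule shown in the GUI is not applied while that box is checked.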
-
It really depends on how you have configured your wifi access point.
The default is most likely "router mode", where disabling DHCP is not enough to ensure access to the internet.
You should also find "access point mode", which is the one I suggest. In this mode, you don't have a DHCP server or a different network.
Wifi and wired devices share the same LAN, and thus the same internet access.
-
You may have done this already, but since you've been tinkering with other advanced options, I'd suggest a fresh install: re-configure your interfaces, re-do your DHCP scopes, and I'll bet everything will just work.
-
No news = good news?