Can ping Internet from Pfsense but cannot from LAN
-
I installed pfSense on Proxmox and I'm able to access the internet from pfSense but can't from LAN. I can also ping pfSense from a PC on the LAN, and ping this PC from pfSense. I don't have any rules; everything is at default, which should allow me to connect to the Internet.
In Interfaces/WAN I unchecked "Block private networks and loopback addresses".
I'm kindly asking for help.
-
@lousylucky By default, your LAN would be 192.168.1.1, so you must have changed the default settings.
-
Yes, sorry, I made a mistake on the graph; for LAN I'm using 192.168.1.1.
-
@lousylucky said in Can ping Internet from Pfsense but cannot from LAN:
Yes, sorry, I made a mistake on the graph; for LAN I'm using 192.168.1.1.
If that's the case, you must have changed the default firewall rules.
-
@NollipfSense Currently I have something like this; almost everything is allowed.
-
@lousylucky The problem is here ... above you said your WAN is 10.0.0.140
-
@NollipfSense now I added any to any.
-
@lousylucky
Did you disable "hardware checksum offloading" on pfSense?
-
@lousylucky None of your WAN rules affect access from LAN. You can delete your 2nd LAN rule, since the allow-all rule underneath it handles all IPv4 traffic. When you say you can't access the Internet, what exactly do you mean? How are you testing, and what specific error message are you getting? Can you ping 8.8.8.8? Can you resolve www.netgate.com? Get rid of any rules you added to WAN and LAN. Get basic connectivity working before you start changing things.
-
@lousylucky first make a cup of tea or coffee and please watch this video on YouTube:
https://www.youtube.com/watch?v=wv1qTYR3faQ
Take note of the timestamps. For example, disabling IPv6 at the 41:21 timestamp.
-
@viragomann yes, I disabled this in Advanced/Networking.
@KOM now I have no rules. Everything is allowed from any to any.
@AKEGEC I turned off IPv6.
Still, the problem exists: I'm trying to ping 8.8.8.8 from the machine behind the firewall and this fails. But from the pfSense shell I can ping 8.8.8.8.
-
@lousylucky OK so then start looking at that machine behind the firewall. What is its network config? Does it have the correct IP address, mask & gateway? If you're sure those are correct, then do a packet capture on pfSense LAN to ensure the pings are hitting it.
-
@kom so yes, I think the problem is on the machine side. Who is responsible for translating the IP address? When I keep the default NAT in pfSense to translate, I think this is not working. When I disable it and add iptables in /etc/network/interfaces I'm able to ping 8.8.8.8, but does the data really go through pfSense?
As the default gateway in the PC I have pfSense (192.168.1.1), but for example, when I add this in iptables on Proxmox, I lose access to pfSense through the web browser and pfSense also can't ping my machine. But the same machine can ping pfSense.
-
@lousylucky I don't want to touch your system config there. You have too much going on with multiple bridges & iptables rules and I don't know about your network and its details. That's beyond the scope of this forum.
-
@lousylucky said in Can ping Internet from Pfsense but cannot from LAN:
Who is responsible for translating the IP address?
Both. Since your pfSense WAN is not in the Proxmox WAN-facing network, pfSense has to do the translation for LAN (to its WAN address) and Proxmox has to translate the pfSense WAN address into its vmbr0 address.
The latter might work, since you can access public IPs from pfSense itself.
If the outbound NAT on pfSense also worked, it shouldn't make any difference to Proxmox whether you ping 8.8.8.8 from pfSense or from a LAN device, as long as the packets pass through pfSense.
So I suspect that the outbound NAT is not working properly.
When I disable it and add iptables in /etc/network/interfaces I'm able to ping 8.8.8.8, but does the data really go through pfSense?
Which one? The rules on vmbr2, I guess.
If it works with that, the packets won't pass through pfSense.
So check the outbound NAT on pfSense. Possibly a rule stayed wrong if you changed the LAN network.
Otherwise use the Packet Capture tool from the Diagnostics menu, as @KOM already suggested, to investigate what's going on. Take a capture on LAN to see if the PC sends its packets to pfSense at all. If so, also take a capture on WAN to see if the NAT is working properly.
-
@viragomann So I made a packet capture on LAN and I see that the ping arrived at pfSense. I also made one on WAN and I also see a request from my LAN to pfSense, redirected to Proxmox, and a reply to pfSense, but pfSense didn't pass it to LAN. I also made an outbound rule, because before it was blank. Here's a screenshot from the WAN capture.
And I'm obtaining those results with the line translating 192.168.1.0/24 on Proxmox commented out; also, in this case, I can't get access to the internet (but as we can see the data is going to the internet and stops on pfSense):
#post-up iptables -t nat -A POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE
#post-down iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE
But when I apply the above translation on Proxmox, I can access the internet from LAN (with default gateway 192.168.1.1, which is pfSense); I can also ping pfSense from LAN, but I can't reach the pfSense web page, and pfSense can't ping my LAN PC.
-
@lousylucky
The ICMP replies you can see in the WAN capture might be the gateway monitoring from pfSense. There is nothing redirected to the Proxmox IP without any DNAT rule.
The second line in the capture screenshot shows that the packets go out with the LAN address, and the Outbound NAT screen shows no rule.
So for sure, there is nothing translated when packets go out on WAN, and therefore if you set the rule on Proxmox for the LAN subnet, ping to public IPs will work.
@lousylucky said in Can ping Internet from Pfsense but cannot from LAN:
I can't get access to the internet (but as we can see the data is going to the internet and stops on pfSense)
Where do you think you see that?
pfSense should add outbound NAT rules automatically for internal networks to interfaces which have a gateway defined. I assume the Proxmox IP is set as the gateway in the WAN interface settings, because of the gateway monitoring, but please check it again. Then go to the outbound NAT, select "automatic rule generation", hit save and check if an auto-rule is generated.
If not, switch to hybrid mode and re-enable the manual rule.
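The WAN-side capture check that @viragomann describes above (capture on WAN, then look at whether outbound packets still carry the LAN source or the pfSense WAN address, and tell gateway-monitoring ICMP apart from real traffic), as an added example that is not part of the thread. It parses tcpdump-style lines; the LAN 192.168.1.0/24 and WAN 10.0.0.140 come from the thread, while the gateway 10.0.0.1, the LAN PC 192.168.1.50 and the sample lines themselves are constructed.

```python
import ipaddress
import re
from collections import Counter

# tcpdump-style header "IP src[.port] > dst[.port]:"; the port suffix is absent for ICMP.
HDR = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")

# Constructed sample of a pfSense WAN-side capture (not the thread's screenshot). LAN 192.168.1.0/24
# and WAN 10.0.0.140 follow the thread; gateway 10.0.0.1 and LAN PC 192.168.1.50 are assumed.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.0.0.140 > 10.0.0.1: ICMP echo request, id 1, seq 1, length 64
12:00:01.000300 IP 10.0.0.1 > 10.0.0.140: ICMP echo reply, id 1, seq 1, length 64
12:00:02.000001 IP 192.168.1.50 > 8.8.8.8: ICMP echo request, id 2, seq 1, length 64
12:00:03.000001 IP 192.168.1.50.51234 > 1.1.1.1.443: Flags [S], seq 100, win 64240, length 0
"""

def classify_wan_capture(capture, lan_net="192.168.1.0/24", wan_addr="10.0.0.140", gateway="10.0.0.1"):
    """Count what a WAN capture reveals about pfSense outbound NAT:
    untranslated = LAN source still visible on WAN (outbound NAT missing),
    translated   = source is the pfSense WAN address,
    gw_monitor   = ICMP between WAN address and gateway (pfSense gateway monitoring),
    inbound      = anything else addressed to the WAN address."""
    lan = ipaddress.ip_network(lan_net)
    wan, gw = ipaddress.ip_address(wan_addr), ipaddress.ip_address(gateway)
    counts, leaked = Counter(), set()
    for line in capture.splitlines():
        m = HDR.search(line)
        if not m:
            continue
        src, dst = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        if src in lan:
            counts["untranslated"] += 1
            leaked.add(str(src))
        elif {src, dst} == {wan, gw} and "ICMP" in line:
            counts["gw_monitor"] += 1
        elif src == wan:
            counts["translated"] += 1
        elif dst == wan:
            counts["inbound"] += 1
    return counts, sorted(leaked)

def diagnose(capture, **kw):
    """One-line verdict on the outbound NAT state, derived from the counts above."""
    counts, leaked = classify_wan_capture(capture, **kw)
    if counts["untranslated"]:
        return f"outbound NAT missing: LAN sources {leaked} leave WAN untranslated"
    if counts["translated"]:
        return "outbound NAT working: LAN traffic leaves with the WAN address"
    return "no LAN-originated traffic seen on WAN; capture on LAN first"
```

On the sample the verdict is "outbound NAT missing", matching the thread's finding that packets leave WAN with the LAN address; once the automatic rule exists the same capture should show only the WAN address as source.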