Can't access internet



  • Here's my setup:

    Internet router that can't be put in bridge mode.
    pfSense box with IP from internet router
    pfSense IP in DMZ of internet router

    pfSense general setup DNS set:
    8.8.8.8 through wangw
    8.8.4.4 through wangw
    isp DNS through wangw
    192.168.150.1 none

    I've set up my gateway to the router's address: 192.168.170.1
    WAN interface has static IP from router: 192.168.170.2
    IPv4 Upstream Gateway 192.168.170.1/24
    Block private networks
    Block bogon.

    Lan interface 192.168.185.1/24
    No upstream gateway

    DHCP setup from lan 192.168.185.1 works fine

    From a machine on the 192.168.185.1/24 network I can (same thing from pfSense diag):
    Ping 8.8.8.8
    ping google.com

    I can't browse the web

    Any ideas?

    Thanks



  • You didn't mention your firewall rules. Please verify that all is configured as desired.
    Also, please have a look at your firewall logs and check if you see your web traffic passing or blocked. Make sure that you marked the "Log packets…" on each of your firewall rules.



  • The LAN rules are the basic ones:
    Anti-lockout rule
    Default allow LAN to any rule
    Tried to go to Google's IP 216.58.208.202 with the browser and the log shows as pass, but I can't reach the site.




  • You must not check "Block private networks" on WAN interface if you have a private subnet on WAN!



  • I've removed the "block private networks" and checked "Disable hardware checksum offload"
    Still no access, but new fwall log that shows blocks




  • The two blocks on LAN are IPv6. Maybe you've disabled IPv6.
    You can display the appropriate rule in the log by activating this in the log settings (Where to show rule descriptions).

    There is allowed access shown in the log to a private network. I don't know if this is on WAN or another internal one.

    Is your outbound NAT configured correctly?



  • I do indeed block IPv6.
    My outbound NAT is set to automatic.
    The WAN network range is 192.168.170.1/24. That's the ISP router's internal network.



  • The last log in your screenshot shows permitted https access to the internet. So if that doesn't work, I assume that responses do not come back to the source host.

    If your outbound NAT is set to automatic, the packets' source address should be translated to the WAN address and everything should work properly.

    Ensure that your WAN subnet is configured correctly at pfSense and your router. Check the mask.
    For troubleshooting, do a packet capture (Diagnostic menu) on WAN and LAN while you try to access a public site.



  • The mask for the 192.168.170.0 network is 255.255.255.0
    The one setup in the wan gateway is 192.168.170.1/24
    Attaching the capture file

    [185.31 log.txt](/public/imported_attachments/1/185.31 log.txt)



  • For evaluating the packet capture, it's necessary to know on which interface it is taken.
    If this is from LAN it's okay, if it's from WAN your outbound NAT doesn't work.

    If you do a capture again, please select IPv4 address family and TCP protocol for more clarity.



  • Here's a new capture
    Interface: lan
    address family:ipv4
    protocol tcp

    Thanks

    [185.31 log.txt](/public/imported_attachments/1/185.31 log.txt)



  • As said above, for LAN the former capture was okay anyway. It depends on WAN.



  • Did another test.
    From the pfSense console I was able to download a file with curl.
    Tried from a std Ubuntu server and it fails.
    So there's really a block from lan to wan.  :'(



  • A misconfigured outbound NAT could cause the same effect.
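
The check suggested in this thread (LAN source addresses appearing in a WAN-side capture mean outbound NAT is not translating), as an added example that is not part of any post: a Python sketch that classifies tcpdump text output from a WAN capture. The subnets and WAN address are the ones quoted in the thread; the capture lines and the client 192.168.185.50 are constructed for illustration.

```python
import ipaddress
import re

# Values quoted in the thread; change them for your own network.
LAN_NET = ipaddress.ip_network("192.168.185.0/24")
WAN_ADDR = ipaddress.ip_address("192.168.170.2")

# Matches tcpdump text lines: "<time> IP <src>.<port> > <dst>.<port>: Flags [S], ..."
LINE_RE = re.compile(
    r"\bIP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

# Constructed WAN-side samples (not taken from the attached capture files).
BROKEN_WAN = """\
10:00:00.000001 IP 192.168.185.50.51000 > 216.58.208.202.443: Flags [S], seq 1000, win 64240, length 0
10:00:01.000001 IP 192.168.185.50.51000 > 216.58.208.202.443: Flags [S], seq 1000, win 64240, length 0
"""
WORKING_WAN = """\
10:00:00.000001 IP 192.168.170.2.51000 > 216.58.208.202.443: Flags [S], seq 1000, win 64240, length 0
10:00:00.020001 IP 216.58.208.202.443 > 192.168.170.2.51000: Flags [S.], seq 2000, ack 1001, win 65535, length 0
"""

def check_wan_capture(text):
    """Classify a WAN capture: is outbound NAT applied, and do replies come back?"""
    leaked, syn_out, synack_in = set(), 0, 0
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip ARP, IPv6 and anything that is not IPv4 TCP
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(3))
        flags = m.group(5)
        if src in LAN_NET:
            leaked.add(str(src))      # LAN address seen on WAN: not translated
        if src == WAN_ADDR and flags == "S":
            syn_out += 1              # translated (or firewall-originated) SYN
        if dst == WAN_ADDR and flags == "S.":
            synack_in += 1            # SYN-ACK returning to the WAN address
    if leaked:
        verdict = "outbound NAT not applied"
    elif syn_out and not synack_in:
        verdict = "NAT applied, no replies from upstream"
    elif syn_out:
        verdict = "NAT applied, replies arriving"
    else:
        verdict = "no outbound TCP seen"
    return {"verdict": verdict, "untranslated_sources": sorted(leaked)}
```

Traffic from the pfSense console (such as the curl test in the thread) also leaves with the WAN address as source, so run the capture while only the LAN client is generating traffic.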