Outbound to Internet not working



  • Config:
    pfSense with single interface (10.7.0.4) on subnet 10.7.0.0/29. All Internet-bound traffic is forwarded to 10.7.0.4 via a routing mechanism called user-defined routing.

    Host (10.7.1.4) on subnet 10.7.1.0/24 cannot browse the Internet. Note when I tracert from host I see the pfSense box is the first hop:

    PS C:\Users\demouser> tracert www.homestead.com

    Tracing route to www.homestead.com [108.167.135.50]
    over a maximum of 30 hops:

    1    <1 ms    <1 ms    <1 ms  10.7.0.4
    2    *        *        *    Request timed out.

    Also I see the traffic being allowed on the firewall:

    pass/1467663836
    Jul 6 03:38:19 WAN 10.7.1.4:63396 108.167.135.50:80 TCP:SEC

    Packet capture from pfSense shows host trying to set up TCP session.
    12 9.086574 10.7.1.4 108.167.135.50 TCP 66 63438 → 80 [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1418 WS=256 SACK_PERM=1

    Then it retransmits several times. So it seems like pfSense is doing its job but I'm guessing maybe there is not a path back to the host? Any thoughts as to what may be going wrong and how to troubleshoot further would be very appreciated. I'm banging my head up against a wall at this point… :o



  • Is the packet capture taken on LAN or WAN interface?



  • @viragomann - there is only 1 interface on the pfSense appliance. Thanks so much for replying.

    Well thanks to some help from a friend I got this working. I had to enable Manual outbound NAT and provide a manual mapping:

    Interface: WAN (the only interface)
    Source: 10.7.0.0/16 (my internal network)
    Src Port: *
    Destination: *
    Dest. Port: *
    NAT Address: WAN Address
    NAT Port: *
    Static Port: NO

    I am going to post my full config in the forum later so it will hopefully help others.
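Added example (not from the thread or from pfSense itself) that models why the manual outbound NAT mapping above makes the return path work: a small Python simulation of the single-NIC setup using the addresses from the first post. Route precedence (longest prefix, user-defined route over system route on a tie) and the pf-style state entry are modelled faithfully; the rule that an Internet reply is only deliverable when it is addressed to an address the appliance NIC owns is a deliberate simplification of the Azure fabric, stated as an assumption in the code.

```python
"""Added model of the single-NIC pfSense-in-Azure path discussed in this thread.
Addresses come from the first post; the reply-delivery rule is a deliberate simplification."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str            # "VnetLocal", "Internet" or the IP of a virtual appliance
    origin: str = "system"   # "system" (Azure default route) or "user" (UDR)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def lookup(routes, dst):
    """Longest-prefix match; on equal length a user-defined route beats a system route."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r.prefix]
    if not hits:
        return None
    return max(hits, key=lambda r: (r.prefix.prefixlen, r.origin == "user"))


APPLIANCE = "10.7.0.4"
HOST = "10.7.1.4"

# Constructed route table for the host's subnet: Azure system routes plus the UDR
HOST_SUBNET_ROUTES = [
    Route(ipaddress.ip_network("10.7.0.0/16"), "VnetLocal"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "Internet"),
    Route(ipaddress.ip_network("0.0.0.0/0"), APPLIANCE, origin="user"),
]

# Manual outbound NAT as configured in the post: (source network, translate-to address)
OUTBOUND_NAT = [(ipaddress.ip_network("10.7.0.0/16"), APPLIANCE)]


def apply_outbound_nat(pkt, nat_rules):
    """First matching rule rewrites the source; returns (packet on the wire, state entry).
    The state entry maps the translated (addr, port) back to the original, like pf's state table."""
    for net, nat_addr in nat_rules:
        if ipaddress.ip_address(pkt.src) in net:
            out = Packet(nat_addr, pkt.dst, pkt.sport, pkt.dport)
            return out, {(out.src, out.sport): (pkt.src, pkt.sport)}
    return pkt, {}


def reply_path(nat_rules):
    """Send one SYN from HOST to the Internet and return the hops the reply reaches.
    Model assumption: a reply from the Internet is delivered only if it is addressed to an
    address the appliance NIC owns; a reply addressed to a private host IP has no path back."""
    syn = Packet(HOST, "108.167.135.50", 63438, 80)
    assert lookup(HOST_SUBNET_ROUTES, syn.dst).next_hop == APPLIANCE  # UDR steers the SYN
    on_wire, state = apply_outbound_nat(syn, nat_rules)
    reply = Packet(on_wire.dst, on_wire.src, on_wire.dport, on_wire.sport)
    if reply.dst != APPLIANCE:
        return []                                   # dropped: nothing reachable owns 10.7.1.4
    orig_src, orig_sport = state[(reply.dst, reply.dport)]
    reply = Packet(reply.src, orig_src, reply.sport, orig_sport)   # un-NAT from the state entry
    return [APPLIANCE, reply.dst]


if __name__ == "__main__":
    print("without outbound NAT:", reply_path([]) or "reply dropped")
    print("with outbound NAT:   ", reply_path(OUTBOUND_NAT))
```

Running it shows the SYN reaching the appliance in both cases (matching the tracert and the firewall "pass" log in the first post), while the reply only comes back through 10.7.0.4 to 10.7.1.4 once the source is translated to the WAN address.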



  • @Coldaddy:

    I am going to post my full config in the forum later so it will hopefully help others.

    I just finished a blog post that goes over a working configuration of pfSense in Azure. I hope it helps others and I welcome feedback.

    https://www.opsgility.com/blog/2016/07/14/rethinking-paradigms-in-networking-firewalls-in-the-public-cloud/

    Thanks,
    Steve



  • Hey Coldaddy, and everybody else. Thanks for creating the guide.

    I have tried to set this up, but haven't gotten outbound internet traffic to be routed correctly.

    VNet: 10.0.0.0/16
    DMZ for pfSense with Single NIC: 10.0.0.0/24
    FrontEnd: 10.0.1.0/24
    BackEnd: 10.0.2.0/24

    Route in FrontEnd net: 10.0.2.0/24 to next hop virtual appliance 10.0.0.4
    Route in BackEnd net: 10.0.1.0/24 to next hop virtual appliance 10.0.0.4

    pfSense: 10.0.0.4
    Server 1: 10.0.1.4
    Server 2: 10.0.2.4

    Current setup works and I am routing between the two server networks via the appliance.

    traceroute to 10.0.1.4 (10.0.1.4), 30 hops max, 60 byte packets
    1  10.0.0.4 (10.0.0.4)  1.786 ms  1.774 ms  1.765 ms
    2  10.0.1.4 (10.0.1.4)  2.387 ms  2.380 ms  2.373 ms

    I now try to change the route in the FrontEnd net to 0.0.0.0/0 with next hop virtual appliance 10.0.0.4, and now everything breaks. Even the routing between the two internal networks. Extremely bizarre that a 10.0.2.0/24 => 10.0.0.4 route behaves differently than a 0.0.0.0/0 => 10.0.0.4 one. The latter route just covers the first network, and everything else.

    This is the result when doing a couple of traces.

    traceroute to 10.0.1.4 (10.0.1.4), 30 hops max, 60 byte packets
    1  10.0.0.4 (10.0.0.4)  2.414 ms  2.402 ms  2.396 ms

    traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
    1  * * *
    2  * * *
    3  * * *
    ... up to 30 timeouts

    I see that you at least got all the way to the appliance when trying to access the internet, but in my case it seems like the traffic is trying to go through the standard Azure gateway.

    Any idea about what it could be?



  • I got it working!  :)

    For internet access with Outbound NAT routed through pfSense I added VNet-Internet rule (attached image) to the pfSense NSG inbound security rules.

    Remember that private networks are blocked in the Azure NSG (Network Security Group) connected to pfSense in Azure. In my case I added inbound and outbound security rules for my on-premises network 172.26.28.0/24 and traffic started flowing through the IPsec VPN connection.

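Added example (not from the thread or from Azure's own tooling) of why the inbound NSG rule above was needed: a Python model of first-match NSG evaluation with Azure's three default inbound rules, applied to a forwarded packet arriving at the appliance NIC. The default rule names, priorities and the service tags are the real ones; treating the VirtualNetwork tag as only the VNet's own address space (10.0.0.0/16 from the post above) and the Internet tag as any globally routable address are simplifications, marked in the code.

```python
"""Added model of Azure NSG inbound evaluation for the pfSense single-NIC case in this thread."""
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")       # VNet address space from the post above
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    source: str        # CIDR, "VirtualNetwork", "Internet", "AzureLoadBalancer" or "*"
    destination: str
    dest_port: str     # "*" or a single port number
    action: str        # "Allow" or "Deny"


def selector_matches(selector, ip):
    """Simplified service-tag matching; real tags cover more (peered VNets, on-prem ranges)."""
    ip = ipaddress.ip_address(ip)
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return ip in VNET                  # simplification: only this VNet's own space
    if selector == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    if selector == "Internet":
        return ip.is_global                # simplification: any globally routable address
    return ip in ipaddress.ip_network(selector)


# Azure's default inbound rules (cannot be removed, only overridden by lower priorities)
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

# The rule the post above added so Internet-bound traffic may enter the appliance NIC
VNET_INTERNET = Rule("VNet-Internet", 100, "VirtualNetwork", "Internet", "*", "Allow")


def evaluate(rules, src, dst, dport):
    """Return (rule name, action) of the first matching rule in priority order."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (selector_matches(r.source, src) and selector_matches(r.destination, dst)
                and (r.dest_port == "*" or int(r.dest_port) == dport)):
            return r.name, r.action
    return None, "Deny"


def forwarded_internet_flow(extra_rules=()):
    """Server 1 (10.0.1.4) sends a DNS query to 8.8.8.8; the UDR delivers it to the
    appliance NIC, where the NSG inbound rules are evaluated against the original
    source and destination."""
    return evaluate(list(extra_rules) + DEFAULT_INBOUND, "10.0.1.4", "8.8.8.8", 53)


if __name__ == "__main__":
    print("defaults only:      ", forwarded_internet_flow())
    print("with VNet-Internet: ", forwarded_internet_flow([VNET_INTERNET]))
    print("server to server:   ", evaluate(DEFAULT_INBOUND, "10.0.1.4", "10.0.2.4", 22))
```

The server-to-server case passes AllowVnetInBound because both addresses are inside the VNet, which is why the 10.0.2.0/24 route worked; a packet for 8.8.8.8 has a destination outside the VirtualNetwork tag, so it falls through to DenyAllInBound until a lower-priority-number allow rule with an Internet destination exists.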
