LAN/OPT1 client ping through WAN -> host unreachable.



  • Hello there,
    I just recently found out about pfSense and it looks great to me because
    of the feature that it can be installed on a hard disk much more easily than m0n0wall.
    However I have a small problem since I'm a newbie with these things.
    I have WAN, LAN and OPT1 interfaces on my pfSense beta2 box.
    The WAN has a static IP and is connected to my friend's LAN through his AP.
    I have turned off 'block private networks' on the WAN interface and I bridged LAN
    to OPT1. What confuses me is that from the WAN, LAN and OPT1 interfaces I can ping
    my friend's machine which is sharing the internet through a proxy, but I can't ping
    it as a client on OPT1 or LAN (host unreachable) and I can't have internet. ??? ???
    On the firewall tab I have enabled all to go through but still it doesn't work.
    My friend is using the rather nonstandard IP range of 1.1.5.0 and on the other
    side I have, on LAN and OPT1, a C range of 192.168.0.0.
    You see, I want my LAN to be separated from his LAN but to be able to share
    the internet with him.
    I don't know if there is something more that should be done or what?
    If there was a similar thread about this please redirect me because I didn't
    find any that could answer my question... yet.



  • I just fixed a ton of LAN bridging issues.

    Do this from a shell (since you have a full installation) to update to the latest:

    cvs_sync.sh releng_1 && /etc/rc.filter_configure && pfctl -f /tmp/rules.debug

    Make sure that pfctl does not spit any errors out.  Now retest and report back :)



  • @sullrich
    Can I use the downloaded update_beta3 for beta2, and how do I do it?



  • Feed your update file at System>firmware, manual update. Wait for the firewall to reboot. Then run the above posted cvs sync command on top of it after it has returned.



  • I did upgrade firmware and cvs. Everything went fine but I'm still having the same problem.
    For:
    WAN
    LAN
    OPT1
    ping works but as a client on OPT1 I get 'host unreachable' from WAN interface. :'(
    I tried to add some rules for WAN to let ICMP and TCP/UDP packets but without success.



  • It seems to me that everything that comes to the WAN interface is blocked even though
    I made two rules for this device in the Firewall tab to pass everything from the WAN network and LAN/OPT1. ???
    In System log/Firewall there are still a lot of UDP and IGMP packets that are blocked on this device.



  • Click on the small block icon in front of the line at system>systemlogs, firewall. It will tell you which rule blocked the connection. If it reads something like "block all just to make sure" your rules are not correct.



  • If I connect to my ISP directly through PPPoE without any rule
    in the firewall except the default ones, then everything works fine.
    If I use a static IP to connect to my friend's AP and I enable these rules
    for WAN:

    Proto    Source        Port  Destination   Port  Gateway   Description
    TCP/UDP  192.168.0.11  *     1.1.5.0/24    808   1.1.5.10  LAN > WAN
    ICMP     192.168.0.11  *     1.1.5.0/24    *     *         ICMP LAN -> WAN
    ICMP     OPT1 net      *     1.1.5.0/24    *     *         ICMP OPT1 -> WAN
    TCP/UDP  OPT1 net      *     1.1.5.0/24    808   1.1.5.10  OPT1 -> WAN

    I cannot ping anyone on the 1.1.5.0 net, nor get internet.
    192.168.0.11 is my machine (a client on OPT1).
    I have checked the log option for each of these rules and none of them
    appeared in System logs/Firewall.
    Also I checked this option for the LAN and OPT1 rules which are passing everything
    and guess what, none of them appeared in the log although they should.
    All I can see is that WAN is blocking incoming packets and yes there is
    "block all just to make sure" if I click on the icon in the log.

    I must admit that I am a noob about all these things but I want to learn more.
    I also didn't mention that I'm not using my original MAC on WAN with my friend
    because we are using the same (my) account at the ISP which is filtering MAC addresses.
    So in order to connect to my friend's AP I'm using a different address because of
    possible collisions or whatever, and he is using mine when we are sharing the internet.
    Perhaps this could be the problem.
    My wlan is Prism2.5 based.



  • The rules have the wrong direction (source and destination). Also I think your whole setup is a bit wrong. Just to clarify:

    internet-----your friend's access point ) ) ) )    wifi      ( ( ( (wireless wan/pfsense/lan-----clients

    Is it this way? What is the OPT1 for?

    I suggest first setting rules at all interfaces like this: pass any protocol, any source, any destination. This way you have allowed all traffic.
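Why the posted rules never logged a hit and why "pass any on every interface" is the right first test: pfSense evaluates a rule only against traffic entering the interface the rule is placed on, first match wins, and anything unmatched falls through to the implicit default deny (the "block all just to make sure" entry seen in the log). The toy evaluator below is an added example written for this thread, not pfSense code, and it does not model state tracking, bridging or NAT. The addresses come from the posts; treating "OPT1 net" as 192.168.0.0/24 is an assumption.

```python
"""Toy model of pfSense interface-rule evaluation (added example, not pfSense code).

One rule of pf semantics the thread turns on: a GUI rule is matched against
packets *entering* the interface it is attached to. Rules on WAN are never
consulted for a packet that arrives on OPT1. State, bridging and NAT are
deliberately not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    iface: str            # interface the rule is attached to
    proto: str            # "any", "icmp" or "tcp/udp", as in the GUI
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dport: str = "any"    # destination port or "any"
    label: str = ""


@dataclass(frozen=True)
class Packet:
    in_iface: str         # interface the packet ENTERS the firewall on
    proto: str            # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None


# Label of the implicit default deny, as quoted from the log in the thread.
DEFAULT_DENY = ("block", "block all just to make sure")


def _addr_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def _proto_match(rule_proto: str, pkt_proto: str) -> bool:
    return rule_proto == "any" or pkt_proto in rule_proto.split("/")


def _port_match(rule_port: str, pkt_port: Optional[int]) -> bool:
    return rule_port == "any" or (pkt_port is not None and int(rule_port) == pkt_port)


def evaluate(rules, pkt):
    """First matching rule on the ingress interface wins (GUI rules are 'quick');
    no match means the implicit default deny."""
    for r in rules:
        if (r.iface == pkt.in_iface
                and _proto_match(r.proto, pkt.proto)
                and _addr_match(r.src, pkt.src)
                and _addr_match(r.dst, pkt.dst)
                and _port_match(r.dport, pkt.dport)):
            return ("pass", r.label)
    return DEFAULT_DENY


# The rules as posted: attached to WAN, with the OPT1 client as source.
# "OPT1 net" is assumed to be 192.168.0.0/24.
POSTED_ON_WAN = [
    Rule("wan", "tcp/udp", "192.168.0.11/32", "1.1.5.0/24", "808", "LAN > WAN"),
    Rule("wan", "icmp", "192.168.0.11/32", "1.1.5.0/24", "any", "ICMP LAN -> WAN"),
    Rule("wan", "icmp", "192.168.0.0/24", "1.1.5.0/24", "any", "ICMP OPT1 -> WAN"),
    Rule("wan", "tcp/udp", "192.168.0.0/24", "1.1.5.0/24", "808", "OPT1 -> WAN"),
]

# Same match criteria, attached to the interface the client's traffic actually enters on.
SAME_RULES_ON_OPT1 = [Rule("opt1", r.proto, r.src, r.dst, r.dport, r.label) for r in POSTED_ON_WAN]

# hoba's suggestion: pass any protocol / any source / any destination on every interface.
PASS_ANY_EVERYWHERE = [Rule(i, "any", "any", "any", "any", f"pass any on {i}")
                       for i in ("wan", "lan", "opt1")]

# Constructed packets: the OPT1 client pinging, and talking to the proxy on, 1.1.5.10.
PING_FROM_CLIENT = Packet("opt1", "icmp", "192.168.0.11", "1.1.5.10")
PROXY_FROM_CLIENT = Packet("opt1", "tcp", "192.168.0.11", "1.1.5.10", 808)


def demo():
    """Return {ruleset name: (verdict for ping, verdict for proxy connection)}."""
    results = {}
    for name, ruleset in (("posted on WAN", POSTED_ON_WAN),
                          ("same rules on OPT1", SAME_RULES_ON_OPT1),
                          ("pass any everywhere", PASS_ANY_EVERYWHERE)):
        results[name] = (evaluate(ruleset, PING_FROM_CLIENT),
                         evaluate(ruleset, PROXY_FROM_CLIENT))
    return results


if __name__ == "__main__":
    for name, (ping, proxy) in demo().items():
        print(f"{name:22} ping={ping}  proxy={proxy}")
```

Running it shows the posted WAN rules falling through to the default deny for both packets, which matches the empty per-rule log and the "block all" icon described above, while the same criteria on OPT1 (or hoba's pass-any set) pass them. Reply traffic from 1.1.5.10 is handled by pf's state table on a real box, so it needs no WAN rule; that is the part this model leaves out.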



  • @hoba:

    I suggest first setting rules at all interfaces like this: pass any protocol, any source, any destination. This way you have allowed all traffic.

    Well, I did that at first and it didn't work so I tried to add some rules.
    That is why I am confused. As you can see I mentioned in my first post
    that I allowed everything everywhere and the OPT1/LAN interfaces, which are behind
    WAN, can ping the outside, but the client behind OPT1 is somehow blocked.

    The OPT1 I use to directly connect my machine with pfSense through switched UTP
    and that is just for this time until I configure pfSense. The LAN is connected to my switch.

    This is my configuration:
    internet-----your friend's access point ) ) ) )    wifi      ( ( ( (wireless wan/pfsense/lan-----clients
                                                                                        |
                                                                                        |
                                                                                     opt1-------my machine

    The OPT1 and LAN are in the same IP range. Could this be a problem?



  • Yes, OPT1 and LAN should have different ranges or you break routing. Otherwise bridge OPT1 to LAN and don't use an IP address on OPT1.



  • I am sorry for troubling you hoba but this just doesn't work for me.

    I have reset the pfSense box to the factory settings, and I connected my machine (slackware)
    to the LAN.
    Then I set a static IP and MAC for WAN, also I disabled 'block private networks' and set
    the firewall rule for WAN to pass everything and to log its traffic.
    LAN is not blocking anything.

    I still can't get to the remote network or use the internet.

    One thing that is very interesting is that I used this same wlan card on my machine (slackware)
    and whenever I tried to connect to my friend's AP I needed to refresh its settings because
    when it associated for the first time I wasn't able to use the net, so I tried to connect a few times
    to google and the wlan card just disassociated itself from the AP. After that I just refresh it and everything
    goes fine. And I need to do that every time I reboot.

    In pfSense, when I use PPPoE, in Status/Wireless my ISP's AP is clearly noted, but for Static IP
    there is nothing noted about my friend's AP.
    ???

    This could be a hardware issue.
    What drivers is pfSense using for Prism based cards?



  • What happens if you save the Interface settings of the wireless client again? It will reload the interface settings and reinitialize the card.



  • Yes, but still there is no AP listed in Status/Wireless. :(



  • I'm not sure if this will show up there if you use a mode other than accesspoint.



  • Well at this very moment I'm using my PPPoE account on the ISP and there the ISP's AP IS listed.
    There is a SSID, BSSID, channel, everything.



  • here is a snapshot




  • @hoba:

    I'm not sure if this will show up there if you use a mode other than accesspoint.

    I assume that you didn't believe me when I said that my WISP is broadcasting its MAC
    addresses.
    However you can check it here on this link www.panonnet.net/
    Please click on 'MAPA' at the bottom of the page.

