Problem with FW itself Internet Access



  • Hello,

    I have made the configuration that I drew in the image, and all LAN devices can access the internet, and the port forwarding is also working well to send traffic to our internal servers.

    The Movistar router passes all traffic for our public IP to the WAN IP of our FW, which is 192.168.1.1.
    Our FW has a manual outbound NAT config with our public address configured (SNAT).
    All this works well, but the FW itself can't access the internet. Because of this, I can't install packages, configure the HTTP proxy, etc.

    I have installed Zentyal 3.5 on a test computer and configured the same scenario, and everything works, and Zentyal itself can access the internet. So this means that the Movistar router has the correct configuration.

    Any idea about what can be happening and how I can solve this, please?

    Many thanks
    ![network .png](/public/imported_attachments/1/network .png)



  • What subnet mask are you using on your LAN? What is your network and DNS config on your firewall? Can you ping the router from your firewall? Are you saying that your users on your LAN can access the internet but the firewall can't? Does your router have any MAC filtering in place which could be preventing the firewall from connecting?

    Post screenshots of your network config on the firewall and your DNS settings. And a bit more clarity in your problem description, please. It's unclear what the exact problem is (see above).



  • Hello,

    • The mask in my LAN is 255.255.255.0
    • The firewall network config, as shown in the image, is WAN - 192.168.1.1 - 255.255.255.0 - GW 192.168.1.99, and LAN - 192.168.0.1 - 255.255.255.0 (no GW configured)
    • I can ping the Movistar router from the firewall at IP 192.168.1.99 without problem.
    • Yes, all users in the LAN can access all internet services, HTTP, FTP, etc., but the firewall can't.
    • No, there is no configuration in the router to block the firewall's access to the internet. I installed an old Zentyal 3.5 to test, made the same configuration, and Zentyal can access the internet.

    As I have configured our public IP address in the outbound NAT, I think it is not being used by the firewall itself to access the internet. I will post an image of the settings used. The port forwarding configuration is working well for access to the services of our servers.

    Many thanks for your help.

  • Ok, so what are the DNS settings for your firewall? And what DNS server(s) are you assigning your LAN clients (via DHCP, I assume)? From the description, this sounds like a possible DNS issue. Have you tried remoting onto the firewall via SSH and running a dig or nslookup against some random remote hosts - bbc.co.uk or www.yahoo.com, for instance? If that works, have you tried running a telnet from the same command prompt on the firewall to a remote host on port 80 (e.g. `telnet www.bbc.co.uk 80`)?
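    The two-stage check suggested in the reply above (resolve the name first, then try a plain TCP connect to port 80 so that a DNS failure is not confused with a routing or NAT failure), written up as an added Python example. This script is not part of the thread and not pfSense code; the host and port are whatever you pass on the command line, and the `start_local_listener` helper exists only so the logic can be exercised on the loopback interface without internet access.

    ```python
    #!/usr/bin/env python3
    """Separate "name does not resolve" from "name resolves but nothing answers".

    Added example (not from the forum thread). Run it on the firewall shell as:
        python3 conncheck.py www.bbc.co.uk 80
    """
    import socket
    import sys

    TIMEOUT = 3.0  # seconds per connect attempt; assumed value


    def resolve(host):
        """Return the sorted list of IP addresses for host, or [] if it does not resolve."""
        try:
            infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
        except socket.gaierror:
            return []
        return sorted({info[4][0] for info in infos})


    def tcp_connect(ip, port, timeout=TIMEOUT):
        """True if a TCP handshake to ip:port completes within timeout."""
        try:
            with socket.create_connection((ip, port), timeout=timeout):
                return True
        except OSError:  # refused, unreachable, timed out, no route, ...
            return False


    def diagnose(host, port=80, timeout=TIMEOUT):
        """Classify the failure stage: 'dns' (no resolution), 'tcp' (resolves but
        no address accepts the connection) or 'ok' (at least one address answers)."""
        ips = resolve(host)
        if not ips:
            return "dns"
        for ip in ips:
            if tcp_connect(ip, port, timeout):
                return "ok"
        return "tcp"


    def start_local_listener():
        """Open a listening socket on 127.0.0.1 on a free port (for offline testing only)."""
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", 0))
        srv.listen(5)
        return srv


    def main(argv):
        host = argv[1] if len(argv) > 1 else "www.bbc.co.uk"
        port = int(argv[2]) if len(argv) > 2 else 80
        stage = diagnose(host, port)
        hints = {
            "dns": "name resolution fails: check the firewall's own DNS servers first",
            "tcp": "name resolves but no TCP connect: look at outbound NAT / routing for "
                   "traffic the firewall itself originates",
            "ok": "DNS and TCP both work from this host",
        }
        print(f"{host}:{port} -> {stage}: {hints[stage]}")
        return 0 if stage == "ok" else 1


    if __name__ == "__main__":
        sys.exit(main(sys.argv))
    ```

    A result of `dns` points at the resolver settings on the firewall itself; a result of `tcp` while LAN clients reach the same host points at how packets originated by the firewall (source address, outbound NAT, gateway) differ from those forwarded for the LAN.
    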



  • I didn't change any DNS settings after the installation, so they are at their defaults. General Settings -> DNS Server Settings has 127.0.0.1 and 192.168.0.12. All clients in the LAN are using 192.168.0.12 as the DNS server.
    When I run nslookup in the firewall shell, the address is resolved, and the same goes for ping or telnet.

    Any other idea?

    Thanks




  • Post your firewall rules for both your WAN and LAN. It's starting to look like you either have a block rule for your firewall set somewhere in your rules, or the Movistar device is causing some kind of block.



  • Here I post the rules for LAN and WAN. All of them were created automatically when I configured the port forwarding for access to the internal servers.
    I don't think the problem is in the Movistar router, because if I use the old Zentyal proxy with the same configuration it works well and can access the internet itself.
    Any idea about the rules?
    Many thanks

    ![RULES 1.JPG](/public/imported_attachments/1/RULES 1.JPG)
    ![RULES 2.JPG](/public/imported_attachments/1/RULES 2.JPG)



  • From what I can see, there doesn't appear to be anything on the firewall blocking access to the internet from your firewall. Have you tried running a default config on the PFS first, without all the forwarding rules, etc? If you start with a basic, vanilla installation you ought to be able to access the internet directly from the firewall. From there you can then customise your setup and continue testing until the issue reappears.



  • Hello,
    It has the problem right after the installation. When I install pfSense, I configure both interfaces, WAN and LAN. After that I have to manually configure the outbound NAT because I need to configure the public IP to go to the internet. If I don't configure the public IP in the outbound NAT, anyone will go to the internet.
    So just when I do that, all LAN computers go to the internet but the proxy doesn't.

    Any other idea?



  • @franae:

    It has the problem right after the installation. When I install pfSense, I configure both interfaces, WAN and LAN. After that I have to manually configure the outbound NAT because I need to configure the public IP to go to the internet. If I don't configure the public IP in the outbound NAT, anyone will go to the internet.
    So just when I do that, all LAN computers go to the internet but the proxy doesn't.

    Ok, so when you install PFS, you configure the WAN and LAN interfaces. Assumedly you have to set your WAN default gateway to the Movistar router to get out to the internet. At this point, assuming you don't have anything on the router which is blocking you, you ought to have a working firewall which allows all users out and allows the firewall to connect to any updates/packages/etc. Is this right?

    @franae:

    If I don't configure the public IP in the outbound NAT, anyone will go to the internet.

    What do you mean by this? What are you trying to achieve by not allowing anyone to get to the internet?



  • When I configure LAN and WAN, I set the Movistar gateway, which is IP 192.168.1.99, as the default.
    This gateway allows us to go to the internet if we change the source address to the public one. And when the Movistar router receives connections from the internet to our public IP, it only sends all that traffic to our WAN IP address, which is 192.168.1.1.

    That is why I need to use the manual outbound NAT, because the Movistar router expects to receive outbound traffic with the public IP in the header.



  • From the sound of it, you're trying to run before you can walk. Start by configuring the firewall with the basic, out-of-the-box settings. Just configure your internal network settings, your WAN IP and gateway. Check that your LAN hosts can access the internet and that the PFS can pick up updates/packages. Once you get to this point, THEN look at trying to customise your outbound traffic and inbound NAT. After you make each change, check once more to see if your firewall can still pick up updates, etc. The point where things go awry will be when you make the change which breaks your connection. Then it will be easier to find out the fault and address it.

