Outbound traffic blocked? NAT issues?



  • I am having a problem reaching the internet from any computer on my PFSense LAN. Below is the setup:

    ISP->Cable Modem/Wireless Router (TPLINK Archer CR700) -> PFSense Firewall -> LAN ( all end users)

    I can ping my default gateway set up on my cable modem/router which is 192.168.1.1 from the inside of the LAN
    I have the LAN IP set at 192.168.2.1
    I have the WAN(pfsense) set at 192.168.1.10
    I also have a DMZ set at 192.168.1.10 (on the cable modem/router).
    I am not sure what is taking place that I cannot reach the internet but I believe it is due to pfsense blocking traffic or it is the cable modem/router blocking the traffic.
    I have tried to look at where I can add a rule inside the TPLINK archer CR700 to pass the route from pfsense to the inet but I am not seeing anything.
    If pictures are needed or additional information please let me know I can provide whatever is necessary.

    Also I was wondering if someone could give me advice on routing my wireless traffic from the cable modem/router to the pfsense router and then back out to cable modem/router and to the internet.



  • Is there a filter rule on LAN interface to allow outbound traffic?
    By default pfSense allows any traffic outwards.

    Check the outbound NAT and post a screenshot.

    Also check the interface settings (network mask) of pfSense WAN and the modem's LAN.

    @pfanonsense:

    I also have a DMZ set at 192.168.1.10 (on the cable modem/router).
    I am not sure what is taking place that I cannot reach the internet but I believe it is due to pfsense blocking traffic or it is the cable

    This is only needed for incoming access.

    @pfanonsense:

    Also I was wondering if someone could give me advice on routing my wireless traffic from the cable modem/router to the pfsense router and then back out to cable modem/router and to the internet.

    You will have to set a route on the cable modem for traffic meant to the LAN directing to pfSense WAN address.
    Also you have to add a filter rule to pfSense WAN allowing incoming traffic from the WLAN subnet.



  • Who is your ISP?  What version of pfSense?  What cable modem?

    Can you put the cable modem in bridge mode (if a gateway device) and plug it directly into the WAN of the pfSense box?  (restart the cable modem if you do that)

    Then you can set the router up as an AP only and use the remaining switch ports.

    There is tons of information on Google and even here about using your SOHO router as an AP only.



  • @chpalmer:

    Who is your ISP?  What version of pfSense?  What cable modem?

    Can you put the cable modem in bridge mode (if a gateway device) and plug it directly into the WAN of the pfSense box?  (restart the cable modem if you do that)

    Time Warner

    I thought about bridge mode but then I figured I would lose my WAP with the change into bridge mode.
    What you are saying is that if I turn it into bridged mode I will still have a WAP and the traffic from the WAP will actually be routed to the PFsense Router?

    Cable modem/WAP is plugged directly into the PFsense router in an onboard NIC.
    The wired end users are connected via a 4 port PCI NIC, on em3 (4th port).



  • @viragomann:

    Is there a filter rule on LAN interface to allow outbound traffic?
    By default pfSense allows any traffic outwards.

    Check the outbound NAT and post a screenshot.

    Also check the interface settings (network mask) of pfSense WAN and the modem's LAN.

    OK, here are some pictures that should help us a little better.


    ![pfsense-LAN rule.PNG](/public/imported_attachments/1/pfsense-LAN rule.PNG)
    ![pfsense-General logs.PNG](/public/imported_attachments/1/pfsense-General logs.PNG)
    ![pfsense-gateway logs.PNG](/public/imported_attachments/1/pfsense-gateway logs.PNG)
    ![pfsense-firewall error.PNG](/public/imported_attachments/1/pfsense-firewall error.PNG)
    ![pfsense firewall logs.PNG](/public/imported_attachments/1/pfsense firewall logs.PNG)
    ![pfsense-WAN rule.PNG](/public/imported_attachments/1/pfsense-WAN rule.PNG)
    ![Tplink- info-subnet.PNG](/public/imported_attachments/1/Tplink- info-subnet.PNG)
    ![Tplink- Lan settings.PNG](/public/imported_attachments/1/Tplink- Lan settings.PNG)
    ![Tplink- options.PNG](/public/imported_attachments/1/Tplink- options.PNG)



  • Delete the gateways GW_WAN, LANGW and GW_LAN.

    On LAN interface you only allow TCP to the internet. So the devices can neither access a DNS server nor ping anything, not even to pfSense.
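
The effect described in the post above, as an added example that is not part of the original thread: a small first-match rule evaluator with an implicit default deny, run against a TCP-only LAN rule and against the default "LAN net to any" rule. The /24 mask, the rule sets and the sample packets are constructed for illustration, and this is a model of the evaluation order, not pfSense's own code.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# LAN subnet from the thread; the /24 mask is an assumption.
LAN_NET = ipaddress.ip_network("192.168.2.0/24")

@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    proto: str                       # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst_port: Optional[int] = None   # None matches any port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None

def evaluate(rules, pkt):
    """Top-down, first match wins; no match falls to the default deny."""
    for rule in rules:
        if rule.proto not in ("any", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in rule.src:
            continue
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            continue
        return rule.action
    return "block"

# Constructed rule sets: the restricted LAN rule vs. the default one.
TCP_ONLY = [Rule("pass", "tcp", LAN_NET)]
DEFAULT_LAN = [Rule("pass", "any", LAN_NET)]

# Constructed sample traffic from one LAN host (203.0.113.10 is a documentation address).
SAMPLE = {
    "dns": Packet("udp", "192.168.2.50", "192.168.2.1", 53),
    "ping": Packet("icmp", "192.168.2.50", "192.168.2.1"),
    "http": Packet("tcp", "192.168.2.50", "203.0.113.10", 80),
}

def verdicts(rules):
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE.items()}
```

With the TCP-only rule the HTTP connection itself would pass, but the UDP name lookup that precedes it is dropped, which is why browsing fails.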



  • @viragomann:

    Delete the gateways GW_WAN, LANGW and GW_LAN.

    I deleted them

    @viragomann:

    On LAN interface you only allow TCP to the internet. So the devices can neither access a DNS server nor ping anything, not even to pfSense.

    When you refer to the LAN interface are you referring to the one on the TPLINK or Pfsense?
    I see on the pfsense that there is a rule for port 80, an "anti lock" rule which cannot be changed nor moved down the rule list.

    Any suggestions on where to go from here?

    I tried bridging my modem and there was no access to the web GUI either directly connected to the tplink or connected to the pfsense LAN


  • Banned

    When a Cable/DSL modem is in bridge mode, it has no web GUI and no settings to configure; you instead set the pfsense WAN port to DHCP, or if you have an assigned static IP, those settings.



  • Time Warner is cable.
    pfanonsense-  When I first read this I thought your setup was a separate cable modem then wireless router then pfsense box..

    I'd still put it in bridge mode if I were you and find myself another AP but that is your choice.

    You need to open up your LAN rules back to default.  source- All LAN Net  any..  Source  all any any etc.  otherwise as viragomann noted- you will never have access to some things you need to surf the web.

    If your modem is still bridged you need to reboot it…  then see what the IP address to your pfSense WAN is.  If it is still private space you should release/renew it..  Easy way- reboot pfSense.


  • Banned

    It is also possible you could end up with a 100.64.0.0 ip address if TWC is using Carrier Grade NAT per RFC 6598 in your area.
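
The address checks suggested in the thread (comparing the network masks of pfSense WAN and LAN, and seeing whether the WAN address is still private space or falls in the RFC 6598 range), as an added example that is not part of the original posts. The function names and the /24 and /16 masks are assumptions; the thread gives only the addresses.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

def classify_wan(addr):
    """Return 'private', 'cgnat', or 'public' (neither RFC 1918 nor RFC 6598)."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "private"
    if ip in CGNAT:
        return "cgnat"
    return "public"

def check_topology(wan_if, lan_if):
    """wan_if and lan_if are 'address/prefix' strings as set on the firewall."""
    wan = ipaddress.ip_interface(wan_if)
    lan = ipaddress.ip_interface(lan_if)
    findings = []
    kind = classify_wan(str(wan.ip))
    if kind == "private":
        findings.append("WAN is RFC 1918: an upstream router still does NAT")
    elif kind == "cgnat":
        findings.append("WAN is in 100.64.0.0/10: carrier-grade NAT")
    # A too-wide mask makes the WAN network swallow the LAN network, so
    # the firewall treats LAN hosts as directly reachable on the WAN side.
    if wan.network.overlaps(lan.network):
        findings.append(f"WAN {wan.network} overlaps LAN {lan.network}")
    return findings

if __name__ == "__main__":
    # Addresses from the thread with an assumed /24, then a constructed /16 typo.
    for wan in ("192.168.1.10/24", "192.168.1.10/16"):
        print(wan, check_topology(wan, "192.168.2.1/24"))
```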



  • @chpalmer:

    Time Warner is cable.
    pfanonsense-  When I first read this I thought your setup was a separate cable modem then wireless router then pfsense box..

    I'd still put it in bridge mode if I were you and find myself another AP but that is your choice.

    You need to open up your LAN rules back to default.  source- All LAN Net  any..  Source  all any any etc.  otherwise as viragomann noted- you will never have access to some things you need to surf the web.

    If your modem is still bridged you need to reboot it…  then see what the IP address to your pfSense WAN is.  If it is still private space you should release/renew it..  Easy way- reboot pfSense.

    Do you think a fresh start would be beneficial??
    Also there is a GUI for the bridged mode, it just literally shows you what is going on with no options to change anything.
    The weird thing is, is that in the manual it tells you, after placing it in bridged mode you can turn DHCP on in the GUI…



  • @pfanonsense:

    @chpalmer:

    Time Warner is cable.
    pfanonsense-  When I first read this I thought your setup was a separate cable modem then wireless router then pfsense box..

    I'd still put it in bridge mode if I were you and find myself another AP but that is your choice.

    You need to open up your LAN rules back to default.  source- All LAN Net  any..  Source  all any any etc.  otherwise as viragomann noted- you will never have access to some things you need to surf the web.

    If your modem is still bridged you need to reboot it…  then see what the IP address to your pfSense WAN is.  If it is still private space you should release/renew it..  Easy way- reboot pfSense.

    Do you think a fresh start would be beneficial??
    Also there is a GUI for the bridged mode, it just literally shows you what is going on with no options to change anything.
    The weird thing is, is that in the manual it tells you, after placing it in bridged mode you can turn DHCP on in the GUI…

    Literal "bridge mode" means the device allows no access to itself, it only forwards traffic.

    But many ISP-supplied devices don't do that because that means no GUI access, so many allow both bridging & GUI access.

    Yeah, I think a fresh start is a good idea. You never know what settings you may have changed while newbishly clicking random things (I've done this many times myself… dangerous).



  • @Nullity:

    Yeah, I think a fresh start is a good idea. You never know what settings you may have changed while newbishly clicking random things (I've done this many times myself… dangerous).

    Ok I will try this out and see what happens.

    I have a 60GB SSD coming in so this is all somewhat of practice and somewhat of try, fail, try, fail…
    Hopefully it becomes a success.
    Alternatively I will end up buying solely a cable modem, even though I literally just bought this modem/WAP.
    We'll see!

    I'll update you guys. I really appreciate the help!

