Cannot access internet from LAN



  • Hi, I'm a newbie in the pfsense community. So sorry if I bother anyone with my question.

    Below is my network topo :

                        access                            trunking
    PC (10.0.2.201/24) -------- L3 switch ------------------------ LAN pfsense ------------------- WAN pfsense
    GW : 10.0.2.1/24            vlan1 : 10.0.2.0/24                IP : 10.0.2.254/24              IP : x.x.114.174/30
                                vlan11 : 172.31.0.1/23             LAN_GW : 10.0.2.1 (online)      WAN_GW : x.x.114.173/30 (online)
                                vlan12 : 172.31.2.1/23
                                vlan13 : 172.31.4.1/23
                                default route : 10.0.2.254
                                DHCP server : 10.0.2.200/24

    I've set up a fresh pfsense like above and I did some pings:

    • On L3 switch : ping to LAN interface pfsense (10.0.2.254) is ok
    • On PC : ping to LAN interface pfsense is ok
    • On pfsense : ping from WAN to 8.8.8.8 is ok
    • On PC : ping to WAN interface pfsense (x.x.114.174) is ok

    I HAVE NOT YET setup any rule or NAT on pfsense

    So, my problem is: my PC and L3 switch cannot ping 8.8.8.8 (100% packet loss). Why? Can anyone help me? Tks a lot.



  • Why don't you use a separate network between the switch and pfSense? That could be your issue. And you do only have the WAN GW set up as default gw in your pfsense, right?



  • And have you created static routes on your pfsense for the networks behind your layer 3 switch?



  • Tks, let me answer your questions.

    First, I do set the default GW on pfsense; that is the WAN_GW.

    Second, I first try to test for 1 vlan (vlan1); this is the local LAN of pfsense. Then, if this works, I will set 3 static routes for my 3 vlans behind pfsense.


  • Rebel Alliance Global Moderator

    Your transit network in such a design would be 10.0.2/24 network.  Looks like you have pointed your PC to IP of your router in this transit network.  This GW you set on pfsense in your transit network.. Did you make that a default gateway?

    This is how you would set up such a configuration.

    Pfsense could be .1 in your transit, your router in that transit vlan would be .2

    Each vlan on your downstream L3 (router) would have an IP in each vlan, say your .1 examples.  The devices in each of those vlans would have gateway set to that router's SVI in that vlan.

    Pfsense would need a GW set (but not default) in the transit pointing to the router .2 address.  You would then have route(s) to cover all your downstream networks.

    On pfsense you have to allow for rules on the interface the transit is connected to allow traffic from all those downstream networks.  You would also need NAT statements to nat these downstream networks to your WAN IP.

    From your info you seem to have your PC in your transit network pointing to the router, which would then in theory send it back to pfsense.  This is hairpin for sure and also asymmetrical and going to cause you nothing but grief.
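
Added example (not part of the thread, and not pfSense or switch configuration): a small Python audit of the downstream-router design described in the post above, run over the addresses from the first post. The `audit` function, its parameters and the 172.31.0.0/21 summary used in the corrected case are assumptions made for illustration.

```python
import ipaddress as ip

# Constructed from the addresses in the thread's first post (WAN side omitted).
FW_LAN = ip.ip_interface("10.0.2.254/24")   # pfSense LAN address, i.e. the transit
ROUTER = ip.ip_address("10.0.2.1")          # L3 switch SVI in the transit
DOWNSTREAM = [ip.ip_network(n) for n in
              ("172.31.0.0/23", "172.31.2.0/23", "172.31.4.0/23")]

def audit(hosts, static_routes, rule_sources, nat_sources):
    """hosts: {name: (address, gateway)}; static_routes: [(network, next_hop)];
    rule_sources / nat_sources: source networks allowed in on the transit
    interface / translated to the WAN address. Returns a list of findings."""
    findings = []
    for name, (addr, gw) in hosts.items():
        addr, gw = ip.ip_address(addr), ip.ip_address(gw)
        # A host inside the firewall's own subnet that points at the router goes
        # out host -> router -> firewall while replies come back direct.
        if addr in FW_LAN.network and gw != FW_LAN.ip:
            findings.append(f"{name}: gateway {gw} should be {FW_LAN.ip} (asymmetric path)")
    routes = [(ip.ip_network(n), ip.ip_address(h)) for n, h in static_routes]
    rules = [ip.ip_network(n) for n in rule_sources]
    nats = [ip.ip_network(n) for n in nat_sources]
    for net in DOWNSTREAM:
        if not any(net.subnet_of(dst) and hop == ROUTER for dst, hop in routes):
            findings.append(f"{net}: no static route via {ROUTER}")
        if not any(net.subnet_of(src) for src in rules):
            findings.append(f"{net}: not allowed by a rule on the transit interface")
        if not any(net.subnet_of(src) for src in nats):
            findings.append(f"{net}: no outbound NAT to the WAN address")
    return findings

def as_posted():
    # PC points at the switch; no routes, rules or NAT for the VLANs yet.
    return audit({"PC": ("10.0.2.201", "10.0.2.1")}, [], [], [])

def corrected():
    # Assumed fix: PC points at pfSense; one 172.31.0.0/21 summary covers all three /23s.
    summary = "172.31.0.0/21"
    return audit({"PC": ("10.0.2.201", "10.0.2.254")},
                 [(summary, "10.0.2.1")], [summary], [summary])

if __name__ == "__main__":
    for line in as_posted():
        print("FINDING:", line)
    print("corrected design findings:", corrected())
```

The /21 summary also covers 172.31.6.0/23, which the thread does not use; listing the three /23 networks individually gives a tighter rule and NAT scope.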




  • @johnpoz:

    Thank you for your support. The transit network that you mention is my management network (vlan 1). I am just trying to configure internet access from vlan 1; then, if it succeeds, I'll add 3 static routes on pfsense for my 3 vlans behind.

    So, on my PC I set the default GW to 10.0.2.1; ping to 10.0.2.254 (pfsense LAN interface) is ok.

    My internet connection is a Leased Line (it connects directly to the ISP through an optical converter and does not go through any router in front of my pfsense) with the public IP I gave you in the 1st post.

    And the pfsense I'm using is a VM on an ESXi host which is connected to core SW through a trunking port.


  • Rebel Alliance Global Moderator

    "The transit network that you mention is my management network (vlan 1)"

    No that is not what a transit network is..  Devices are not on a transit network.. If you are going to put a device on a transit network like your pc - then this pc needs to know how to route to get to where.  So for example in the case of your pc its default route should be pfsense.  Pfsense knows how to get to the internet.. your L3 would be an asymmetrical hop if you bounced off him.

    You would then set your pc with routes to talk to your L3 svi in that transit network when you want to go to other networks off the L3..  Normally there are no devices other than routers in a transit network.  You may well make your management vlan 1, but that should not then be your transit network..  All a management network is normally is a restricted network that has access to manage the network devices.  Normally it would not be connecting using the transit vlan on a router - but another interface on the router in a different network for "management"

    "connected to core SW through a trunking port."

    Why is there a trunked port??  With a setup of downstream router pfsense doesn't give 2 shits about tags or vlans from these other networks - he would never see them.  The only network that is connected to him is the transit network, which vlan would be native untagged.

    So in your setup the port on your switch connected to this pfsense vm would just need to be access port in vlan 1.  all your other vlans would also be access ports.  Unless you have downstream access switches where multiple vlans would go across this uplink and need to be tagged I don't see any reason for any trunk ports.  If you had AP hanging off the L3 switch with different vlans on its SSID sure then that would be a trunk.  But in the setup with a downstream router connected to an upstream router like you have the only network that connects the 2 is the transit.  This is the only network or tag or vlan that either of the routers care about on this network - there is no need for tagging.



  • @torres:

    on my PC I set the default GW to 10.0.2.1; ping to 10.0.2.254 (pfsense LAN interface) is ok.

    What? I don't get your setup at all.

    If 10.0.2.254 is your pfSense Lan interface then what is listening on 10.0.2.1 and why is it your default gateway?

    What do you want to do in regard to routing and firewalling in the end?
    Will you have traffic between your /23 networks? If so, is the L3 switch doing the routing or your pfSense?
    I see a DHCP server at 10.0.2.200/24. Where/what is that? Would it have to hand out leases to the /23 networks as well? If so, how did you plan to do that?

    Honestly, this is not a straightforward design and only useful if you need to do specific things we do not know about yet.


  • Rebel Alliance Global Moderator

    "I see a DHCP server at 10.0.2.200/24. Where/what is that? Would it have to hand out leases to the /23 networks as well? If so, how did you plan to do that?"

    That network 10.0.2/24 is what should be his transit network between his downstream router (L3 switch) and pfsense (edge/border firewall/router).  Putting his dhcp server on the transit vlan is a bad idea.  And using his transit network as management vlan is also not good design.  Placing dhcp on a transit would require it to have host routing or not need to route to anything that is not off the downstream router.

    I put together a basic drawing of how you would set up a downstream router.  You could use the transit IP for management but I wouldn't call the transit a management vlan.  You could create a management vlan that is tagged that rides on the same physical connection as your transit if you want.  Or that could be an untagged native network and your transit could be a vlan with tags on it.  I would prob put the management as a tagged vlan since it should have way less traffic.

    There are multiple ways to skin the cat - but no, putting devices like pcs and dhcp servers on what is your transit is normally not one of them.

    How many devices do you have to manage?  From how many different devices - what are the security concerns?  Are the devices that will manage the infrastructure secured to only a specific vlan, etc.  In this example where you only show L3 and Pfsense you could leverage pfsense transit IP for management - just put in a firewall rule that only allows specific devices to access the management ports.  As to your switch - you could use any of the SVIs you have set up to manage - depending on the feature set of the L3 you could put ACLs in place to limit what devices can access it.  Or you could set up an isolated vlan that routes through pfsense that limits access to this management vlan, etc.



  • johnpoz, honestly, I know that.
    My questions are why he designed it this way and what else he had in mind. You don't come up with such a design for no apparent reason.
    Often enough we found OP to throw in a crucial piece of information nearly at the end of a thread, turning it all around again.
    That's why I ask before I make uninformed suggestions.

    But thanks for taking the time to explain it again.



  • Tks for all of your comments.

    I design my network for a building. My customers stay on 3 floors, so I created 3 vlans for them.

    I built a DHCP server to lease IPs for my 3 /23 vlans because I don't want pfsense to take this action; I only want pfsense to act as a firewall and router to the internet.

    The mission of the L3 switch is routing vlans. On the L3 switch, I put a default route (ip route 0.0.0.0 0.0.0.0 10.0.2.254). As you see, that default route is pointing to the LAN interface of pfsense. Some of the vlan configuration on the L3 switch looks like this:

    interface Vlan1
    description Connection to pfsense
    ip address 10.0.2.1 255.255.255.0
    !
    interface Vlan11
    description F10
    ip address 172.31.0.1 255.255.254.0
    ip helper-address 10.0.2.200
    !
    interface Vlan12
    description F11
    ip address 172.31.2.1 255.255.254.0
    ip helper-address 10.0.2.200
    !
    interface Vlan13
    description F12
    ip address 172.31.4.1 255.255.254.0
    ip helper-address 10.0.2.200
    !

    ip route 0.0.0.0 0.0.0.0 10.0.2.254

    On pfsense I have two gateways:

    • Local gateway : 10.0.2.1/24 - status : online
    • Internet gateway (default gateway): xxx.xxx.114.173/30 - status : online

    After building all of the above, I want to test my pfsense, for internet access of course. I picked a vlan to test, and that is vlan 1, and my problem is the missing connection to the internet. So I just wanna know WHY? Did I do something wrong?


  • Rebel Alliance Global Moderator

    Dude fix it your design is BROKEN!!!  Your pc is not going to get to internet talking to the L3 off the transit network.  Point your pc to pfsense since it's in that vlan - does it work then?

    Ping this
    WAN_GW : x.x.114.173/30 (online)

    In your L3 are you blocking intervlan with ACL - or these 3 buildings can talk to each other without any firewall rules?

    "My questions are why he designed it this way and what else he had in mind"

    Because he doesn't know what he is doing - that is not how you would design it..


  • Banned

    I don't understand WTH you don't set up those VLANs on pfSense. Way to burn yourself for absolutely no reason.



  • @torres:

    I design my network for a building. My customers stay on 3 floors, so I created 3 vlans for them.

    Obviously you don't want traffic between those VLANs.
    Run a trunk to pfSense with all those VLANs and let pfSense do the routing to the internet (and firewalling between subnets, DNS and DHCP).
    It doesn't get much easier. Only way more complicated. Or broken. Honestly!

    Well, the longer version of what doktornotor and johnpoz told you already.



  • @doktornotor:

    I don't understand WTH you don't set up those VLANs on pfSense.

    Several possibilities:
    -new to pfSense
    -new to VLANs
    -new to routing
    -needs to justify the expenses of an L3 switch
    -someone told him it's done this way
    -his old company always does it like this
    -no coffee
    -square-headed German … eh, sorry, that's me

    SCNR  ;)