OPT interface - No Internet Access



  • Hi all,

    I have set up a new pfsense box, imported the config from our old box to the new one. All seemed to be working well. We upgraded to the new server as it has 4 onboard NIC's and a PCI-E dual NIC. On the dual NIC (bce4 &5) I have added an opt interface. No matter what I do I cannot get internet access through these ports. I can ping the gateway IP I have set on the ports, from a PC. I can also ping that PC (Dhcp enabled) from PFsense.

    BUT no internet at all.

    I have added an allow all rule into the firewall on the OPT interface, still no joy. I cna ping my entire internal network from the PC connected to bce4.

    if I was to ping google or 8.8.8.8 I get no response.

    Any ideas ?

    Thanks in advance



  • The default is to block, so you need a allow rule any-opt1-any-any-any-any. That will allow traffic to your lan network also though. So in my case I placed a block rule to Lan from Opt1 then a allow rule for DNS to the firewall, then a block rule to the firewall to block any other access to the firewall, then a allow all rule. It seems to work well for me.


  • Rebel Alliance Global Moderator

    "I have added an allow all rule into the firewall on the OPT interface,"

    Post the rules you have on lan and the rules you placed on opt.  Its quite common for users to just do tcp when they create the any any rule.  TCP would not allow for icmp (ping) nor would it allow for dns which is UDP on 53, etc..

    Yes the default is deny.  So you have to create rules on the interface that allow the traffic you want/need - the lan interface out of the box is any any.  But when you create a new interface there is no rules.  So yes you have to add the rules you want/need to allow the traffic you want.

    Rules are evaluated as the traffic enters the interface going toward pfsense.  Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.  So if the traffic hits a block rule that it matches on.  Does not matter if there is a rule below that rule that would allow the traffic.



  • Did you check the Firewall->NAT->outbound
    if you setup manual outbound nat you have to enter the mappings in there manually if its setup as Hybrid (my choice) then new interface mappings are automatically added and you can also enter manual ones.