Unable to use Static IP/Gateway for WAN
-
I am done in the office for the day so I can't check the live server; however, I have the config.xml backup file with me. Can I check in that? What XML key would I be looking for?
Cheers
Gareth
-
I have double checked and I do not have block bogons selected on any of my interfaces.
Any other ideas?
Cheers
Gareth
-
Hello, I think I am facing the same problem
My testbed setup:
modem1 -> full bridging mode
modem2 -> half bridging mode (ip 82.xx.xx.17/29)
fxp0 -> WAN1 (static ip) 75.xx.xx.xx/20
lan -> LAN (static + dhcpd set for clients) 10.0.0.0/24
opt1 -> WAN2 (static ip) 82.xx.xx.18/29
I have created routes for both WANs:
WAN1 wan1 78.105.0.1 78.105.0.1
WAN2 (default) wan2 82.152.129.17 82.152.129.17
Then I created a gateway group:
dualwan: wan1 (Tier 1), wan2 (Tier 1)
I then amended the existing LAN firewall rule and set the gateway to dualwan:

| Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
|---|---|---|---|---|---|---|---|---|
| * | LAN net | * | * | * | dualwan | none | | Default allow LAN to any rule |

With this configuration, I am facing the same problems as gazzer82: I get no network connectivity. Pinging my half bridged modem's ip (wan2) I get 100% pkt loss. If I then go back to the firewall rule for LAN, setting the gateway to "default" works fine; setting it to anything else is a no go.
I am using the latest snapshot
ipfw show
```
ipfw: getsockopt(IP_FW_GET): Protocol not available
```
cat /tmp/rules.debug
```
#System aliases
loopback = "{ lo0 }"
lan = "{ re0 }"
wan2 = "{ fxp1 }"
wan1 = "{ fxp0 }"
# User Aliases

set loginterface re0
set loginterface fxp1
set loginterface fxp0
set optimization normal
set limit states 95000

scrub in on $lan all fragment reassemble
scrub in on $wan2 all fragment reassemble
scrub in on $wan1 all fragment reassemble

nat-anchor "ftp-proxy/*"
nat-anchor "natearly/*"
nat-anchor "natrules/*"

# Outbound NAT rules
# Subnets to NAT
tonatsubnets = "{ 10.0.0.0/24 }"
no nat on $wan2 to port tftp
nat on $wan2 from $tonatsubnets port 500 to any port 500 -> 82.152.129.18/32 port 500
nat on $wan2 from $tonatsubnets port 4500 to any port 4500 -> 82.152.129.18/32 port 4500
nat on $wan2 from $tonatsubnets port 5060 to any port 5060 -> 82.152.129.18/32 port 5060
nat on $wan2 from $tonatsubnets to any -> 82.152.129.18/32
no nat on $wan1 to port tftp
nat on $wan1 from $tonatsubnets port 500 to any port 500 -> 78.105.5.34/32 port 500
nat on $wan1 from $tonatsubnets port 4500 to any port 4500 -> 78.105.5.34/32 port 4500
nat on $wan1 from $tonatsubnets port 5060 to any port 5060 -> 78.105.5.34/32 port 5060
nat on $wan1 from $tonatsubnets to any -> 78.105.5.34/32

#SSH Lockout Table
table <sshlockout> persist
# Load balancing anchor
rdr-anchor "relayd/*"
# FTP proxy
rdr-anchor "ftp-proxy/*"
rdr-anchor "tftp-proxy/*"
rdr on re0 proto tcp from any to any port 21 tag PFFTPPROXY -> 127.0.0.1 port 8021
rdr on re0 proto udp from any to any port tftp tag PFFTPPROXY -> 127.0.0.1 port 6969
# IMSpector rdr anchor
rdr-anchor "imspector"
# UPnPd rdr anchor
rdr-anchor "miniupnpd"

anchor "ftpsesame/*"
anchor "relayd/*"
anchor "firewallrules"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"

# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# snort2c
table <snort2c> persist
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"

# package manager early specific hook
anchor "packageearly"

# carp
anchor "carp"

# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

table <virusprot>
block in quick from <virusprot> to any label "virusprot overload table"

antispoof for re0
# allow access to DHCP server on lan
anchor "dhcpserverlan"
pass in on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $lan proto udp from any port = 68 to 10.0.0.1 port = 67 label "allow access to DHCP server"
pass out on $lan proto udp from 10.0.0.1 port = 67 to any port = 68 label "allow access to DHCP server"

antispoof for fxp1
# block anything from private networks on interfaces with the option set
antispoof for $wan2
block in log quick on $wan2 from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $wan2 from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $wan2 from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $wan2 from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"

antispoof for fxp0
# block anything from private networks on interfaces with the option set
antispoof for $wan1
block in log quick on $wan1 from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $wan1 from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $wan1 from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $wan1 from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"

anchor "spoofing"

# loopback
anchor "loopback"
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"

anchor "firewallout"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out all keep state label "let out anything from firewall host itself"

# make sure the user cannot lock himself out of the webConfigurator or SSH
anchor "anti-lockout"
pass in quick on re0 from any to (re0) keep state label "anti-lockout rule"

# NAT Reflection rules

# package manager late specific hook
anchor "packagelate"

anchor "ftp-proxy/*"
# enable ftp-proxy
pass in quick inet proto tcp tagged PFFTPPROXY flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"

# User-defined aliases follow

# User-defined rules follow
pass in quick on $lan from 10.0.0.0/24 to <vpns> keep state label "NEGATE_ROUTE: Negate policy route for local network(s)"
pass in quick on $lan from 10.0.0.0/24 to <direct_networks> keep state label "NEGATE_ROUTE: Negate policy route for local network(s)"
pass in quick on $lan route-to { ( opt1 82.152.129.17 ) } from 10.0.0.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"

# VPN Rules
anchor "limitingesr"

# IMSpector
anchor "imspector"

# uPnPd
anchor "miniupnpd"
```
If there are any other things I can post to help solve the problem, just let me know.
Cheers
P.S. I also have bogons turned off, though I don't think it's really related to this. I will also download the latest full ISO and start from scratch in case my present box is borked.
-
Try to set a default gateway and, under Firewall: NAT: Outbound, manual outbound NAT. For me this fixed the problem.
-
Hi XToni,
I have tried your suggestion with no success. I can now ping the gateway IP from the pfSense box, but I cannot ping from pfSense to the outside world; it is very, very odd.
Firewall rules wise, all I have is an allow all from LAN to WAN using the default gateway (otherwise I lose access to the web config interface), then above that a rule which specifies that any traffic not destined for the pfSense IP (192.168.20.254) should be routed out of the static gateway I have set.
I have enabled the DNS forwarder and set up two DNS servers in preferences, OpenDNS with IPs of 208.67.222.222 and 208.67.220.220.
I have tried turning Outbound NAT to manual, leaving the default rules there and not changing/adding any rules here. Do I need to?
Is there something in this config that is causing the problem?
I am just confused as to why when I set the interface to DHCP it works fine, but by manually specifying exactly the same config it does not work.
Cheers
Gareth
-
Go to System: Routing: Gateways, edit your gateway and choose default.
If nothing changes, go to System: Advanced: Firewall and disable the entire firewall to see if it's a firewall issue.
-
Ha ha, we are getting somewhere; I followed all of your steps.
As long as I set my gateway as default, and make sure that my firewall rule's gateway is set to use default, I finally have internet access.
However, if I set my firewall rule's gateway to manually point at the correct gateway I get no net access. This is a problem as I am eventually going to be setting this up as a load balanced dual WAN, so I need the ability to put the two gateways into a group and tell my firewall rules to use that group, not the default.
Any idea?
Do I need to create additional firewall/NAT rules to make this happen?
Help very much appreciated!!
Cheers
Gareth
-
When you set the WAN addresses manually, make sure you have the netmasks set correctly for each wan interface, /20 for WAN1 and /29 for WAN2 based on your description.
-
Thanks kpa, I did have the netmask set at 24; I have tried it at 20, but at the moment I am only using a single WAN for testing. However it hasn't helped things: I am still able to access the net fine setting the gateway in the firewall rules to default, but setting it manually to my actual gateway leaves me with no access outside the network. Interestingly, it appears that in this setup pfSense also cannot get to the net: from pfSense I can ping the gateway fine, but if I try to ping anything outside the gateway, be it by IP or DNS name, I get 100% packet loss.
By the way, for the sake of testing, at the moment this device is still sitting behind my NAT router; this is what I am using for the gateway, not that that should make any difference.
Anyone else got any ideas? Can anyone explain to me what the difference in rules/routing is between leaving the gateway set as default and manually selecting the gateway, so I can work out where it's going wrong/getting blocked!!
Cheers
Gareth
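As an added example (not pfSense code, and not posted by anyone in this thread), the following Python script turns the three things people have been checking by hand into code: that each static WAN gateway is on-link for the configured mask (kpa's point about /20 versus /29; with the /24 mentioned above, 78.105.0.1 falls outside 78.105.5.0/24), that each WAN has a catch-all outbound NAT rule translating to its own address (XToni's manual outbound NAT suggestion), and that the route-to target in the posted rules.debug names an interface that exists in the ruleset's interface macros. The interface table and the rules.debug excerpt are constructed from the values posted earlier in the thread (78.105.5.34/20 with gateway 78.105.0.1, 82.152.129.18/29 with gateway 82.152.129.17); the regexes match only the rule forms seen in that dump, not pf's full grammar.

```python
"""Sanity checks for a static-WAN / policy-routing pf ruleset.

Constructed example for this thread, not pfSense code: it re-implements
checks that are otherwise done by eye when a route-to rule breaks
connectivity while "default" gateway works.
"""
import ipaddress
import re

# Constructed interface table from the thread: addresses and masks as the
# posters describe them, gateways as shown in their System > Routing table.
INTERFACES = {
    "fxp0": {"name": "WAN1", "addr": "78.105.5.34", "prefix": 20, "gateway": "78.105.0.1"},
    "fxp1": {"name": "WAN2", "addr": "82.152.129.18", "prefix": 29, "gateway": "82.152.129.17"},
}

# Constructed sample input: the relevant lines of the posted /tmp/rules.debug.
RULES_DEBUG = """\
lan = "{ re0 }"
wan2 = "{ fxp1 }"
wan1 = "{ fxp0 }"
tonatsubnets = "{ 10.0.0.0/24 }"
nat on $wan2 from $tonatsubnets to any -> 82.152.129.18/32
nat on $wan1 from $tonatsubnets to any -> 78.105.5.34/32
pass in quick on $lan route-to { ( opt1 82.152.129.17 ) } from 10.0.0.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"
"""

# Interface macro:        wan1 = "{ fxp0 }"
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"\{\s*([a-z]+\d+)\s*\}"', re.M)
# Catch-all outbound NAT:  nat on $wan1 from $tonatsubnets to any -> A.B.C.D/32
NAT_RE = re.compile(r'^nat on \$(\w+) from \$\w+ to any -> (\S+)/32\s*$', re.M)
# Policy-routing target:   route-to { ( opt1 82.152.129.17 ) }
ROUTE_TO_RE = re.compile(r'route-to\s*\{\s*\(\s*(\S+)\s+(\S+)\s*\)\s*\}')


def gateway_on_link(addr, prefix, gateway):
    """True when the gateway address lies inside the interface's own subnet."""
    network = ipaddress.ip_interface(f"{addr}/{prefix}").network
    return ipaddress.ip_address(gateway) in network


def parse_macros(text):
    """Map pf macro name -> physical interface, e.g. {'wan1': 'fxp0'}."""
    return {m.group(1): m.group(2) for m in MACRO_RE.finditer(text)}


def parse_nat(text):
    """Map pf macro name -> address its catch-all NAT rule translates to."""
    return {m.group(1): m.group(2) for m in NAT_RE.finditer(text)}


def parse_route_to(text):
    """List of (interface, gateway) pairs used by route-to rules."""
    return ROUTE_TO_RE.findall(text)


def check(rules_text, interfaces):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    macro_of = {phys: name for name, phys in parse_macros(rules_text).items()}
    nat = parse_nat(rules_text)
    for phys, cfg in interfaces.items():
        # 1. The static gateway must be on-link for the configured mask.
        if not gateway_on_link(cfg["addr"], cfg["prefix"], cfg["gateway"]):
            findings.append(f"{cfg['name']}: gateway {cfg['gateway']} is not inside "
                            f"{cfg['addr']}/{cfg['prefix']}")
        # 2. Each WAN needs a catch-all outbound NAT rule to its own address.
        macro = macro_of.get(phys)
        if macro is None:
            findings.append(f"{cfg['name']}: no pf macro defines {phys}")
        elif macro not in nat:
            findings.append(f"{cfg['name']}: no outbound NAT rule on ${macro}")
        elif nat[macro] != cfg["addr"]:
            findings.append(f"{cfg['name']}: NAT translates to {nat[macro]}, "
                            f"interface address is {cfg['addr']}")
    # 3. route-to must name an interface known to the ruleset, with its gateway.
    gateway_of = {phys: cfg["gateway"] for phys, cfg in interfaces.items()}
    for iface, gw in parse_route_to(rules_text):
        if iface not in macro_of:
            findings.append(f"route-to names '{iface}', which is not an interface "
                            f"in the ruleset macros {sorted(macro_of)}")
        elif iface in gateway_of and gateway_of[iface] != gw:
            findings.append(f"route-to on {iface} uses {gw}, expected {gateway_of[iface]}")
    return findings


if __name__ == "__main__":
    for line in check(RULES_DEBUG, INTERFACES) or ["all checks passed"]:
        print(line)
```

Run on the posted excerpt it reports a single finding: the route-to names `opt1`, which is not one of the interface names (re0, fxp0, fxp1) defined by the dump's macros. Changing WAN1's prefix to 24 in the table adds the off-link gateway finding, which is the situation kpa's netmask comment describes.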
-
Try to set your netmask to 32 for the DNS server.
Best Regards
Kambeeng
Try My Configuration
![static Route.JPG](/public/imported_attachments/1/static Route.JPG)