[SOLVED] pfsense in VirtualBox - physical clients have no HTTP traffic



  • I have installed pfsense in VirtualBox, and created two virtual NICs that are bridged to the two physical NICs on my server. My Internet connection connected directly to NIC-01 (no router or anything) and that is bridged to EM0 on the pfsense VM. I then have NIC-02 (LAN) bridged to EM1 in pfsense. Next I have a wifi router (dd-wrt) setup as a basic access point with a cord from one of its LAN ports to the LAN port on the server (NIC-02).

    pfsense provides DHCP to everything. All my clients connected to the Wi-Fi router get a IP. They can ping the:
      - LAN IP for pfsense
      - Server the VM runs on
      - External DNS (8.8.8.8)
      - Gateway
    They can even play videos and music from my PLEX server on the LAN. In fact everything seems to work except that whenever they try to browse to any sites, it just says "ERR_Connection_Timed_Out". In pfsense:
      - The WAN gets its IP and Gateway via DHCP from the ISP
      - NAT is set to automatic
      - I have a rule on both the WAN and LAN to allow any protocol, on any port to and from any address and port.

    Here is a simple diagram of my setup. Just want to use pfsense as a virtual router and firewall for clients connected to my wifi router.


    (located here: https://drive.google.com/file/d/1pLv7S9K_FvDfb54hUolXxzzcfb_55VAa/view?usp=sharing)



  • if hosts from LAN can ping 8.8.8.8 (what does traceroute show?), I would say, that somewhere there is a rule, which blocks tcp connection to port 80 (443?) or the all-allowing rule does not work.

    @atxcoder:

    • I have a rule on both the WAN and LAN to allow any protocol, on any port to and from any address and port.

    Do you mean a floating rule? Is it configured as a quick rule?

    I would not use floating rules at all for your purposes, just "disable all" rule on WAN, "enable tcp dest. ports 80, 443" then "disable all" rules on LAN.

    BTW, if the configuration is correct, your pfsense box should be fully accessible from outside. Are you sure, that this is what you want?

    P.S. There was also an issue with check-sums, but I am not sure, if this problem happens on VirtualBox too. Look at https://forum.pfsense.org/index.php?topic=88467.0



  • I didn't find any mention of VirtualBox having the issue, but I disabled the checksum and rebooted the VM anyway.

    I don't have any floating rules

    I disabled all rules and nothing worked. So I then added TCP 80 and TCP 443 (Firewall > Rules > LAN). Here are what my rules look like:

    ====FLOATING====
    None

    ==== LAN ====
    default no lockout rule
    IP4 - TCP - any source, any port, any destination, port 80, any gateway, none queue
    IP4 - TCP/UDP - any source, any port, any destination, port 53, any gateway, none queue
    IP4 - TCP/UDP - any source, any port, any destination, port 443, any gateway, none queue

    ==== WAN ====
    IP4 - TCP - any source, any port, any destination, port 80, any gateway, none queue
    IP4 - TCP/UDP - any source, any port, any destination, port 443, any gateway, none queue

    Now, PING and TRACE ROUTE no longer work (no rule for them so I would expect them not to work).

    The weird thing is now that I use Google Chrome and enter a term, "pfsense" for example, into the address bar and Google returns a page full of search results. I click on any link and get a "ERR_CONNECTION_CLOSED". Still in the same browser tab I search again for "pfsense" and get back a "ERR_QUIC_PROTOCOL_ERROR" error page. Close that tab, open a new tab, search for "pfsense" and search results come up. Click on any link and again "ERR_CONNECTION_CLOSED"

    I am new to pfsense, and have limited knowledge in firewalls and their rules (work as a Server Admin). Any help or recommendations is greatly appreciated!



  • So, disabling check-sums offloading seems to bring a new behavior.

    I would try another virtual NIC or maybe another version of VirtualBox.

    P.S. For this test configuration the "==== WAN ====" rules are not necessary.



  • I have a TP-LINK TG-3468 PCIe NIC as my WAN adapter for pfsense. I had to switch the VirtualBox "Adapter Type" for that NIC from Intel PRO/1000 MT Desktop to Paravirtualized Network (virtio-net). From what I have read in the VirtualBox documentation the Paravirtualized Network (virtio-net) adapter type is special in that it doesn't virtualize the network hardware when it is already supported out of the box by the guest OS. (https://www.virtualbox.org/manual/ch06.html#nichardware)

    In any case, after making that change, pfsense worked like a champ! I guess I'll see if it has any ill effects as I begin to get deeper into pfsense. Thanks for all your help yarick123 and point me down the right path. ;D