LAN traffic blocked from accessing Internet
-
Hello, i'm a new Pfsense newbie.
I've installed 2.4.2 with WAN having a direct public ip of lets say 5.5.5.5/28 with google DNS on nic1
LAN is configured 192.168.1.0/24 and has DHCP enabled (it works and I can get leases etc…) on nic2WAN has outbound access and can reach the internet (I can see updates and can download packages)
LAN, however, cannot ping or reach anything on the internet. I've had a look at the logs and can see the following:
Default deny rule IPv4 (1000000103) on both interfacesLAN has not been setup with an upstream gateway and NAT has been set to Manual Outbound NAT rule generation
Are there any thing I can check to get it to work?
any help will be greatly appreciated.
-
"LAN has not been setup with an upstream gateway"
Well that is borked right there.. LAN interface on pfsense would not have a gateway set…
Are you trying to setup a transit network to a downstream router?
-
I've got an uplink from a HSRP link that im using to distribute my /28.
AFAIK LAN is not setup with an upstream gateway as it's supposed to forward all traffic to WAN -
My bad I read that as HAS been setup ;) – sorry about that!
Why would you have turned off outbound nat to manual.. Pfsense works out of the box auto devices connected on the lan.. If you disabled the outbound nat that is most likely your problem. Post up your outbound nat settings.
Rules on lan are any any out of the box - did you change those?
Do your clients on lan get an IP, can they ping pfsense IP on the lan?
-
I turned outbound nat to manual when In my troubleshooting quest. The below is my summary for the outbound nat to manual:
WAN 127.0.0.0/8 -> port 500 -> WAN address ->ISAKMP
WAN 127.0.0.0/8 -> * -> Auto created rule - localhost to WAN
WAN 192.168.1.0/24 ->port 500 WAN address (Auto created rule for ISAKMP - LAN to WAN)
WAN 192.168.1.0/24 -> WAN address -> (Auto created rule - LAN to WAN)If I choose automatic outbound NAT no lan rules are created
-
If you automatic and it doesn't create the nats for you lan networks then you have something wrong..
Here is mine for example… I have it in hybrid mode, notice all the networks it created nats for to the wan interface. Even creates nats for vpn tunnel networks.
This really is clickity clickity up and running.. You really should not have to do anything other than setup whatever dhcp pool you want, etc.
Did you modify the lan rules? Can your dhcp client ping your pfsense wan IP? Lan rules are default any any - so how would you get anything listed and default deny rule on your lan? So you must of changed something in the rules or you client is from different IP range than your lan? Or the traffic is out of state anyway, etc.
-
I've figured out how to attach stuff.
![nat settings.png](/public/imported_attachments/1/nat settings.png)
![nat settings.png_thumb](/public/imported_attachments/1/nat settings.png_thumb) -
automatic nat
![automatic mode.png](/public/imported_attachments/1/automatic mode.png)
![automatic mode.png_thumb](/public/imported_attachments/1/automatic mode.png_thumb)
![automatic mode.png](/public/imported_attachments/1/automatic mode.png)
![automatic mode.png_thumb](/public/imported_attachments/1/automatic mode.png_thumb) -
So those are the auto created rules when you switched to manual… Again there is ZERO reason to be in manual - why would you change to that??
So can your clients on 192.168.1.0/24 that get a dhcp address which points to pfsense as the gateway actually ping pfsense lan IP which is what? 192.168.1.1? What are the rules on your lan interface?
-
i took the screenshot in manual to show the rules. It's currently in auto at the moment. the lan ip is 192.168.1.1. The rules on the interface are to allow 80/443 on the lan network and a rule allowing all traffic from LAN all outbound access which I added for testing.
-
Screenshots are always the best option..
Well then it would work - can you ping pfsense IP 192.168.1.1? If not with an any any rule then something not right for sure.. Can you ping your wan IP? If you can ping your want IP and say no internet - you mean no dns? Can you ping your ISP gateway, and outside IP like 8.8.8.8 or 4.2.2.2?
-
the problem was caused by a faulty nic which i was using for LAN. I changed the card and without any configuration, it started working as expected.
-
Don't remember having a NIC failed on me after thousands… probably like 30 years! Ur a lucky man.