    LAN hosts can't connect to the Internet when the firewall and NAT is turned off!

    General pfSense Questions
    SomuNetAdmin:

      Hi, I'm extremely new to this, and my general knowledge about Routing isn't very thorough yet.

      My basic network setup looks like this:

      Now, since there's already a firewall behind the Suyash PG 306 Access point (along with several other routers and stuff), the network 192.168.3.0/24 is completely trusted, and I don't need a firewall here. Further, I'd like the hosts to be able to talk to each other using their real IPs. So, I don't need NAT either, since it's all within a giant LAN. At this point I could connect to the internet through every VM host, i.e., vmInfra, vmPrime and vmDeux, as well as lappyPrime, had a working internet connection. So, I deactivated the firewall and NAT by:

      • System > Advanced > Firewall / NAT tab > Disable Firewall > Saved

      • Firewall > NAT > Outbound tab > Disable Outbound NAT rule generation (No Outbound NAT rules) > Deleted Existing Outbound rules > Saved.

      Now, both networks 192.168.3.0/24 and 10.0.99.0/24 can talk to each other; however, while the 192.168.3.120 network still has internet access, the hosts on the internal LAN 10.0.99.0/24 don't! What makes this even weirder is that the router residing at 10.0.90.1 can ping google and 8.8.8.8 without a problem, but only the hosts on the LAN can't. My physical host at 192.168.3.108 still has an internet connection.


      What's going on, and how can I fix it?


      Details & Settings:

      Router:

      [2.4.2-RELEASE][somu@pfSense.localdomain]/home/somu: ifconfig em0; ifconfig em1
      em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
      	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
      	ether 00:0c:29:c2:dd:83
      	hwaddr 00:0c:29:c2:dd:83
      	inet6 fe80::20c:29ff:fec2:dd83%em0 prefixlen 64 scopeid 0x1
      	inet 192.168.3.120 netmask 0xffffff00 broadcast 192.168.3.255
      	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      	media: Ethernet autoselect (1000baseT <full-duplex>)
      	status: active
      em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
      	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
      	ether 00:0c:29:c2:dd:8d
      	hwaddr 00:0c:29:c2:dd:8d
      	inet6 fe80::20c:29ff:fec2:dd8d%em1 prefixlen 64 scopeid 0x2
      	inet 10.0.99.1 netmask 0xffffff00 broadcast 10.0.99.255
      	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      	media: Ethernet autoselect (1000baseT <full-duplex>)
      	status: active
      

      From the Router, I can ping:

      
      [2.4.2-RELEASE][somu@pfSense.localdomain]/home/somu: ping -c 2 google.com
      PING google.com (172.217.163.174): 56 data bytes
      64 bytes from 172.217.163.174: icmp_seq=0 ttl=57 time=14.355 ms
      64 bytes from 172.217.163.174: icmp_seq=1 ttl=57 time=30.919 ms
      
      --- google.com ping statistics ---
      2 packets transmitted, 2 packets received, 0.0% packet loss
      round-trip min/avg/max/stddev = 14.355/22.637/30.919/8.282 ms
      [2.4.2-RELEASE][somu@pfSense.localdomain]/home/somu: ping -c 3 8.8.8.8
      PING 8.8.8.8 (8.8.8.8): 56 data bytes
      64 bytes from 8.8.8.8: icmp_seq=0 ttl=48 time=48.690 ms
      64 bytes from 8.8.8.8: icmp_seq=1 ttl=48 time=55.283 ms
      64 bytes from 8.8.8.8: icmp_seq=2 ttl=48 time=44.418 ms
      
      --- 8.8.8.8 ping statistics ---
      3 packets transmitted, 3 packets received, 0.0% packet loss
      round-trip min/avg/max/stddev = 44.418/49.464/55.283/4.469 ms
      
      

      The routing table is:

      [2.4.2-RELEASE][somu@pfSense.localdomain]/home/somu: netstat -rn
      Routing tables
      
      Internet:
      Destination        Gateway            Flags     Netif Expire
      default            192.168.3.1        UGS         em0
      10.0.99.0/24       link#2             U           em1
      10.0.99.1          link#2             UHS         lo0
      127.0.0.1          link#3             UH          lo0
      192.168.3.0/24     link#1             U           em0
      192.168.3.120      link#1             UHS         lo0
      
      

      Host on the LAN side:

      The following were performed from IP 10.0.99.11 on the LAN:

      [somu@vmPrime ~]$ ping 192.168.3.108 # Pinging LappyPrime (Physical Host)
      PING 192.168.3.108 (192.168.3.108) 56(84) bytes of data.
      64 bytes from 192.168.3.108: icmp_seq=1 ttl=63 time=2.31 ms
      64 bytes from 192.168.3.108: icmp_seq=2 ttl=63 time=1.24 ms
      ^C
      --- 192.168.3.108 ping statistics ---
      2 packets transmitted, 2 received, 0% packet loss, time 1001ms
      rtt min/avg/max/mdev = 1.246/1.782/2.318/0.536 ms
      [somu@vmPrime ~]$ ping -c 2 192.168.3.120  # Own WAN Port
      PING 192.168.3.120 (192.168.3.120) 56(84) bytes of data.
      64 bytes from 192.168.3.120: icmp_seq=1 ttl=64 time=1.28 ms
      64 bytes from 192.168.3.120: icmp_seq=2 ttl=64 time=0.459 ms
      
      --- 192.168.3.120 ping statistics ---
      2 packets transmitted, 2 received, 0% packet loss, time 1001ms
      rtt min/avg/max/mdev = 0.459/0.869/1.280/0.411 ms
      [somu@vmPrime ~]$ ping -c 2 10.0.99.1  # LAN Router's IP
      PING 10.0.99.1 (10.0.99.1) 56(84) bytes of data.
      64 bytes from 10.0.99.1: icmp_seq=1 ttl=64 time=0.601 ms
      64 bytes from 10.0.99.1: icmp_seq=2 ttl=64 time=0.774 ms
      
      --- 10.0.99.1 ping statistics ---
      2 packets transmitted, 2 received, 0% packet loss, time 1002ms
      rtt min/avg/max/mdev = 0.601/0.687/0.774/0.090 ms
      [somu@vmPrime ~]$ ping -c 2 10.0.99.99 # vmInfra
      PING 10.0.99.99 (10.0.99.99) 56(84) bytes of data.
      64 bytes from 10.0.99.99: icmp_seq=1 ttl=63 time=3.57 ms
      64 bytes from 10.0.99.99: icmp_seq=2 ttl=63 time=2.72 ms
      
      --- 10.0.99.99 ping statistics ---
      2 packets transmitted, 2 received, 0% packet loss, time 1002ms
      rtt min/avg/max/mdev = 2.723/3.146/3.570/0.427 ms
      
      

      However, when I try to ping google.com or 8.8.8.8:

      
      [root@vmPrime network-scripts]# ping google.com
      PING google.com (172.217.163.174) 56(84) bytes of data.
      ^C
      --- google.com ping statistics ---
      6 packets transmitted, 0 received, 100% packet loss, time 4999ms
      
      [root@vmPrime network-scripts]# ping 8.8.8.8
      PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
      ^C
      --- 8.8.8.8 ping statistics ---
      9 packets transmitted, 0 received, 100% packet loss, time 8001ms
      
      

      The interface is configured as:

      
      $ route -n
      Kernel IP routing table
      Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
      0.0.0.0         10.0.99.1       0.0.0.0         UG    100    0        0 ens33
      10.0.99.1       0.0.0.0         255.255.255.255 UH    100    0        0 ens33
      10.0.99.11      0.0.0.0         255.255.255.255 UH    100    0        0 ens33
      192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
      
      [root@vmPrime network-scripts]# cat /etc/sysconfig/network-scripts/ifcfg-Ethernet_connection_1 
      TYPE=Ethernet
      PROXY_METHOD=none
      BROWSER_ONLY=no
      BOOTPROTO=none
      IPADDR=10.0.99.11
      PREFIX=32
      GATEWAY=10.0.99.1
      DEFROUTE=yes
      IPV4_FAILURE_FATAL=no
      IPV6INIT=yes
      IPV6_AUTOCONF=yes
      IPV6_DEFROUTE=yes
      IPV6_FAILURE_FATAL=no
      IPV6_ADDR_GEN_MODE=stable-privacy
      NAME=somuVMnetLAN10
      UUID=e5a60b57-c03d-4c0a-9ece-338f565b7759
      ONBOOT=yes
      DEVICE=ens33
      DNS1=10.0.99.1
      
      

      Please help!

      johnpoz (LAYER 8 Global Moderator):

        Well if you turn off nat at pfsense then that device SG306 you have labelled would have to nat your downstream networks, and it would also have to know how to get to the downstream networks. And its firewall would have to allow the downstream networks out.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01

        SomuNetAdmin:

          @johnpoz:

          I'm sure that's configured somewhere in the rest of the WAN already since I and many other hosts can connect successfully using the existing infrastructure! In fact, I'm typing this right now from a computer that uses the same PG 306 Access point I mentioned. It's honestly just a router that's been put in AP mode. Every device is connected to it, but for some odd reason, the internal LAN network can't connect to the internet even though the Gateway can!

          johnpoz (LAYER 8 Global Moderator):

            No, from your drawing that device knows about 192.168.3. So sure, any device that is on a 192.168.3 would be able to get out. Does that device, or the devices above it if any, know about 10.0.99?

            Do they have settings to nat that network to whatever the actual public IP is? Does that sg306 or whatever is above it know how to get to 10.0.99? Do they allow it out even if they nat it?

            When you have pfsense natting then the network above pfsense thinks it's just some 192.168.3 device, which it knows about. If you turn off nat on pfsense then your network above pfsense needs to know about 10.0.99.

            If you want to just use pfsense as a downstream router from your network, then it should be connected to your upstream router via a transit network, and the upstream router has to be configured to allow or nat this downstream network, and it needs to know to route to the pfsense IP in the transit network to get to the downstream networks of pfsense.

            If you do not use a transit network then you run into a whole asymmetrical routing mess when downstream networks want to talk to IPs that are in this 192.168.3 network, or those devices want to talk to devices downstream of pfsense when their gateway is 192.168.3.x, etc.

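The return-path problem johnpoz describes in his two posts above, as an added Python model that is not part of the thread: addresses and the pfSense table come from the posted `netstat -rn`, while the upstream router's table is an assumption (it knows 192.168.3.0/24 and has a default to the ISP, but no route for 10.0.99.0/24). It shows the reply being lost without NAT, and succeeding with either outbound NAT on pfSense or a static route on the upstream router.

```python
# Added example, not from the thread: a small model of why the 10.0.99.0/24
# hosts lose Internet access once pfSense stops NATting. Addresses are the
# thread's; the upstream router's table is an assumption (it knows
# 192.168.3.0/24 and defaults to the ISP, but has no route for 10.0.99.0/24).
import ipaddress

PFSENSE_WAN = "192.168.3.120"
UPSTREAM_GW = "192.168.3.1"

# Routing tables as (prefix, next_hop); next_hop None means directly connected.
PFSENSE = [("10.0.99.0/24", None), ("192.168.3.0/24", None),
           ("0.0.0.0/0", UPSTREAM_GW)]                          # netstat -rn above
UPSTREAM = [("192.168.3.0/24", None), ("0.0.0.0/0", "isp")]      # assumed
# The routed alternative johnpoz describes: upstream learns the downstream net.
UPSTREAM_WITH_ROUTE = [("10.0.99.0/24", PFSENSE_WAN)] + UPSTREAM

def lookup(table, dst):
    """Longest-prefix match; returns the next hop (None = on-link) or raises."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise KeyError(f"no route to {dst}")
    return best[1]

def round_trip(src, dst, outbound_nat, upstream=UPSTREAM):
    """Trace a LAN host's packet to dst and the reply back; returns
    (reachable, hops) so the point where the reply is lost is visible."""
    hops = []
    # Forward leg always works: pfSense has a default route, which is also why
    # the router itself can ping 8.8.8.8. Outbound NAT rewrites the source.
    lookup(PFSENSE, dst)
    reply_to = PFSENSE_WAN if outbound_nat else src
    hops.append(f"pfSense -> {UPSTREAM_GW}: {reply_to} -> {dst}")
    lookup(upstream, dst)
    hops.append("upstream -> ISP (upstream NATs to its public IP)")
    # Return leg: the upstream router needs a real route to reply_to.
    next_hop = lookup(upstream, reply_to)
    if next_hop == "isp":
        hops.append(f"upstream has no route for {reply_to}; its default route "
                    "sends the reply back out to the ISP, where it is dropped")
        return False, hops
    hops.append(f"upstream -> {next_hop or reply_to}: reply for {reply_to}")
    if outbound_nat:
        hops.append(f"pfSense un-NATs the reply to {src}")
    return True, hops
```

Running `round_trip("10.0.99.11", "8.8.8.8", outbound_nat=False)` reproduces the thread's symptom (the forward leg succeeds, the reply is lost upstream); passing `outbound_nat=True` or `upstream=UPSTREAM_WITH_ROUTE` shows the two fixes.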
            SomuNetAdmin:

              @johnpoz:

              So, if I'm understanding you correctly, the NAT is an absolute must since the devices between Suyash PG 306 and the Suyash Gateway (the edge router connected to the ISP, which also performs NATting for the entire network) don't know about my private 10.0.99.0/24 network, right?

              So, if that be the case, any way I could force them to update their routing tables? Would that even work? I'm sensing NATting at the pfSense router would be a better solution overall, right? If so, how do I do this? When I try to insert a rule into the firewall that allows me to access the LAN hosts via the WAN port, it doesn't work. Is there perhaps a tutorial that could show me how to do this? Thanks for all your help, by the way!!

              johnpoz (LAYER 8 Global Moderator):

                If you do not have control of the upstream router and its routes, nat functions and firewall rules, then yes, you would have to nat at pfsense to use it.

                As to getting to stuff behind pfsense from stuff on the wan network, you would need to port forward and hit the pfsense wan IP to get forwarded to the stuff behind pfsense.

                Why not just replace whatever is at the edge with pfsense? And let pfsense handle all your networks and the nat to the public, etc. Then you would not need to nat between your networks and could just firewall.

                Worst case is just move everything behind pfsense and live with the double nat to the internet, etc. You would just need an AP to put behind pfsense if you cannot just use that sg306 device as an AP and need it to be your modem/gateway to the internet.

                While you're at it, get a smart switch so you can do vlans and an AP that can do vlans, and now you would be cooking with gas! ;)
