LAN hosts can't connect to the Internet when the firewall and NAT are turned off!



  • Hi, I'm extremely new to this, and my general knowledge about Routing isn't very thorough yet.

    My basic network setup looks like this:

    Now, since there's already a firewall behind the Suyash PG 306 Access point (along with several other routers and stuff), the network 192.168.3.0/24 is completely trusted, and I don't need a firewall here. Further, I'd like the hosts to be able to talk to each other using their real IPs. So, I don't need NAT either, since it's all within a giant LAN. At this point every VM host, i.e., vmInfra, vmPrime and vmDeux, as well as lappyPrime, had a working internet connection. So, I deactivated the firewall and NAT by:

    • System > Advanced > Firewall / NAT tab > Disable Firewall > Saved

    • Firewall > NAT > Outbound tab > Disable Outbound NAT rule generation (No Outbound NAT rules) > Deleted Existing Outbound rules > Saved.

    Now, both networks 192.168.3.0/24 and 10.0.99.0/24 can talk to each other; however, while the 192.168.3.120 network still has internet access, the hosts on the internal LAN 10.0.99.0/24 don't! What makes this even weirder is that the router residing at 10.0.90.1 can ping google and 8.8.8.8 without a problem, but only the hosts on the LAN can't. My physical host at 192.168.3.108 still has an internet connection.


    What's going on, and how can I fix it?


    Details & Settings:

    Router:

    [2.4.2-RELEASE][somu@pfSense.localdomain]/home/somu: ifconfig em0; ifconfig em1
    em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
    	ether 00:0c:29:c2:dd:83
    	hwaddr 00:0c:29:c2:dd:83
    	inet6 fe80::20c:29ff:fec2:dd83%em0 prefixlen 64 scopeid 0x1
    	inet 192.168.3.120 netmask 0xffffff00 broadcast 192.168.3.255
    	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    	media: Ethernet autoselect (1000baseT <full-duplex>)
    	status: active
    em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
    	ether 00:0c:29:c2:dd:8d
    	hwaddr 00:0c:29:c2:dd:8d
    	inet6 fe80::20c:29ff:fec2:dd8d%em1 prefixlen 64 scopeid 0x2
    	inet 10.0.99.1 netmask 0xffffff00 broadcast 10.0.99.255
    	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    	media: Ethernet autoselect (1000baseT <full-duplex>)
    	status: active
    

    From the Router, I can ping:

    
    [2.4.2-RELEASE][somu@pfSense.localdomain]/home/somu: ping -c 2 google.com
    PING google.com (172.217.163.174): 56 data bytes
    64 bytes from 172.217.163.174: icmp_seq=0 ttl=57 time=14.355 ms
    64 bytes from 172.217.163.174: icmp_seq=1 ttl=57 time=30.919 ms
    
    --- google.com ping statistics ---
    2 packets transmitted, 2 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 14.355/22.637/30.919/8.282 ms
    [2.4.2-RELEASE][somu@pfSense.localdomain]/home/somu: ping -c 3 8.8.8.8
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=48 time=48.690 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=48 time=55.283 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=48 time=44.418 ms
    
    --- 8.8.8.8 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 44.418/49.464/55.283/4.469 ms
    
    

    The routing table is:

    [2.4.2-RELEASE][somu@pfSense.localdomain]/home/somu: netstat -rn
    Routing tables
    
    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            192.168.3.1        UGS         em0
    10.0.99.0/24       link#2             U           em1
    10.0.99.1          link#2             UHS         lo0
    127.0.0.1          link#3             UH          lo0
    192.168.3.0/24     link#1             U           em0
    192.168.3.120      link#1             UHS         lo0
    
    

    Host on the LAN side:

    The following were performed from IP 10.0.99.11 on the LAN:

    [somu@vmPrime ~]$ ping 192.168.3.108 # Pinging LappyPrime (Physical Host)
    PING 192.168.3.108 (192.168.3.108) 56(84) bytes of data.
    64 bytes from 192.168.3.108: icmp_seq=1 ttl=63 time=2.31 ms
    64 bytes from 192.168.3.108: icmp_seq=2 ttl=63 time=1.24 ms
    ^C
    --- 192.168.3.108 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 1.246/1.782/2.318/0.536 ms
    [somu@vmPrime ~]$ ping -c 2 192.168.3.120  # Own WAN Port
    PING 192.168.3.120 (192.168.3.120) 56(84) bytes of data.
    64 bytes from 192.168.3.120: icmp_seq=1 ttl=64 time=1.28 ms
    64 bytes from 192.168.3.120: icmp_seq=2 ttl=64 time=0.459 ms
    
    --- 192.168.3.120 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 0.459/0.869/1.280/0.411 ms
    [somu@vmPrime ~]$ ping -c 2 10.0.99.1  # LAN Router's IP
    PING 10.0.99.1 (10.0.99.1) 56(84) bytes of data.
    64 bytes from 10.0.99.1: icmp_seq=1 ttl=64 time=0.601 ms
    64 bytes from 10.0.99.1: icmp_seq=2 ttl=64 time=0.774 ms
    
    --- 10.0.99.1 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1002ms
    rtt min/avg/max/mdev = 0.601/0.687/0.774/0.090 ms
    [somu@vmPrime ~]$ ping -c 2 10.0.99.99 # vmInfra
    PING 10.0.99.99 (10.0.99.99) 56(84) bytes of data.
    64 bytes from 10.0.99.99: icmp_seq=1 ttl=63 time=3.57 ms
    64 bytes from 10.0.99.99: icmp_seq=2 ttl=63 time=2.72 ms
    
    --- 10.0.99.99 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1002ms
    rtt min/avg/max/mdev = 2.723/3.146/3.570/0.427 ms
    
    

    However, when I try to ping google.com or 8.8.8.8:

    
    [root@vmPrime network-scripts]# ping google.com
    PING google.com (172.217.163.174) 56(84) bytes of data.
    ^C
    --- google.com ping statistics ---
    6 packets transmitted, 0 received, 100% packet loss, time 4999ms
    
    [root@vmPrime network-scripts]# ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    ^C
    --- 8.8.8.8 ping statistics ---
    9 packets transmitted, 0 received, 100% packet loss, time 8001ms
    
    

    The interface is configured as:

    
    $ route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         10.0.99.1       0.0.0.0         UG    100    0        0 ens33
    10.0.99.1       0.0.0.0         255.255.255.255 UH    100    0        0 ens33
    10.0.99.11      0.0.0.0         255.255.255.255 UH    100    0        0 ens33
    192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
    
    [root@vmPrime network-scripts]# cat /etc/sysconfig/network-scripts/ifcfg-Ethernet_connection_1 
    TYPE=Ethernet
    PROXY_METHOD=none
    BROWSER_ONLY=no
    BOOTPROTO=none
    IPADDR=10.0.99.11
    PREFIX=32
    GATEWAY=10.0.99.1
    DEFROUTE=yes
    IPV4_FAILURE_FATAL=no
    IPV6INIT=yes
    IPV6_AUTOCONF=yes
    IPV6_DEFROUTE=yes
    IPV6_FAILURE_FATAL=no
    IPV6_ADDR_GEN_MODE=stable-privacy
    NAME=somuVMnetLAN10
    UUID=e5a60b57-c03d-4c0a-9ece-338f565b7759
    ONBOOT=yes
    DEVICE=ens33
    DNS1=10.0.99.1
    
    

    Please help!


  • LAYER 8 Global Moderator

    Well, if you turn off NAT at pfSense, then that device SG306 you have labeled would have to NAT your downstream networks, and it would also have to know how to get to the downstream networks. And its firewall would have to allow the downstream networks out.



  • @johnpoz:

    Well, if you turn off NAT at pfSense, then that device SG306 you have labeled would have to NAT your downstream networks, and it would also have to know how to get to the downstream networks. And its firewall would have to allow the downstream networks out.

    I'm sure that's configured somewhere in the rest of the WAN already since I and many other hosts can connect successfully using the existing infrastructure! In fact, I'm typing this right now from a computer that uses the same PG 306 Access point I mentioned. It's honestly just a router that's been put in AP mode. Every device is connected to it, but for some odd reason, the internal LAN network can't connect to the internet even though the Gateway can!


  • LAYER 8 Global Moderator

    No, from your drawing that device knows about 192.168.3. So sure, any device that is on 192.168.3 would be able to get out. Does that device, or the devices (if any) above it, know about 10.0.99?

    Do they have settings to NAT that network to whatever the actual public IP is? Does that SG306, or whatever is above it, know how to get to 10.0.99? Do they allow it out even if they NAT it?

    When you have pfSense NATting, then the network above pfSense thinks it's just some 192.168.3 device, which it knows about… If you turn off NAT on pfSense, then your network above pfSense needs to know about 10.0.99.

    If you want to just use pfSense as a downstream router from your network, then it should be connected to your upstream router via a transit network, and the upstream router has to be configured to allow or NAT this downstream network, and it needs to know to route to the pfSense IP in the transit network to get to the downstream networks of pfSense.

    If you do not use a transit network, then you run into a whole asymmetrical routing mess when downstream networks want to talk to IPs that are in this 192.168.3 network, or those devices want to talk to devices downstream of pfSense when their gateway is 192.168.3.x, etc.
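    The reply-path problem described in this post, as an added example that is not part of the thread and not pfSense code: a toy longest-prefix-match router model using the addresses posted in the question. The upstream gateway's routing table is an assumption (a typical home router that knows its own 192.168.3.0/24 plus a default route toward the ISP); `ISP`, `CONNECTED` and the helper names are constructed for the example.

```python
import ipaddress

# Added example, not from the thread or from pfSense: a toy longest-prefix-match
# router model that shows why the 10.0.99.0/24 hosts lose Internet access once
# pfSense stops doing outbound NAT. Addresses are the ones posted in the thread;
# the upstream gateway's table is an assumption (it knows 192.168.3.0/24 and has
# a default route toward the ISP, nothing about 10.0.99.0/24).

PFSENSE_WAN = "192.168.3.120"
PFSENSE_LAN = "10.0.99.1"
LAN_HOST = "10.0.99.11"
UPSTREAM_GW = "192.168.3.1"
ISP = "isp-uplink"        # placeholder next hop for the upstream's default route
CONNECTED = "connected"   # marker for a directly attached network


class Router:
    """Minimal IPv4 forwarder: longest-prefix match plus optional outbound source NAT."""

    def __init__(self, name, routes, nat_src=None):
        self.name = name
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.nat_src = nat_src  # outbound sources are rewritten to this address, or None

    def add_route(self, prefix, nexthop):
        self.routes.append((ipaddress.ip_network(prefix), nexthop))

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def build_pfsense(outbound_nat):
    # Mirrors the netstat -rn output in the question: default via 192.168.3.1,
    # both /24s directly connected.
    return Router("pfSense",
                  [("0.0.0.0/0", UPSTREAM_GW),
                   ("10.0.99.0/24", CONNECTED),
                   ("192.168.3.0/24", CONNECTED)],
                  nat_src=PFSENSE_WAN if outbound_nat else None)


def build_upstream(knows_downstream):
    # Assumed table for the gateway above pfSense. The static route is the
    # "upstream needs to know about 10.0.99" fix from the post.
    r = Router("upstream", [("0.0.0.0/0", ISP), ("192.168.3.0/24", CONNECTED)])
    if knows_downstream:
        r.add_route("10.0.99.0/24", PFSENSE_WAN)
    return r


def reply_reaches_lan(pfsense, upstream, src=LAN_HOST, dst="8.8.8.8"):
    """Send one packet from the LAN host and follow the reply back.

    Returns True if the Internet's answer is delivered to the LAN host,
    False if the upstream gateway pushes it toward the ISP, where a
    reply addressed to a private 10.0.99.x destination is discarded.
    """
    # Forward direction: pfSense sends toward its default gateway, rewriting
    # the source address only when outbound NAT is on.
    assert pfsense.next_hop(dst) == UPSTREAM_GW
    wire_src = pfsense.nat_src or src

    # Reply direction: the Internet answers to whatever source it saw.
    reply_dst = wire_src
    hop = upstream.next_hop(reply_dst)
    if hop == CONNECTED and reply_dst == PFSENSE_WAN:
        # pfSense owns that address; its NAT state table maps the reply back to src.
        return True
    if hop == PFSENSE_WAN:
        # Upstream has a static route for 10.0.99.0/24 pointing at pfSense.
        return pfsense.next_hop(reply_dst) == CONNECTED
    return False  # default route toward the ISP: the reply to 10.0.99.11 is lost


if __name__ == "__main__":
    cases = {
        "NAT on, upstream unaware":  reply_reaches_lan(build_pfsense(True),  build_upstream(False)),
        "NAT off, upstream unaware": reply_reaches_lan(build_pfsense(False), build_upstream(False)),
        "NAT off, upstream routed":  reply_reaches_lan(build_pfsense(False), build_upstream(True)),
    }
    for label, ok in cases.items():
        print(f"{label:28s} -> {'reply delivered' if ok else 'reply lost'}")
```

    The second case is the symptom in the question: pfSense itself can ping out because its own source is 192.168.3.120, which the upstream knows, but a packet sourced from 10.0.99.11 gets a reply the upstream can only send toward the ISP. The model covers only the return route; the upstream's own NAT and firewall policy for a foreign source network, the other half of the post, is not simulated.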



  • @johnpoz:

    No, from your drawing that device knows about 192.168.3. So sure, any device that is on 192.168.3 would be able to get out. Does that device, or the devices (if any) above it, know about 10.0.99?

    Do they have settings to NAT that network to whatever the actual public IP is? Does that SG306, or whatever is above it, know how to get to 10.0.99? Do they allow it out even if they NAT it?

    When you have pfSense NATting, then the network above pfSense thinks it's just some 192.168.3 device, which it knows about… If you turn off NAT on pfSense, then your network above pfSense needs to know about 10.0.99.

    If you want to just use pfSense as a downstream router from your network, then it should be connected to your upstream router via a transit network, and the upstream router has to be configured to allow or NAT this downstream network, and it needs to know to route to the pfSense IP in the transit network to get to the downstream networks of pfSense.

    If you do not use a transit network, then you run into a whole asymmetrical routing mess when downstream networks want to talk to IPs that are in this 192.168.3 network, or those devices want to talk to devices downstream of pfSense when their gateway is 192.168.3.x, etc.

    So, if I'm understanding you correctly, NAT is an absolute must since the devices between Suyash PG 306 and the Suyash Gateway (the edge router connected to the ISP, which also performs NATting for the entire network) don't know about my private 10.0.99.0/24 network, right?

    So, if that be the case, any way I could force them to update their routing tables? Would that even work? I'm sensing NATting at the pfSense router would be a better solution overall, right? If so, how do I do this? When I try to insert a rule into the firewall that allows me to access the LAN hosts via the WAN port, it doesn't work. Is there perhaps a tutorial that could show me how to do this? Thanks for all your help, by the way!!


  • LAYER 8 Global Moderator

    If you do not have control of the upstream router and its routes, NAT functions and firewall rules, then yes, you would have to NAT at pfSense to use it.

    As to getting to stuff behind pfSense from stuff on the WAN network, you would need to port forward and hit the pfSense WAN IP to get forwarded to the stuff behind pfSense.

    Why not just replace whatever is at the edge with pfSense? And let pfSense handle all your networks and the NAT to the public, etc. Then you would not need to NAT between your networks and could just firewall.

    Worst case is to just move everything behind pfSense and live with the double NAT to the internet, etc. You would just need an AP to put behind pfSense if you cannot just use that SG306 device as an AP and need it to be your modem/gateway to the internet.

    While you're at it, get a smart switch so you can do VLANs and an AP that can do VLANs, and now you would be cooking with gas! ;)

