LAN hosts can't connect to the Internet when the firewall and NAT is turned off!
-
Hi, I'm extremely new to this, and my general knowledge about Routing isn't very thorough yet.
My basic network setup looks like this:
Now, since there's already a firewall behind the Suyash PG 306 Access point (along with several other routers and stuff), the network 192.168.3.0/24 is completely trusted, and I don't need a firewall here. Further, I'd like to be able to talk to each other using their real IPs. So, I don't need NAT either, since it's all within a giant LAN. At this point I could connect to the internet through every VM host, i.e., vmInfra, vmPrime and vmDeux as well as lappyPrime had a working internet connection. So, I deactivated the firewall and NAT by:
-
System > Advanced > Firewall / NAT tab > Disable Firewall > Saved
-
Firewall > NAT > Outbound tab > Disable Outbound NAT rule generation (No Outbound NAT rules) > Deleted Existing Outbound rules > Saved.
Now, both networks 192.168.3.0/24 and 10.0.99.0/24 can talk to each other, however, while the 192.168.3.120 network still has internet access, the hosts on the internal LAN 10.0.99.0/24 doesn't! What makes this even weirder is that the router residing at 10.0.90.1 can ping google and 8.8.8.8 without a problem, but only the hosts on the LAN can't. My physical host at 192.168.3.108 still has an internet connection.
What's going on, and how can I fix it?
Details & Settings:
Router:
[2.4.2-RELEASE][somu@pfSense.localdomain]/home/somu: ifconfig em0; ifconfig em1 em0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:c2:dd:83 hwaddr 00:0c:29:c2:dd:83 inet6 fe80::20c:29ff:fec2:dd83%em0 prefixlen 64 scopeid 0x1 inet 192.168.3.120 netmask 0xffffff00 broadcast 192.168.3.255 nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>) status: active em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:c2:dd:8d hwaddr 00:0c:29:c2:dd:8d inet6 fe80::20c:29ff:fec2:dd8d%em1 prefixlen 64 scopeid 0x2 inet 10.0.99.1 netmask 0xffffff00 broadcast 10.0.99.255 nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>) status: active</full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast>From the Router, I can ping:
[2.4.2-RELEASE][somu@pfSense.localdomain]/home/somu: ping -c 2 google.com PING google.com (172.217.163.174): 56 data bytes 64 bytes from 172.217.163.174: icmp_seq=0 ttl=57 time=14.355 ms 64 bytes from 172.217.163.174: icmp_seq=1 ttl=57 time=30.919 ms --- google.com ping statistics --- 2 packets transmitted, 2 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 14.355/22.637/30.919/8.282 ms [2.4.2-RELEASE][somu@pfSense.localdomain]/home/somu: ping -c 3 8.8.8.8 PING 8.8.8.8 (8.8.8.8): 56 data bytes 64 bytes from 8.8.8.8: icmp_seq=0 ttl=48 time=48.690 ms 64 bytes from 8.8.8.8: icmp_seq=1 ttl=48 time=55.283 ms 64 bytes from 8.8.8.8: icmp_seq=2 ttl=48 time=44.418 ms --- 8.8.8.8 ping statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 44.418/49.464/55.283/4.469 msThe routing table is:
[2.4.2-RELEASE][somu@pfSense.localdomain]/home/somu: netstat -rn Routing tables Internet: Destination Gateway Flags Netif Expire default 192.168.3.1 UGS em0 10.0.99.0/24 link#2 U em1 10.0.99.1 link#2 UHS lo0 127.0.0.1 link#3 UH lo0 192.168.3.0/24 link#1 U em0 192.168.3.120 link#1 UHS lo0
Host on the LAN side:
The following were performed from IP 10.0.99.11 on the LAN :
[somu@vmPrime ~]$ ping 192.168.3.108 # Pinging LappyPrime (Physical Host) PING 192.168.3.108 (192.168.3.108) 56(84) bytes of data. 64 bytes from 192.168.3.108: icmp_seq=1 ttl=63 time=2.31 ms 64 bytes from 192.168.3.108: icmp_seq=2 ttl=63 time=1.24 ms ^C --- 192.168.3.108 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 1.246/1.782/2.318/0.536 ms [somu@vmPrime ~]$ ping -c 2 192.168.3.120 # Own WAN Port PING 192.168.3.120 (192.168.3.120) 56(84) bytes of data. 64 bytes from 192.168.3.120: icmp_seq=1 ttl=64 time=1.28 ms 64 bytes from 192.168.3.120: icmp_seq=2 ttl=64 time=0.459 ms --- 192.168.3.120 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 0.459/0.869/1.280/0.411 ms [somu@vmPrime ~]$ ping -c 2 10.0.99.1 # LAN Router's IP PING 10.0.99.1 (10.0.99.1) 56(84) bytes of data. 64 bytes from 10.0.99.1: icmp_seq=1 ttl=64 time=0.601 ms 64 bytes from 10.0.99.1: icmp_seq=2 ttl=64 time=0.774 ms --- 10.0.99.1 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1002ms rtt min/avg/max/mdev = 0.601/0.687/0.774/0.090 ms [somu@vmPrime ~]$ ping -c 2 10.0.99.99 # vmInfra PING 10.0.99.99 (10.0.99.99) 56(84) bytes of data. 64 bytes from 10.0.99.99: icmp_seq=1 ttl=63 time=3.57 ms 64 bytes from 10.0.99.99: icmp_seq=2 ttl=63 time=2.72 ms --- 10.0.99.99 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1002ms rtt min/avg/max/mdev = 2.723/3.146/3.570/0.427 msHowever, when I try to ping google.com or 8.8.8.8:
[root@vmPrime network-scripts]# ping google.com PING google.com (172.217.163.174) 56(84) bytes of data. ^C --- google.com ping statistics --- 6 packets transmitted, 0 received, 100% packet loss, time 4999ms [root@vmPrime network-scripts]# ping 8.8.8.8 PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. ^C --- 8.8.8.8 ping statistics --- 9 packets transmitted, 0 received, 100% packet loss, time 8001msThe Interface is configured as :
$ route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 10.0.99.1 0.0.0.0 UG 100 0 0 ens33 10.0.99.1 0.0.0.0 255.255.255.255 UH 100 0 0 ens33 10.0.99.11 0.0.0.0 255.255.255.255 UH 100 0 0 ens33 192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0 [root@vmPrime network-scripts]# cat /etc/sysconfig/network-scripts/ifcfg-Ethernet_connection_1 TYPE=Ethernet PROXY_METHOD=none BROWSER_ONLY=no BOOTPROTO=none IPADDR=10.0.99.11 PREFIX=32 GATEWAY=10.0.99.1 DEFROUTE=yes IPV4_FAILURE_FATAL=no IPV6INIT=yes IPV6_AUTOCONF=yes IPV6_DEFROUTE=yes IPV6_FAILURE_FATAL=no IPV6_ADDR_GEN_MODE=stable-privacy NAME=somuVMnetLAN10 UUID=e5a60b57-c03d-4c0a-9ece-338f565b7759 ONBOOT=yes DEVICE=ens33 DNS1=10.0.99.1Please help!
-
-
Well if you turn off nat at pfsense than that device SG306 you have label would have to nat your downstream networks, and it would also have to know how to get to the downstream networks. And its firewall would have to allow the downstream networks out.
-
Well if you turn off nat at pfsense than that device SG306 you have label would have to nat your downstream networks, and it would also have to know how to get to the downstream networks. And its firewall would have to allow the downstream networks out.
I'm sure that's configured somewhere in the rest of the WAN already since I and many other hosts can connect successfully using the existing infrastructure! In fact, I'm typing this right now from a computer that uses the same PG 306 Access point I mentioned. It's honestly just a router that's been put in AP mode. Every device is connected to it, but for some odd reason, the internal LAN network can't connect to the internet even though the Gateway can!
-
No from your drawing that devices knows about 192.168.3.. So sure any device that is on a 192.168.3 would be able to get out.. Does that device or the devices if any above it know about 10.0.99
Do they have settings to nat that network to whatever the actual public IP is, do that sg306 or whatever above it know how to get to 10.0.99 do they allow it out even if they nat it..
When you have pfsense natting then the network above pfsense thinks its just some 192.168.3 device, which it knows about… If you turn off nat on pfsense then your network above pfsense need to know about 10.0.99
If want to just use pfsense as a downstream router from your network - then it should be connected to your upstream router via a transit network, and the upstream router has to be configured to allow or nat this downstream network and know to there it needs to know to route to the pfsense IP in the transit network to get to the downstream networks of pfsense.
If you do not use a transit network then you run into a whole asymmetrical routing mess when downstream networks are wanting to talk to IP that are in this 192.168.3 network or those devices want to talk to devices downstream of pfsense when their gateway is 192.168.3.x etc..
-
No from your drawing that devices knows about 192.168.3.. So sure any device that is on a 192.168.3 would be able to get out.. Does that device or the devices if any above it know about 10.0.99
Do they have settings to nat that network to whatever the actual public IP is, do that sg306 or whatever above it know how to get to 10.0.99 do they allow it out even if they nat it..
When you have pfsense natting then the network above pfsense thinks its just some 192.168.3 device, which it knows about… If you turn off nat on pfsense then your network above pfsense need to know about 10.0.99
If want to just use pfsense as a downstream router from your network - then it should be connected to your upstream router via a transit network, and the upstream router has to be configured to allow or nat this downstream network and know to there it needs to know to route to the pfsense IP in the transit network to get to the downstream networks of pfsense.
If you do not use a transit network then you run into a whole asymmetrical routing mess when downstream networks are wanting to talk to IP that are in this 192.168.3 network or those devices want to talk to devices downstream of pfsense when their gateway is 192.168.3.x etc..
So, if I'm understanding you correctly, the NAT is an absolute must since the devices between Suyash PG 306 and the Suyash Gateway (the edge router connected to the ISP, which also performs NATting for the entire network) doesn't know about my private 10.0.99.0/24 network, right?
So, if that be the case, any way I could force them to update their routing tables? Would that even work? I'm sensing NATting at the pfSense router would be a better solution overall, right? If so, how do I do this? When I try to insert a rule into the firewall that allows me to access the LAN hosts via the WAN port, it doesn't work. Is there perhaps a tutorial that could show me how to do this? Thanks for all your help, by the way!!
-
If you do not have control of the upstream router and its routes, and nat functions and firewall rules then yes you would have to nat at pfsense to use it..
As to getting to stuff behind pfsense from stuff on the wan network you would need to port forward and hit the pfsense wan IP to get forwarded to the stuff behind pfsense.
Why not just replace whatever is at the edge with pfsense? And let pfsense handle all your networks and the nat to the public, etc. Then you would not need to nat between your network and could just firewall.
Worse case is just move everything behind pfsense and live with the double nat to the internet, etc. You would just need a AP to put behind pfsense if you can not just use that sg306 device as AP and need it to be your modem/gateway to the internet.
While your at it get a smart switch so you can do vlans and AP that can do vlans and now you would be cooking with gas! ;)
