OPT1 / OPT2 interfaces not able to access the Internet
-
Hello,
I'm running a Pfsense 2.3.1 ITX Firewall Router 1-WAN 3-LAN. The WAN and LAN interfaces are working as expected. I've enabled the OPT1 & OPT2 interfaces and the DHCP server for each interface. I connect a PC to OPT1 & OPT2 and am given an IP address on each interface. I can hit other computers on my network, but neither OPT1 or OPT2 can get out to the internet. I have firewall rules set up for each interface as shown in the attached screenshots. When I use Diagnostics > ping, I can ping from the LAN interface but not OPT1 or OPT2. Might anyone have suggestions about how to resolve this issue?
Thanks!
-
In your network config for OPT1 and OPT2, did you specify a gateway?
-
This typically signals an absence of the GATEWAY parameter.
GATEWAY (literally) = This is the door to the Internet.
-
Thank you. This must be the problem. I didn't see a gateway specified on the LAN interface (as it is on the WAN interface). This is why I thought it wouldn't be needed on OPT1 or OPT2.
I've taken a stab at setting up a new Gateway (using the same IP address as the gateway on WAN) but that dog doesn't hunt.
Can I set up multiple gateways for a single upstream gateway (from ISP modem)? Anyone aware of some documentation I could follow?
-
No… Anything connected up to opt1, should have gateway=IP of opt1. Anything connected up to opt2 should have gateway=IP of opt2.
A gateway is always an IP on the SAME SUBNET as you are in. Think of opt1 as a room, and you have multiple doors, and that's all you can see, most of those doors are other clients but one of them is, as mentioned, the door to the Internet and that is opt1 IP.
I haven't done this myself under pfsense but you may have to run multiple instances of the DHCP server in order to dish out the different gateways, and on top of that am not sure if there is any advantage to run opt1/opt2 on the same subnet as LAN or better run separate subnets.
-
Please correct me if I am wrong but I don't think it is a gateway issue.
Looking at the firewall rules you posted I think you are missing the source as you have it set to any. For OPT1 add OPT1 net as source and for OPT2 add OPT2 net as source. If you look at your LAN firewall rule you will see the source is LAN net.
Please add the source to each rule and report back.
-
I don't think this is the problem. I've updated the rules per your guidance (see attachments) and am still unable to access internet from OPT1 or OPT2.
I really appreciate the help I'm receiving here. Before we burn too many cycles, I'd like to highlight my ultimate goal is to run 1 interface (LAN) with an OPENVPN client (specifying LAN as the interface) and the other two WITHOUT VPN. Does the approach I'm trying to take make sense to address this goal?
Much appreciated.
-
I don't think this is the problem. I've updated the rules per your guidance (see attachments) and am still unable to access internet from OPT1 or OPT2.
Ok but it is a start as atleast your firewall rules are now correct.
Could you post a screenshot of your DNS Resolver settings and your Outbound NAT settings?
Also, are your LAN, OPT1 and OPT2 each in a different subnet? Maybe throw in a screenshot of one of your OPT interfaces?
Concerning your VPN, yes you can use the VPN on just one interface but lets first get your internet working on OPT1 and OPT2.
The problem here is that setups can vary greatly so it makes it hard to identify the issue. It could be something very simple or something complex. Best bet is to post as much info about your settings as possible.
It sounds like you have a setup similar to mine or should I say your setup goal is similar to what I have so we should be able to figure this out.
-
Hello,
I've included the following:
-
DNS Resolver - I did not include my host overrides. Let me know if they're needed
-
OutBound NAT
-
OPT1 configure - running on different subnet
-
OPT2 configure - running on different subnet
Please let me know what you think.
-
-
You're trying to NAT on a LAN (OPT1) interface that won't work, you need to learn how NAT works.
-
So you took your outbound nat out of automatic - why??
And you didn't create outbound nat to the wan interface from the networks you put on your opt1 and opt2… But you have an outbound nat out into opt1..
There is you problem... Change your outbound nat to automatic and it will fix it your problem. Then change it to to hybrid and setup what you want for any sort of vpn service.
-
Thanks for posting the screenshots, very helpful :)
johnpoz is correct and this should fix your problem. Below is a screenshot of what you should end up with when it is correct. You can either do what johnpoz said or edit it manually to match the settings in my screenshot. Of course I use a different VPN so substitute with your own VPN. Unless you need them you can also delete the Auto created rules for ISAKMP to clear up some of the clutter.
As for your VPN, if you only want it on your LAN.. Goto your LAN firewall rule, edit and scroll down to advanced options and choose your VPN for the gateway. For OPT1 and OPT2 the same except choose your WAN gateway in Advanced Options.
-
An edit to my last post.
Since you only want your VPN on your LAN you can probably disregard the outbound VPN NAT rules for your 192.168.20.0 and 192.168.30.0 subnets.
As you can see I have my VPN setup on all interfaces. Basically everything on my network goes through the VPN and I use firewall rules to run certain devices through the WAN by specifying the devices IP and choosing my WAN as the gateway. This is why I have VPN outbound NAT rule for each subnet.
Also for your OPT1 and OPT2 firewall rules, probably no need to choose a gateway in advanced options.
-
I forgot to mention that you may need to make some other changes in pfSense so that you do not have DNS leak issues with your VPN but first please follow the advice given earlier to get your internet working on each interface then report back. I only mention this because of your resolver settings and the fact that you are using a VPN for a reason. The VPN is useless if it is leaking DNS to your ISP.
-
Hi,
I believe we're getting close.
Per my screenshot for outbound NAT, I now have NAT mode set to hybrid and I've removed the ISAKMP rules. I've left the WAN rules for subnets 168.192.20.0 and 168.192.30.0 in place.
As for setting my LAN interface to use the OpenVPN gateway, I've tried setting up a new gateway under System > Routing and/or Status > Gateway. I didn't know what to use for an IP address so I left them blank. The screenshot of the Gateways shows this new OpenVPNGW gateway is in a "pending" status, I'm not sure where to go next with this.
Then, I tried setting up the LAN firewall rule to refer to the OpenVPNGW gateway. I also referred the OPT1 and OPT2 rules to the non-VPN gateway WANGW. Unfortunately, I'm still getting the same results – neither OPT1 or OPT2 can access the internet when OpenVPN is active.
Regards.
-
Looks like you took johnpoz and my advice together. I am sorry I should have stated to do one or the other in regards to your NAT rules.
Below is a copy of your screenshot with some added text. You can safely delete the rules I marked as duplicates as they were already created automatically at the bottom, do this if you want to keep it in Hybrid Outbound NAT. If you want to do the rules like I have in my screenshot you will need to switch to Manual Outbound NAT.
With that said I don't believe the duplicate NAT rules would stop your internet from working so there must be something else going on here.
Then, I tried setting up the LAN firewall rule to refer to the OpenVPNGW gateway. I also referred the OPT1 and OPT2 rules to the non-VPN gateway WANGW. Unfortunately, I'm still getting the same results – neither OPT1 or OPT2 can access the internet when OpenVPN is active.
Do you have internet on OPT1 and OPT2 when the VPN is disabled?
If I were you I would remove the VPN completely until I had internet working on all interfaces just to rule it out. I personally had a lot of strange issues while trying to set up my VPN.
Though it probably won't make a difference please fix your NAT rules as I mentioned above and then reboot your pfSense box. If you still have no internet on OPT1 and OPT2 the best advice I can give is try to get this all working WITHOUT your VPN. Once you have your internet working, then add the VPN back in.
-
Hello,
I've played around with things a bit more and am in a slightly different situation. All interfaces - LAN, OPT1 and OPT2 – work whether the VPN is active or not. However, now when I run the VPN, I'm no longer getting connected as I was before. Running the VPN or not, has no impact on any of the interfaces at the moment. I haven't deleted the VPN client yet but will do so if you feel it's necessary. I also tried setting up a gateway for the VPN but must not be getting the configuration right.
Please let me know what you think.
-
Hello,
I've played around with things a bit more and am in a slightly different situation. All interfaces - LAN, OPT1 and OPT2 – work whether the VPN is active or not. However, now when I run the VPN, I'm no longer getting connected as I was before. Running the VPN or not, has no impact on any of the interfaces at the moment. I haven't deleted the VPN client yet but will do so if you feel it's necessary. I also tried setting up a gateway for the VPN but must not be getting the configuration right.
Please let me know what you think.
Hi,
So you are saying you do have internet on all interfaces now?
If so no need to disable your VPN.
I'm not sure what you mean by "However, now when I run the VPN, I'm no longer getting connected as I was before". Do you mean you loose internet or you are not getting expected speeds? Please elaborate.
I can say, I think it is normal to see less speed while using a VPN.
-
Confirmed – I am able to connect to the internet from all interfaces now: LAN, OPT1 & OPT2. The problem I'm having now is when I start my OpenVPN service, I'm still seeing my home IP address and not the IP address(es) of my VPN provider. Somehow, I managed to disconnect something. BTW - I did reboot my router which seemed to get things working better (except the VPN).
Thanks.
-
Could it be that I need to set up a VPN Gateway as you recommended? If so, I'm in the dark on how to do this.
Thank you.
