OPT interface exit route nightmare

  • Hello,

    I'm not sure if it's the correct section for my thread but here is my problem:
    I currently have 6 interfaces :
    Everything is working fine except GUEST.
    After a lot of troubleshooting, the problem is more annoying than ever because I've opened everything in the FW guest rules (yeah yeah any) and it still doesn't work.

    • GUEST's clients : DHCP OK
    • GUEST's clients : ping GW (GUEST interface) OK
    • GUEST's clients : ping LAN/WAN/WAN2 interface OK
    • GUEST's clients : ping LAN net / DMZ net OK
    • GUEST's clients everything else : KO (including pinging the routers behind WAN & WAN2 interfaces)
    • Same problem when I go to diagnostics -> ping from the GUEST interface.

    It looks like anything coming from the guest network and trying to go on the internet falls into a blackhole.

  • If you do NAT on the WAN interfaces check if there is an outbound NAT rule in place for the guest network.

  • Like this one ?

    Int : WAN2
    Source : GUEST network
    source : *
    dest : *
    dest port : *
    NAT addr : WAN2 interface address
    NAT port : *

  • Yes.

  • LAYER 8 Global Moderator

    Is that wan2 nat being applied? Do a simple sniff on your wan2 - when you send traffic to say your wan2 gateway from this guest client which you say works is pfsense natting this to its wan2 IP?

    Can pfsense using wan2 get to the internet?

  • LAYER 8 Netgate

    Post your GUEST rules.

  • Thx @viragomann, now that I've added the NAT rule, it's working !
    I still don't know why this NAT rule is needed though... Isn't the interface supposed to forward the traffic to the default gateway / or rule specific gw ?

  • LAYER 8 Global Moderator

    If it doesn't NAT it how does the upstream know how to get back to this downstream network. You wouldn't have to nat it if your upstream knew how to get back to this network.

    If your wan2 is public - then yeah for sure it has to be natted, since rfc1918 doesn't route on the internet.

  • @mike315 said in OPT interface exit route nightmare:

    I still don’t know why this NAT rule is needed though… Isn’t the interface supposed to forward the traffic to the default gateway / or rule specific gw ?

    You have to distinguish routing and NAT.
    If your internet router has no static route to your guest network behind pfSense, you have to do NAT on outbound traffic.
    If the outbound NAT works in automatic mode, the necessary rules should be added by pfSense automatically, but sometimes that fails.

  • @viragomann

    But my internet router has a static route to my guest network, with pfsense as a GW...

  • LAYER 8 Netgate

    Draw a diagram. Please be specific and complete.

  • If it has a route for the guest network pointing to pfSense NAT shouldn't be needed. Maybe there is something wrong with it.
    Since you have 2 WANs, does the route point to the right address?

  • Ok, it's working now that I've disabled the NAT rule, not sure what was wrong before...
