Firewall rule or Static IP issue? No internet on LAN

  • Installed pfsense 2.4 > Set up WAN using the last static IP available in my block. Set up LAN as C ending 1.1 > updated pfsense to latest > checked to see if it would show package addons, it did. DNS lookup, ping, tracert all working but no internet for clients on the LAN. LAN clients getting DHCP from pfsense and GW pointed at 1.1 correctly.

    I'm pretty sure pfsense auto creates a firewall rule for default LAN but I even tried adding a manual one from LAN to ANY ANY. What am I missing?

    There is a zywall with the other static IPs on the block using the same SMC cable modem. Could this be it?

    BTW pfsense is absolutely amazing. I cannot believe I've been missing out for so long.

  • By last I hope you don't mean the highest address within the subnet. That's the broadcast address and not usable as a host address. On IPv4, the lowest address, which represents the network address, and the highest are not usable by hosts. On IPv6, the lowest is not usable, but there's no such thing as broadcast, so you can use the highest address, instead of wasting it, when there are only 18.4 billion, billion addresses available. 😉

  • Hello,
    I have a x.x.203.x /28, which should give me 16 addresses.
    I'd assume you're saying 203.0 is the network.
    I know 203.14 is my gateway, leaving 203.15 as the broadcast.

    The zywall is 203.1 and had everything provisioned up to 203.13.
    203.13 was a PTRG monitor on HTTPS working fine so I removed those rules from the zywall and provisioned the pfsense box as 203.13. I mean it's definitely usable by a host, I would think...

    Does this sound right?

  • LAYER 8 Global Moderator

    If you're saying pfsense has internet using this 203.x address.. ie it can check for packages, and if it's the latest version..

    Yeah, out of the box lan is any any and you don't need to do anything for clients on the lan network to have internet. Did you mess with the outbound nat and turn it off automatic?

    You're not using the same network on your lan as your wan are you? You didn't set up a gateway on your lan interface of pfsense did you?

    Can clients ping your 203.x gateway IP?

  • Yes pfsense is using 203.13 and can do things on the internet.

    I did not mess with the NAT initially but have since changed to hybrid, thinking it may not have created a rule and I need to manually create one.

    The LAN is 192.168.1.x with pfsense 1.1 and clients getting DHCP 1.100-200. I did not set up a gateway on the LAN as it said not to. Clients can ping pfsense but nothing past that. Can't ping 203.14 gateway or

    What do you think I should try? Reinstall, swap out NICs? The console doesn't seem to be complaining about anything / showing NIC alerts.

  • LAYER 8 Global Moderator

    Out of the box this should just work.. Your outbound nat should be auto, and it should show your wan interface and your local network(s)..

    This really should just work out of the box with really little to do.

    I would do a sniff on your wan when your clients try and ping your wan gateway IP.. Do you see traffic go out towards your wan gateway, when your set pfsense wan IP as the source?

    Out of the box pfsense should take all of like 1 min to get up and running with almost zero to do.. default would any clients on your lan to your wan IP, etc.

    If you did not mess with lan rule and or outbound nat it should just be working.

    The only thing that really comes to mind as a problem would be your isp not allowing the nat.. pfsense would change the ttl towards your isp by 1, and pfsense itself talking to your isp gateway and internet would have the full ttl set on the traffic.

    This is why I want to see the sniff on pfsense wan, while you say ping - do you see this traffic? With your correct wan IP? Other thing is you didn't mess up the mask on your wan did you? The dropdown on static defaults to /32

    BTW - no you shouldn't be setting gateway on your lan interface... But you wouldn't believe how common a mistake that is - even when it screams at you that NO you do not need a gateway ;) Common users set this to pfsense own lan IP... Like that makes any sense ;)
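The addressing checks raised in the replies above (host address that is really the network or broadcast address, a WAN mask left at /32, LAN on the same network as WAN) can be run before touching the firewall rules. This is an added example, not part of the thread or of pfSense; the 203.0.113.x addresses are constructed documentation-range stand-ins for the poster's redacted x.x.203.x /28, and `check_static_wan` is a hypothetical helper name.

```python
import ipaddress

def check_static_wan(wan_cidr, gateway, lan_cidr):
    """Return a list of addressing problems for a static WAN plus LAN plan."""
    wan = ipaddress.ip_interface(wan_cidr)
    lan = ipaddress.ip_interface(lan_cidr)
    gw = ipaddress.ip_address(gateway)
    net = wan.network
    problems = []

    if net.prefixlen == 32:
        # A /32 WAN mask means no other address, gateway included, is on-link.
        problems.append("WAN mask is /32")
    elif net.prefixlen < 31:
        # Lowest and highest addresses are reserved (a /31 has no such reservation).
        if wan.ip == net.network_address:
            problems.append("WAN address is the network address")
        if wan.ip == net.broadcast_address:
            problems.append("WAN address is the broadcast address")

    if gw not in net:
        problems.append("gateway is outside the WAN subnet")
    elif gw == wan.ip:
        problems.append("gateway equals the WAN address")

    if lan.network.overlaps(net):
        problems.append("LAN subnet overlaps the WAN subnet")
    return problems

def usable_range(cidr):
    """First and last usable host addresses of the subnet containing cidr."""
    hosts = list(ipaddress.ip_interface(cidr).network.hosts())
    return str(hosts[0]), str(hosts[-1])

if __name__ == "__main__":
    # Constructed values mirroring the thread: host .13, gateway .14, LAN 192.168.1.1/24
    print(usable_range("203.0.113.13/28"))
    print(check_static_wan("203.0.113.13/28", "203.0.113.14", "192.168.1.1/24"))
    print(check_static_wan("203.0.113.13/32", "203.0.113.14", "192.168.1.1/24"))
```

An empty list for the thread's layout matches the outcome: the addressing was valid and the fault lay elsewhere, which is where the WAN packet capture comes in.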

  • Wow, what craziness is this... get into the office, plug a laptop into the LAN and it has internet.

    Checking my IP from the LAN client shows 203.13 as it should. Didn't change a thing.

    Possibly the ISP modem was power cycled but I didn't get any PTRG alerts for it going down. Unfortunately it doesn't show uptime to confirm.

    I appreciate the detailed response and I'm kicking myself for not sniffing the traffic. DUH. I just assumed I wasn't grasping pfsense setup. Thanks for your time John.

  • LAYER 8 Global Moderator

    They try and make it pretty idiot proof ;) It really is just plug in - follow a few bouncing ball questions and bing bang zoom its working.

    Now where it gets fun is how much "MORE" you can do with it after the idiot proof turning it on setup.
