Netgate Discussion Forum
    LAN clients can access internet but pfSense itself can't

    • Andrew453

      I'm experiencing some odd behaviour on my firewall.

      When the WAN is connected with an internet address (i.e. not RFC1918), all the LAN clients can access the Internet, as well as pfSense itself (e.g. for updating packages, or pfBlockerNG lists etc).

      But when the WAN has an RFC1918 address (i.e. double NATted), while the LAN clients can still access the Internet without any problem, pfSense itself cannot. i.e. package updates fail, as do pfBlockerNG or Snort updates. (I'm stuck with the double NAT, but I don't think that's the problem here).

      Block private networks is not checked on WAN (bogon networks is checked).

      There's no blocking of packets being shown on the firewall logs.

      Any ideas what might be causing this please?

      Andrew

      • Derelict LAYER 8 Netgate

        Sounds like whatever the issue is is probably in your WAN Firewall > NAT, Outbound settings. You probably want to post those.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • Andrew453

          Thanks for replying.

          For whatever reason, the issue appears only to arise after a configuration restore when pfSense seeks to reinstall all packages (which then fails due to lack of internet connectivity).

          If I connect to a WAN with a real internet address to do that, it works. If I subsequently (i.e. after the restore has completed ok) switch the WAN to the RFC1918 address it still works ok and pfSense can access the internet.

          It looks like a quirk that affects package reinstallation only (e.g. perhaps pfBlockerNG, DNSBL or DNS Resolver related before the packages have been properly restored). Given I can get it working as above, I suspect I'll just leave it for now.

          Thanks.

          • Derelict LAYER 8 Netgate

            I'd fix it. But OK.

            Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.