Netgate Discussion Forum

[SOLVED] No Internet/NAT from OPT1
ShiroiKuma (last edited by ShiroiKuma):

I'm trying to set up an OPT1 (Guest) NIC with full Internet access; basically, a mirror of LAN is my goal for now. At the moment I am running pfSense on a XenServer with 3 NICs attached to it, to test out all the rules/filtering I will need before rolling out to the main network.

My interfaces are:

    WAN 10.25.0.200/24 (will change in future to a public IP once un-VM'd)
    LAN 10.25.0.2/24 (Static)
    OPT1 10.25.1.2/24 (Static) (Xen Host-only Network)

No IPv4 upstream gateways are set on any of the interfaces.

I have enabled DHCP on OPT1 as my VM can receive an IP address. I can tell this from the DHCP Leases panel.

My Firewall->NAT->Outbound is set to Automatic and has the following autogenerated rules.

[screenshot: automatic outbound NAT rules]

Under Firewall->Rules->OPT1 I have cloned the LAN rules and set to 'any'.

[screenshots: OPT1 firewall rules]

Under Diagnostics->Ping I can ping from LAN to google. I can ping from OPT1 to LAN (including the gateway), but not OPT1 to google.

[screenshots: ping results]

I have left Routing->Gateways at their default from a fresh install.

[screenshot: Routing->Gateways]

I'm clearly missing something here. I am new to networking and hence doing all of this in a HomeLab environment first. Any ideas or pointers on where to go next?

https://www.netgate.com/docs/pfsense/routing/connectivity-troubleshooting.html suggests an Outbound NAT problem, but then why would LAN be fine in this scenario? I went through the tests substituting LAN for OPT1 where applicable.
KOM:

@shiroikuma said in No Internet/NAT from OPT1:

    WAN 10.25.0.200/24 (will change in future to a public IP once un-VM'd)
    LAN 10.25.0.2/24 (Static)

How did you think this would ever work? Your WAN and LAN are on the same network. OPT1 should be another bridged NIC on the same network as WAN but a different IP address.
ShiroiKuma:

I'm aiming to replace an ASUS router with pfSense as a drop-in replacement, so testing in isolation to minimize disruption. But only 1 public IP exists, hence the temporary one. I figured pfSense would route via the gateway on the WAN.
Derelict (Netgate, last edited by Derelict):

No. @KOM is talking about your WAN and LAN being the same subnet.

    WAN 10.25.0.200/24 (will change in future to a public IP once un-VM'd)
    LAN 10.25.0.2/24 (Static)

Make your WAN transit network something different in your testing since it sounds like changing the LAN will invalidate your test environment.

You might have to create another interface on whatever is currently your edge on a separate subnet that does not conflict with 10.25.0.0/24 to use for the pfSense WAN.
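The subnet conflict KOM and Derelict point out can be checked mechanically. The script below is an added example (not from the thread or from pfSense): it takes the three interface addresses from the original post, reports which interfaces share a connected subnet, and does a longest-prefix lookup over the connected routes to show that any address in 10.25.0.0/24 matches both WAN and LAN, so the router has no unambiguous egress interface. The replacement WAN transit subnet (10.25.2.0/24) is an assumed value chosen only to illustrate the fix.

```python
import ipaddress
from itertools import combinations

# Interface addressing exactly as given in the original post.
INTERFACES = {
    "WAN": "10.25.0.200/24",
    "LAN": "10.25.0.2/24",
    "OPT1": "10.25.1.2/24",
}


def overlapping_interfaces(interfaces):
    """Return (name_a, name_b) pairs whose connected subnets overlap.

    Two interfaces on the same subnet give the router two connected routes
    for one prefix, so replies and forwarded packets for that prefix have
    no single correct egress interface.
    """
    nets = {n: ipaddress.ip_interface(a).network for n, a in interfaces.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def egress_candidates(interfaces, destination):
    """Longest-prefix match over connected routes only (no default route,
    matching the post where no upstream gateway is set).

    Returns every interface whose connected route is the best match for
    `destination`; more than one entry means routing is ambiguous.
    """
    dst = ipaddress.ip_address(destination)
    best, winners = -1, []
    for name, addr in interfaces.items():
        net = ipaddress.ip_interface(addr).network
        if dst in net:
            if net.prefixlen > best:
                best, winners = net.prefixlen, [name]
            elif net.prefixlen == best:
                winners.append(name)
    return winners


# The fix from the thread: move the WAN transit network to a subnet that
# does not conflict with 10.25.0.0/24. The specific subnet is an assumption.
FIXED_INTERFACES = {**INTERFACES, "WAN": "10.25.2.200/24"}

if __name__ == "__main__":
    print("conflicts:", overlapping_interfaces(INTERFACES))
    print("10.25.0.1 reachable via:", egress_candidates(INTERFACES, "10.25.0.1"))
    print("conflicts after fix:", overlapping_interfaces(FIXED_INTERFACES))
    print("10.25.0.1 after fix:", egress_candidates(FIXED_INTERFACES, "10.25.0.1"))
```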
ShiroiKuma:

@Derelict I assumed having gateways defined would allow the network to smartly know the route to take and so having them on the same subnet would work. Literally never had to think about subnets until this week.

To test, I ended up doing all my LAN stuff on 10.25.1.x instead with a Xen Private Network. Once all the VMs worked, downloaded the configuration from pfSense and did a search/replace on the rules before 'restoring' the XML file and swapping the modem cables over.

Got the home network running on a virtual pfSense okay at the moment, bar a few weird DNS issues with kube-dns and DNS resolution from pods. This will make it easier to move to a physical machine once ready. Just hope Xen doesn't crash at all.