Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfsense WAN on private network

    Scheduled Pinned Locked Moved General pfSense Questions
    7 Posts 3 Posters 2.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      penguin-nut
      last edited by

      Hi. I have an instance of pfsense running entirely on a private network where WAN interface is getting a DHCP of 192.168.x.x and 2 other interfaces: 172.16.5.x and 172.16.6.x. This whole setup is purely for learning.

      A host on either 172.16.x.x network can ping through the gateway to hosts on the WAN network (192.168.x.x), but I can't access any web servers, so port 80 and 443 are inaccessible.

      NAT appears to work correctly, a host on the WAN network sees icmp traffic as from the WAN interface.
      The "Reserved Networks" 2 check boxes are unchecked for both 172.16.x.x interfaces
      I can ping www.google.com, so routing also works. Any suggestions would be appreciated, next step probably would be to reinstall.

      1 Reply Last reply Reply Quote 0
      • S
        SteveITS Galactic Empire
        last edited by

        On the WAN interface did you uncheck "Block private networks and loopback addresses"?

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote ๐Ÿ‘ helpful posts!

        P 1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by johnpoz

          @penguin-nut said in pfsense WAN on private network:

          NAT appears to work correctly, a host on the WAN network sees icmp traffic as from the WAN interface.

          Great start.. So do sniff on pfsense wan - do you send pfsense send the SYN for the http/https connection to the host on your 192.168 wan network?

          What firewall rules do you have on your 2 172.16 interfaces? While the first lan side interface (lan) would default to any any... When you create a 2nd interface it would have no rules.

          You say you can ping google, but can you access google?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          1 Reply Last reply Reply Quote 0
          • P
            penguin-nut @SteveITS
            last edited by

            @teamits I did, that didn't seem to allow traffic through. I ended up doing a "Reset to factory defaults", it now works. Very strange. There is nothing different that I can tell from what I configured then and now. Maybe switching the configuration back and forth so many times something got messed up?

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by

              @penguin-nut said in pfsense WAN on private network:

              Maybe switching the configuration back and forth so many times something got messed up?

              Zero mention of any of that in OP.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              1 Reply Last reply Reply Quote 0
              • P
                penguin-nut
                last edited by

                So I've discovered a couple things related to my test environment. My pfSense instance runs on Xenserver 7.x on Dell hardware. NICs are plugged into Cisco 2960 (IOS 15.x).

                1 - Reconfiguring interfaces, sometimes requires re-saving firewall rules. I reconfigured an interface, DHCP works but unable to ping gateway or dig/nslookup fails. Re-saving firewall allow rule for that interface fixed everything.
                2 - System->Advanced->Networking
                Disable hardware checksum offload
                Above fixed a recurring problem I could not resolve with pfSense running on Xenserver 7.x, Dell hardware.
                3 - VLANs configuration can get very confusing. There are VLANs configured on the Cisco 2960 switch Xenserver is plugged into; Xenserver allows assigning ports to VLANs; pfSense has VLANs. It is easy to break this and just as easy to fix.

                S 1 Reply Last reply Reply Quote 0
                • S
                  SteveITS Galactic Empire @penguin-nut
                  last edited by

                  @penguin-nut said in pfsense WAN on private network:

                  Disable hardware checksum offload

                  FYI, documented at https://www.netgate.com/docs/pfsense/book/config/advanced-networking.html?highlight=xen#hardware-checksum-offloading

                  Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                  When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                  Upvote ๐Ÿ‘ helpful posts!

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.