Device behind pfSense LAN (Azure install) can NOT get access to public internet



  • So I thought this would be a fairly simple thing, but I guess Azure networking works differently than a physical install. Anyway, my setup is fairly simple. I installed a pfSense VM on Azure with WAN and LAN.

    pfSense:
    WAN is on 10.2.0.4
    LAN is on 10.3.0.4

    Windows Server 2019 is on 10.3.0.5 (same segment as the LAN of pfSense)

    A UDR (route table) is set on the 10.3.0.xxx subnet with 0.0.0.0/0 next hop to 10.3.0.4

    Now, pfSense has no problem at all pinging 8.8.8.8 or accessing the internet. But WHY IS Windows Server 2019 NOT able to ping or get access to the internet at all??

    I do have "IP forward" turned "ON" on the LAN interface of pfSense. I did a packet capture on both the LAN and WAN interfaces of pfSense, and I DO SEE the packets from the Windows server on both of these interfaces when I try to ping 8.8.8.8.

    So is there something more I need to set up in Azure??

    The funny thing is that I did set up an IPsec tunnel between this pfSense install and my SonicWall firewall (a physical machine), and I WAS ABLE to ping between the devices at either end of the tunnel. But STILL NO DEVICE behind the pfSense LAN interface can ping ANY PUBLIC IP??

    Any thoughts?

    Any help is GREATLY appreciated!



  • Hi,
    I am not using Azure but virtualization over KVM; you could try to disable
    Hardware Checksum Offloading.

    Michaël



  • Hello Michael,

    Thank you for the reply, but that didn't work. I almost feel this is an Azure/pfSense compatibility issue. So I thought, if someone here did get pfSense to work on Azure before, maybe they know something simple that needs to be "turned on" in order for this to work?

    Thank you.



  • How did you get pfSense to connect to the internet? I have deployed pfSense in Azure, and the only way I can ping/get internet access from pfSense is to assign the WAN NIC a public IP.



  • Same problem here.
    I configured pfSense this way:

    WAN 10Gbase-T <full-duplex> 10.0.1.4
    LAN 10Gbase-T <full-duplex> 10.0.2.254

    Azure configuration :
    Routes:
    Route-Default: 0.0.0.0/0 NEXT HOP 10.0.2.254
    Route-WAN: 10.0.1.0/24 NEXT HOP 10.0.2.254

    Subnets
    LAN-Customer 10.0.2.0/24

    Behind pfSense there is a VM with a NIC configured as follows:
    IPv4 Address. . . . . . . . . . . : 10.0.2.4
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 10.0.2.254

    From this VM I can't ping any internet address.
    From pfSense I can ping all internet hosts.

    Any ideas?



  • Hello epasinetti,

    Try creating an outbound NAT rule in pfSense. It seems Azure will not like it if the source IP is not the WAN IP. When a packet goes out to the public internet (from an Azure VM), Azure wants the source IP to be the same as the interface IP.

    So in your example, if your pfSense WAN interface IP (in Azure) is 10.0.1.4 and your VM (the one you want to be behind pfSense) has LAN IP 10.0.2.100, you need to set up a NAT rule in pfSense where:

    Interface:WAN
    Source:10.0.2.100/32
    Port: up to you, you can do wildcard if you like
    NAT Address: 10.0.1.4

    So what this rule does is: everything that comes from the VM 10.0.2.100 and tries to go out on the WAN port (internet access) will have its source IP (in the packet header) rewritten to 10.0.1.4, at which point Azure would think the packet is coming from the WAN INTERFACE, which then allows it to go out.

    I am no Azure expert, maybe someone has a better solution, but this is what I am using now.

    But FYI, in the end, I am no longer using pfSense as the firewall. I am currently using Azure's firewall. I am simply using pfSense so that it can connect IPsec with other companies, as Azure's own virtual gateway is limited in IPsec capability.
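The effect of the outbound NAT rule from the reply above, modelled as an added example (not code from the thread or from pfSense/Azure): it parses tcpdump-style lines as captured on the pfSense WAN interface, applies the WAN outbound NAT rule, and then applies the source-address check the reply describes (Azure only passes a packet leaving a NIC to the internet when its source is that NIC's own address). The capture lines and the per-NIC check are constructed assumptions, not real Azure behaviour documentation.

```python
import ipaddress
import re

# Addresses from the reply's example: pfSense WAN NIC and the LAN VM.
WAN_IP = "10.0.1.4"

# Outbound NAT rule as described in the reply (interface, source, NAT address).
# Ports are treated as a wildcard, as the reply allows.
OUTBOUND_NAT = [
    {"interface": "WAN", "source": "10.0.2.100/32", "nat_address": WAN_IP},
]

# Constructed tcpdump-style lines as they would appear on the WAN capture
# BEFORE outbound NAT: the LAN VM's private address is still the source.
WAN_CAPTURE = [
    "IP 10.0.2.100 > 8.8.8.8: ICMP echo request, id 1, seq 1",
    "IP 10.0.1.4 > 8.8.8.8: ICMP echo request, id 2, seq 1",
    "IP 10.0.2.50 > 1.1.1.1: ICMP echo request, id 3, seq 1",
]

LINE_RE = re.compile(r"^IP (\S+) > (\S+?):")

def parse_line(line):
    """Return (src, dst) from a tcpdump-style 'IP a > b:' line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised capture line: {line!r}")
    return m.group(1), m.group(2)

def apply_outbound_nat(src, rules, interface="WAN"):
    """Return the source address after pfSense outbound NAT on `interface`;
    the first matching rule wins, no match leaves the source untouched."""
    for rule in rules:
        if rule["interface"] != interface:
            continue
        if ipaddress.ip_address(src) in ipaddress.ip_network(rule["source"]):
            return rule["nat_address"]
    return src

def azure_egress_allowed(src, nic_ip):
    """Assumed model of the Azure behaviour the reply describes: a packet
    leaving a NIC towards the internet must carry that NIC's own address."""
    return src == nic_ip

def classify_capture(lines, rules, nic_ip=WAN_IP):
    """Per packet: (pre-NAT src, post-NAT src, dst, allowed out by Azure)."""
    results = []
    for line in lines:
        src, dst = parse_line(line)
        natted = apply_outbound_nat(src, rules)
        results.append((src, natted, dst, azure_egress_allowed(natted, nic_ip)))
    return results
```

The third constructed packet (from 10.0.2.50) is dropped because no rule covers it, which is why a rule for the whole LAN subnet rather than a single /32 is usually what you want.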

