Enable internet access from LAN



  • Hi, I am new to pfSense and sorry for my basic questions.
    This is a school lab environment on VMware with 2 interfaces: a LAN interface (wired) and a WAN interface. My pfSense is installed on FreeBSD and is only connected through the WAN interface, with an external IP of 104.x.x.x. I can work on my firewall from one of the machines in my LAN network. I can only access the internet through my school proxy 199.x.x.x:xxxx (on a specific port).
    I have also set up a BIND DNS at 192.168.1.1 inside pfSense, which at first was working well and was able to resolve all my LAN records. From any machine in my LAN I can ping only internal addresses.
    I have configured pfsense as follows:
    WAN interface as follows:
    (screenshot)
    LAN interface as follows; DHCP is enabled on LAN:
    (screenshot)
    My LAN network contains:
    192.168.1.5 (static IPv4, default gateway 192.168.1.1, DNS 192.168.1.1, 199.100.16.100)
    192.168.1.122 (static IPv4, default gateway 192.168.1.1, DNS 192.168.1.1, 199.x.x.x)
    I have also configured my LAN VMs to use the school proxy. And I have set NAT port forward rules as follows; outbound is disabled:
    (screenshot)
    My problems are:

    1. I cannot connect to the internet from my LAN or ping any external IP.
    2. My pfSense BIND DNS has stopped resolving my LAN machines.
      Could you let me know what is wrong? Here are my LAN rules:
      (screenshot)
      Here are my WAN rules:
      (screenshot)

    thanks

    Admin Edit from your other thread:

    Now I can ping the WAN default gateway from the internal machines, but still cannot ping addresses like 8.8.8.8.
    Any help or idea would be appreciated.


  • Netgate Administrator

    Hmm, there are many questions here!

    Why are you using Bind and not the default Unbound?
    You should start off using that and move to Bind only once that is working.

    What are those port forwards for?
    They just forward traffic to the LAN IP. If you need to enable access to those on the WAN just add firewall rules on the WAN to allow it.

    You don't have any pass rules for UDP on LAN and DNS is primarily UDP port 53. Change your 'allow DNS' rule to TCP/UDP. Retest.

    Steve



  • @stephenw10
    Thanks for your help
    Now I am using the pfSense DNS Resolver and have used host overrides to add my internal machines which have static IPs. It works well; using nslookup it resolves 192.168.1.5 to www.example.com correctly.
    I have internal web and email servers which I want to be accessible from the external WAN. That is why I have added NAT rules > Port Forward > from any to the internal IPs of the web server (HTTP and HTTPS), and also the email ports on the email server, but I still cannot reach those internal servers from outside. Could you please let me know what the problem could be?

    Another question please: from an internal machine I can access another internal machine from the browser with its IP, but when I try to access it with its hostname, e.g. http://www.example.com, it gives me: Unable to retrieve the URL
    (screenshot)
    But when I use nslookup www.example.com (internal web server) it gives me the correct IP, and I can also ping that web server with its hostname.


  • LAYER 8 Global Moderator

    You show .av there as your TLD - that is not valid... Where do you expect that to resolve? Locally it would be fine, but that will never resolve publicly... it's not a public TLD.

    You get a SERVFAIL... So you have something misconfigured where you're doing that. Are you doing the query to unbound, and do you have a host override set up for that? Is that your local domain?



  • @johnpoz
    Yes, this TLD is local, and yes I have a host override for it because it has a static IP.
    So if I want to reach a machine by its hostname locally, how can I do that?
    And how do I reach that machine from the WAN?
    This is a lab environment where each student has his own subnet.


  • LAYER 8 Global Moderator

    @maale said in Enable internet access from LAN:

    And how to reach that machine from the WAN?

    You would never be able to resolve that from the WAN... It's not a public TLD. You mean some other local network that is just the WAN of pfSense?

    As to locally - just query your local DNS and it would resolve - if you actually set it up correctly. That you get SERVFAIL tells me you didn't.

    Here I will pretend my host is www.domain.av with IP address 10.11.12.13 --- I create a host override with that:

    (screenshot)

    If you want to access something from the internet - you would need to use a public resolvable name that points to your wan IP, and then port forward to whatever service you want to access on this server.



  • @johnpoz
    Thanks for the clarification.
    Yes, I mean some other local networks that are just the WAN of pfSense. My WAN interface IP is 104.x.x.x (subnet 104.x.x.x/24), my LAN interface IP is 192.168.1.1, and the LAN router is 192.168.1.1, so I have set up an inside web server with IP 192.168.1.5 and hostname www.domain.av. How can I make this server accessible from the other local networks?
    And how do I set up my local DNS correctly? I have already set host names for each server in the /etc/hosts file.

    thanks in advance


  • LAYER 8 Global Moderator

    @maale said in Enable internet access from LAN:

    My WAN interface IP is 104.x.x.x( subnet 104.x.x.x/24

    That is public space... Where do these devices point for DNS? Again, they would need to resolve your pfSense WAN IP via some FQDN, be it resolved in the DNS they point to, or publicly resolvable, or in their hosts file.

    Then you would have to do a port forward.

    Why do you have devices on public space that are local, but then have pfSense using RFC1918? You didn't just pull 104 out of thin air and start using it on your local network?



  • This is a school lab


  • LAYER 8 Global Moderator

    So the pfSense WAN IP is 104.x.x.y; for you to get to whatever is behind it when you're also on the 104 network, or anywhere on the WAN side, you need to resolve whatever.domain.tld to this 104.x.x.y address... Be that public DNS, some local DNS you point to that resolves that for you, or the hosts file on your machine.

    Once you resolve that FQDN to that IP, then set up the port forward on pfSense.

    https://docs.netgate.com/pfsense/en/latest/nat/forwarding-ports-with-pfsense.html



  • @johnpoz
    "then you need to resolve whatever.domain.tld to this 104..x.x.y address... Be that public dns, be that some local dns you point to that resolves that for you,"

    So I have added host overrides to my local DNS Resolver; can that work?
    (screenshot)


  • LAYER 8 Global Moderator

    And are you using the Resolver? Do your boxes on 104 even have access to the pfSense WAN IP for DNS?

    Show me your query. Did you do a dig, a host, or did you use nslookup - what? Did you open UDP/TCP on your WAN for your clients on 104 to be able to query this 104.x.x.y address for DNS?


  • Netgate Administrator

    The port forwards, like the firewall rules, are parsed from the top down.

    You have a rule that forwards port 443 to the LAN IP address (192.168.1.1) above the rule for 192.168.1.5 so nothing can ever hit that.

    Please show us a current port-forward list if you have made changes since.

    Steve

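The two rule-ordering points raised in this thread (the TCP-only "allow DNS" rule on LAN that lets UDP/53 fall through to the default deny, and the port 443 forward to 192.168.1.1 that sits above the forward to 192.168.1.5 so the web-server rule can never match) both come from pfSense evaluating rule lists top-down and stopping at the first match. The following is an added example, not code from the thread or from pfSense: a small first-match evaluator with a shadowed-rule detector. All rules, packets and addresses are constructed; 203.0.113.0/24 (TEST-NET-3) stands in for the 104.x.x.x WAN subnet in the thread, and the trailing explicit block stands in for pfSense's implicit default deny.

```python
"""First-match evaluation of pfSense-style rule lists (added example).

Models how pfSense walks port forwards and interface rules top-down and
stops at the first match, so an earlier broader rule "shadows" a later one.
All rules, packets and addresses are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str                   # "rdr" (port forward), "pass" or "block"
    protos: frozenset             # e.g. frozenset({"tcp"}); empty set = any protocol
    dst: str                      # destination network in CIDR, or "any"
    dport: Optional[int]          # destination port, or None = any port
    target: Optional[str] = None  # redirect target for "rdr" rules
    label: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _dst_covers(rule_dst: str, addr_or_net: str) -> bool:
    """True if rule_dst ("any" or a CIDR) contains the given address or network."""
    if rule_dst == ANY:
        return True
    return ip_network(addr_or_net, strict=False).subnet_of(ip_network(rule_dst, strict=False))


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protos and pkt.proto not in rule.protos:
        return False
    if not _dst_covers(rule.dst, pkt.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Tuple[int, Rule]]:
    """(index, rule) of the first matching rule, or None. pfSense adds 'quick'
    to GUI rules, so the first match wins and later rules are not consulted."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return i, rule
    return None


def shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never match: an earlier rule already matches
    every packet they would match (same or broader protocol, dst and port)."""
    dead = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            proto_ok = not earlier.protos or (bool(later.protos) and later.protos <= earlier.protos)
            dst_ok = earlier.dst == ANY or (later.dst != ANY and _dst_covers(earlier.dst, later.dst))
            port_ok = earlier.dport is None or earlier.dport == later.dport
            if proto_ok and dst_ok and port_ok:
                dead.append(j)
                break
    return dead


WAN_IP = "203.0.113.10"  # assumption: stands in for the pfSense WAN address 104.x.x.y

# Constructed port forwards mirroring the thread: the 443 forward to the LAN
# address sits above the one for the web server, so the web-server rule is dead.
PORT_FORWARDS = [
    Rule("rdr", frozenset({"tcp"}), WAN_IP + "/32", 443, target="192.168.1.1", label="HTTPS -> LAN IP (mistake)"),
    Rule("rdr", frozenset({"tcp"}), WAN_IP + "/32", 443, target="192.168.1.5", label="HTTPS -> web server"),
    Rule("rdr", frozenset({"tcp"}), WAN_IP + "/32", 80, target="192.168.1.5", label="HTTP -> web server"),
]

# Constructed LAN rules: the "allow DNS" rule is TCP-only, so UDP/53 falls
# through to the default deny until the rule is changed to TCP/UDP.
LAN_RULES_BEFORE = [
    Rule("pass", frozenset({"tcp"}), "192.168.1.1/32", 53, label="allow DNS (TCP only)"),
    Rule("block", frozenset(), ANY, None, label="default deny"),
]
LAN_RULES_AFTER = [
    Rule("pass", frozenset({"tcp", "udp"}), "192.168.1.1/32", 53, label="allow DNS (TCP/UDP)"),
    Rule("block", frozenset(), ANY, None, label="default deny"),
]


def forward_target(pkt: Packet, forwards: List[Rule] = PORT_FORWARDS) -> Optional[str]:
    hit = first_match(forwards, pkt)
    return hit[1].target if hit else None


def lan_verdict(pkt: Packet, rules: List[Rule]) -> str:
    hit = first_match(rules, pkt)
    return hit[1].action if hit else "block"


if __name__ == "__main__":
    https = Packet("tcp", "203.0.113.15", WAN_IP, 443)
    print("443 from WAN lands on:", forward_target(https))
    print("dead port forwards:", [PORT_FORWARDS[i].label for i in shadowed(PORT_FORWARDS)])
    dns = Packet("udp", "192.168.1.122", "192.168.1.1", 53)
    print("UDP/53 with TCP-only rule:", lan_verdict(dns, LAN_RULES_BEFORE))
    print("UDP/53 with TCP/UDP rule:", lan_verdict(dns, LAN_RULES_AFTER))
```

The `shadowed()` check is the one worth keeping around: run it over any exported rule list before assuming a forward "should work", since a dead rule shows zero hits in the GUI counters exactly like a rule that is never reached by traffic.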


  • @stephenw10
    OK, this is a query using dig while using the DNS Resolver of pfSense:

    (screenshot)
    And these are the WAN rules and NAT:

    (screenshot)
    (screenshot)
    Those internal machines are virtual machines that I have built behind pfSense. Do I also need to build external machines for the external IPs, for the web and mail server? I have built an external VM with IP 104.x.x.z; from this machine I can ping the pfSense WAN address.


  • LAYER 8 Global Moderator

    And how exactly is this 104 box doing a query to 192.168.1.1... Their default gateway is the pfSense WAN IP...

    You show zero hits on any of your WAN rules.

    How about you draw up how you have this put together... Because I don't see how devices on a 104 school network would be pointing to the pfSense WAN as their gateway, or how they would query an RFC1918 address for DNS.

    If anything it would be an asymmetrical mess.


  • Netgate Administrator

    Ok, the port forward rules and linked firewall rules look good though.

    Where are you testing it from? What IP? I assume that 104.x.x.x IP is the school's external public IP, not the pfSense WAN?

    Test from something on the pfSense WAN subnet to the pfSense WAN IP address directly and it should work.

    Steve


  • LAYER 8 Global Moderator

    According to him the 104.x.x.x/24 is his pfSense WAN, and yeah, it's his school network.


  • Netgate Administrator

    Ah, yes. Ok then test from that subnet to the IP directly, with those rules it should connect.



  • Thanks

    It still does not work. I tested it from an externally built VM with IP 104.x.x.15 and gateway 104.x.x.254; although I can ping the external mail server address 104.x.x.35, I cannot connect to it!!!
    (screenshot)
    (screenshot)

    Could you please let me know what the problem could be?


  • LAYER 8 Global Moderator

    There are all kinds of things that could be the problem. That just means you're pinging something at 104.x.x.35... Why would you think that would be your mail server if it's behind pfSense? Is that the pfSense WAN IP?

    Which I doubt - since from your rules on your WAN you're not allowing pings to its WAN IP, or any ICMP even, so I highly doubt that is even pfSense. And it sure isn't something behind it, etc. etc.

    If you want help, I suggest you get with your teacher. I'm not here to teach a class in basic networking so you can get an A.

    To troubleshoot port forwarding:
    https://docs.netgate.com/pfsense/en/latest/nat/port-forward-troubleshooting.html

    But again, from what you posted I highly doubt that .35 is even the pfSense WAN IP... Since you do not allow that on your WAN interface, you wouldn't get an answer if you pinged it.


  • Netgate Administrator

    I agree. If you're genuinely testing from the WAN subnet and the pfSense WAN IP is 104.190.x.35 then your firewall rules should be blocking that ping.

    So either you're pinging something else or you changed the rules since your last screenshot.

    Steve



  • @stephenw10
    Yes, I have only changed the WAN rules to allow ICMP.
    (screenshot)
    thanks


  • Netgate Administrator

    Ok, what ports do you have in the web alias?




  • Netgate Administrator

    Ok, it looks like your port forward for that server is listening at 104.x.x.5 but you are trying to open 104.x.x.35.
    Is that just a typo? Correct it if so.

    If it's a VIP on the WAN then try to open that IP.

    Steve



  • @stephenw10
    I have 2 servers: one is a web server with external IP 104.190.X.X.5 and internal IP 192.168.1.5; the second is a mail server with external IP 104.X.X.35 and internal IP 192.168.1.5. I want both to be behind pfSense and accessible from outside through port forwarding.
    (screenshot)
    Yes, I have virtual IPs.
    Sorry, what do you mean by opening that IP?
    Do you mean set a LAN rule with destination address = 104.x.x.5?



  • @maale
    Sorry, I mean a WAN rule


  • Netgate Administrator

    I mean try to open the page by IP address directly rather than URL which would need to resolve.

    Both those IPs look like they should work though assuming the server can respond.

    Check the pfSense state table in Diag > States while you're testing. You should see the states on WAN and LAN complete with NAT on WAN.

    Steve


  • LAYER 8 Global Moderator

    So what is the actual IP of your pfSense WAN? You have VIPs of .5 and .35 - what is the actual IP?

    Have you gone through the troubleshooting doc I linked to? Finding the issue with port forwarding is 2 minutes' work tops!!! Do a sniff: do you see the traffic on your WAN or not? Sniff on LAN - do you see it send the traffic on?

    For all you know the traffic is being forwarded and the firewall on the system you're forwarding to is blocking the traffic - very common!!!



  • @johnpoz
    Thanks!

    The problem was that the routing environment does not support Virtual IPs.
    All traffic should hit the pfSense WAN IP at 104.x.x.10. So, I have set up an external DNS with IP 104.x.x.25 for my domain, with records www.x.av for the web server and mail.x.av for the mail server, with port forward rules:
    (screenshot)
    Now from an external machine 104.x.x.15, using the domain www.x.av I can access the web server, but using the domain mail.x.av directs me to the same webpage as the web server, not the mail server. Is NAT reflection what I need?


  • LAYER 8 Global Moderator

    @maale said in Enable internet access from LAN:

    routing environment doesnot support Virtual IPs.

    Huh - that makes no sense at all.

    Is NAT reflection what I need to do?

    No, it's not... if you want host.domain.tld to get sent to X, and other.domain.tld to get sent to Y behind pfSense, then you need to use multiple WAN IPs, VIPs or not... Or you need to hit different ports in your URL, or you need to set up a reverse proxy that knows host.domain.tld goes to X and other.domain.tld goes to Y. Look at the HAProxy package.


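The reason NAT reflection cannot help with the www.x.av / mail.x.av problem above is that a port forward is keyed only on destination IP and port, while the hostname lives in the HTTP request itself. The following is an added example, not code from the thread or from the HAProxy package: it contrasts a NAT-style lookup with a Host-header lookup of the kind a reverse proxy performs. One caveat a practitioner should keep in mind: this only works for HTTP, since SMTP/IMAP carry no Host header (only a TLS SNI name, where TLS is in use), so the mail server still needs its own port or WAN IP as the reply says. All addresses, names and requests are constructed; 203.0.113.10 stands in for the 104.x.x.10 WAN IP, and 192.168.1.6 is an assumed address for the mail server.

```python
"""NAT (IP:port) routing versus Host-header routing (added example).

Port forwards are keyed only on destination IP and port, so two hostnames
that resolve to the same WAN IP reach the same backend. A reverse proxy can
separate HTTP traffic by the Host header; non-HTTP protocols such as SMTP
carry no such header. All addresses, names and requests are constructed.
"""
from typing import Dict, Optional, Tuple

WAN_IP = "203.0.113.10"  # assumption: stands in for the pfSense WAN IP 104.x.x.10

# Port-forward table as pfSense sees it: (destination IP, port) -> backend.
PORT_FORWARDS: Dict[Tuple[str, int], str] = {
    (WAN_IP, 80): "192.168.1.5",    # web server
    (WAN_IP, 443): "192.168.1.5",
    (WAN_IP, 25): "192.168.1.6",    # mail server (assumed address)
}

# What a reverse proxy (HAProxy, for instance) keys on instead: the HTTP Host.
HOST_BACKENDS: Dict[str, str] = {
    "www.x.av": "192.168.1.5",
    "mail.x.av": "192.168.1.6",
}


def nat_backend(dst_ip: str, dst_port: int) -> Optional[str]:
    """NAT decision: looks only at L3/L4, never at the hostname in the URL."""
    return PORT_FORWARDS.get((dst_ip, dst_port))


def parse_host_header(request: bytes) -> Optional[str]:
    """Extract the Host header (without port) from a raw HTTP/1.x request.

    Returns None for anything that is not an HTTP request line, e.g. an SMTP
    session, which is exactly why Host-based routing cannot cover mail.
    IPv6 literals in Host are not handled in this illustration.
    """
    head = request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return host.split(":")[0]
    return None


def proxy_backend(request: bytes, default: Optional[str] = None) -> Optional[str]:
    """Reverse-proxy decision: route by Host; unknown or missing -> default."""
    host = parse_host_header(request)
    if host is None:
        return default
    return HOST_BACKENDS.get(host, default)


# Constructed sample traffic: both browsers resolved their name to WAN_IP:80.
WWW_REQUEST = b"GET / HTTP/1.1\r\nHost: www.x.av\r\nUser-Agent: test\r\n\r\n"
MAIL_REQUEST = b"GET / HTTP/1.1\r\nHost: mail.x.av:80\r\n\r\n"
SMTP_SESSION = b"EHLO client.example\r\n"

if __name__ == "__main__":
    for name, req in (("www.x.av", WWW_REQUEST), ("mail.x.av", MAIL_REQUEST)):
        print(name, "via NAT ->", nat_backend(WAN_IP, 80), "| via proxy ->", proxy_backend(req))
    print("SMTP via proxy ->", proxy_backend(SMTP_SESSION, default="no Host header, fall back to IP:port"))
```

With a single WAN IP, `nat_backend` returns the web server for both names; only `proxy_backend` can tell them apart, and only for HTTP.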

  • @johnpoz
    I mean the lab routing environment.
    OK, I'll look for the HAProxy package.


  • LAYER 8 Global Moderator

    Lab routing environment or real routing environment... has zero to do with anything - an IP address that is in the same network has zero to do with routing...


  • Netgate Administrator

    Mmm, that.

    Why can you not use multiple IPs on WAN? What VIP type were you trying to use? Use IPAlias if you were not.

    Steve


  • LAYER 8 Global Moderator

    Maybe he meant the virtual environment that pfSense is running on? Maybe issues with VIPs in some VM setups, where you might have to do some promiscuous setting. But if it's a VM, he could just create some new virtual interfaces, and since he is using DHCP in this network, he could have 3 different WAN interfaces using 3 different IPs and then port forward.



  • @johnpoz
    I am trying to install the HAProxy package, but I cannot see any packages listed. Could you please let me know why? I can connect to www.pfsense.org successfully. I installed the BIND package before, but now I cannot find any available packages.
    (screenshot)


  • LAYER 8 Global Moderator

    That's because your pfSense install most likely cannot resolve, since you probably installed BIND and F'd it up.

    Go to the Diagnostics menu, DNS Lookup - look up something. What does it show?

    You connecting to something is completely different from pfSense resolving something. What is your client using for DNS, and what is pfSense using?



  • @johnpoz
    I am using the pfSense DNS Resolver and 2 other external DNS servers. Diagnostics menu > DNS Lookup for google.com gave no response from 127.0.0.1 but a response from one of my external servers with Google's IP address.


  • LAYER 8 Global Moderator

    @maale said in Enable internet access from LAN:

    I am using the pfsense DNS resolver and other 2 external DNS servers

    Not how it works - you are either resolving, or you're using external DNS via forwarding.

    Your resolver is most likely not working because whatever network pfSense is on is probably blocking direct DNS queries, and only allows access to Google DNS or whatever.

    So change to forwarder mode.



  • @johnpoz
    Thanks so much, now I can see the available package list

