Netgate Discussion Forum
    LAN Clients can Ping out, but nothing else

    16 Posts 3 Posters 1.7k Views 3 Watching
    • theokonos

      Good morning --

      I'm admittedly new to pfSense, but I've got it running on proxmox in a VM using the official guide. The issue I'm running into is that my LAN clients seem to be unable to get properly out to the Internet. Here is my basic topology:

      Clients -> LAN interface | WAN interface -> router -> internet

      I have pfSense on a VM behind a normal router, so there's double-NAT going on. My intent is to use pfSense for VMs that I want to connect to a VPN service. What's really strange is that:

      • clients can ping out (to 1.1.1.1) without issue
      • clients can resolve DNS addresses but only if the pfSense LAN IP is their DNS server
      • clients cannot browse to websites or connect to any TCP/UDP port beyond pfSense
      • pfSense can access the internet through my router without issues

      The thing that gets me is the successful pinging and the fact that pfSense can reach the internet no problem. I've tried removing pfSense from the equation, and the VMs have internet, so the issue doesn't appear to be with my router. Right now I have pfSense in factory defaults except for the initial wizard setup -- so I'm not using any VPNs or anything else that could complicate my troubleshooting.

      Any help would be greatly appreciated!

      Cheers,
      Theo

      • Rico

        https://docs.netgate.com/pfsense/en/latest/troubleshooting/connectivity.html

        -Rico

        • theokonos

          Thanks @Rico! I went through those steps, it was very informative for finding the different diagnostics methods within pfSense.

          However, everything checks out as far as the configuration goes. Looking at the firewall logs though, I'm getting basically everything coming from my LAN blocked:

          [screenshot: firewall log showing LAN traffic blocked]

          The rule it references doesn't seem to exist, and when I click for more info it says the rule that caused the block is " " without any more information.

          [screenshot: log entry details, rule description blank]

          I tried forcing an any/any outbound rule for LAN but this didn't seem to change things:

          [screenshot: custom outbound LAN rule]

          And my NAT rules are all default and working since I can ping out from my clients:

          [screenshot: default outbound NAT rules]

          What compounds the issue is that most of the diagnostics in the guide are ping-related. I can ping, I just can't do anything else.

          Thanks again for your help!
          Theo

          • Rico

            The Default allow LAN to any rule is fine, your custom rule is TCP only (not any/any) - delete that.
            Can you post the Firewall Log for TCP traffic?

            -Rico

            • theokonos

              Good catch, thanks -- I deleted the custom rule.

              Hm, so the firewall doesn't seem to be showing any TCP logs... only UDP (DNS) and IPv6 TCP traffic. Also, what's the preferred method for posting logs in the forum?

              • Rico

                With pfSense defaults, anything is allowed incoming from LAN out the WAN.
                So you have either a really basic config problem or something is borked upstream to pfSense.

                -Rico

                • Rico @theokonos

                  @theokonos said in LAN Clients can Ping out, but nothing else:

                  using the official guide

                  This one https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox.html ?

                  -Rico

                  • theokonos @Rico

                    @rico Yes, that one. But how could something be borked upstream when pfSense has no issue with outbound access? I can ping and port-test beyond my router from pfSense itself. And all of my LAN traffic is being NAT'd with the WAN IP of pfSense, so it should all appear the same to the upstream router.

                    • Rico

                      Can you draw how your stuff is connected together including IP/network addresses?

                      -Rico

                      • theokonos @Rico

                        @rico So, here are a couple of illustrations. One is more proxmox-centric and the other is more topology-centric.

                        Basically, I have three gateway interfaces on my router: one for proxmox's management subnet (.100), one for my other normal VMs (.200), and one for a point-to-point link between my router and pfsense's WAN (.201).

                        Proxmox is enabled with two bridges: one that allows VMs to connect to my router directly (vbridge0), and one without any ports in it (just an empty virtual switch) that allows other VMs to connect to pfSense (vbridge1).

                        pfSense has its WAN on vbridge0 and its LAN on vbridge1.

                        In this topology, pfsense should be able to talk directly to my router's vlan 201 address as its upstream gateway. Then any VMs connecting to pfsense would connect to vbridge1 on vlan 199. (I'm doing all of my VLAN tagging actually on the individual VM interfaces, not in the OS or pfsense config.)

                        Here is an illustration of the bridges and the system architecture:

                        [image: Proxmox bridges and system architecture]

                        And here is one that's more straightforward regarding the network topology:

                        [image: network topology]

                        (all IPs are 10.1.x.x)

                        • stephenw10 (Netgate Administrator) @theokonos

                          Hmm, well that should pass. I would look in the rules file /tmp/rules.debug to see what rule that tracker is for.

                          Are you using dhcp on the LAN side?

                          You have any floating rules?

                          Steve

                          • theokonos @stephenw10
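A small triage helper for the two things suggested in this thread, summarizing the firewall log by interface, action and protocol, and looking each entry's tracker up in /tmp/rules.debug so an entry whose rule "doesn't seem to exist" stands out. This is an added example, not code from the thread or from pfSense; the log lines, rules.debug lines and tracker values in it are constructed.

```python
import re
from collections import Counter

# Constructed sample filterlog payloads (the CSV part after the syslog header).
# Field order follows the pfSense filterlog format: rule,subrule,anchor,tracker,
# iface,reason,action,direction,ipver, then for IPv4: tos,ecn,ttl,id,offset,flags,
# proto-id,proto,length,src,dst, then per-protocol fields (ports first for tcp/udp).
FILTERLOG = [
    "5,,,1000000101,vtnet1,match,pass,in,4,0x0,,64,101,0,none,1,icmp,84,10.1.199.10,1.1.1.1,request,4242,1",
    "5,,,1000000101,vtnet1,match,pass,in,4,0x0,,64,102,0,DF,17,udp,61,10.1.199.10,10.1.199.1,54321,53,41",
    "9,,,1770009999,vtnet1,match,block,in,4,0x0,,64,103,0,DF,6,tcp,60,10.1.199.10,93.184.216.34,51514,443,0,S,1,,65535,,mss",
    "9,,,1770009999,vtnet1,match,block,in,4,0x0,,64,104,0,DF,6,tcp,60,10.1.199.10,93.184.216.34,51515,80,0,S,1,,65535,,mss",
]

# Constructed excerpt of /tmp/rules.debug; the tracker ('ridentifier' on newer
# releases) and the quoted label tie a log entry back to a rule in the GUI.
RULES_DEBUG = """\
pass in quick on $LAN inet from 10.1.199.0/24 to any tracker 1000000101 keep state label "USER_RULE: Default allow LAN to any rule"
block in log inet all tracker 1000000103 label "Default deny rule IPv4"
"""

def parse_rules_debug(text):
    """Map each tracker/ridentifier in rules.debug to its rule label."""
    labels = {}
    for line in text.splitlines():
        m = re.search(r'(?:tracker|ridentifier)\s+(\d+).*?label\s+"([^"]*)"', line)
        if m:
            labels[m.group(1)] = m.group(2)
    return labels

def parse_filterlog(line):
    """Pull the fields needed for triage out of one filterlog entry (IPv4 detail)."""
    f = line.split(",")
    rec = {"tracker": f[3], "iface": f[4], "action": f[6], "dir": f[7], "ipver": f[8]}
    if rec["ipver"] == "4":
        rec.update(proto=f[16], src=f[18], dst=f[19])
        if rec["proto"] in ("tcp", "udp"):
            rec.update(sport=f[20], dport=f[21])
    return rec

def summarize(lines, rules_text):
    """Count (iface, action, proto) and collect trackers with no rule in rules.debug."""
    labels = parse_rules_debug(rules_text)
    counts, unknown = Counter(), set()
    for line in lines:
        r = parse_filterlog(line)
        counts[(r["iface"], r["action"], r.get("proto", "?"))] += 1
        if r["tracker"] not in labels:
            unknown.add(r["tracker"])
    return counts, labels, unknown
```

On a live box the log payloads come from `clog /var/log/filter.log` (or the GUI log export) and the rules from `cat /tmp/rules.debug`; a tracker that appears in the log but not in rules.debug is the situation described earlier in the thread.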

                            @stephenw10 @Rico Well, thank you both for your input and your help. Time for me to eat some crow!

                            Because while I said that I had followed the official pfsense guide for proxmox installation, I had neglected to change a configuration setting toward the end of the guide. I think I had done it initially, but after several factory resets I at some point forgot to re-apply the setting.

                            In proxmox, hardware checksum offloading must be disabled in pfsense for proper functionality. The guide makes it seem like it's just for performance reasons, but in a virtual environment like proxmox, the hardware obviously isn't available. And apparently this can mess with pfsense's routing, because as soon as I disabled the offloading, everything started passing.

                            The setting in question is found here in the guide: https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox.html#configuring-pfsense-software-to-work-with-proxmox-virtio

                            Thanks again for your help!
                            Theo

                            • stephenw10 (Netgate Administrator)

                              Using VirtIO NICs?

                              I have a number of pfSense VMs in Proxmox without that disabled and they work fine.

                              That would not explain that blocked traffic either. I suspect there might have been more happening here. Disabling Hardware Checksum Offloading is certainly a good idea though.

                              Steve

                              • theokonos @stephenw10

                                @stephenw10 Yeah, VirtIO NICs. And yeah, that's another one of the reasons why I hadn't re-applied it. But lo and behold, after trying everything else, I disabled it and it started working.

                                • stephenw10 (Netgate Administrator) @theokonos

                                  Take the win and move on. 😉

                                  • Rico

                                    Glad you have it working now. ☺

                                    -Rico

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.