Netgate Discussion Forum

    Can ping Internet from Pfsense but cannot from LAN

    General pfSense Questions
    • lousylucky

      I installed pfSense on Proxmox and I'm able to access the Internet from pfSense but can't from LAN. I can also ping pfSense from a PC on the LAN, and this PC from pfSense. I don't have any rules; everything is at the defaults, which should allow me to connect to the Internet.

      In Interface/Wlan I unchecked "Block private networks and loopback addresses".
      I'm kindly asking for help.

      • NollipfSense @lousylucky

        @lousylucky By default, your LAN would be 192.168.1.1, so you must have changed the default settings.

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

        • lousylucky

          Yes, sorry, I made a mistake on the graph; for LAN I'm using 192.168.1.1.

          • NollipfSense @lousylucky

            @lousylucky said in Can ping Internet from Pfsense but cannot from LAN:

            Yes, sorry, I made a mistake on the graph; for LAN I'm using 192.168.1.1.

            If that's the case, you must have changed the default firewall rules.

            • lousylucky

              @NollipfSense Currently I have something like this, almost everything is allowed

              • NollipfSense @lousylucky

                @lousylucky The problem is here ... above you said your WAN is 10.0.0.140

                Screen Shot 2021-05-06 at 9.30.29 AM.png

                • lousylucky

                  @NollipfSense now I added any to any.

                  • viragomann @lousylucky

                    @lousylucky
                    Did you disable "hardware checksum offloading" on pfSense?

                    • KOM @lousylucky

                      @lousylucky None of your WAN rules affect access from LAN. You can delete your 2nd LAN rule since the allow all rule underneath it handles all IPv4 traffic. When you say you can't access the Internet, what exactly do you mean? How are you testing and what specific error message are you getting? Can you ping 8.8.8.8? Can you resolve www.netgate.com? Get rid of any rules you added to WAN and LAN. Get basic connectivity working before you start changing things.

                      • AKEGEC @lousylucky

                        @lousylucky First make a cup of tea or coffee, and please watch this video on YouTube:
                        https://www.youtube.com/watch?v=wv1qTYR3faQ

                        Take note of the timestamps. For example, disabling IPv6 is at the 41:21 timestamp.

                        • lousylucky

                          @viragomann yes, I disabled this in Advanced/Networking.

                          @KOM now I have no rules. Everything is allowed from any to any.

                          @AKEGEC I turned off IPv6.

                          Still, the problem exists: I'm trying to ping 8.8.8.8 from the machine behind the firewall and this fails. But from the pfSense shell I can ping 8.8.8.8.

                          • KOM @lousylucky

                            @lousylucky OK so then start looking at that machine behind the firewall. What is its network config? Does it have the correct IP address, mask & gateway? If you're sure those are correct, then do a packet capture on pfSense LAN to ensure the pings are hitting it.

                            • lousylucky @KOM

                              @kom so yes, I think the problem is on the machine side. Who is responsible for translating the IP address? When I keep the default NAT in pfSense to translate, I think this is not working. When I disable it and add iptables rules in /etc/network/interfaces, I'm able to ping 8.8.8.8, but does the data really go through pfSense?
                              As the default gateway on the PC I have pfSense (192.168.1.1), but, for example, when I add this in iptables in Proxmox, I lose access to pfSense through the web browser and pfSense also can't ping my machine. But the same machine can ping pfSense.

                              • KOM @lousylucky

                                @lousylucky I don't want to touch your system config there. You have too much going on with multiple bridges & iptables rules and I don't know about your network and its details. That's beyond the scope of this forum.

                                • viragomann @lousylucky

                                  @lousylucky said in Can ping Internet from Pfsense but cannot from LAN:

                                  Who is responsible for translating the IP address?

                                  Both. Since your pfSense WAN is not in the Proxmox WAN-facing network, pfSense has to do the translation for LAN (to its WAN address) and Proxmox has to translate the pfSense WAN address into its vmbr0 address.
                                  The latter might work, since you can access public IPs from pfSense itself.
                                  If the outbound NAT on pfSense also worked, it shouldn't make any difference for Proxmox whether you ping 8.8.8.8 from pfSense or from a LAN device, when the packets are passing pfSense.
                                  So I suspect that the outbound is not working properly.

                                  When I disable it and add iptables rules in /etc/network/interfaces, I'm able to ping 8.8.8.8, but does the data really go through pfSense?

                                  Which one? The rules on vmbr2, I guess.
                                  If it works with that, the packets won't pass pfSense.

                                  So check the outbound NAT on pfSense. Possibly a wrong rule has stayed in place if you have changed the LAN network.
                                  Otherwise use the Packet capture tool from the Diagnostic menu, as @KOM already suggested, to investigate what's going on. Do a capture on LAN to see if the PC sends its packets to pfSense at all. If so, also take a capture on WAN to see if the NAT is working properly.

                                  • lousylucky

                                    @viragomann So I made a packet capture on LAN and I see that the ping arrived at pfSense. I also made one on WAN, and I also see a request from my LAN to pfSense, redirected to Proxmox, and a reply to pfSense, but pfSense didn't pass it to LAN. I also made an outbound rule, because before it was blank. Here's a screenshot from the WAN capture.

                                    And I'm obtaining those results with the lines translating 192.168.1.0/224 on Proxmox commented out. In this case, I also can't get access to the internet (but as we can see, data are going to the internet and stopped on pfSense):
                                    #post-up iptables -t nat -A POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE
                                    #post-down iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE

                                    But when I apply the above translation on Proxmox, I can access the internet from LAN (with default network gateway 192.168.1.1, which is pfSense). I can also ping pfSense from LAN, but I can't open the pfSense web page and pfSense can't ping my LAN PC.

                                    • viragomann @lousylucky

                                      @lousylucky
                                      The ICMP replies you can see in the WAN capture might be the gateway monitoring from pfSense. There is nothing redirected to the Proxmox IP without any DNAT rule.

                                      The second line in the capture screenshot shows that the packets go out with the LAN address and the Outbound NAT screen shows no rule.
                                      So for sure, there is nothing translated when packets go out on WAN, and therefore if you set the rule on Proxmox for the LAN subnet, ping to public IPs will work.

                                      @lousylucky said in Can ping Internet from Pfsense but cannot from LAN:

                                      I can't get access to the internet (but as we can see data are going to the internet and stopped on pfsense)

                                      Where do you think to see that?

                                      pfSense should add outbound NAT rules automatically for internal networks to interfaces which have a gateway defined. I assume the Proxmox IP is set as gateway in the WAN interface settings, because of the gateway monitoring, but check it again, please. Then go to the outbound NAT, select "automatic rule generation", hit save and check if an auto-rule is generated.
                                      If not, switch to the hybrid mode and re-enable the manual rule.
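
The two-capture check discussed in this thread (LAN first, then WAN, looking at the source address), as an added example that is not part of any post: a small Python classifier over `tcpdump -n` style text lines. The subnet 192.168.1.0/24, the WAN address 10.0.0.140 and the target 8.8.8.8 come from the thread; the client 192.168.1.100, the gateway 10.0.0.1 and the capture lines themselves are constructed.

```python
import ipaddress
import re

# From the thread: pfSense LAN subnet and WAN address.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WAN_ADDR = ipaddress.ip_address("10.0.0.140")
# Matches ICMP echo lines in `tcpdump -n` style text output.
LINE_RE = re.compile(r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply)")

# Constructed captures: client 192.168.1.100 and gateway 10.0.0.1 are assumptions.
LAN_CAP = "09:30:01.000100 IP 192.168.1.100 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64\n"
WAN_CAP = (
    # Gateway monitoring from pfSense itself; must not be mistaken for client traffic.
    "09:30:01.000050 IP 10.0.0.140 > 10.0.0.1: ICMP echo request, id 9, seq 7, length 9\n"
    "09:30:01.000300 IP 10.0.0.1 > 10.0.0.140: ICMP echo reply, id 9, seq 7, length 9\n"
    # Client ping leaving WAN with its LAN source address (no translation).
    "09:30:01.000400 IP 192.168.1.100 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64\n"
)

def parse(capture):
    """Return (src, dst, kind) for every ICMP echo line in a text capture."""
    hits = (LINE_RE.search(line) for line in capture.splitlines())
    return [(ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]), m["kind"])
            for m in hits if m]

def diagnose(lan_capture, wan_capture, target="8.8.8.8"):
    """Classify where a LAN client's ping to `target` breaks."""
    target = ipaddress.ip_address(target)
    lan, wan = parse(lan_capture), parse(wan_capture)
    # Step 1: does the client's request reach pfSense on LAN at all?
    if not any(k == "request" and s in LAN_NET and d == target for s, d, k in lan):
        return "client traffic never reaches pfSense LAN"
    # Only requests to the target count; gateway monitoring is ignored.
    wan_sources = [s for s, d, k in wan if k == "request" and d == target]
    if not wan_sources:
        return "request not forwarded to WAN"
    # Step 2: a LAN source address on WAN means outbound NAT did not run.
    if any(s in LAN_NET for s in wan_sources):
        return "outbound NAT missing: LAN source address seen on WAN"
    if not any(k == "reply" and s == target and d == WAN_ADDR for s, d, k in wan):
        return "translated request left WAN but no reply came back"
    if not any(k == "reply" and s == target and d in LAN_NET for s, d, k in lan):
        return "reply reached WAN but was not passed back to LAN"
    return "path OK"

if __name__ == "__main__":
    print(diagnose(LAN_CAP, WAN_CAP))
```
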

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.