LAN Network No Internet
-
Hi all,
Deploying a fresh install pfSense box at home to create a new private network for a homelab. pfSense is version 2.5.2-release.
Setup is as follows:
Main Router: Virgin Superhub 4 (Can't set to modem mode as other parts of my home network rely on it as a router and for WiFi.) Has 1 static public IP, and currently uses the 192.168.0.x/24 network for DHCP.
pfSense box
em0 - WAN: 192.168.0.2
igb0 - LAN: 192.168.1.1/24
WAN -> 1.1.1.1 100% success, as expected.
LAN -> 1.1.1.1 100% packet loss
LAN -> 192.168.0.1 100% packet loss
Client -> LAN 100% success, as expected.
NAT is currently set up as automatic. I've looked around and see people have set up 1:1 NAT rules with my Static IP as a Virtual IP, but I am not sure whether that's necessary here.
Connected to the LAN side at the moment, I just have my laptop, which can connect to LAN fine, but it can also not connect to the internet.
Routes:
NAT:
I have also unchecked the "Block private networks and loopback addresses" for both my WAN and LAN interfaces. "Block bogon networks" is still checked for WAN.
Any suggestions? Happy to try them out as necessary.
-
Welp, I appear to have solved it by disabling DHCP. The only DHCP was on the LAN network, I'd love an explanation to that!
This actually works better for me as it means I can now run maas as the DHCP server behind pfsense. I have failed successfully.
-
@elliotl said in LAN Network No Internet:
Welp, I appear to have solved it by disabling DHCP.
Were you running a DHCP server on the WAN connection??? Normally, you'd use the DHCP client.
-
From the connection results it looks as though the client you were testing from had a bad default route or no default route. pfSense would normally hand out its own interface IP for clients to use as their gateway though, which should have worked fine here. Some conflict on the client perhaps?
Steve
-
Nope, just on the LAN interface. :)
-
@jknott @stephenw10 Doesn't appear to be an issue client-side. When DHCP was enabled, either letting it accept a DHCP lease or setting a static IP client side didn't seem to work.
I have now stumbled into my next issue regarding devices WAN side of pfsense interacting with LAN devices. I don't seem to be able to set up a static route like this:
What would you suggest is the best possible way of allowing devices WAN side (192.168.0.x) to connect to 192.168.1.x devices without using a static route? I've tried a hybrid NAT setup as shown here but it doesn't seem to work. Disabling NAT isn't an option since it drops internet connectivity LAN side.
Perhaps a 1:1 NAT rule using my GW IP as a virtual IP?
EDIT: Should also note I have set up a FW rule for this to work:
EDIT 2: Just tried 1:1 NAT from WAN to LAN and no luck there.
-
pfSense will route that traffic by default as long as a firewall rule exists on WAN.
Where you need the static route is on the WAN devices so they know how to reach the LAN subnet via the pfSense WAN address. Not in pfSense.
If you want to route, rather than NAT, the other way you probably want a do-not-NAT outbound rule for traffic from the LAN subnet to the WAN subnet.
Steve
-
Hi Stephen,
I've created the NO NAT rule for LAN, sadly it still doesn't seem to work.
Here is my updated outbound rules table for your reference:
Since I can't do static routes from the WAN devices (things like phones etc., and the hub won't either) is there an alternative approach?
Additional info that might be helpful:
Routes:
-
Fixed once again! I've set up an OpenVPN service and that seems to have solved all of my problems.
-
Yeah you can't test that with ping like that because the route-to rules will force anything sourced from the WAN via the WAN gateway. But even if it didn't that only tests routing inside pfSense, which should work by default.
An alternative to adding routes on the clients is to add routes to the upstream router so traffic from clients is sent back to pfSense but that is a classic asymmetric route with all that implies:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html
A VPN will allow it even if you don't really need the encryption there.
Steve
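
The routing options discussed in this thread, as an added example that is not part of any post: a small model of the hop-by-hop paths between a WAN-side device and a LAN-side host with no static route, with a static route on the WAN device, and with a static route on the upstream router. It models routing tables only (no NAT or firewall state) and assumes the hub is the default gateway for WAN devices and for pfSense; the CLIENT and SERVER host addresses are constructed.

```python
import ipaddress

# Addresses from the thread; CLIENT and SERVER host addresses are constructed.
HUB, PF_WAN, PF_LAN = "192.168.0.1", "192.168.0.2", "192.168.1.1"
WAN_NET, LAN_NET, DEFAULT = "192.168.0.0/24", "192.168.1.0/24", "0.0.0.0/0"
CLIENT, SERVER = "192.168.0.50", "192.168.1.10"
OWNER = {HUB: "hub", PF_WAN: "pfsense", PF_LAN: "pfsense"}  # next-hop IP -> node

def tables(client_route=False, hub_route=False):
    """Per-node routing tables as (prefix, next hop); None means on-link."""
    t = {
        CLIENT: [(WAN_NET, None), (DEFAULT, HUB)],
        "hub": [(WAN_NET, None), (DEFAULT, "internet")],
        "pfsense": [(WAN_NET, None), (LAN_NET, None), (DEFAULT, HUB)],
        SERVER: [(LAN_NET, None), (DEFAULT, PF_LAN)],
    }
    if client_route:  # static route on the WAN device itself
        t[CLIENT].append((LAN_NET, PF_WAN))
    if hub_route:     # static route on the upstream router instead
        t["hub"].append((LAN_NET, PF_WAN))
    return t

def next_hop(table, dst):
    """Longest-prefix match of dst against one routing table."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), hop) for p, hop in table]
    return max((m for m in nets if addr in m[0]), key=lambda m: m[0].prefixlen)[1]

def path(t, src, dst):
    """List of nodes a packet visits on its way from src to dst."""
    node, hops = src, [src]
    for _ in range(8):  # hop limit guards against routing loops
        hop = next_hop(t[node], dst)
        if hop is None or hop == "internet":
            return hops + [dst if hop is None else "internet"]
        node = OWNER[hop]
        hops.append(node)
    return hops + ["loop"]

def classify(client_route=False, hub_route=False):
    """Compare forward and return paths between CLIENT and SERVER."""
    t = tables(client_route, hub_route)
    fwd, ret = path(t, CLIENT, SERVER), path(t, SERVER, CLIENT)
    if fwd[-1] != SERVER or ret[-1] != CLIENT:
        return "unreachable"
    return "symmetric" if fwd == ret[::-1] else "asymmetric"

if __name__ == "__main__":
    for kw in ({}, {"client_route": True}, {"hub_route": True}):
        print(kw or "no static route", "->", classify(**kw))
```

With the route on the hub, the request passes through the hub but the reply goes from pfSense straight to the client, which is the asymmetric case the linked Netgate page covers.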