Netgate Discussion Forum

    LAN Traffic Problem

      Sergio77

      Hi all,

      I have a strange problem...

      My pfSense has 192.168.1.1 IP, my VM has 192.168.1.2 IP.

      From the VM I try this:
      curl -k www.google.it
      with this output:
      curl: (7) Failed to connect to www.google.it port 80: Connection timed out

      In my pfSense shell, I see this:
      19:05:40.453877 IP 192.168.1.2.54272 > 142.251.209.3.80: Flags [S], seq 1666965013, win 64240, options [mss 1460,sackOK,TS val 2090814887 ecr 0,nop,wscale 7], length 0
      19:05:41.454741 IP 192.168.1.2.54272 > 142.251.209.3.80: Flags [S], seq 1666965013, win 64240, options [mss 1460,sackOK,TS val 2090815888 ecr 0,nop,wscale 7], length 0
      19:05:43.470746 IP 192.168.1.2.54272 > 142.251.209.3.80: Flags [S], seq 1666965013, win 64240, options [mss 1460,sackOK,TS val 2090817904 ecr 0,nop,wscale 7], length 0
      19:05:47.630780 IP 192.168.1.2.54272 > 142.251.209.3.80: Flags [S], seq 1666965013, win 64240, options [mss 1460,sackOK,TS val 2090822064 ecr 0,nop,wscale 7], length 0
      19:05:55.822812 IP 192.168.1.2.54272 > 142.251.209.3.80: Flags [S], seq 1666965013, win 64240, options [mss 1460,sackOK,TS val 2090830256 ecr 0,nop,wscale 7], length 0
      19:06:11.950894 IP 192.168.1.2.54272 > 142.251.209.3.80: Flags [S], seq 1666965013, win 64240, options [mss 1460,sackOK,TS val 2090846384 ecr 0,nop,wscale 7], length 0
      19:06:44.463081 IP 192.168.1.2.54272 > 142.251.209.3.80: Flags [S], seq 1666965013, win 64240, options [mss 1460,sackOK,TS val 2090878896 ecr 0,nop,wscale 7], length 0

      I attach a screenshot where you can see that traffic is allowed... but it doesn't really work...

      What can I check and change to let my VM navigate on the Internet?

      Thanks
      Sergio

      [Attached screenshot: Schermata 2022-05-30 alle 21.52.04.png]

        viragomann @Sergio77

        @sergio77
        Is pfSense able to access the internet for update check and package installation? Or other local devices behind it?

        Is your outbound NAT in automatic mode?
        Is there a rule for the source network?

          Sergio77 @viragomann

          @viragomann I attached some screenshots to answer your question.
          Thanks
          Sergio

          [Attached screenshots: Schermata 2022-05-31 alle 08.53.56.png, Schermata 2022-05-31 alle 08.54.21.png, Schermata 2022-05-31 alle 08.54.46.png, Schermata 2022-05-31 alle 08.55.04.png]

            viragomann @Sergio77

            @sergio77
            So the ping works from pfSense WAN, but not from LAN. This almost indicates that the outbound NAT doesn't work properly.
            However, there is an automatic rule in place for the LAN network.
            Did you try to reboot pfSense?

            Is pfSense installed in a VM? If so, which hypervisor?

              Sergio77 @viragomann

              @viragomann updated and rebooted yesterday...

              Yes, it's a virtual server on ESXi 6.7.0 Update 3 (Build 17167734).

                viragomann @Sergio77

                @sergio77
                There should be nothing special on ESXi, as long as you're not running an HA system with CARP.

                To investigate if the outbound NAT is working properly run a packet capture on the WAN interface, while you ping a public IP from a LAN device.
                You should see packets going out from the WAN address.

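The WAN-side check described in the post above, combined with the LAN-side capture suggested further down the thread, as an added example (not code from any poster or from pfSense): it reads tcpdump text output from both interfaces and reports where an ICMP echo request stops. The function names, result labels and sample captures are assumptions made for illustration.

```python
import re

# tcpdump one-line ICMP echo output: "HH:MM:SS.us IP src > dst: ICMP echo request, id .., seq .."
LINE = re.compile(r"IP (\d+(?:\.\d+){3}) > (\d+(?:\.\d+){3}): ICMP echo (request|reply)")

def parse(capture):
    """Return (src, dst, kind) for every ICMP echo line in a tcpdump text capture."""
    return [m.groups() for m in map(LINE.search, capture.splitlines()) if m]

def diagnose(lan_capture, wan_capture, target):
    """Say where an echo request sent from a LAN host to `target` stops."""
    lan_src = {s for s, d, k in parse(lan_capture) if d == target and k == "request"}
    if not lan_src:
        return "no_lan"          # client never reaches the firewall's LAN side
    wan = parse(wan_capture)
    out_src = {s for s, d, k in wan if d == target and k == "request"}
    if not out_src:
        return "no_wan_egress"   # arrives on LAN, never leaves WAN
    if out_src & lan_src:
        return "not_translated"  # leaves WAN still carrying the LAN source address
    if not any(s == target and k == "reply" for s, d, k in wan):
        return "no_reply"        # translated and sent, nothing comes back
    return "ok"

# Constructed sample captures (not from the thread); 198.51.100.7 and 203.0.113.10
# are documentation addresses standing in for the ping target and the WAN address.
TARGET = "198.51.100.7"
LAN_SAMPLE = """\
11:32:06.100001 IP 192.168.1.2 > 198.51.100.7: ICMP echo request, id 4, seq 1, length 64
11:32:07.100214 IP 192.168.1.2 > 198.51.100.7: ICMP echo request, id 4, seq 2, length 64
"""
WAN_TRANSLATED = """\
11:32:06.100093 IP 203.0.113.10 > 198.51.100.7: ICMP echo request, id 51327, seq 1, length 64
11:32:06.114870 IP 198.51.100.7 > 203.0.113.10: ICMP echo reply, id 51327, seq 1, length 64
"""

if __name__ == "__main__":
    print(diagnose(LAN_SAMPLE, "", TARGET))              # empty WAN capture
    print(diagnose(LAN_SAMPLE, WAN_TRANSLATED, TARGET))  # working outbound NAT
```

An empty WAN capture alongside a populated LAN capture gives `no_wan_egress`, which is the situation the screenshots in this thread are reported to show.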
                  Sergio77 @viragomann

                  @viragomann I did the test, but my capture log is empty...

                  [Attached screenshots: Schermata 2022-06-01 alle 11.32.06.png, Schermata 2022-06-01 alle 11.32.17.png, Schermata 2022-06-01 alle 11.32.47.png]

                    viragomann @Sergio77

                    @sergio77
                    In the host box enter the destination IP you're pinging, not a source.

                      Sergio77 @viragomann

                      @viragomann nothing is changed :-(

                      [Attached screenshots: Schermata 2022-06-01 alle 12.48.07.png, Schermata 2022-06-01 alle 12.47.57.png]

                        viragomann @Sergio77

                        @sergio77
                        Maybe nothing from the VM is coming to pfSense?
                        Check that out by capturing ICMP packets on the LAN interface, while you try to ping a public IP on the VM.

                        If there is also nothing, your VM may use a different gateway, not pfSense LAN IP, or there is something wrong with the ESXi network.

                          Sergio77 @viragomann

                          @viragomann This is the result...

                          [Attached screenshots: Schermata 2022-06-03 alle 09.48.48.png, Schermata 2022-06-03 alle 09.48.39.png]

                            viragomann @Sergio77

                            @sergio77
                            Did you specify a gateway IP address in the LAN interface settings? If so, remove it, please.

                              Sergio77 @viragomann

                              @viragomann It doesn't seem...

                              [Attached screenshot: Schermata 2022-06-03 alle 17.56.06.png]

                                Sergio77 @viragomann

                                @viragomann another screen from LAN Server...

                                [Attached screenshot: Schermata 2022-06-03 alle 17.58.07.png]

                                  viragomann @Sergio77

                                  @sergio77
                                  Yes, the VM might be okay. The upstream packets are arriving on pfSense LAN and you might see also the ICMP packets as passed in the firewall log.
                                  Can't understand, why there is nothing on the WAN.

                                  Do you have a basic interface configuration on pfSense, no CARP?

                                  Did you do the ESXi configuration according to the pfSense docs: Virtualizing pfSense with VMware vSphere / ESXi

                                    ahsunh @Sergio77

                                    @sergio77 check your firewall rule on the LAN interface: is allow all LAN traffic for protocol any and IPv4 available?
