Internet breakout

smk · Dec 12, 2022, 4:31 PM

Hi

Can someone please help me understand how to correctly configure pfsense to allow traffic from the yellow box (LAN) to the blue box (WAN). Currently I am not able to ping any internet address nor dns name. Neither of these work: ping 8.8.8.8 nor ping goole.com.

Configuration:

eth1-4 on Mikrotik are in bridge mode
pfsense has a DHCP server enabled on LAN interface. PC1-3 are getting DHCP assignments
pfsense FW > Rules > LAN has a "Allow LAN to any rule"
pfsense FW > NAT > Outbound Mode is set to "Automatic outbound NAT rule generation"

What am I missing to enable traffic from PC1-3 access the internet?

Thanks in Advance!

rcoleman-netgate · Dec 12, 2022, 4:37 PM

Are there entries in the Firewall Log on pfSense that show the traffic being blocked?
Have you run a packet capture on your LAN interface to see if the traffic is even getting to the pfSense?
Have you put a dumb switch where your Mikrotik is to see if it's the configuration issue?
3b) Are you running a CRS100-series or 300-series? Are you running it in SwitchOS? Mikrotik can be great hardware but the CRS100-series are routers only and not good switches... (ask me how I know).

mer · Dec 12, 2022, 4:47 PM

Item #3 from @rcoleman-netgate is a good quick test; it's pretty much how most home offices are going to be set up (mine is).

smk · Dec 15, 2022, 1:46 AM

@rcoleman-netgate & @mer : Thank you for your response. Your pointers were very helpful in determining that "IPv4 Upstream gateway" was set on the LAN interface which caused the issue. My lack of knowledge on what that setting does.

smk · Dec 15, 2022, 1:46 AM

@smk : But DNS resolutions still not happening. Wondering why:

As you can see, I have a DNS resolver running pointing to all network interfaces with outgoing network interface set to WAN. Would that not cause DNS queries to be forwarded to the upstream DNS server in the home network (which works BTW) and be resolved there?

SteveITS · Dec 15, 2022, 1:57 AM

@smk Aren't the automatic outbound NAT rules missing a subnet? The source should include the LAN subnet, and not have the second two lines:

I would not expect to see outbound NATting for LAN.

Edit: how it got that way while set to "automatic" is the confusing part to me. Was an interface removed?

If you leave the DNS Resolver outgoing interfaces set to the default of All, it will "figure it out" for you.

smk · Dec 15, 2022, 2:45 AM

@steveits Thank you for your response.

Under System> Routing> Gateways, still had a legacy config with LAN gateway pointing to the upstream gateway that is accessible via WAN. That is not correct. As I just learnt, LAN interface should not have an upstream gateway. After removing the upstream gateway, now hosts are able to resolve DNS as well.

The outbound NAT rules in the screenshot above (with the extra rules for LAN) were taken when the Upstream Gateway was incorrectly set for the LAN interfaces. Once I corrected that, mine looks just like what you posed - only has outbound rules for WAN (the outbound interface) and not LAN.

SteveITS · Dec 15, 2022, 2:50 AM

@smk Ah, that makes sense, thanks.