No WAN access from inside LANs...
-
I am struggling with this, probably a simple thing, but new to this all.
I have a pfSense CE device with 4 physical ports (WAN, LAN, IOT, DMZ). IOT and DMZ have unfettered egress, while LAN has some blocked egress rules. I have two PCs on LAN that are working fine, and accessing the internet (Google, YouTube, etc.) just fine. One machine in the IOT subnet which is working fine, and the one I am using now to type this. DMZ is empty. I have a simple switch (no VLANs, nothing else) between LAN and the pfSense appliance, and another switch in the IOT subnet, this one PoE, but otherwise in default/factory mode.
The issue -- I am trying to repurpose an old 32-bit laptop (Thinkpad T42, 2004 vintage) to help me learn Linux, and I have installed Debian 11 from downloaded DVD iso. However it fails to be able to reach the internet. I have networking installed as DHCP, and have tried hooking it up to all 3 subnets, LAN, IOT, and DMZ, all with the same result -- no access to internet.
I have looked in pfSense, and can see that a DHCP lease has been granted for the machine in the corresponding interfaces, so initial traffic is reaching the firewall, but further egress is being blocked. While on LAN and IOT I could ping the switch fine, but whenever I try pinging the actual pfSense gateways (i.e. 192.168.2.1, 192.168.1.1, and 192.168.4.1), I get no returns.
It seems to me pfSense is blocking the access through the gateways, but I have rules allowing all traffic out, rules that are being used by the other devices I have connected, and which are accessing the internet just fine.
Is there some reason pfSense is blocking this particular machine? ...and if so, how can I correct that? The DHCP leases that show have the correct MAC address for the laptop, judging from what the Debian settings show in the laptop networking app.
Any tips would be greatly appreciated, as it has been 3 days of trying things with no luck.
Cheers -
@njaimo Thought I'd mention I've re-installed Debian twice, thinking the installation was flawed, but it seems not. The one thing I have not tried is hooking up the laptop directly to my ISP bypassing the firewall, though not sure if this is a good idea? Given that I can ping the switches while on the 2 respective subnets, it seems that Debian's networking settings are fine, and the laptop's outgoing network traffic is working.
Another thing to mention is that the laptop, an old IBM Thinkpad, used to have a private "IBM partition" on the disk, that I wiped out when repartitioning/formatting for Debian. Not sure if this has anything to do with it, but I recall, under Windows XP, there was a special IBM utility to assign the networking interface, either wired or wireless.
I have not mentioned that I have tried both, the wired and wireless connections (one at a time) with the same "no internet" result. Both connections show that pfSense has assigned them with a DHCP connection (Status>DHCP leases), but that is as far as it goes, no access to the gateway or to the internet through the WAN interface.
-
@njaimo If you can't ping the pfSense interface it's connected to then obviously the firewall isn't blocking it. You need to make sure the pc is getting the proper addresses, not in the dhcp leases, in the pc itself.
-
@jarhead Many Thanks for the note. I have checked on the laptop, the network config settings, and it reports the same IP address that shows in the DHCP lease in pfSense... Is this what you mean?
I was looking through the system logs, trying to learn, and found this in the DNS log, seems to be related to my troubles... The IP addresses ending in .11 are the DHCP addresses that the firewall assigns the laptop, for both subnets that I have tried, seems I have the same issues on both subnets? but not sure what the issue is...
EDIT -- 192.168.1.11 is another IOT device, not the laptop which is 192.168.4.11
-
...looking through more logs, maybe I've found something BAD!?
In the logs below, I am "njaimo", and also created another user "njaimo2", but there is no-one else, so who is "Charlie"?.... have I been hacked?!
ALSO -- I have not removed and then re-added both "njaimo" and "njaimo2", so who/what has done this, as per the logs below?
-
@njaimo checked System > User management, and there is no "charlie" or anyone else there...
-
@njaimo Don't worry about charlie, it's in all pfSense installs.
Can you ping any other devices from the pc? -
@jarhead Thanks again for the note. Thanks for the info on "Charlie".
Yeah, I can ping the switches, when I am in those networks. Right now I am in the DMZ network (192.168.4.1), where there is nothing else.... so I think that the traffic OUT of the laptop is OK.
Have also found this in the DHCP logs... I sorted the log by PID, and PID 40459 I believe refers to the laptop, which has the DHCP lease of 192.168.4.11. Not sure what "Permission Denied" points to...
-
@njaimo ....ahh... OK, so I've switched the laptop to the IOT network, 192.168.1.1, and got assigned a DHCP lease in pfSense of 192.168.1.18, and confirmed it in the laptop connection settings.
Interestingly, I can ping the switch, but I cannot ping the other PC in the network...
...nor can I ping 8.8.8.8
-
@njaimo You need to check the switch, are the ports configured correctly?
-
@jarhead yeah, I have reset the switch to factory settings, and everything else in that network, including this PC I am typing on now work fine. The networks I was on before the DMZ, did not have any switches, and still could not ping 8.8.8.8
I can also ping the two wireless access points 192.168.1.245 and 246, but cannot ping this PC at 192.168.1.100
-
@njaimo here are the firewall rules for my IOT net. "HPDesk1_OIT" is this computer I am typing on, but the first rule allows anything to go out.
-
...starting to think the issue may be in the laptop?... ping does not use TCP/IP, I think, but not sure how it is receiving its DHCP lease from the firewall... then again, not sure why I can ping the Unifi access points and the switch, but not this PC. The access points have a PoE wired connection to a port in the switch, so it seems ping commands are getting out of the switch.
-
@njaimo Starting to think that?? Yeah, my first post said not to look at the firewall.
Plug the laptop directly into the lan port and see if you can get out from there.
If all you're doing is ping tests, did you disable the firewall in the laptop? -
Ok, got some time until the next football game so I can actually put some effort into this...
So you say you defaulted the switch. How are you separating all these networks on it?
What ports have you been using when you switch networks? -
@njaimo said in No WAN access from inside LANs...:
Is there some reason pfSense is blocking this particular machine ?
I happen to have a T43 here, in addition to my E520, with openSUSE Linux on both. They work fine with pfSense, just like every other device I have. Given you can reach the LAN, it makes me wonder if you have the correct info from DHCP. What does ifconfig show? What happens if you use a static config?
-
@njaimo said in No WAN access from inside LANs...:
ping does not use TCP/IP
It uses ICMP over IP.
BTW, that IBM partition you mentioned earlier would likely contain Windows and some drivers, etc. for the computer.
-
@jknott said in No WAN access from inside LANs...:
What does ifconfig show?
I forgot you might not have that command available, as it's been deprecated. I had to add it to openSUSE. If not, you can use ip address to show the address assigned to that computer and ip route, to show the default route.
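Added example, not from anyone in this thread: a small Python check of what the `ip address` and `ip route` commands above report, flagging when the DHCP-assigned address and the default gateway do not sit on the same subnet (the first thing to confirm when the gateway will not answer pings). The `ip -4 addr` and `ip -4 route` output formats are assumed, and the sample output is constructed to match the DMZ lease mentioned in the thread.

```python
#!/usr/bin/env python3
"""Sanity-check a Linux host's DHCP-assigned address against its default route."""
import ipaddress
import subprocess


def parse_addrs(ip_addr_output):
    """Map interface name -> IPv4Interface from the 'inet' lines of `ip -4 addr`."""
    addrs = {}
    for line in ip_addr_output.splitlines():
        tok = line.split()
        if len(tok) >= 3 and tok[0] == "inet":      # e.g. inet 192.168.4.11/24 ... eth0
            addrs[tok[-1]] = ipaddress.ip_interface(tok[1])
    return addrs


def parse_default_gw(ip_route_output):
    """Return (gateway, iface) from the 'default via' line of `ip route`."""
    for line in ip_route_output.splitlines():
        tok = line.split()
        if tok[:2] == ["default", "via"] and "dev" in tok:
            return ipaddress.ip_address(tok[2]), tok[tok.index("dev") + 1]
    return None, None


def check(ip_addr_output, ip_route_output):
    """Return a list of findings; an empty list means the config is consistent."""
    addrs = parse_addrs(ip_addr_output)
    gw, gw_if = parse_default_gw(ip_route_output)
    if gw is None:
        return ["no default route: DHCP offered no router, or the lease was not applied"]
    if gw_if not in addrs:
        return [f"default route uses {gw_if} but that interface has no IPv4 address"]
    net = addrs[gw_if].network
    findings = []
    if gw not in net:
        findings.append(f"gateway {gw} is outside {gw_if}'s subnet {net}")
    if addrs[gw_if].ip == gw:
        findings.append(f"{gw_if} holds the gateway's own address {gw}")
    return findings


# Constructed sample output (hypothetical interface eth0), modelled on the DMZ lease 192.168.4.11 via 192.168.4.1.
SAMPLE_ADDR = "2: eth0: <UP>\n    inet 192.168.4.11/24 brd 192.168.4.255 scope global dynamic eth0\n"
SAMPLE_ROUTE = "default via 192.168.4.1 dev eth0 proto dhcp src 192.168.4.11 metric 100\n"
BAD_ROUTE = "default via 192.168.1.1 dev eth0 proto static\n"   # gateway on the wrong subnet

if __name__ == "__main__":
    live = [subprocess.run(["ip", "-4", c], capture_output=True, text=True).stdout
            for c in ("addr", "route")]
    print(check(*live) or ["address and default route look consistent"])
```

Run it on the laptop itself; an empty finding list means the problem is not a mismatch between the lease and the route, and the next step is the switch port or the host firewall.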
-
...sorry guys, of course when I left for a bit is when you were off football... :)
I've had the laptop sitting in a closet for years, so thought maybe the internal battery was dead and causing some troubles, so I just took it apart and checked the coin battery, and indeed it is at 1.3 volts instead of the 3 V it is supposed to be at. Unfortunately I do not have a replacement right now. So I put it all back and just turned it on, and of course all the BIOS settings have to be checked now, but that tells me that before, the CMOS had been keeping up, so the battery was not the issue.
Give me a few minutes to check what happens when I plug directly into my ISP modem, without a firewall or router. ...be back shortly...
-
OK, bad news, when connected directly to my ISP modem, I do get out to the internet, ping 8.8.8.8 works, and YouTube on Firefox works just fine. So it seems my issues are with the firewall probably after all ?...
So in summary I have 3 networks: LAN (with switch A, and one PC), IOT (with switch B, one PC, 2 access points), and DMZ (no switch, no PCs). LAN -- 192.168.2.1, IOT -- 192.168.1.1, DMZ -- 192.168.4.1. I have DHCP on all 3 set up on pfSense, and pfSense shows the DHCP leases and the IPs match those shown in the laptop's Debian networking app settings, so clearly the laptop is talking to the firewall's DHCP server. It also appears to be able to get NTP updates from somewhere when it boots.
When connected to either LAN, or IOT, I can ping the switch, and the wireless access points, but not the PC on IOT net. Have not tried the LAN PC as it is in another room.
When in DMZ, where there is no switch, I still cannot ping the gateway in pfSense. Given this, I do not think the issue is with the switches, though I cannot explain why I can ping the switch, but not the PC on the same net, as the traffic goes from the laptop, to the switch, and then out to the PC, unless this has to do with DNS and pfSense ?