DMZ interface has internet but LAN1 interface doesn't
-
Hi all,
I'm quite new to pfSense but am familiar with networking, how firewall rules work, and the importance of the order in which the rules are read.
However, I have some problems getting internet on my local machine connected to the LAN1 interface of my pfSense firewall. Some background on my setup:
I have an older Dell R720 (I know, heavily overkill) and have a fresh install of pfSense+ 23.01. (Yes, the upgraded version instead of the CE version)
This machine has 4 ethernet ports, which have been set up as WAN (egb0), LAN1 (egb1), WIFI (egb2) and DMZ (egb3).
At this moment I only use the LAN1 and DMZ interfaces. The WAN interface is connected to my local network, so it has a local IP assigned to it. Now, I do have an internet connection coming into the firewall, because I can see traffic, it gets the correct time from the NTP server, and it can connect to the Netgate update server.
I have followed the firewall example in the Netgate Docs section on the web and copied it almost 1:1 to my setup:
https://docs.netgate.com/pfsense/en/latest/recipes/example-basic-configuration.html
Attached I have some pictures of the firewall rules I currently have set up.
At the DMZ interface I have connected a Synology NAS. This NAS has internet connection because I can connect to it by Synology's Quick Connect.
The funny thing is, as soon as my laptop is connected solely to the LAN1 network, I can reach the pfSense firewall but I cannot access the internet.
Also, in the bottom-right corner I see the "no-internet-globe" on my network connection. My plan was to first set up all interfaces and see whether they are working, before I make the switch to place the pfSense firewall on the real internet and take out my current router.
I also want the Synology on the DMZ network to be able to act as a web & mail server, but before that I need to be sure every adapter, interface, firewall rule and port-forwarding rule is set up correctly, to make the transition as seamless as possible with as little downtime as possible. Hope someone can shine a light on this! :-)
No rules setup on the WAN interface:
This is from the LAN1 ruleset:
And this is from the DMZ ruleset:
-
@stef_r said in DMZ interface has internet but LAN1 interface doesn't:
so it has a local IP assigned to it.
And what is that? Does it overlap with LAN1?
Seems odd that none of your rules really show any hits on them at all.. Nor any states..
Really the only thing I see is traffic to the pfSense web GUI, with the 1 state and 4.65MB of traffic.
For example on LAN1, you don't show any DNS hits or 80 or 443 hits at all; they are all 0/0, with only 3KB on your any-any rule at the end..
-
@stef_r Are you sure you're even connected to the LAN1? You show no hits on almost any rule. See the 0/0 on the left?
Enable the default any rule, then try the same testing you've been doing. That will help a lot.
-
@jarhead exactly - I would expect to see hits if trying to use the internet, even if it didn't work..
Get a ping going to 8.8.8.8 for example - your ICMP rule should show traffic, etc.
Here I added a specific rule for ICMP, and then started a ping.. Then checked my LAN rules; refresh the page or go to something else and then come back.. Even if the ping didn't work you should see some traffic on it.
-
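The advice above boils down to reading the per-rule counters: a rule that has really seen traffic shows evaluations, packets and states, and an interface whose rules are all 0/0 has not received a single packet from the network behind it. The same counters the GUI shows on the rules page are available on the box itself from `pfctl -vsr` (Diagnostics > Command Prompt, or an SSH shell). The script below is an added example, not code from this thread or from Netgate: it parses that output and reports (a) interfaces on which no rule has ever been evaluated, which is what you would expect to see if the laptop is not actually on LAN1, and (b) individual rules that have never matched a packet. The interface names (igb1/igb2/igb3), addresses and rule labels in the embedded sample are constructed for the example and are not the poster's configuration; the `pfctl -vsr` layout (a rule line followed by an `[ Evaluations: ... ]` counter line) is the one pf prints, but check it against your own output before trusting the parse.

```python
"""
Report never-hit interfaces and rules from `pfctl -vsr` output (added example).

Usage on pfSense:  pfctl -vsr > rules.txt, then run this script on that file,
or run it as-is to see the constructed sample below.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample in the shape of `pfctl -vsr` output. Interfaces, addresses
# and labels are assumptions made up for this example, not a real ruleset.
SAMPLE_PFCTL_OUTPUT = """\
pass in quick on igb1 inet proto icmp from 172.16.10.0/24 to any keep state label "USER_RULE: LAN1 allow ICMP"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 41002 State Creations: 0     ]
pass in quick on igb1 inet proto tcp from 172.16.10.0/24 to 172.16.10.1 port = 443 flags S/SA keep state label "USER_RULE: LAN1 allow GUI"
  [ Evaluations: 6         Packets: 3120      Bytes: 4876543     States: 1     ]
  [ Inserted: uid 0 pid 41002 State Creations: 1     ]
pass in quick on igb1 inet from 172.16.10.0/24 to any flags S/SA keep state label "USER_RULE: LAN1 allow any"
  [ Evaluations: 3         Packets: 12        Bytes: 3072        States: 0     ]
  [ Inserted: uid 0 pid 41002 State Creations: 0     ]
pass in quick on igb3 inet proto udp from 10.0.3.0/24 to any port = 53 keep state label "USER_RULE: DMZ allow DNS"
  [ Evaluations: 520       Packets: 1040      Bytes: 98560       States: 4     ]
  [ Inserted: uid 0 pid 41002 State Creations: 4     ]
pass in quick on igb2 inet from 10.0.2.0/24 to any flags S/SA keep state label "USER_RULE: WIFI allow any"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 41002 State Creations: 0     ]
"""

RULE_RE = re.compile(r"^(pass|block|match)\b")        # a rule line starts with its action
IFACE_RE = re.compile(r"\bon (\S+)")                   # "on igb1"; absent for floating rules
LABEL_RE = re.compile(r'label "([^"]*)"')              # pfSense puts the GUI description here
COUNTER_RE = re.compile(
    r"^\s*\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)"
)


@dataclass
class Rule:
    iface: str
    label: str
    text: str
    evaluations: int = 0   # packets checked against this rule (pf stops at the first "quick" match)
    packets: int = 0       # packets that matched it
    bytes: int = 0
    states: int = 0        # current states created by it; the GUI shows states/bytes per rule


def parse_pfctl_rules(output: str) -> list[Rule]:
    """Pair each rule line with the counter line that follows it."""
    rules: list[Rule] = []
    for line in output.splitlines():
        if RULE_RE.match(line):
            iface = IFACE_RE.search(line)
            label = LABEL_RE.search(line)
            rules.append(Rule(
                iface=iface.group(1) if iface else "floating",
                label=label.group(1) if label else line.strip(),
                text=line.strip(),
            ))
            continue
        m = COUNTER_RE.match(line)
        if m and rules:
            r = rules[-1]
            r.evaluations, r.packets, r.bytes, r.states = (int(x) for x in m.groups())
    return rules


def interfaces_with_no_traffic(rules: list[Rule]) -> list[str]:
    """Interfaces where no rule was ever evaluated: nothing has entered from that network."""
    totals: dict[str, tuple[int, int]] = {}
    for r in rules:
        ev, pk = totals.get(r.iface, (0, 0))
        totals[r.iface] = (ev + r.evaluations, pk + r.packets)
    return sorted(i for i, (ev, pk) in totals.items() if ev == 0 and pk == 0)


def unmatched_rules(rules: list[Rule]) -> list[Rule]:
    """Rules that exist but have never matched a packet (0/0 in the GUI)."""
    return [r for r in rules if r.packets == 0]


def report(output: str) -> str:
    rules = parse_pfctl_rules(output)
    lines = []
    for iface in interfaces_with_no_traffic(rules):
        lines.append(f"no traffic has ever entered {iface}: check cabling/VLAN/IP of the client")
    for r in unmatched_rules(rules):
        lines.append(f"never matched on {r.iface}: {r.label}")
    return "\n".join(lines)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PFCTL_OUTPUT
    print(report(text))
```

On the sample, the WIFI interface shows up as never having received anything, while on LAN1 only the ICMP rule is unmatched even though the GUI and any-any rules have counted packets; that split is the distinction the replies are drawing between "the client is not on this network at all" and "the client is there but this particular traffic never reaches pfSense". Run it after a fresh ping or DNS lookup from the client and compare, remembering that pings sent from pfSense itself toward the LAN do not pass through the LAN rules and will not move these counters.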
Thanks all for the fast replies! :-)
Yes, I'm sure I'm connected to the LAN1 network, because that's the interface I use to connect to the pfSense GUI.
My laptop has a static IP address (172.16.10.10) and the DHCP server is disabled for the LAN1 interface. As the screenshots show, I can ping my laptop's IP address from the pfSense menu and get a reply.
I also see data showing at the firewall rules.
This is as expected, I think. However, I can also ping the LAN1 interface (172.16.10.1) on the pfSense firewall from my laptop, but I don't see any traffic added in the firewall rules section...
After this, the states are 0/960B.
When I do a return ping from my laptop, I get a reply back, but the states are unchanged, no matter how many ping commands I send out.
-
@stef_r 15ms response from your local pfSense.. That seems really freaking insanely high for a local network, even if you were wireless, to be honest..
The LAN1 rule wouldn't be counted if you were pinging from pfSense to the LAN device.. Rules are evaluated as traffic enters an interface from the network it's attached to.. You could ping 1000 times to the LAN device from pfSense; that rule would not be evaluated.
-
@stef_r
Are you plugging directly into pfSense?
Did you enable the default Any rule?
-
@jarhead also odd is, look at the first ping - normal or closer to normal, 4ms, 1ms, and from pfSense sub 1ms - and then a drastic increase.. Something's not right for sure.
-
I agree that something weird is going on here...
@jarhead said in DMZ interface has internet but LAN1 interface doesn't:
@stef_r
Are you plugging directly into pfSense?
Did you enable the default Any rule?
Yes. I have a direct cable connection (CAT8) from the laptop to the pfSense router.
At first, I disabled the default Any rule, but even after enabling it, the ping results are still not stable, meaning sometimes I get two-in-a-row ping results of <1ms but the next one is 9ms and the last one again around 15ms. The next round's results vary very much.
After enabling the WIFI interface and setting up the firewall rules as I did with the DMZ interface and ruleset, I get consistent ping results of <1ms, and I also see the normal WiFi icon in my Windows taskbar with only one bar of connection, so the WiFi speed is perfect for the distance to the router.
-
@stef_r said in DMZ interface has internet but LAN1 interface doesn't:
After enabling the WIFI interface
This interface is a wifi interface in pfSense? Yeah, that's not a good setup to be honest; FreeBSD and wifi are just not a good mix at all. You would be better off buying whatever cheap $20 wifi router you can find on Amazon and just using it as an AP, to be honest.
Is your test device connected to both wifi and wire at the same time?
-
@johnpoz Thanks, but in fact it is exactly what you describe.
I have just named the interface "WIFI" myself and don't use any WiFi functions of pfSense / FreeBSD.
The router I have connected is an old Synology RT1900AC set up as a wireless access point. :-)
-
@stef_r ok, that is better.. You're using it as a true AP, not double NATting. I.e. you connect it to your network with one of its LAN ports, disable its DHCP server.. Gave its GUI an IP on your network so you can access its GUI?
For testing of your firewall and its rules, etc., I would take wifi out of the equation. Connect the device directly to the pfSense interface or via a switch, etc.
That you're pinging the pfSense IP and not seeing anything on the rules - that would have me think you were actually pinging maybe the wifi router's IP, etc.
-
Don't beat my drawing skills, because I've worked very hard on it (ha ha, just kidding!), but here is a small drawing of how I have (or want to) set up my network.
With only one small difference:
At the moment I haven't connected my Cisco router between my PC and the pfSense firewall, so there is a plain, straight UTP cable without any switch or router in between.