A specific zone does not have internet access
-
I have several machines and a pfSense running on a Proxmox server which is connected to internet.
The WAN has an IP address assigned through DHCP and is connected to the internet. I would like to give access to the internet on a specific zone called ZONE C (192.168.2.0/24).
ZONE A (LAN / 192.168.1.0/24) can access the internet without any problem.
ZONE B (192.168.2.0/24) is isolated from the internet and can communicate only with specific assets. I have no problem on this zone.
Here are the firewall rules for ZONE A:
Here are the rules for ZONE C:
Here are the debug commands for an asset on ZONE C:
Please note I can't ping 1.1.1.1 for example:
Where is my problem?
Thanks in advance.
-
@Dave07186 That would suggest it's connected via local but not to gateway...
-
@Dave07186
Is your outbound NAT in automatic mode and is there a rule shown up for the zone C subnet?
-
Here is the gateway rule I added to be able to have Internet on ZONE_A:
Am I supposed to add another gateway for ZONE_C? Why does ZONE_A take the gateway without adding a specific rule?
This is ZONE_A interface configuration, no particular gateway specified but I can have access to Internet:
Which rule should I add to ZONE_C to indicate to use this gateway?
Here are the NAT Outbound rules:
Thanks for your help.
-
@Dave07186
As you have defined a default gateway, this one is used by pfSense to pass out traffic if there isn't stated any other for it.
So there is no need to add an additional gateway for zone C.
Are there no outbound NAT rules displayed below "Automatic rules"?
-
I added NAT rule and it works:
I can now have access to the internet on ZONE_C. But it remains a mystery to me why there is no automatic rule created for ZONE_A (LAN), and so: why does it work?
OK, I have created a gateway for WAN, but is it not for this reason that I have Internet on ZONE_A?
EDIT: I just realized that the speed test upload can't be completed without an added NAT Outbound rule for ZONE_A; only the download speed test works:
Works perfectly after adding the NAT Outbound rule.
-
@Dave07186
Yeah, automatic outbound NAT rule generation requires that there is a gateway stated in the WAN interface settings.
Without that I wouldn't expect any IPv4 subnet behind pfSense to have internet access, apart from one which is bridged to WAN.
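
Added example, not part of any post in this thread: a Python check that lists internal subnets with no outbound NAT toward WAN, which is the state the thread ended up diagnosing (a manual rule for ZONE_C but none for ZONE_A). The XML layout is a simplified, assumed model of a firewall config export, the sample is constructed, `uncovered_subnets` is a hypothetical helper, and the gateway condition follows the last reply rather than pfSense documentation.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample; the simplified XML layout is an assumption for this example.
SAMPLE = """<pfsense>
  <interfaces>
    <wan><descr>WAN</descr><ipaddr>dhcp</ipaddr></wan>
    <lan><descr>ZONE_A</descr><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><descr>ZONE_C</descr><ipaddr>192.168.2.1</ipaddr><subnet>24</subnet></opt1>
  </interfaces>
  <nat><outbound><mode>hybrid</mode>
    <rule><interface>wan</interface><source><network>192.168.2.0/24</network></source></rule>
  </outbound></nat>
</pfsense>"""

def uncovered_subnets(xml_text, wan="wan"):
    """Return {zone: subnet} for internal subnets with no outbound NAT on WAN."""
    root = ET.fromstring(xml_text)
    mode = root.findtext("nat/outbound/mode", default="automatic")
    # Per the last reply: automatic rules exist only if WAN has a gateway set.
    has_gw = bool((root.findtext(f"interfaces/{wan}/gateway") or "").strip())
    if mode in ("automatic", "hybrid") and has_gw:
        return {}
    sources = []
    if mode in ("hybrid", "advanced"):  # manually defined rules are in effect
        for rule in root.iterfind("nat/outbound/rule"):
            if rule.findtext("interface") != wan or rule.find("disabled") is not None:
                continue
            src = (rule.findtext("source/network") or "").strip()
            try:
                sources.append(ipaddress.ip_network(
                    "0.0.0.0/0" if src == "any" else src, strict=False))
            except ValueError:
                continue  # alias or other non-CIDR source: not evaluated here
    missing = {}
    for iface in root.find("interfaces"):
        if iface.tag == wan:
            continue
        try:
            net = ipaddress.ip_network(
                f"{iface.findtext('ipaddr')}/{iface.findtext('subnet')}", strict=False)
        except ValueError:
            continue  # DHCP or unconfigured interface: no static subnet to check
        if not any(net.version == s.version and net.subnet_of(s) for s in sources):
            missing[iface.findtext("descr") or iface.tag] = str(net)
    return missing

if __name__ == "__main__":
    print(uncovered_subnets(SAMPLE))
```
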