Internet on pfsense, no internet on lan

aepurvis

This is a new installation.  I've spent hours searching the forum and found lots of the same problem, but no solution that I hadn't already done.

isp (wan static ip 208.x.x.x, lan 192.168.1.1/24, dhcp enabled) -> wireless router (wan 192.168.1.118, lan 10.63.63.0/24, dhcp enabled) -> pfsense wan (WLAN 10.63.63.102/24, gateway 10.63.63.1 via dhcp) -> pfsense lan (192.168.10.1/24, dhcp enabled) -> pc (192.168.10.60/24, gw 192.168.10.1 via dhcp)

From pfsense, I have full internet access (ping, telnet, etc).  From lan pc I can resolve names (dns working), but I can't ping even 10.63.63.1 or access websites.  I can ping pfsense both on the lan ip and the wan ip from the pc.  The pings timeout.  If I change the wan address to static (and add dns server setting), instead of timeout I get pfsense.local reports destination host unreachable.

I have Block private networks unchecked.  Otherwise the settings are all default (no additional rules, no nat changes, etc)

Routing table:
default          10.63.63.1          UGS        0        59      wi0
10.63.63.0/24  link#8                UC          0        0      wi0
10.63.63.1      00:18:39:07:d7:b4 UHLW    2        70      wi0  1199
10.63.63.102  127.0.0.1            UGHS      0      142    lo0
127.0.0.1        127.0.0.1            UH        1          0      lo0
192.168.10.0/24 link#3              UC        0          0    nfe0
192.168.10.60  00:00:39:6b:d7:d0  UHLW  1        266  nfe0  682

ifconfig:
nfe0
  inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
  wi0  10.63.63.102 netmask 0xffffff00 broadcast 10.63.63.255

This is a test setup and the only hardware I have available has one ethernet port and one wireless port.  Otherwise I'd get the router out of the equation at least, although there are other pc's on the 10.63.63.x lan that still need access anyway.

Any pointers would be appreciated.

wallabybob

Please post the output of a traceroute to your WAN static IP address performed on a LAN PC, e.g.

traceroute -n 208.x.x.x

or on Windows: # tracert -d 208.x.x.x

Also, the following two sentences seem contradictory:

I can ping pfsense both on the lan ip and the wan ip from the pc.  The pings timeout.

Please clarify: which pings timeout?

aepurvis

Tracing route to  [208.x.x.x]
over a maximum of 30 hops:

1    <1 ms    <1 ms    <1 ms  pfsense.local [192.168.10.1]
  2    *        *        *    Request timed out.
  3    *        *        *    Request timed out.

That was unclear.  The pings to the lan and wan if of pfsense both work.  Pings to anything beyond that timeout.

orc4hire

I'm trying to make sense of this.  You have the Internet connected to the wireless router, which is plugged into the ethernet port on the pfSense box, and the PC is connected to the wireless network on the pfSense box?  Like this?

Internet –>Router -->pfSense -->PC

You're NATed through three different private networks before getting to the Internet.  I'd be a lot more surprised if that did work than if it didn't.

And you have other PCs connected directly to the router, in parallel with the pfSense box?  What is it you're actually trying to do?

wallabybob

The traceroute result would suggest to me that you have some problem on the pfSense link to the wireless router OR in the wireless router OR CMP responses have been disabled on the wireless router but your observation that pings from pfSense work while pings from a LAN client don't work is not consistent with ay of those possibilities.

How about doing a packet trace (tcpdump) on the pfSense WAN interface while you do the traceroute suggested earlier from pfSense. Then repeat  the traceroute but from a LAN client. Are there any "significant" differences between the two traces?

aepurvis

Wallabybob:

There is a significant difference.  From the lan pc, there is no sign of the ICMP packets on the wan i/f at all.  It's like I've got internet access disabled for the lan.  I thought the default rules, etc. enabled access.  I'll look into that.

aepurvis

I mean that the tracert performed on the lan pc results in no ICMP traffic on the pfsense wan i/f.  When the traceroute is performed from the pfsense machine, there is the expected ICMP request and reply traffic.

aepurvis

orc4hire:

This is a test setup at home with the equipment I had available, and trying to interfere with my wife as little as possible (she's the parallel connection directly to the wireless router).  Not an expected production environment at all.  And pfsense is actually connecting to the router wirelessly and my lan pc is connected to pfsense with a crossover cable.

Ultimately, I'll be connecting the pfsense machine to a static ip isp connection and it'll be the only thing doing any nat.

danswartz

Question: do you even see any traffic on the 10.63.63.0/24 subnet when the LAN PC tries to do anything?

aepurvis

I see no traffic at all coming from the lan side.  There is a background level of activity coming from the wan side, but nothing at all that correlates to when I issue a ping or tracert or try to open a web page on the lan pc.

I'm running from the live cd, so all I'm setting is the interfaces and all private addresses on the wan.

Is there some fundamental setting that I'm missing?  I was initially using my laptop in the same configuration with the same results, so don't think it's a hardware issue.

danswartz

Does a packet trace on the LAN see the packets?  If so, can you post a snippet?  I think it may be time for screenshots of your interfaces, rules, etc…

wallabybob

Your original post said you can ping the pfSense LAN IP from the LAN PC. Now if you try a tracert from the LAN PC to ISP's IP there is no traffic seen on the pfSense LAN IP.

Is the physical connection between LAN PC and pfSense up and running?

What is the default gateway on the LAN PC? (should be pfSense LAN IP)

What is the IP address of the LAN PC? (shouldn't be 169…)

aepurvis

Thanks to all for your suggestions.  I've changed hardware and now have dual network cards as well as the wireless.  If I use the wireless for the WAN, still no access to the WAN from the LAN.  When I switched to using a wired i/f for the WAN (still connecting to the same router), everything works as expected.  It must be a characteristic of pfsense that you can't use a wireless connection for the WAN, or at least it requires a special setup.  Since that's not a configuration I plan to use in production, I won't be pursuing this any further.

7lemo

Mister wallabybob: I've installed the system PF Sense to the stage for a final gave me wan -192.168.0.13 and 192.168.1.1  lan -worked prepare for because 192.168.0.10. Knowing that I am currently working Maikarotik system. But when I open the browser and type the IP Address 192.168.0.10 does not open my pFSense. Note that the local network there by a yellow triangle. A. In your opinion, why not call and thank you