No Internet on OPT Interfaces



  • Hello. Time to trouble the pfSense forums again. I can't seem to get internet access on my OPT interfaces. DNS forwarder is on.
    I took a look at this thread:
    http://forum.pfsense.org/index.php/topic,11965.0.html

    I created rules just like Perry did, and it did not help.
    What is strange is I never had to do anything before. Everything just worked. ???
    Thanks for any replies!


    More info:


    nslookup output on Server 2008 R2 on OPT1 Interface:
    http://i427.photobucket.com/albums/pp360/xtropx/nslookup_server08r2.jpg
    http://i427.photobucket.com/albums/pp360/xtropx/firewall_rules.jpg
    IP Configuration on Server 2008 R2 on OPT1:
    http://i427.photobucket.com/albums/pp360/xtropx/ipconfig_server08r2.jpg
    172.16.1.0/27 Network



  • @xtropx:

    I can't seem to get internet access on my OPT interfaces.

    Please be more specific about the way in which your internet access attempts don't work. DNS apparently works!

    What response do you get when you attempt to trace the route to www.google.com? (Use the shell command traceroute www.google.com on Unix or Linux, tracert www.google.com on Windows.)

    Is 172.16.1.33 the IP address of the OPTx interface on the pfSense system?



  • I can't ping external addresses. Network and Sharing Center shows internet access, except I can't access the web.
    Yes, 172.16.1.33 is the OPT1 interface of pfSense.


    There doesn't appear to be anything amiss in the firewall logs. You can see port 53 allowed to 172.16.1.33 and you can see 172.16.1.44 (client) negotiate with google's IP address. So strange.
    http://i427.photobucket.com/albums/pp360/xtropx/firewall_log.jpg



  • On the pfSense console (or ssh session to pfSense) what do you see when you issue the shell command:
    # traceroute www.google.com

    Perhaps you have a problem upstream of pfSense. Some vmware network plumbing that needs tweaking?



  • I get an appropriate response. Hops all the way to google's IP address. This is what leads me to believe it is just some setting I have incorrect in pfSense. A firewall rule, perhaps. If it were something upstream I shouldn't be getting internet access on the LAN interface. I need to tell pfSense something I am not.



  • And the firewall rules on OPT1 are?

    What packages do you have installed? squid or some other web proxy?

    Why did you think http://forum.pfsense.org/index.php/topic,11965.0.html was relevant to your configuration? (Maybe there is something a bit unusual about your configuration.)

    @xtropx:

    I need to tell pfsense something I am not.

    Or maybe you need to not tell it something you are telling it :-)

    @xtropx:

    You can see port 53 allowed to 172.16.1.33 and you can see 172.16.1.44 (client) negotiate with google's IP address. So strange.
    http://i427.photobucket.com/albums/pp360/xtropx/firewall_log.jpg

    Those firewall logs just tell you the firewall allowed the access attempt. They don't tell you anything came back!



  • Firewall rules on OPT1:

    What packages do you have installed? squid or some other web proxy?

    No packages. I installed TinyDNS but it is disabled.

    Why did you think http://forum.pfsense.org/index.php/topic,11965.0.html was relevant to your configuration? (Maybe there is something a bit unusual about your configuration.)

    Well they got DNS forwarder to work by adding certain rules. Yet critical information is left out. What the IP addresses are in the rules. (Are they the interfaces of pfsense?)
    My setup is pretty straightforward, I think. I just have:

    http://i427.photobucket.com/albums/pp360/xtropx/basicnetwork.png

    Or maybe you need to not tell it something you are telling it :-)

    Quite true.

    Not sure if it matters but I have manual outbound rule generation for NAT.



  • @xtropx:

    Not sure if it matters but I have manual outbound rule generation for NAT.

    I have no experience of outbound NAT rules. It seems to me that you have taken responsibility to provide rules for the translation of traffic leaving any internal network (including OPT1) to the IP address of the WAN interface on which the traffic leaves. (slight paraphrase of description in the pfSense book.)

    Do you understand the responsibility you have taken on? I suggest you take a backup of your configuration file (so you can restore things if necessary), enable automatic outbound NAT, go to Diagnostics -> States, click on Reset States tab, read the explanation and click on the Reset button and then try your internet access from the OPT interface. If it works, then the problem is most likely in your outbound NAT rules (or lack thereof!). Do you really need manual outbound NAT rules?
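The point wallabybob makes above, that with manual outbound NAT every internal network (LAN and each OPT) needs its own rule translating traffic to the WAN address, can be checked mechanically. The script below is an added example, not code from the thread or from pfSense; it models outbound NAT rules as plain dicts, uses the OPT1 subnet from the thread (172.16.1.0/27) and an assumed LAN subnet, and reports which internal networks would leave the WAN untranslated.

```python
import ipaddress

# Constructed sample: the networks pfSense routes for. OPT1 is the subnet
# from the thread; the LAN subnet is an assumption for illustration.
INTERNAL_NETS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "OPT1": ipaddress.ip_network("172.16.1.0/27"),
}

# Constructed sample of a manual outbound NAT rule set that covers only LAN,
# i.e. the situation before the fix. Each rule records the interface the
# traffic leaves on, the source network it matches, and the translation
# address (None would mean a "no NAT" rule).
MANUAL_OUTBOUND_RULES = [
    {"interface": "WAN", "source": "192.168.1.0/24", "translate_to": "WAN address"},
]


def uncovered_networks(internal_nets, rules, wan_if="WAN"):
    """Return names of internal networks with no outbound NAT rule on wan_if.

    A network is covered when some rule on the WAN interface has a source
    that contains the whole network and actually translates. Traffic from an
    uncovered network leaves with its private source address, so replies
    never come back even though the firewall log shows the packet allowed.
    """
    uncovered = []
    for name, net in internal_nets.items():
        covered = any(
            r["interface"] == wan_if
            and r["translate_to"] is not None
            and net.subnet_of(ipaddress.ip_network(r["source"]))
            for r in rules
        )
        if not covered:
            uncovered.append(name)
    return uncovered


def add_rule_for(rules, net, wan_if="WAN"):
    """Return a new rule list with a translating WAN rule for net (the fix)."""
    new_rule = {"interface": wan_if, "source": str(net), "translate_to": f"{wan_if} address"}
    return rules + [new_rule]


if __name__ == "__main__":
    print("missing outbound NAT:", uncovered_networks(INTERNAL_NETS, MANUAL_OUTBOUND_RULES))
    fixed = add_rule_for(MANUAL_OUTBOUND_RULES, INTERNAL_NETS["OPT1"])
    print("after adding OPT1 rule:", uncovered_networks(INTERNAL_NETS, fixed))
```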



  • Success. The problem was fixed by adding these to the manual outbound rules in NAT:

    This thread could be marked as solved. A lot of good information/troubleshooting here. Thank you wallabybob for your assistance. You really helped me narrow this down; my home ESXi lab was looking pretty useless.



  • @xtropx:

    Success. The problem was fixed by adding these to the manual outbound rules in NAT:

    This thread could be marked as solved. A lot of good information/troubleshooting here. Thank you wallabybob for your assistance. You really helped me narrow this down; my home ESXi lab was looking pretty useless.

    xtropx…
    Sorry if this is a dumb question but I want to clarify since I had a recent issue with rules…
    So it appears that you added these rules to the WAN rules (is that correct since I see WAN?)
    Is that correct?

    Thx...

    H.



  • My apologies, I edited my last post so you could see all the information.



  • Xtropx…

    NP
    Thanks for the info and this gives me more understanding on rules....
    I see you have setup specific ports for specific services on the WAN side...

    Best Regards;

    H.

