Basic statically routed set up not working!
I'm trying to set up pfSense with a really basic setup, and I can't for the life of me work out why it's not working. The set up is as follows:
WAN: 220.127.116.11/27 (with default gateway set to the service provider's IP)
WAN and LAN default rules added to allow all traffic.
I have a host, 18.104.22.168, that I can ping locally from the pfSense firewall. I can access the firewall remotely over the Internet, but when I try to access the host I get this message:
PING 22.214.171.124 (126.96.36.199) 56(84) bytes of data.
From 188.8.131.52 icmp_seq=1 Destination Host Unreachable
From 184.108.40.206 icmp_seq=2 Destination Host Unreachable
The same behaviour happens if I try to access a TCP port. I know that 220.127.116.11 has remote desktop open, so I try from my remote host 18.104.22.168:
telnet 22.214.171.124 3389
telnet: Unable to connect to remote host: No route to host
When I go to Diagnostics->Show States I see this:
tcp 126.96.36.199:3389 <- 188.8.131.52:57304 CLOSED:SYN_SENT
tcp 184.108.40.206:57304 -> 220.127.116.11:3389 SYN_SENT:CLOSED
I can't for the life of me work out why pfSense is reporting the host is unreachable, when it is directly attached? I am sure this is something incredibly simple, any help would be really appreciated!
Did you shutdown NAT or add any static routes? We need more details on this.
There's no NAT or static routes set up on the box.
pfSense does NAT by default, so if you have not disabled it it DOES nat. That's why I was asking.
OK, under the "Firewall"->"NAT" section in the web interface, there are three tabs. There are no entries set up on any of the tabs. On the "Outbound" tab the radio button "Enable IPSec passthru" is selected.
I've been logging on with SSH and the rules all look like they're configured correctly, I can't see a rule that would block traffic.
You have to enable advanced outbound nat at firewall>nat, outbound tab and then delete the autocreated rules at the bottom. if advanced outbound nat is not enabled pfSense will do NAT on any interface with a gateway (like WAN).
Thanks for the tip. I'm not sure this has had the desired effect, I turned it off as per your instructions, and checked with a "pfctl -a nat" command, which showed no NAT rules. I still get the "destination host unreachable" error when trying to connect to a host behind pfSense.
Is your WAN in a private subnetrange? If yes you need to uncheck "block private IPs" at interfaces>wan.
No, the WAN is in a public range. I've unblocked the private IPs anyway; I'm trying to run with the minimum feature set.
If your LAN is private IPs then you need NAT.
Turns out the cause of this was the bridging was not working as anticipated; I was under the impression that bridging an interface with another effectively gave you a layer 2 connection between the two ports. Moving the computer from the bridged port into the port the bridged port was bridged with resolved this.