Basic statically routed setup not working!

Routing and Multi WAN

edb49:

I'm trying to set up pfSense with a really basic setup, and I can't for the life of me work out why it's not working. The setup is as follows:

WAN: 1.1.1.8/27 (with default gateway set to the service provider's IP)
LAN: 2.2.2.1/29

WAN and LAN default rules added to allow all traffic.

I have a host, 2.2.2.3, that I can ping locally from the pfSense firewall. I can access the firewall remotely over the Internet, but when I try to access the host I get this message:

    ping 2.2.2.3
    PING 2.2.2.3 (2.2.2.3) 56(84) bytes of data.
    From 1.1.1.8 icmp_seq=1 Destination Host Unreachable
    From 1.1.1.8 icmp_seq=2 Destination Host Unreachable

The same behaviour happens if I try to access a TCP port. I know that 2.2.2.3 has Remote Desktop open, so I try from my remote host 4.4.4.4:

    telnet 2.2.2.3 3389
    Trying 2.2.2.3…
    telnet: Unable to connect to remote host: No route to host

When I go to Diagnostics -> Show States I see this:

    tcp 2.2.2.3:3389 <- 4.4.4.4:57304 CLOSED:SYN_SENT
    tcp 4.4.4.4:57304 -> 2.2.2.3:3389 SYN_SENT:CLOSED

I can't for the life of me work out why pfSense is reporting the host as unreachable when it is directly attached. I am sure this is something incredibly simple; any help would be really appreciated!

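As an added illustration (not part of the thread), a small Python script that parses state lines in the shape quoted above, picks out the TCP states where pf saw only the SYN, and checks whether the destination sits in one of the directly attached subnets from the original post. The interface layout is taken from the post; the third and fourth state lines are constructed for contrast.

```python
import ipaddress
import re

# Constructed sample in the shape of pfSense "Diagnostics -> Show States" output;
# the first two lines mirror the thread, the other two are added for contrast.
SAMPLE_STATES = """\
tcp 2.2.2.3:3389 <- 4.4.4.4:57304 CLOSED:SYN_SENT
tcp 4.4.4.4:57304 -> 2.2.2.3:3389 SYN_SENT:CLOSED
tcp 1.1.1.8:22 <- 4.4.4.4:57310 ESTABLISHED:ESTABLISHED
udp 2.2.2.3:53 <- 2.2.2.5:40000 SINGLE:NO_TRAFFIC
"""

# Assumed interface layout, copied from the original post.
INTERFACES = {"WAN": "1.1.1.8/27", "LAN": "2.2.2.1/29"}

STATE_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<left>\S+)\s+(?P<dir><-|->)\s+(?P<right>\S+)\s+(?P<states>\S+)$"
)

def parse_states(text):
    """Parse state lines into dicts, skipping anything that is not a pf state.
    pf prints 'dst <- src' for inbound states and 'src -> dst' for outbound
    ones, so the destination host is on the left for '<-' and on the right for '->'."""
    out = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["states"] = tuple(d["states"].split(":"))
        d["dst"] = (d["left"] if d["dir"] == "<-" else d["right"]).rsplit(":", 1)[0]
        out.append(d)
    return out

def half_open_tcp(states):
    """TCP states where pf saw only the SYN: one side SYN_SENT, the other CLOSED.
    The state exists, so the filter rules passed the packet; what never arrived is
    the reply, which points past the rules (return path, NAT or, as here, layer 2)."""
    return [s for s in states
            if s["proto"] == "tcp" and set(s["states"]) == {"SYN_SENT", "CLOSED"}]

def directly_attached(ip, interfaces=INTERFACES):
    """Interface whose subnet contains ip, or None if a route would be needed."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in interfaces.items():
        if addr in ipaddress.ip_network(cidr, strict=False):
            return name
    return None
```

Run against the two lines from the thread, both come back as half-open with destination 2.2.2.3 on LAN, so the firewall rules passed the SYN and the fault lies in getting a reply back from the host.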
hoba:

Did you shut down NAT or add any static routes? We need more details on this.

edb49:

There's no NAT or static routes set up on the box.

hoba:

pfSense does NAT by default, so if you have not disabled it, it DOES NAT. That's why I was asking.

edb49:

OK, under the "Firewall" -> "NAT" section in the web interface, there are three tabs. There are no entries set up on any of the tabs. On the "Outbound" tab the radio button "Enable IPsec passthru" is selected.

I've been logging on with SSH and the rules all look like they're configured correctly; I can't see a rule that would block traffic.

hoba:

You have to enable advanced outbound NAT at Firewall > NAT, Outbound tab, and then delete the auto-created rules at the bottom. If advanced outbound NAT is not enabled, pfSense will do NAT on any interface with a gateway (like WAN).

edb49:

Thanks for the tip. I'm not sure this has had the desired effect: I turned it off as per your instructions and checked with a "pfctl -a nat" command, which showed no NAT rules. I still get the "destination host unreachable" error when trying to connect to a host behind pfSense.

hoba:

Is your WAN in a private subnet range? If yes, you need to uncheck "Block private IPs" at Interfaces > WAN.

edb49:

No, the WAN is in a public range. I've unblocked the private IPs anyway; I'm trying to run with the minimum feature set.

sai:

If your LAN is private IPs then you need NAT.

edb49:

Turns out the cause of this was that the bridging was not working as anticipated; I was under the impression that bridging an interface with another effectively gave you a layer 2 connection between the two ports. Moving the computer from the bridged port into the port it was bridged with resolved this.
