Help me!!! 2.0-RELEASE firewall rule can't access internet.



  • Pictures of my firewall rules.
    ![pfsense firewall rule can't access internet.jpg](/public/imported_attachments/1/pfsense firewall rule can't access internet.jpg)
    ![pfsense firewall rule can access internet.jpg](/public/imported_attachments/1/pfsense firewall rule can access internet.jpg)



  • Try adding a pass rule for destination port 53.



  • Thank you. But it still can't access the internet.

    ![pfsense firewall rule 80_53 can't to access internet.jpg](/public/imported_attachments/1/pfsense firewall rule 80_53 can't to access internet.jpg)



  • Am I right that the problem occurs when the config in the upper picture is in use? If so, then add that DNS service, like ericab mentioned.
    If the rules in the other picture are in use and are creating problems, then try to ping 8.8.8.8 and www.google.com from the firewall itself.



  • I tried pinging 8.8.8.8 and www.google.com; no problem. But if I try pinging other websites, there's a problem.

    My pfSense system:

    • pfSense 2.0 Release (1 WAN, 1 LAN) + Squid proxy + firewall rules.

    ```text
    PING 8.8.8.8 (8.8.8.8) from 192.168.13.161: 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=51 time=59.702 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=51 time=60.070 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=51 time=59.951 ms

    --- 8.8.8.8 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 59.702/59.908/60.070/0.153 ms

    PING www.l.google.com (209.85.175.103) from 192.168.13.161: 56 data bytes
    64 bytes from 209.85.175.103: icmp_seq=0 ttl=51 time=60.588 ms
    64 bytes from 209.85.175.103: icmp_seq=1 ttl=51 time=69.933 ms
    64 bytes from 209.85.175.103: icmp_seq=2 ttl=51 time=69.371 ms

    --- www.l.google.com ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 60.588/66.631/69.933/4.279 ms

    PING www.manager.co.th (202.57.155.203) from 192.168.13.161: 56 data bytes

    --- www.manager.co.th ping statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss
    ```



  • Well, I have fully working settings, and even I'm not capable of pinging www.manager.co.th, so that address doesn't allow ICMP echo.
    Did you try pinging from a client as well?



  • Yes, I tried pinging www.manager.co.th, www.cnn.com, and www.sanook.com from a client. It's the same.



  • Well, ping can't work with only TCP connections; it's done by ICMP. And UDP 53 works faster than TCP 53.

    What have you selected in those rules to capture a log?



  • @mots:

    > Thank you. But it still can't access the internet.

    You need to switch the protocol to UDP.

    Do your clients obtain their IP through DHCP, or are they set up independently?

    If you were to SSH into pfSense, can you ping anything?


  • Rebel Alliance Global Moderator

    > pfSense 2.0 Release (1 WAN, 1 LAN) + Squid proxy + firewall rules.

    If you want your clients to use the Squid proxy, they would not be directly accessing anything on the internet anyway. Why would they not be using your pfSense box for DNS? And/or the proxy should be doing the DNS lookups anyway.

    If you want clients to access the net while using an outside DNS server, your rules need to allow TCP HTTP (80), and TCP/UDP 53 (DNS) to whatever DNS server you want them to use, say 8.8.8.8.

    But I'm not understanding the point of the proxy if that is what you want to do.



  • By default the firewall blocks. So if you disable the default allow rule, it stops working. If all you want to allow is surfing, then LAN net:any to any:80|443|53, though with port 53 you need UDP and TCP. If you want to test ping, you must have an allow rule for ICMP.
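The rule set that this reply and the moderator's reply above describe, written out in pf.conf syntax. This is an added example for reading alongside the thread, not from the thread, from pfSense, or from the poster's configuration; pfSense generates its own pf rules from the GUI, so this is for reference and for syntax-checking with `pfctl -nf`, not a file to load on the box. The interface names, the LAN subnet, the choice of 8.8.8.8 as the only permitted resolver, and the Squid listener port in the last comment are assumptions.

```pf
# Added example, not from the thread or from pfSense: the "default deny plus
# web, DNS and ICMP" rule set the replies describe, in pf.conf syntax.
# Interface names, the LAN subnet and the single resolver are assumptions.
wan_if      = "em0"
lan_if      = "em1"
lan_net     = "192.168.13.0/24"
dns_servers = "{ 8.8.8.8 }"

set skip on lo0

# Outbound NAT so LAN clients reach the internet through the WAN address
nat on $wan_if from $lan_net to any -> ($wan_if)

# Default deny with logging. This is what disabling "Default allow LAN to any"
# leaves you with: anything not explicitly passed below is dropped and appears
# in the firewall log, which is the quickest way to see which port is missing.
block log all

# Let traffic leave on WAN (the firewall's own and the NATed client traffic);
# the per-client restriction is enforced on the LAN side below.
pass out quick on $wan_if keep state

# Web browsing. 443 is what the "add https also" reply is about: without it,
# plain HTTP sites load but every HTTPS site fails.
pass in quick on $lan_if proto tcp from $lan_net to any port { 80 443 } flags S/SA keep state

# DNS to the permitted resolver only. Resolvers query over UDP 53 first and
# retry over TCP 53 for truncated answers, so a TCP-only rule leaves name
# resolution broken even though pinging 8.8.8.8 by address still works.
pass in quick on $lan_if proto { tcp udp } from $lan_net to $dns_servers port 53 keep state

# ICMP echo so clients can ping for troubleshooting. A host that does not
# answer echo requests (www.manager.co.th in the thread) still times out.
pass in quick on $lan_if inet proto icmp from $lan_net to any icmp-type echoreq keep state

# If the clients are meant to go through Squid instead (the moderator's point),
# drop the port 80/443 rule above and pass only the proxy listener on the
# firewall's LAN address. Squid's default port 3128 is assumed here.
# pass in quick on $lan_if proto tcp from $lan_net to ($lan_if) port 3128 keep state
```

Rule order matters because every pass rule is `quick`: the first match wins, and the unqualified `block log all` catches whatever falls through, so a missing protocol (UDP for DNS, ICMP for ping, 443 for HTTPS) shows up as a logged block rather than a silent failure.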



  • Thank you, All Comments.

    Now the pfSense 2.0 Release + Squid proxy + firewall rules can access the internet.
    I disabled the "Default allow LAN to any" rule and allowed TCP ports 80 and 53, UDP port 53, and ICMP.



  • You might want to add HTTPS also.
    Did you get everything fixed?


  • Rebel Alliance Global Moderator

    > Squid proxy

    Still not understanding, if you're using a proxy, why you're directly letting machines out. Who are you having use the proxy?


Locked