Upgraded to 2.0.1 now LAN cannot ping past gateway



  • I was using ver 1.2.3, and then upgraded to 2.0.1 this weekend.  I first noticed a problem when I attempted to check the auto-update url in the Firmware menu, and then also the packages were not showing up and it gave the error that it couldn't contact pfsense to retrieve the list.  pfsense in my setup serves as a simple bridged firewall.  It does not perform any routing, pppoe, dhcp, nothing like that.  Just a firewall.

    Here's my current setup:

    Static LAN: 192.168.1.252 /24 (no gateway)
    Static WAN: 192.168.1.253 /24 (uses .254 gateway)
    Gateway: 192.168.1.254 /24

    General Setup
    DNS Server    Gateway
    4.2.2.2          None
    4.2.2.3          None

    Toggling the Gateway to WAN (the only option listed) does not make any difference here.

    Interface, (assign), Bridges
    Interface: Bridge0 with members LAN & WAN

    Ping
    LAN to .253 = success
    LAN to .254 = success
    LAN to 4.2.2.2 = fail
    LAN to 8.8.8.8 = fail

    WAN to .252 = success
    WAN to .254 = success
    WAN to 4.2.2.2 = success
    WAN to 8.8.8.8 = success

    Firewall rules
    All default rules are still enabled.  No additional rules have been added that would restrict the LAN interface from talking to the outside.  I would have thought the default LAN rule "Default LAN -> Any" should have allowed the interface outside access, but I guess not.

    Attempting DNS lookup on any ip address or internet hostname always fails, I'm assuming because it uses the LAN interface.  So this tells me that the firmware update and packages both use the LAN interface.

    I didn't have this issue until after the upgrade.  Is there a way to get it to use the WAN interface, or is there some setting I'm missing somewhere to get the LAN to talk to the outside?



  • Never put the same subnet on two different interfaces. Put LAN to type "none". That kind of setup has always been hit and miss on connectivity.



  • Since your pfSense doesn't do DHCP I presume your LAN clients have a static configuration of default gateway. If you remove the IP address from the LAN interface then your LAN clients will need to use the pfSense WAN IP address as default gateway.



  • @wallabybob:

    Since your pfSense doesn't do DHCP I presume your LAN clients have a static configuration of default gateway. If you remove the IP address from the LAN interface then your LAN clients will need to use the pfSense WAN IP address as default gateway.

    No, never do that. When bridging, the default gateway MUST be upstream of the firewall, not an IP on the firewall. Doing that will lead to all kinds of odd issues in this type of scenario.



  • @cmb:

    No, never do that. When bridging, the default gateway MUST be upstream of the firewall, not an IP on the firewall. Doing that will lead to all kinds of odd issues in this type of scenario.

    Thanks for the correction.



  • @cmb:

    Never put the same subnet on two different interfaces. Put LAN to type "none". That kind of setup has always been hit and miss on connectivity.

    Hello…
    I wanted to follow up on this thread from earlier as I was hoping to glean a bit of extra advice in getting my new setup online.  First, I do want to say that I read this thread, which has been helpful for me in understanding exactly how a transparent firewall is ideally supposed to function: http://forum.pfsense.org/index.php/topic,36562.0.html

    In previous versions of pfsense and monowall I've been used to the 2 interface setup, ip addresses on both with traffic just flowing between them.  Using 3 interfaces is a little different for me, so please correct me here if I misunderstand anything.  To make things easier for anyone answering, I've numbered and bolded the specific questions I'm hoping to receive feedback on.

    I did set up the new box as you suggested with the LAN type at none (my WAN type is still the same static address posted in the OP), which was a little confusing to me at first in getting traffic to even flow through properly.  While I have been able to get traffic to flow through as I'm used to, the problem I am running into is that the "default deny rule" (found in the firewall logs) on the LAN side seems to keep blocking everything.  I have to manually add all sorts of rules to get traffic flowing: traffic to the gateway, ICMP traffic to the internet, DNS lookups, HTTP traffic, etc.

    1. My first follow-up question is, why is the default rule "Default allow LAN to any rule" with the LAN subnet as the source, passing any protocol to any destination, not covering this?  To me, I should not have to add all of these different exceptions to get traffic flowing; to me this rule should allow traffic to pass but it isn't.
    Edit: I sort of understand why this isn't working.  Since the LAN port is set to type "none", the LAN subnet really has no meaning in the ruleset.  So instead of manually adding each host on the network to allow its traffic out, is there anything I can do to get the entire network's traffic going outside to pass?

    Perhaps I may be answering my own question here, but I did go ahead and add a third interface into the box after reading the thread I linked to above.

    2. If I change my WAN port type to "none" as was stated in the linked thread, and then create this third interface (I'll call it OPT1), should OPT1 be assigned Bridge0 or the fxp0 name the system has assigned my Intel nic?

    This presents a couple of other questions...

    3. I have always needed a port forwarded from my gateway from the internet into the box, using ssh.  I assume if I create this third interface as mentioned above with a static ip, obviously the traffic will have to go to this interface.  Is there any issue here I should be aware of with routing ssh traffic to the third interface?

    4. How will I need to physically wire the box?  In my previous setup, the gateway was wired into the WAN port, the LAN port was then wired to the switch.  With 3 interfaces, how does this need to be wired?   Gateway to OPT1, then both WAN and LAN to the switch?



  • @pfnoober:

    1. My first follow-up question is, why is the default rule "Default allow LAN to any rule" with the LAN subnet as the source, passing any protocol to any destination, not covering this?  To me, I should not have to add all of these different exceptions to get traffic flowing; to me this rule should allow traffic to pass but it isn't.
    Edit: I sort of understand why this isn't working.  Since the LAN port is set to type "none", the LAN subnet really has no meaning in the ruleset.  So instead of manually adding each host on the network to allow its traffic out, is there anything I can do to get the entire network's traffic going outside to pass?

    Sure, in the firewall rule change the Source IP from LAN subnet to Any, save the change and then go to Diagnostics -> States, click on the Reset tab, read the text and take the appropriate action.



  • @wallabybob:

    Sure, in the firewall rule change the Source IP from LAN subnet to Any, save the change and then go to Diagnostics -> States, click on the Reset tab, read the text and take the appropriate action.

    Hmmm…the way I read that though would be that any source, including external connections, would then be able to pass through to my internal network which I don't want.  At least that is my understanding of how the rule would work...please correct me if I'm wrong.



  • Firewall rules tied to an interface apply to connections received on that interface. The firewall rule under discussion does not apply to connection attempts initiated on the Internet because such connection attempts are not (unless there is something you haven't told us) received on the LAN interface.
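The point made above (rules are bound to the interface a packet is received on) and the "LAN subnet" puzzle in question 1 can be shown with a small model. This is an added example, not code from the forum thread or from pfSense; it assumes first-match rule evaluation (pfSense generates its rules with `quick`), a default deny, and a constructed topology with LAN set to type "none" and WAN on 192.168.1.0/24.

```python
"""Toy model of pfSense per-interface rule evaluation (added example, not
pfSense code). It models only what the thread discusses: rules bound to the
interface a packet is received on, first-match semantics, and a default deny."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    iface: str          # interface the rule is bound to ("in on <iface>")
    src: str            # CIDR, "any", or an "<IFACE> subnet" macro
    action: str = "pass"

@dataclass(frozen=True)
class Packet:
    in_iface: str       # interface the packet was received on
    src: str
    dst: str

def resolve(spec: str, iface_subnets: dict) -> Optional[ipaddress.IPv4Network]:
    """Expand a source spec into a network, or None when it can match nothing.
    With LAN set to type 'none' there is no LAN address, so the 'LAN subnet'
    macro resolves to nothing (the situation in question 1 of the thread)."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.endswith(" subnet"):
        return iface_subnets.get(spec.split()[0])
    return ipaddress.ip_network(spec)

def evaluate(pkt: Packet, rules: list, iface_subnets: dict) -> str:
    """First matching rule on the receiving interface wins; else default deny."""
    for r in rules:
        if r.iface != pkt.in_iface:
            continue    # rules on other interfaces never see this packet
        net = resolve(r.src, iface_subnets)
        if net is not None and ipaddress.ip_address(pkt.src) in net:
            return r.action
    return "block (default deny)"

# Constructed scenario: LAN has no IP (type none), WAN is 192.168.1.253/24,
# clients sit on 192.168.1.0/24 behind the bridge. 203.0.113.7 is a documentation
# address standing in for an arbitrary Internet host.
SUBNETS = {"WAN": ipaddress.ip_network("192.168.1.0/24")}   # no "LAN" entry
LAN_PING = Packet("LAN", "192.168.1.10", "8.8.8.8")         # client -> Internet
WAN_PROBE = Packet("WAN", "203.0.113.7", "192.168.1.10")    # Internet -> client

def verdicts(src_spec: str) -> tuple:
    """Verdicts for (LAN-originated, WAN-originated) under one LAN pass rule."""
    rules = [Rule("LAN", src_spec)]   # the "Default allow LAN to any" rule
    return evaluate(LAN_PING, rules, SUBNETS), evaluate(WAN_PROBE, rules, SUBNETS)
```

With the source left as "LAN subnet" both packets hit the default deny; with "any" the LAN-originated packet passes while the WAN-received probe is still denied, because the rule is never consulted for packets received on WAN.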



  • I just wanted to follow up on my own thread to let anyone in the future know that I've resolved this issue.  I have been able to get the transparent firewall up and running with just 2 interfaces, the LAN port set to type "none" as cmb suggested, while the WAN port is still a static IP address port.  I still haven't tried the LAN, Any rule that wallabybob suggested to allow all traffic on the local network through; I'm still using the manually added rules in the firewall to get traffic out.

    The ssh requirement I posted about is also working, I just had to make sure the port forwarding on my gateway was pointed to the correct address/port.

