Netgate Discussion Forum
    Upgraded to 2.0.1 now LAN cannot ping past gateway

    Category: Problems Installing or Upgrading pfSense Software
    pfnoober:

      I was using ver 1.2.3, and then upgraded to 2.0.1 this weekend.  I first noticed a problem when I attempted to check the auto-update url in the Firmware menu, and then also the packages were not showing up and it gave the error that it couldn't contact pfsense to retrieve the list.  pfsense in my setup serves as a simple bridged firewall.  It does not perform any routing, pppoe, dhcp, nothing like that.  Just a firewall.

      Here's my current setup:

      Static LAN: 192.168.1.252 /24 (no gateway)
      Static WAN: 192.168.1.253 /24 (uses .254 gateway)
      Gateway: 192.168.1.254 /24

      General Setup
      DNS Server    Gateway
      4.2.2.2          None
      4.2.2.3          None

      Toggling the Gateway to WAN (the only option listed) does not make any difference here.

      Interface, (assign), Bridges
      Interface: Bridge0 with members LAN & WAN

      Ping
      LAN to .253 = success
      LAN to .254 = success
      LAN to 4.2.2.2 = fail
      LAN to 8.8.8.8 = fail

      WAN to .252 = success
      WAN to .254 = success
      WAN to 4.2.2.2 = success
      WAN to 8.8.8.8 = success

      Firewall rules
      All default rules are still enabled.  No additional rules have been added that would restrict the LAN interface from talking to the outside.  I would have thought the default LAN rule "Default LAN -> Any" should have allowed the interface outside access but I guess not.

      Attempting DNS lookup on any ip address or internet hostname always fails, I'm assuming because it uses the LAN interface.  So this tells me that the firmware update and packages both use the LAN interface.

      I didn't have this issue until after the upgrade.  Is there a way to get it to use the WAN interface, or is there some setting I'm missing somewhere to get the LAN to talk to the outside?

    cmb:

        Never put the same subnet on two different interfaces. Put LAN to type "none". That kind of setup has always been hit and miss on connectivity.

    wallabybob:

           Since your pfSense doesn't do DHCP I presume your LAN clients have a static configuration of default gateway. If you remove the IP address from the LAN interface then your LAN clients will need to use the pfSense WAN IP address as default gateway.

    cmb:

            @wallabybob:

             Since your pfSense doesn't do DHCP I presume your LAN clients have a static configuration of default gateway. If you remove the IP address from the LAN interface then your LAN clients will need to use the pfSense WAN IP address as default gateway.

            No, never do that. When bridging, the default gateway MUST be upstream of the firewall, not an IP on the firewall. Doing that will lead to all kinds of odd issues in this type of scenario.

    wallabybob:

              @cmb:

              No, never do that. When bridging, the default gateway MUST be upstream of the firewall, not an IP on the firewall. Doing that will lead to all kinds of odd issues in this type of scenario.

              Thanks for the correction.

    pfnoober:

                @cmb:

                Never put the same subnet on two different interfaces. Put LAN to type "none". That kind of setup has always been hit and miss on connectivity.

                Hello…
                 I wanted to follow up on this thread from earlier as I was hoping to glean a bit of extra advice in getting my new setup online.  First, I do want to say that I read this thread, which has been helpful for me in understanding exactly how a transparent firewall is ideally supposed to function: http://forum.pfsense.org/index.php/topic,36562.0.html

                In previous versions of pfsense and monowall I've been used to the 2 interface setup, ip addresses on both with traffic just flowing between them.  Using 3 interfaces is a little different for me, so please correct me here if I misunderstand anything.  To make things easier for anyone answering, I've numbered and bolded the specific questions I'm hoping to receive feedback on.

                 I did set up the new box as you suggested with the LAN type at none (my WAN type is still the same static address posted in the OP), which was a little confusing to me at first in getting traffic to even flow through properly.  While I have been able to get traffic to flow through as I'm used to, the problem I am running into is that the "default deny rule" (found in the firewall logs) on the LAN side seems to keep blocking everything.  I have to manually add all sorts of rules to get traffic flowing... traffic to the gateway, icmp traffic to the internet, dns lookups, http traffic, etc.

                1. My first follow-up question is, why is the default rule "Default allow LAN to any rule" with the LAN subnet as the source, passing any protocol to any destination, not covering this?  To me, I should not have to add all of these different exceptions to get traffic flowing; to me this rule should allow traffic to pass but it isn't.
                Edit: I sort of understand why this isn't working.  Since the LAN port is set to type "none", the LAN subnet really has no meaning in the ruleset.  So instead of manually adding each host on the network to allow its traffic out, is there anything I can do to get the entire network's traffic going outside to pass?

                Perhaps I may be answering my own question here, but I did go ahead and add a third interface into the box after reading the thread I linked to above.

                2. If I change my WAN port type to "none" as was stated in the linked thread, and then create this third interface (I'll call it OPT1), should OPT1 be assigned Bridge0 or the fxp0 name the system has assigned my Intel nic?

                This presents a couple of other questions….

                3. I have always needed a port forwarded from my gateway from the internet into the box, using ssh.  I assume if I create this third interface as mentioned above with a static ip, obviously the traffic will have to go to this interface.  Is there any issue here I should be aware of with routing ssh traffic to the third interface?

                 4. How will I need to physically wire the box?  In my previous setup, the gateway was wired into the WAN port, the LAN port was then wired to the switch.  With 3 interfaces, how does this need to be wired?  Gateway to OPT1, then both WAN and LAN to the switch?

    wallabybob:

                  @pfnoober:

                  1. My first follow-up question is, why is the default rule "Default allow LAN to any rule" with the LAN subnet as the source, passing any protocol to any destination, not covering this?  To me, I should not have to add all of these different exceptions to get traffic flowing; to me this rule should allow traffic to pass but it isn't.
                  Edit: I sort of understand why this isn't working.  Since the LAN port is set to type "none", the LAN subnet really has no meaning in the ruleset.  So instead of manually adding each host on the network to allow its traffic out, is there anything I can do to get the entire network's traffic going outside to pass?

                  Sure, in the firewall rule change the Source IP from LAN subnet to Any, save the change and then go to Diagnostics -> States, click on the Reset tab, read the text and take the appropriate action.

    pfnoober:

                    @wallabybob:

                    Sure, in the firewall rule change the Source IP from LAN subnet to Any, save the change and then go to Diagnostics -> States, click on the Reset tab, read the text and take the appropriate action.

                     Hmmm… the way I read that though would be that any source, including external connections, would then be able to pass through to my internal network which I don't want.  At least that is my understanding of how the rule would work... please correct me if I'm wrong.

    wallabybob:

                       Firewall rules tied to an interface apply to connections received on that interface. The firewall rule under discussion does not apply to connection attempts initiated on the Internet because such connection attempts are not (unless there is something you haven't told us) received on the LAN interface.

    pfnoober:
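As an added illustration of the point above (constructed for this page, not a ruleset from the thread or generated by pfSense), a pf-style ruleset for the two-interface bridge described in the original post; interface names em0/em1 are assumptions, the addresses are the ones pfnoober gave:

```pf
# Constructed pf ruleset for a bridged firewall where LAN has no address.
# em0/em1 are assumed interface names; addresses come from the original post.
wan_if = "em0"          # WAN, static 192.168.1.253/24, upstream gateway .254
lan_if = "em1"          # LAN, type "none": no address, so "LAN subnet" is empty
fw_wan = "192.168.1.253"

# Default deny: anything not explicitly passed below is dropped and logged
# (this is the "default deny rule" seen in the firewall logs).
block in log all

# Replacement for "Default allow LAN to any". With LAN set to type none the
# "LAN subnet" source matches nothing, so the source has to be "any".
# "in on $lan_if" binds the rule to packets RECEIVED on the LAN port; a
# connection initiated from the Internet arrives on $wan_if, never on
# $lan_if, so "from any" here does not open the inside network.
pass in quick on $lan_if inet from any to any keep state

# Only traffic the upstream gateway forwards to the firewall itself (ssh in
# the thread) needs a WAN-side pass rule. Replies to sessions that LAN hosts
# opened are admitted by the state table created above, not by a rule.
pass in quick on $wan_if inet proto tcp from any to $fw_wan port 22 keep state
```

`pfctl -nf <file>` parses a ruleset without loading it, which is a cheap way to check syntax before applying an equivalent rule set through the GUI.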

                         I just wanted to follow up on my own thread to let anyone in the future know that I've resolved this issue.  I have been able to get the transparent firewall up and running with just 2 interfaces, the LAN port set to type "none" as cmb suggested, the WAN port is still a static ip address port.  I still haven't tried the LAN, Any rule yet that wallabybob suggested to allow all traffic on the local network through; I'm still using the manually added rules in the firewall to get traffic out.

                        The ssh requirement I posted about is also working, I just had to make sure the port forwarding on my gateway was pointed to the correct address/port.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.