Netgate Discussion Forum

Unable to access internet from remote site

Routing and Multi WAN
    Perry
    last edited by May 24, 2007, 1:36 PM

    @PhatBot:

    We cannot access internet from a remote subnet.

    I think I've set up all the needed routes, rules and such.

    Use the latest beta if it should be a pfsense issue

    Post your routes, rules and such. :)  It's a bit hard to know what you have done so far.

    /Perry
    doc.pfsense.org

      cmb
      last edited by May 24, 2007, 7:45 PM

      You need to make sure the static route(s) for these subnet(s) are entered properly, and also change the default LAN permit rule so it allows more than just the LAN subnet. By default only the subnet directly connected on the LAN is permitted out by the firewall rules.

        PhatBot
        last edited by May 25, 2007, 9:41 AM

        Thanks for the reply guys.
        Let's see if I can describe it better…

        Interfaces:
        IF1(WAN) - IP XXX.XXX.XXX.XXX
        IF2(LAN) - IP 10.58.112.5/22
        IF3(DMZ) - IP 192.168.0.1/24

        Routes:
        LAN 10.58.118.0/24 GW 10.58.112.12
        LAN 10.58.204.0/24 GW 10.58.112.12
        LAN 10.58.202.0/24 GW 10.58.112.1

        NAT: (Advanced outbound)
        WAN 10.58.0.0/16 * * * * * NO    (LAN -> WAN)
        WAN 192.168.0.0/24 * * * * * NO (DMZ ->WAN)

        Rules: (on LAN IF)

        • 10.58.0.0/16 * * * * * (Allow all out)

        10.58.118.0/24 and 10.58.204.0/24 come over VLAN via a routing switch with IP 10.58.112.12
        10.58.202.0/24 comes in via a leased line through a router with IP 10.58.112.1

        Entire LAN, 10.58.118.0/24 and 10.58.204.0/24 works flawlessly in every sense. However 10.58.202.0/24 never passes through the pfSense. It's like it refuses to do NAT for that subnet.

        Hope this describes it better.

        Thanks again!

        1 Reply Last reply Reply Quote 0
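An added example, not part of the thread: a consistency check of the addressing posted above against cmb's two points (static route gateways entered properly, LAN rule and outbound NAT covering more than the directly connected subnet). The `audit` function and its checks are this example's own; the addresses are the ones from the post. It checks addressing only and says nothing about what the routers beyond pfSense do.

```python
import ipaddress

# Values copied from the post above.
LAN_IF = ipaddress.ip_interface("10.58.112.5/22")
STATIC_ROUTES = {            # destination -> gateway
    "10.58.118.0/24": "10.58.112.12",
    "10.58.204.0/24": "10.58.112.12",
    "10.58.202.0/24": "10.58.112.1",
}
NAT_SOURCE = ipaddress.ip_network("10.58.0.0/16")       # outbound NAT source
LAN_RULE_SOURCE = ipaddress.ip_network("10.58.0.0/16")  # pass rule on LAN


def audit(lan_if, routes, nat_src, rule_src):
    """Return a list of (destination, problem) tuples; empty means consistent."""
    problems = []
    for dest_s, gw_s in routes.items():
        try:
            dest = ipaddress.ip_network(dest_s)  # strict: rejects typos and host bits
            gw = ipaddress.ip_address(gw_s)
        except ValueError as exc:
            problems.append((dest_s, f"unparseable entry: {exc}"))
            continue
        if gw not in lan_if.network:
            problems.append((dest_s, f"gateway {gw} is not on-link in {lan_if.network}"))
        if gw == lan_if.ip:
            problems.append((dest_s, "gateway is the firewall's own LAN address"))
        if dest.overlaps(lan_if.network):
            problems.append((dest_s, "destination overlaps the directly connected LAN"))
        if not dest.subnet_of(rule_src):
            problems.append((dest_s, f"not matched by LAN pass rule source {rule_src}"))
        if not dest.subnet_of(nat_src):
            problems.append((dest_s, f"not matched by outbound NAT source {nat_src}"))
    return problems


if __name__ == "__main__":
    for dest, problem in audit(LAN_IF, STATIC_ROUTES, NAT_SOURCE, LAN_RULE_SOURCE):
        print(f"{dest}: {problem}")
    print("checked", len(STATIC_ROUTES), "routes")
```

With the posted values the audit returns no problems; narrowing the rule and NAT source to the LAN /22 alone flags every remote subnet.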
          PhatBot
          last edited by May 26, 2007, 8:31 PM

          bump  :)

            cmb
            last edited by May 26, 2007, 10:53 PM

            Can you ping IPs on those subnets from pfsense itself?

            Do you see the traffic getting dropped in your firewall log?

              PhatBot
              last edited by May 27, 2007, 6:48 AM

              Yes, pinging from pfSense to the remote subnet works just fine.
              And no, the log shows that the traffic gets through.

                cmb
                last edited by May 28, 2007, 1:52 AM

                Based on what you said, your pfsense sounds fine. I didn't see it mentioned, what version are you running?

                  PhatBot
                  last edited by May 28, 2007, 8:00 AM

                  Version 1.0.1

                  Well it seems like it's doing fine yet it doesn't seem to NAT that subnet.

                  Can't really see any other things in my network topology that could cause this problem.

                    Perry
                    last edited by May 28, 2007, 8:30 AM May 28, 2007, 8:28 AM

                    Then you should update http://pfsense.best-view.net/updates/

                    more info here http://pfsense.blogspot.com/2007/05/choosing-which-version-to-run.html

                    /Perry
                    doc.pfsense.org

                      PhatBot
                      last edited by May 28, 2007, 7:14 PM

                      Ok upgraded to 1.2-Beta-1 (Excellent job on the firmware upgrade routine guys. Quick and accurate.)

                      Still no go though.
                      Passes firewall rules but seems to get stuck in NAT or something.

                        cmb
                        last edited by May 28, 2007, 9:52 PM

                        Yeah I would have suspected a NAT bug in 1.0.1, there are a few of those that have been fixed in 1.2b1.

                        Do you have advanced outbound NAT enabled?

                          PhatBot
                          last edited by May 28, 2007, 10:23 PM

                          Yes, advanced NAT enabled.

                            cmb
                            last edited by May 29, 2007, 12:01 AM

                            Then it's a problem with your advanced NAT rules. Do you need it for some reason? If not, just disable it and your problem goes away.

                              PhatBot
                              last edited by May 29, 2007, 7:31 AM

                              Changed to normal NAT.
                              Still same problem though.

                              Very odd.

                                Perry
                                last edited by May 29, 2007, 7:58 AM

                                Is there anything special with that leased line?

                                10.58.202.0/24 comes in via a leased line through a router with IP 10.58.112.1

                                Maybe do some trace with pftop or tcpdump (just a thought)

                                /Perry
                                doc.pfsense.org

                                  cmb
                                  last edited by May 29, 2007, 8:25 PM

                                  Yeah it's time to start capturing packets and seeing what's really happening.

                                    PhatBot
                                    last edited by May 29, 2007, 8:44 PM

                                    Right… hehe... the thing is.....  :-\

                                    I haven't got a clue how to do that.???
                                    Could someone give me some pointers?

                                    Thanks!

                                    Also. Thanks for the help on this subject. I really appreciate you guys taking your free time to help me. :)

                                      PhatBot
                                      last edited by May 31, 2007, 9:45 AM

                                      Tried some TCPDUMP. Not really sure what to look for though.

                                      The thing I find strange is that I'm able to ping hosts on the remote subnet from the pfsense box.
                                      And the pfsense box also replies to pings from the remote subnet.
                                      Feels like the data is flowing like it should in our internal network.
                                      It just doesn't let me do nat for that subnet.

                                        PhatBot
                                        last edited by May 31, 2007, 10:39 AM

                                        In the Webgui Diagnostics: Show States I see
                                        ICMP 10.58.202.21:512 -> external-ip:35350 -> external-gw 0:0
                                        ICMP external-gw:512 <- 10.58.202.21 0:0
                                        when I try to ping from the host on the remote subnet to our ISP gateway.
                                        This should indicate that NAT is working like it should, right?

                                          Perry
                                          last edited by May 31, 2007, 11:22 AM May 31, 2007, 11:08 AM

                                          To check for a DNS problem you could do something like this.

                                          from shell tcpdump -i if2 dst port 21

                                          from a client ftp://204.152.184.73/

                                          By that you can see what happens on IF2 when you log on to an FTP server

                                          ---------------------------------------

                                          http://your-pfsense-ip/status.php

                                          you might find something under pfctl
                                          ------- !! Warning this is written by someone sitting in the sun !! ------------

                                          /Perry
                                          doc.pfsense.org
