New PFSense can't get on WAN



  • Hello,

    I have a delegated /27 from our ISP and our servers currently have public and LAN IP addresses.  I was hoping to set up PFSense and NAT all the servers so that they'd only have private IP addresses.  But for some reason I am not able to get PFSense to work on the WAN.

    I have PFSense LAN on static 192.168.1.1 and able to connect to webconfigurator from a windows box in the LAN.

    I choose an available public IP address and assign it to the PFSense WAN as static, with the designated gateway.  We have (for example, not really our address) 100.200.0.192/27 and the gateway is 100.200.0.193.  In the PFSense WAN page I've tried the static IP 100.200.0.200 with both /32 and /27; in neither case am I able to ping the PFSense public IP 100.200.0.200 from another computer (maybe ICMP is being blocked by default?) and the "Status > Gateways" page always shows the gateway offline.

    In case it's relevant, this is installed in ESXi and there is only 1 physical NIC, but PFSense sees it as 2 NICs with 2 distinct MACs.  It's connected to a layer 3 switch with all our servers that currently have both public and private IP addresses.

    Thank you in advance for any suggestions



  • Couple of things. The WAN subnet needs to be set at /27. All inbound traffic on WAN is blocked by default. You would need to set up a rule to allow ICMP if you want to ping. I am not sure why the gateway was showing as offline when you had the /27 set. With the /32, they are not in the same network and thus not pingable.
    There could be a problem with the ESXi network setup. Are you utilizing VLANs or something to segregate the networks?



  • Thanks for your reply podilarius

    @podilarius:

    There could be a problem with the ESXi network setup. Are you utilizing VLANs or something to segregate the networks?

    No, and I read something last night that implies ESXi needs two physical NICs to do this without VLANs.  There is a 2nd NIC in the ESXi host but it's not connected and it's a 2 hour drive to the datacenter; I've requested they connect it for me.  Do you think it's as simple as that, connecting the 2nd NIC to the WAN even though they go into the same layer 3 switch?  Or are VLANs absolutely essential?
    I guess I'm reluctant to go with VLANs mainly for lack of experience and being afraid to get locked out of the host.

    UPDATE: Not sure what changed, but the WAN is online today!  Maybe rebooting the ESXi host had something to do with it, after changing the NICs assigned to this VM…?  So perhaps it all can work with a single NIC and no VLANs.  Excited to try NAT next... will report back



  • It can work with only 1 NIC, I have done it before, but it is not very secure, and as such it is highly recommended that you get the second one hooked up or go VLAN to separate the networks. Let us know how it goes.



  • @3zzz:

    perhaps it all can work with a single NIC and no VLANs.  Excited to try NAT next… will report back

    Update: Inbound NAT works no problem.  For some reason the computers can't connect out to the 'net, which is only an issue when they need to get updates, install new packages, etc.
    I haven't been able to figure out what's wrong, but the servers have the PFSense LAN IP (192.168.1.1) as their gateway and they can only ping addresses of other computers on the LAN, but not the gateway or beyond… I still have the default "Automatic Outbound NAT" rule in place and didn't add any new firewall rules that block anything.



  • To be sure, the pfSense box itself can ping correctly to, for example, google.com and the gateway IP? But the client LAN computers cannot ping the internet provider's gateway. Can the LAN computers ping the WAN IP of the pfSense box?

    The LAN interface should not have a gateway, but you do need a few firewall rules to allow outbound traffic. Can you check the firewall logs to see if traffic is being blocked? What happens if you perform a "tracert 8.8.8.8" from a client PC?

    As for the ESXi machine, make sure the switch has "allow forged MAC addresses" and "allow promiscuous mode" enabled.



  • @PiBa:

    To be sure, the pfSense box itself can ping correctly to, for example, google.com and the gateway IP?

    Yes - from webconfigurator Diagnostics > Ping, pinging google.com resolved and pinged 3 times with 100% success.

    @PiBa:

    But the client LAN computers cannot ping the internet provider's gateway. Can the LAN computers ping the WAN IP of the pfSense box?
    The LAN interface should not have a gateway, but you do need a few firewall rules to allow outbound traffic. Can you check the firewall logs to see if traffic is being blocked?

    Computers on the LAN cannot ping the gateway, but they can ping the WAN IP of pfSense.

    LAN gateway = none
    I noticed in the firewall logs incoming traffic hitting port 80 of the public IP address being blocked, but when I try to ping the gateway etc. nothing shows up with the internal addresses being blocked.

    @PiBa:

    What happens if you perform a "tracert 8.8.8.8" from a client PC?
    As for the ESXi machine, make sure the switch has "allow forged MAC addresses" and "allow promiscuous mode" enabled.

    traceroute 8.8.8.8

    traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
     1  * * *
     2  * * *
     3  * * *
    etc. until expiration

    Hmm, promiscuous was disallowed on both the vNIC and the vSwitch - I wonder, do I need to enable it on both, and what needs to be restarted afterwards..?

    Thanks for your help PiBa!



  • Unless you need a bridge, you don't need promiscuous mode on. What is the IP and subnet on LAN?



  • I enabled promiscuous mode, rebooted pfSense and the server, and nothing seemed to change.

    @podilarius:

    Unless you need a bridge, you don't need promiscuous mode on. What is the IP and subnet on LAN?

    OK thanks podilarius,

    I'd been using 192.168.1.1 in the example; in actuality it has 192.168.10.1/24 (gateway none) and the servers are on the same subnet 192.168.10.X with their gateway set to 192.168.10.1. This is how the routing looks on one I'm testing with:

    ip route show

    192.168.10.0/24 dev eth0  proto kernel  scope link  src 192.168.10.40
    169.254.0.0/16 dev eth0  scope link
    default via 192.168.10.1 dev eth0



  • But you cannot ping the LAN address? Is that correct? What rules have you modified on LAN and what have you done in NAT, more specifically outbound? Do the servers still have live IPs?



  • @podilarius:

    But you cannot ping the LAN address? Is that correct? What rules have you modified on LAN and what have you done in NAT, more specifically outbound? Do the servers still have live IPs?

    I can ping the LAN address and the pfSense public WAN address from the servers; I just can't ping the public WAN gateway that pfSense is using (or anything beyond) if I have the LAN address as the server's gateway.  If I switch the server's gateway to the WAN gateway IP address, then it can access anywhere. (The servers have both a public and a LAN address currently; I was hoping to remove the public one once pfSense is set up.)

    As far as rules in pfSense, I added one NAT rule for a specific port to forward to an internal address for SSH; and it works from outside, I can SSH to a server with only an internal address on the LAN subnet.

    The outbound NAT has only the default option checked, "Automatic outbound NAT rule generation".
    There are a few "allow all" rules, but that's about it.



  • It's working!

    I wish I knew what it was that fixed it; I went to the WAN settings page and it said there were changes waiting to be applied. I applied them and after that I noticed there was no gateway set.  I set the gateway and applied the changes and suddenly it works.  So it must have been something dumb I was doing, not applying changes or something. Boy, that was frustrating, but I am so glad it works.  Thanks for your help with this, guys!
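The two failure modes the thread ran into (a WAN configured as /32 so the ISP gateway 100.200.0.193 is not on-link, and a pfSense box with no WAN gateway, so LAN clients' packets have nowhere to go after the default route points at 192.168.10.1) can be reproduced with a small routing model. The example below is added here and is not pfSense code or anything posted in the thread; the client routing table is the one posted above, while the pfSense interface addresses and routing tables, the `trace` helper and the simplified automatic-outbound-NAT rule are all constructed assumptions for illustration.

```python
"""Constructed model of the thread's routing problem (not pfSense code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route is (destination prefix, next hop or None when on-link, interface name).
Route = Tuple[str, Optional[str], str]

# Client table as posted in the thread (192.168.10.40 with default via the pfSense LAN IP).
CLIENT_ROUTES: List[Route] = [
    ("192.168.10.0/24", None, "eth0"),
    ("169.254.0.0/16", None, "eth0"),
    ("0.0.0.0/0", "192.168.10.1", "eth0"),
]

# Assumed pfSense interface addresses: the working /27 WAN and the broken /32 variant.
PFSENSE_IFACES: Dict[str, str] = {"lan": "192.168.10.1/24", "wan": "100.200.0.200/27"}
PFSENSE_IFACES_32: Dict[str, str] = {"lan": "192.168.10.1/24", "wan": "100.200.0.200/32"}

# Assumed pfSense routing tables: without a WAN gateway and with the ISP gateway set.
PFSENSE_NO_GW: List[Route] = [
    ("192.168.10.0/24", None, "lan"),
    ("100.200.0.192/27", None, "wan"),
]
PFSENSE_WITH_GW: List[Route] = PFSENSE_NO_GW + [("0.0.0.0/0", "100.200.0.193", "wan")]


def gateway_on_link(interface_addr: str, gateway: str) -> bool:
    """True if the gateway lies inside the subnet implied by the interface address/prefix."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(interface_addr).network


def lookup_route(routes: List[Route], dst: str):
    """Longest-prefix match; returns (network, next_hop, dev) or None if nothing matches."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


def outbound_nat_source(src: str, egress_dev: str, ifaces: Dict[str, str]) -> str:
    """Simplified 'automatic outbound NAT': LAN sources leaving the WAN get the WAN address."""
    lan_net = ipaddress.ip_interface(ifaces["lan"]).network
    if egress_dev == "wan" and ipaddress.ip_address(src) in lan_net:
        return str(ipaddress.ip_interface(ifaces["wan"]).ip)
    return src


def trace(client_routes: List[Route], router_routes: List[Route],
          ifaces: Dict[str, str], src: str, dst: str) -> Optional[List[str]]:
    """Follow a packet from the client through pfSense; None means it is dropped."""
    hit = lookup_route(client_routes, dst)
    if hit is None:
        return None
    _, via, dev = hit
    if via is None:  # same subnet, never reaches the router
        return [f"client {src} -> {dst} on-link via {dev}"]
    hops = [f"client {src} -> next hop {via} via {dev}"]

    hit = lookup_route(router_routes, dst)
    if hit is None:  # the 'no WAN gateway set' case: no default route
        return None
    _, via, dev = hit
    if via is not None and not gateway_on_link(ifaces[dev], via):
        return None  # the /32 case: next hop is not reachable on that interface
    new_src = outbound_nat_source(src, dev, ifaces)
    hops.append(f"pfSense: {new_src} -> {via or dst} via {dev}")
    return hops


if __name__ == "__main__":
    for label, table, ifaces in [("no WAN gateway", PFSENSE_NO_GW, PFSENSE_IFACES),
                                 ("WAN /32", PFSENSE_WITH_GW, PFSENSE_IFACES_32),
                                 ("WAN /27 + gateway", PFSENSE_WITH_GW, PFSENSE_IFACES)]:
        print(label, "->", trace(CLIENT_ROUTES, table, ifaces, "192.168.10.40", "8.8.8.8"))
```

Only the last configuration forwards the packet, and it leaves the WAN with 100.200.0.200 as the source, which is what the thread's working setup does; the first two return `None`, matching the all-timeouts traceroute posted above.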

