Can resolve names OK, can't pass traffic otherwise to OPT1 (wireless)
-
Hi,
I've worked with pfSense a few times for work, quite successfully (making an OpenVPN router) and that's great. Thanks for that, guys, ;). However, now I am trying to configure pfSense for myself and a few neighbors and am having trouble, probably due to my own ignorance, as pfSense is very intuitive and well-designed!
My pfSense box is a Soekris box with a wireless NIC in it. I am running 1.2-RC2 embedded. It seems to work fine. For my test network, I have a mac computer sharing its internet connection to the LAN. On the pfSense box, I have bridged the LAN interface to the WAN interface and have enabled the filtering bridge. The pfSense box is connecting via its WAN port. I don't know if this is right, but in production, there will be no wired LAN and this was the only way I could find to let the box run with the LAN port disconnected. So from the pfSense box, I can ping the internet just fine from the LAN and WAN interfaces. When I try to ping from the OPT1 interface (Wireless) I cannot ping past the interfaces.
Now, if I take a wireless laptop and connect to my WLAN/OPT1 on the pfSense box (which works flawlessly), I can bring up the admin web pages just fine. If I try to ping, or otherwise go past the box, I get 'host unreachable' errors or somesuch. However, I can resolve names using nslookup on the laptop from OPT1.
My rules are very relaxed [ * * * * * * ] on all three interfaces (LAN, WAN, OPT1) for now. I've tried disabling the firewall altogether and I still can't get traffic to actually pass to OPT1 from the internet, even though I can resolve names.
So something is getting through, I just need an education in either rules or routing and I will be very grateful.
Thank you all very much! – ;D
Nick
-
Take a look at
http://pfsense.trendchiller.com/transparent_firewall.pdf
As I understand it, your setup is something like this:

                     bridged
                    /
next-hop -------WAN---pfSense-----LAN
                         |____ OPT1

Clients on your LAN need as gateway the IP of your next hop.
Clients on your OPT1 need as gateway the IP of your pfSense on OPT1.
Or could you post a figure of how your network should look if the above picture is wrong?
-
Take a look at
http://pfsense.trendchiller.com/transparent_firewall.pdf
As I understand it, your setup is something like this:

                     bridged
                    /
next-hop -------WAN---pfSense-----LAN
                         |____ OPT1

Clients on your LAN need as gateway the IP of your next hop.
Clients on your OPT1 need as gateway the IP of your pfSense on OPT1.
Or could you post a figure of how your network should look if the above picture is wrong?
Yes, your picture is correct, thank you, and my OPT1 clients are using the IP of OPT1 as default gateway. What else could be missing? This is so close, I just can't quite get it to work. AFAIK, I am following the PDF, making the proper interface substitutions. Thanks, Gruens. – Nick
-
Make sure you are on 1.2-RC1.
-
Make sure you are on 1.2-RC1.
Will do. Thank you very much. Will I be able to restore my config from RC2?
Nick
-
RC1 or better. If you are already on RC2 then you are on the latest.
-
Thank you, Scott. Have tried both RC1 and RC2. Still can't ping past the pfSense box, although nslookup works. Any help/pointers appreciated.
Thanks,
Nick
-
Enable advanced outbound NAT in Firewall -> NAT. Click Save. Does it work now?
Also, did you add a rule to OPTX permitting everything to test?
-
Hi Scott,
I enabled advanced outbound NAT in Firewall -> NAT and saved. Still no change. Now I do have a firewall rule for OPT1 that is:
[ * * * * * * ]. Is that right?
Also, in Firewall > NAT > Outbound, I created a rule:
[ WAN 192.168.3.0/24 * * * * * NO ] (similar to the auto-created rule for LAN), where 192.168.3.0/24 is my OPT1 subnet. Am I on the right track?
Thank you
-
OK, some progress! ;) Since I am bridging LAN to WAN, I created an Advanced Outbound NAT rule like this:
[ LAN 192.168.3.0/24 * * * * * NO ] where 192.168.3.0/24 is my OPT1 subnet. I can now ping from OPT1 to the internet via the GUI. Now to just get that working on a client machine associated to OPT1. Thanks in advance.
NickZ
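The symptom running through this thread (names resolve from OPT1, nothing else passes until an outbound NAT rule covers the OPT1 subnet on the interface the packets actually leave through) can be modelled in a few lines. The following is an added example, not pfSense code and not anything posted in the thread. The OPT1 subnet 192.168.3.0/24 comes from the posts; the LAN subnet 192.168.1.0/24, the firewall's interface addresses, the WAN address 10.0.0.2, the egress interface name and the destination 198.51.100.1 are constructed assumptions.

```python
"""Toy model of pfSense-style outbound NAT lookup.

Added illustration for the thread above; it is not pfSense code.  Only the
OPT1 subnet is taken from the posts, everything else is a labelled assumption.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class OutboundNatRule:
    """One row of Firewall > NAT > Outbound: interface, source network, NAT address."""
    interface: str
    source: ipaddress.IPv4Network
    nat_address: str  # what the packet's source becomes, e.g. the WAN address


# From the thread: OPT1 (wireless) is 192.168.3.0/24.
OPT1_NET = ipaddress.ip_network("192.168.3.0/24")

# Constructed assumptions for the rest of the picture.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN subnet
WAN_ADDRESS = "10.0.0.2"                           # assumed address from the next hop
# Addresses owned by the pfSense box itself (LAN, OPT1 and WAN sides), assumed.
FIREWALL_ADDRESSES = {"192.168.1.1", "192.168.3.1", WAN_ADDRESS}


def auto_lan_rule(egress_interface: str) -> OutboundNatRule:
    """The rule pfSense auto-creates for the LAN subnet when advanced outbound NAT is enabled."""
    return OutboundNatRule(egress_interface, LAN_NET, WAN_ADDRESS)


def classify_flow(src: str, dst: str, rules: list, egress_interface: str) -> str:
    """Return what happens to a packet src -> dst leaving via egress_interface.

    "handled-locally": destination is the firewall itself (DNS forwarder, web GUI),
                       so the packet never reaches outbound NAT at all.
    "translated":      a rule on the egress interface matches the source network.
    "untranslated":    no rule matches; the packet leaves with its private source
                       address and the reply has no usable route back.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if str(dst_ip) in FIREWALL_ADDRESSES:
        return "handled-locally"
    # First matching rule wins, and the interface must be the one the packet leaves on.
    for rule in rules:
        if rule.interface == egress_interface and src_ip in rule.source:
            return "translated"
    return "untranslated"


if __name__ == "__main__":
    # Egress is LAN here because the poster reports the rule had to sit on LAN
    # in the LAN/WAN bridged setup; that choice is an assumption of this model.
    egress = "LAN"
    only_lan = [auto_lan_rule(egress)]
    with_opt1 = only_lan + [OutboundNatRule(egress, OPT1_NET, WAN_ADDRESS)]
    print("nslookup to the box:", classify_flow("192.168.3.10", "192.168.3.1", only_lan, egress))
    print("ping out, LAN rule only:", classify_flow("192.168.3.10", "198.51.100.1", only_lan, egress))
    print("ping out, OPT1 rule added:", classify_flow("192.168.3.10", "198.51.100.1", with_opt1, egress))
```

The first call explains why nslookup works while ping fails: a DNS query from an OPT1 client terminates at the DNS forwarder on the box and is answered without ever passing through outbound NAT. Forwarded traffic does pass through it, and with only the auto-created LAN rule an OPT1 source is left untranslated. The model also shows that a rule on a different interface than the one the packet leaves on does not match, which is consistent with the poster's first attempt on WAN failing and the LAN rule working in the bridged setup.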