Netgate Discussion Forum

    Can't ping from OPT1 to internet, but can resolve names

    Category: NAT
    9 Posts 2 Posters 4.3k Views
    nickz

      Hi pfSense community,

      I've been informed that I have a NAT issue on my pfSense box so I am posting here.  Hope that is all right.

      What I have is LAN bridged to WAN.  I did this because it was the only way I could find to have pfSense run without LAN connected.  My third interface, OPT1, is a wireless card and that works fine.  Hopefully, my box will be a wireless-only router connected to the internet and serving WiFi clients in my apartment complex.

      After bridging, and after some advice from Scott and others, I switched on Advanced Outbound NAT with the following mappings:

      Interface  Source          Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port
      LAN        192.168.3.0/24  *            *            *                 *            *         NO
      WAN        192.168.2.0/24  *            *            *                 *            *         NO

      where 192.168.3.0/24 is my OPT1 subnet and 192.168.2.0/24 is my LAN subnet.

      With this configuration, I can ping all three interfaces of pfSense from a WiFi client, but not past.  Using the ping utility of pfSense, I can ping internet hosts by name from OPT1.  I can also resolve names from the WiFi client.  Just can't make a connection to an internet host.

      I don't know what to do but I will keep trying.  Perhaps a virtual IP?

      Any help GREATLY appreciated.

      Thanks,
      NickZ

      Yeager: "I'm taking her up for testing.  Any objections?"
      Tower: "No sir.  No objections.  You are clear to taxi."
      Tower: ("He must have clearance, right?" "Yeah sure, he must.  It's here someplace…")

      GruensFroeschli

        One thing that jumps out at me:

        > What I have is LAN bridged to WAN.  I did this because it was the only way I could find to have pfSense run without LAN connected.

        If one interface of the bridge is down, the whole thing will be down.
        If you don't want to use your LAN, you don't need to bridge it. Just leave it be.
        What I don't understand is why you created a NAT rule for your LAN. If you bridge it, you shouldn't need NAT for this interface, since the gateway of the clients on the LAN is the next hop past pfSense (-> pfSense does NO NAT for them).

        The rules you created allow you to ping from your OPT1 into your LAN.
        You don't have a rule that allows you to the internet.
        For that you need an additional line like:

        Interface  Source          Source Port  Destination     Destination Port  NAT Address  NAT Port  Static Port
        LAN        192.168.3.0/24  *            192.168.2.0/24  *                 *            *         NO
        WAN        192.168.3.0/24  *            *               *                 *            *         NO
        WAN        192.168.2.0/24  *            *               *                 *            *         NO

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        nickz

          OK,

          I've broken the bridge and created the mappings you outlined.  Now I can ping the next hop in my home network from a WiFi client, but not the internet anymore from pfSense.  So partial progress!  ;)  I've tried resetting states but no change.

          Anything else I might try?

          Thank you so much, Gruens,

          Nick

          GruensFroeschli

            OK, if you broke the bridge it gets easier:
            I assume you want your OPT1 and your LAN to get NAT'ed to the internet.

            You can remove the rules above and replace them with a single line:

            Interface  Source  Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port
            WAN        any     *            *            *                 *            *         NO

            Or, if you're paranoid, change that to two lines with your two subnets (on OPT and LAN) as source, like this:

            Interface  Source          Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port
            WAN        192.168.2.0/24  *            *            *                 *            *         NO
            WAN        192.168.3.0/24  *            *            *                 *            *         NO

            After that you just need to create rules under Firewall -> Rules for each interface:
            allow traffic from your LAN, and allow traffic from your OPT to the internet, or from LAN to OPT, or from OPT to LAN (rules are processed on the interface on which the traffic comes in, and from top to bottom).

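To make the point of the two replies above concrete (why nickz's original outbound NAT table did nothing for OPT1 clients heading to the internet, and why the WAN-only table fixes it), here is a small first-match model of pfSense Advanced Outbound NAT. This is an added illustration, not pfSense code or anything GruensFroeschli posted; it assumes the un-bridged setup and only models the Interface, Source and Destination columns, since those decide the match here.

```python
"""Added illustration (not pfSense code): a minimal first-match model of
pfSense Advanced Outbound NAT, used to show why the thread's original
mappings left OPT1 traffic un-NAT'ed on the way to the internet."""
from ipaddress import ip_address, ip_network

# Columns mirror the thread's table: Interface, Source, Destination.
# "*" means any, as in the pfSense GUI. Ports and NAT address are omitted;
# they are not what decides the match in this thread.
ORIGINAL_MAPPINGS = [
    ("LAN", "192.168.3.0/24", "*"),   # OPT1 subnet, but on the LAN interface
    ("WAN", "192.168.2.0/24", "*"),   # LAN subnet only
]

# GruensFroeschli's corrected table once the bridge is gone: both internal
# subnets are translated when leaving WAN (the single "any" line is
# equivalent for this purpose).
CORRECTED_MAPPINGS = [
    ("WAN", "192.168.2.0/24", "*"),
    ("WAN", "192.168.3.0/24", "*"),
]


def _matches(field, addr):
    """A table cell matches an address if it is "*" or a containing network."""
    return field == "*" or ip_address(addr) in ip_network(field)


def outbound_nat_applies(mappings, out_iface, src, dst):
    """Return the first mapping that translates a packet leaving `out_iface`
    from `src` to `dst`, or None if it leaves un-NAT'ed.
    Outbound NAT is evaluated on the interface the packet exits, so a rule
    bound to LAN never touches traffic that pfSense sends out of WAN."""
    for iface, source, dest in mappings:
        if iface == out_iface and _matches(source, src) and _matches(dest, dst):
            return (iface, source, dest)
    return None


if __name__ == "__main__":
    # Constructed sample: a WiFi client on OPT1 reaching an internet host,
    # which pfSense routes out of WAN.
    pkt = ("WAN", "192.168.3.20", "203.0.113.10")
    print("original :", outbound_nat_applies(ORIGINAL_MAPPINGS, *pkt))   # None
    print("corrected:", outbound_nat_applies(CORRECTED_MAPPINGS, *pkt))
```

With the original table the OPT1 packet leaves WAN with its private source address intact, so the upstream router has no reply path; the corrected table matches it on WAN.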
            nickz

              Okay,

              So far so good. Could you provide an example of such rules?  Do I create them on each interface (LAN, OPT1), or on the WAN interface?  I think I have them already but it still does not work.  Sorry to be so uneducated.

              Thank you again, Gruens,

              NickZ

              GruensFroeschli

                You create the rules on the interface:
                I allow from everywhere to everywhere.
                If you want to restrict access, change the rule accordingly.

                One thing I just remembered: you said you ping another router as next hop.
                Could you check at "Interfaces -> WAN", at the bottom, whether you have checked "Block private networks"?

                Attachments: WLAN.JPG, LAN.JPG

                nickz

                  Now I've lost the whole box.  I had that ping to next hop working, then it just stopped.  I've rebooted.  Man I feel like a fool.  Should I re-install?

                  Sorry Gruens,
                  NickZ

                  nickz

                    OK, I'm back.  I restored a config, then put in your settings.  I am pinging my gateway again, although not the internet.  So thanks for your help, Gruens.  I really appreciate it.  It must be the router or something external to pfSense, although if there is more to this, I'd gladly hear it and acknowledge it.

                    NickZ

                    nickz

                      OK,

                      I think I got it!  Through setting my outbound advanced NAT mappings for each interface with a rule of source any, * * *, etc., and enabling the filtering bridge in the advanced setup, it all worked!  Granted, traffic seems to be flowing through my LAN interface rather than WAN, but I can sort that out later (this is on a test network with a software router on my Mac so… ;) ).  So thanks!!!

                      NickZ

                      P.S. I've attached a screen-shot of my routes-table here.

                      Attachment: routes.png

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.