Basic routing help for noob

therampant · Jul 30, 2013, 9:29 AM

Hi,

I have an OVH server which has 1 physical NIC. This server has Xen Server installed. Inside Xen Server I have a pfSense virtual machine with 2 interfaces.

Xen center has an interface xenbr0 which is the wan connection from the server to the net. This has an ip address of 12.12.12.122, a broadcast address of 12.12.12.255 and a netmask of 255.255.255.0

re0 is the WAN interface with the same mac address as the physical NIC. However re0 uses one of OVH's fail over Ips with a virtual mac address. re0 has ip address 13.13.13.133, a broadcast address of 13.13.13.133, a netmask of 255.255.255.255 and the gateway is 12.12.12.255 This configuration is working ok, with pfSense able to download packages from the net.

re1 is a LAN, a virtual network interface created in Xen Server, has DCHP server turned on turfing out ip's between 172.20.10.1 and 172.20.10.254, cidr /24, the DNS servers are 8.8.8.8, and 8.8.4.4.

I am not able to access the internet from the LAN. If I run a live cd as a virtual machine and give it re1 as an interface, an Ip address is assigned, dhcp works and i can access the pfsense interface on 172.20.10.1. I am able to ping 13.13.13.133 but I am not able to ping 12.12.12.122 nor 8.8.8.8.

Please help. I am confused.

podilarius · Jul 30, 2013, 2:04 PM

On the WAN interface on the pfsense machine, is block private IPs option set?
If you traceroute, where does it stop?
What is the status of NAT?

therampant · Jul 30, 2013, 4:14 PM

@podilarius:

On the WAN interface on the pfsense machine, is block private IPs option set?

No but block bogon network is

@podilarius:

If you traceroute, where does it stop?

test vm only has tracepath installed
$ tracepath 8.8.8.8
1: vm.local 0.1ms pmtu 1500
1: 172.20.10.1 1.0ms
1: 172.20.10.1 1ms
2: no reply

@podilarius:

What is the status of NAT?

Firewall NAT port forward
Nothing set
Firewall NAT 1:1
Nothing set
Firewall NAT outbound
Automatic outbound NAT rule generation default rules

podilarius · Jul 30, 2013, 5:44 PM

Cannot trust tracepath. I tried it on system that can ping out and also traceroute and it just doesn't work.
If you are on a live CD, just do "sudo su -" or just a "su -" and see if traceroute is available.
Otherwise ping along the path you know. So, you should be able to ping LAN, and WAN of the pfsense. Then, you should be able to ping the default gateway of pfsense.
Try a reboot if you have not already.

kejianshi · Jul 30, 2013, 6:25 PM

Did you go into your pfsense firewall > rules > Lan and put in a rule to pass traffic to anywhere?

The fact that you can ping things inside the network but not outside makes me wonder about your firewall rules.