Classless IP does not go to the internet
-
Gentlemen, I'm trying to use a classless subnet here where I work, but I'm encountering some errors with pfsense.
The scenario is: I need a /22 subnet in order to use the full range of 192.168.252.1 to 192.168.255.254. My pfsense is configured as 192.168.254.6/22, and I need to set the DHCP machines as 192.168.253.x/22. But when I do this, the internet on them does not work; Windows is set to 192.168.253.100/22 with gateway 192.168.254.6.
They all ping each other, but the machines do not access the internet at all. I'm trying this by setting the IP manually; I have not put that on the DHCP server yet.
Can you guys help me?
Thanks in advance.
Regards.
-
And what did you set up as DNS? Kind of hard to use the internet without DNS. Can you ping the pfsense LAN IP? Can you ping the pfsense WAN IP? Can you ping your pfsense gateway from pfsense or from the client?
Have you rebooted pfsense since you changed its LAN IP from default? What are your LAN firewall rules?
-
Hi John. Thanks for the initial help, and sorry for the lack of info. Here are the answers to your questions:
1 - The DNS setting, both on the computer and on the pfsense, is 208.67.222.222 and 208.67.220.220 (OpenDNS);
2 - Yes, I can ping the pfsense LAN IP;
3 - From outside, no, because I've forbidden it, but once I changed the firewall rule, I can;
4 - From pfsense I can ping my WAN IP, the WAN gateway from my ISP and the internet itself;
5 - Yes, I've rebooted it once I changed only its mask, from /24 to /22;
6 - I've attached my firewall rules.
Thanks again for the help.
Another piece of info is my configs, for the two scenarios:
How it works:
IP Address: 192.168.254.100
Mask: 255.255.252.0
Gateway: 192.168.254.6
DHCP: 192.168.254.6
DNS: 208.67.222.222;208.67.220.220
How it does not work:
IP Address: 192.168.253.100
Mask: 255.255.252.0
Gateway: 192.168.254.6
DHCP: 192.168.254.6
DNS: 208.67.222.222;208.67.220.220
-
For starters, your rules don't seem right to me. Since when does anything talk from 25 to 25? I find it quite unlikely that SMTP is using a source port of 25.
What is the alias Ramais IP for? You're blocking it from going anywhere, so where are you testing from?
What is the BloqueioInternet alias? You're blocking it as well.
Also, DNS can sometimes use TCP, so if you're going to allow your client to go directly out for DNS then you should allow UDP/TCP. But what I found odd is that you allow this Ramais IP to go out for DNS, but then block it from doing anything. What is the point of allowing DNS? Also, you do understand that pfsense can run dnsmasq, so you don't have to allow your clients directly out on DNS; they can just use the pfsense LAN IP as their DNS server, and then pfsense will go ask whoever you set it to use for DNS.
Are you doing manual NAT that might not be set up for your new /22? I would leave outbound NAT as Auto, and once you change your pfsense LAN IP make sure you reboot. If it is not working, set it to manual and look at what it set up.
I am also curious as to what you're trying to do with your port 25 SMTP rules in general, outside the odd source port setting; 99.9% of the time you're not going to be seeing source ports in firewall rules. I have not seen a client talk directly to 25 in quite some time. Most everything is now done over TLS/SSL etc. on non-25 ports. 25 is normally used for an email server to deliver email to another email server, normally not a client talking to their email server. Are you really sending mail over just open 25?
But if you're changing from /24 to /22 on your pfsense, check your outbound NATs for sure.
On a side note, a /22 is a fairly large broadcast domain. Do you really have that many clients on one segment that you need to use a /22?
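An added illustration of the outbound NAT point above (example code written for this page, not from the thread or from pfSense): it assumes the leftover manual outbound NAT rule still used the old 192.168.254.0/24 as its source network, and checks which clients in the widened /22 such a rule would still translate.

```python
import ipaddress

# Values taken from the thread: the pfsense LAN is 192.168.254.6 and its mask
# was widened from /24 to /22. The stale NAT source is an assumption for the
# demonstration, not something the thread states.
PFSENSE_LAN = ipaddress.ip_interface("192.168.254.6/22")
OLD_NAT_SOURCE = ipaddress.ip_network("192.168.254.0/24")  # assumed stale manual rule
NEW_NAT_SOURCE = PFSENSE_LAN.network                       # 192.168.252.0/22


def subnet_facts(iface):
    """Network, broadcast and usable host range for an interface address."""
    net = iface.network
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "usable": net.num_addresses - 2,
    }


def same_subnet(client_cidr, gateway_cidr):
    """True when client and gateway share one IP network (can talk directly)."""
    a = ipaddress.ip_interface(client_cidr).network
    b = ipaddress.ip_interface(gateway_cidr).network
    return a == b


def nat_covers(nat_source, client_ip):
    """True when the outbound NAT rule's source network matches this client."""
    return ipaddress.ip_address(client_ip) in nat_source


def diagnose(client_ip, nat_source, prefix=22):
    """Explain whether a LAN client would get translated on its way out."""
    if not same_subnet(f"{client_ip}/{prefix}", str(PFSENSE_LAN)):
        return "not on the pfsense LAN subnet"
    if not nat_covers(nat_source, client_ip):
        return "LAN ok, but outbound NAT source does not match: no translation"
    return "LAN ok, NAT ok"


if __name__ == "__main__":
    print(subnet_facts(PFSENSE_LAN))
    for ip in ("192.168.254.100", "192.168.253.100"):
        print(ip, "->", diagnose(ip, OLD_NAT_SOURCE))
    print("192.168.253.100 with /22 NAT ->", diagnose("192.168.253.100", NEW_NAT_SOURCE))
```

The working host from the thread (192.168.254.100) still falls inside the old /24 source, while 192.168.253.100 is on the LAN but outside it, which is exactly the "pings locally, no internet" symptom.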
-
Are you doing manual NAT that might not be set up for your new /22? I would leave outbound NAT as Auto, and once you change your pfsense LAN IP make sure you reboot. If it is not working, set it to manual and look at what it set up.
But if you're changing from /24 to /22 on your pfsense, check your outbound NATs for sure.
John, that helped. When I first started using pfsense, I already had a VoIP PABX inside my network. When I tried to make it work, it did not. I opened some tickets here to try and solve the issue of them not communicating. Some of the users said that I should try and put in the manual NAT so it would work, but it didn't. And I did not undo it.
The port 25, I guess, was a misconfiguration of mine, because some of my users connected directly with my SMTP provider, which used port 25 directly; now (since late 2012) they are using port 587, but I forgot to undo it, or I decided to wait until I built another pfsense with 2.1.
The alias Ramais IP is for my IP extension numbers, from my PABX, that are plugged into my network. They should not use the internet. And they get their IP directly from pfsense, and the DNS is the LAN IP of my pfsense, but they were not syncing time until I set this rule, which was copied from the firewall block log. I did not understand why, not even now when you said:
Also, you do understand that pfsense can run dnsmasq, so you don't have to allow your clients directly out on DNS; they can just use the pfsense LAN IP as their DNS server, and then pfsense will go ask whoever you set it to use for DNS.
Does pfsense have any other config to make the dnsmasq work that I'm not aware of?
Anyways…
The use of /22 is to segment my machines and servers a little bit more.
BloqueioInternet is set to block some of my machines from accessing the internet; some of my machines are for using only the system, not the internet.
I'm still having issues making the extension IPs talk from outside of my network. When I bypass pfsense using another router, quite simple, where I only do port forwarding on the SIP port and the talk ports, it works, so this is not my ISP's issue.
I'm going to try again when I configure another pfsense, since this one has been running since early 2010, I guess.
But thanks a lot for the help ;D
-
You don't have to do anything for dnsmasq to work. It should be on by default, but look under Services: DNS forwarder to see if it is enabled or not, and tweak or adjust the settings as wanted/needed.
Same goes for NTP: your pfsense box can act as NTP for your whole network. No reason to allow this outbound.
As to blocking devices on your network from using the internet, I'm a bit confused by the "ext" in "my IP ext numbers". Are these IPs that are not part of your pfsense LAN IP range? If so, how would they be talking to pfsense in the first place?
But sure, you can set up rules to block specific IPs from using the internet. Keep in mind your current rules block ANY, so they would not even be able to talk to the pfsense LAN IP, which you probably want to allow if you are using pfsense for any local DNS or forwarding of DNS, or NTP for your network. A better rule would be to block them from !LAN IP, which means they can only talk to the LAN IP of pfsense; if anything else is their destination then they would be blocked.
As to the inbound forward: is the pfsense WAN actually a public IP from your ISP, or is it behind some other router doing NAT? You mention another router, so I take it pfsense is behind a NAT?
-
BTW, the first 11 allow rules are pointless and not needed. You are allowing everything with the last rule anyway.