[Solved] I can't get Internet access on the LAN side…



  • Hello. I've been at this for hours. Yes, I have googled this exact problem and found tons of people with the "same" issue, but of course, there is no direct solution that I can apply to my situation.

    Here is my set up so far: I have pfsense installed on a computer where the WAN port is connected to my Linksys router (so my home can still have internet access while I test my firewall). Pfsense WAN obtains a private ip via dhcp from the router. [Note: I am able to ping Internet hosts from my WAN nic via "Ping host" option of Pfsense command menu.] Pfsense LAN nic is set up as 10.0.0.1/24. LAN nic connects to a switching hub. My laptop is connected to the switch so I can be on the LAN and configure pfsense through the web interface.

    Now I know that pfsense initially blocks all traffic by default, so I spent some time playing with firewall rules trying to allow inbound and outbound traffic. After each change I try to connect to the internet from the LAN on the laptop, but every time it fails.

    I'm almost certain it has to be something with the firewall rules because I remember playing with this a few weeks ago and I got on the Internet from the LAN without a problem, both when my pfsense box's WAN nic was connected directly to my modem and when it was connected behind my Linksys router.

    Ultimately I assume this problem is because traffic is not being forwarded between the WAN and the LAN interfaces but I don't know what thing I have to do to get it to work.

    Attached is a composite screenshot of my firewall rules and gateway information. My NAT: Outbound is set to Automatic mode as well.

    ![pfsense help2.jpg](/public/imported_attachments/1/pfsense help2.jpg)


  • Netgate Administrator

    You should not have a gateway on the LAN interface. Remove it and you'll have no problems.

    You shouldn't have those allow rules on WAN, unless you want to allow any traffic from WAN to LAN. A firewall is usually in place primarily to prevent that traffic.  ;)

    Steve



  • Stephew10: I just tried this by going into Interfaces: LAN and chose "none" for gateway. I saved and even restarted pfsense but, 1: I still can't connect to the Internet from the LAN side; 2: Pfsense still shows that there is a gateway of 10.0.0.1 on the LAN under the Status: Gateways menu. I can't seem to remove that..

    Also, I don't quite understand why I wouldn't have a gateway on the LAN side since I have a dhcp server running on it and it essentially is a "gateway" to the other networks/Internet.

    And I don't understand why I would want to disallow traffic from WAN to LAN when that is the whole point of this. I want pfsense to act as a firewall and router for my home network. I want to filter and regulate traffic that comes into my LAN from the WAN.


  • Netgate Administrator

    You may have to remove the LAN gateway from System: Routing: Gateways. Make sure that the WAN gateway is set as default. You may also have to reset the firewall states or reboot the box.

    @dave247:

    Also, I don't quite understand why I wouldn't have a gateway on the LAN side since I have a dhcp server running on it and it essentially is a "gateway" to the other networks/Internet.

    Exactly. The LAN interface is the gateway for the clients, you would expect to find it passed via dhcp to the clients as the gateway. However it is not a gateway for the pfSense box itself and that's what you're setting there.

    @dave247:

    And I don't understand why I would want to disallow traffic from WAN to LAN when that is the whole point of this. I want pfsense to act as a firewall and router for my home network. I want to filter and regulate traffic that comes into my LAN from the WAN.

    Normally the point of the firewall is to prevent any random machine on the WAN side (usually the internet) from opening connections to machines on the LAN side. That is the default setup. LAN side clients can still open connections to the internet though. The stateful firewall knows that the connection was initiated from the LAN and allows traffic back from the internet. There is no need to add allow rules to the WAN interface unless you have servers running that need to accept new connections from the internet.

    Steve
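
An added example, not part of the original thread and not pfSense project code: a Python check for the two misconfigurations discussed above, a gateway assigned to the LAN interface and WAN pass rules that allow any source to any destination. The element names are assumed to follow pfSense's config.xml layout, and the sample config, the gateway name `GW_LAN` and the address 10.0.0.20 are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element names assumed to follow pfSense's config.xml layout.
SAMPLE_CONFIG = """
<pfsense>
  <interfaces>
    <wan><if>em0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>em1</if><ipaddr>10.0.0.1</ipaddr><subnet>24</subnet>
         <gateway>GW_LAN</gateway></lan>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>wan</interface>
          <source><any/></source><destination><any/></destination></rule>
    <rule><type>pass</type><interface>lan</interface>
          <source><network>lan</network></source><destination><any/></destination></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
          <source><any/></source>
          <destination><address>10.0.0.20</address><port>443</port></destination></rule>
  </filter>
</pfsense>
"""

def _is_any(endpoint):
    """True when a <source>/<destination> element matches any address."""
    return endpoint is not None and endpoint.find("any") is not None

def audit(config_xml, wan="wan", internal=("lan",)):
    """Return a list of (check, detail) findings for the given config text."""
    root = ET.fromstring(config_xml)
    findings = []
    # Check 1: an internal interface should not have an upstream gateway set.
    for name in internal:
        gw = root.findtext(f"interfaces/{name}/gateway", default="").strip()
        if gw and gw.lower() != "none":
            findings.append(("gateway-on-internal", f"{name} uses gateway {gw}"))
    # Check 2: enabled pass rules on WAN with any source and any destination.
    for idx, rule in enumerate(root.findall("filter/rule")):
        if rule.findtext("type") != "pass" or rule.findtext("interface") != wan:
            continue
        if rule.find("disabled") is not None:
            continue
        if _is_any(rule.find("source")) and _is_any(rule.find("destination")):
            findings.append(("wan-pass-any", f"rule #{idx} passes any to any on {wan}"))
    return findings

if __name__ == "__main__":
    for check, detail in audit(SAMPLE_CONFIG):
        print(f"[{check}] {detail}")
```

The WAN rule that passes TCP to a single host and port is not flagged, which matches the case of a server that needs to accept new connections from the internet.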



  • Alright, I think I figured out the problem. It was my LAN network card. I started thinking it was that because I had been seeing this error message on the pfSense console: "dc_setcfg failed to force tx to idle state".

    I tried using a USB to RJ45 instead and I am able to get out on the Internet. And it's running very fast. Before, everything was fairly slow. That's what I get for grabbing one of my many old network cards that have been floating around my stuff for years. Something was probably damaged on the card.

    Thanks Steve.



  • Don't use the installer interface to configure your firewall.  I did this for a day.  If you set the ip address to something rather than 192.168.1.1 you'll never get to the internet.  Don't turn on DHCP from the installer either.

    Do your change in the web interface.

    I re-installed several times, and until I stopped making changes in the installer and used the Web Interface I could not get to the internet.


  • Netgate Administrator

    That certainly shouldn't be the case. I have set a different LAN subnet at the initial console interface setup a number of times with no issues.
    If you have found a bug in 2.1 and can pin down the exact circumstances that trigger it I'm sure the devs would love to hear about it in a redmine report. https://redmine.pfsense.org/

    Steve



  • @rhmaddox:

    Don't use the installer interface to configure your firewall.  I did this for a day.  If you set the ip address to something rather than 192.168.1.1 you'll never get to the internet.

    Thank you for this four year old posting.  I built a new 2.3.3-RELEASE-p1 pfSense server today and set the IP address to a different address at the console.  Spent HOURS trying to get any routing from the LAN <> WAN while I could see the WAN was running fine, even with IPv6.  I did a factory reload and set the LAN IP using the web config and this time all is well.  There might be a four year old+ lurking bug in there somewhere!

    There were three gateways, one for the IPv4 and one for the IPv6 of my Comcast connection, but there was also a third one marked "Default" which I could never delete.  After the factory clear and functioning routing I only had the two normal gateways. I'm sure that odd third one was causing the problems.



  • Hello all and sorry for bumping an old thread.

    The reason for doing this is the exact problem that @DKirk had. I changed the LAN IP from console ==> no access to WAN. When I changed the LAN IP via the WebGUI, it worked straight away. I'm on pfSense 2.3.4-RELEASE.

    I have pfSense installed on ESXI 6.5 and I'm using 2 NICs. If I can do anything to provide more info to eliminate this bug I'd be happy to :)


  • Netgate Administrator

    If you can replicate this reliably then please detail the steps taken and result and add it to a redmine ticket: https://redmine.pfsense.org/

    Thanks,
    Steve



  • Now I know that pfsense initially blocks all traffic by default

    And just to correct this sentence from the first post..

    pfSense does not block all traffic by default. It blocks all unsolicited inbound traffic and allows all outgoing traffic by default.  For those that might come along, read that and become confused.

    ;)



  • @chpalmer:

    And just to correct this sentence from the first post..

    pfSense does not block all traffic by default. It blocks all unsolicited inbound traffic and allows all outgoing traffic by default.  For those that might come along, read that and become confused.

    ;)

    My LAN cannot access the internet until I add a firewall rule for LAN to access any outside.


  • Rebel Alliance Global Moderator

    The default rule on LAN is ANY ANY…  So whatever you think your LAN is, it's not the actual LAN interface..  Yes, if you add an opt interface there will be no rules on it and you will have to create them.

    BTW this thread is from 2013, and then someone necro'd it back in 2017..



  • Hey Guys,
    I am new to pfSense and it is quite the journey.
    As for my issue: when I first installed pfSense I had internet working fine but was not able to connect via OpenVPN, so I decided to reboot and was then able to connect to OpenVPN. Then another issue was created: I can no longer connect to the internet via the LAN or OpenVPN connect, but I am able to access all resources on the LAN.
    LAN is 10.X.X.X/8
    VPN is 192.X.X.X/24
    DMZ is 172.16.X.X/12
    WAN
    WAN1
    WAN2

    I have Suricata and Squid on board but I am not blocking anything, just alerting.

    I am also getting an error, see image.

    I am able to ping using the pfSense web interface ping tool using WAN

    and able to connect to VPN.

    Also another question for you guys: how can I use the same gateway for all the WAN interfaces?






  • Hi,

    Your question is not related to the original one (from 2013 !! ).

    For your firewall rule error: see https://forum.pfsense.org/index.php?topic=147333.0

    Btw: new to pfSense and installing right away Suricata, Squid and OpenVPN ….  :o
    What about a step-by-step approach?  ;)


  • Netgate Administrator

    Locking this thread. Waaaaay too old!  ;)


Locked