Masquerade for WAN
I just got pfsense setup and my LAN won't connect to the internet. I followed this guide:
I know this should work by default so I don't understand what I'm missing. My WAN does reside on 192.168.1.0/24 because I'm testing behind my current router so I did uncheck under interfaces-WAN "Block private networks".
Under Firewall: NAT: Outbound I have "Automatic outbound NAT rule generation" selected.
I didn't change LAN firewall rules. I did notice no rules under WAN so I added as a test a rule to allow all but that did't help.
Edit - Gateways removed for LANs (stupid mistake)
What the hell am I missing? Thanks
I did a trace route and my WAN is connecting to the internet but the LAN isn't so at least I know it's pfsense.
To get it to work I had to manually create a NAT rule under Firewall: NAT: Outbound. Check "Manual Outbound NAT rule generation" and create a rule. Select WAN for interface and Source any.
I don't understand why the Automatic didn't work but I'm assuming it's something with how I have my Gataways configured. Under Diagnostics: Routing tables the 127.0.0.1 links to link#6 which is 192.168.6.0/24 and 192.168.6.1 links to link#2 which is 127.0.0.1 so it's a loop. I think if 127.0.0.1 was linked to WAN link#1 then it would work.
The VLAN that I have won't connect to the internet. I do get an IP from pfsense and when I do a traceroute in diagnostics it works fine. I did create a firewall rule to allow the source subnet for the VLAN.
Something that is weird is if I switch from non-VLAN (192.168.6.0, which works) to the VLAN on my computer if I was suffering a website I will be able to go to new pages (not in cache) so that makes me think it's a firewall issue that the connection with the IP was established so it can continue.
I switched NAT->Out Bound back to Auto and the LAN still works so I'm not sure if this will continue to work or not.
Nothing I try will get the VLANs to connect to the internet. The LAN is setup the same as the VLANs so it should be fine.
What I find very odd is that Diagnostics: Traceroute using the Source Address as the VLAN and I can get a trace to google (but it should start at 192.168.110.1 ??? so maybe this feature is broken?)
1 192.168.1.1 (192.168.1.1) 18.913 ms 3.273 ms 21.242 ms 2 .... 8 220.127.116.11 (18.104.22.168) 21.400 ms 22.214.171.124 (126.96.36.199) 19.699 ms * 9 188.8.131.52 (184.108.40.206) 17.503 ms
, ping works too.
PING google.com (220.127.116.11) from 192.168.110.1: 56 data bytes 64 bytes from 18.104.22.168: icmp_seq=0 ttl=46 time=31.310 ms 64 bytes from 22.214.171.124: icmp_seq=1 ttl=46 time=33.401 ms 64 bytes from 126.96.36.199: icmp_seq=2 ttl=46 time=30.263 ms
If I select the Source Address as WAN and host 192.168.110.1 then I just get ****, so this doesn't seem right but using Diagnostics: Ping with the same setup I get a ping```
PING 192.168.110.1 (192.168.110.1) from 192.168.1.135: 56 data bytes
64 bytes from 192.168.110.1: icmp_seq=0 ttl=64 time=0.049 ms
, weird. Edit: Right now I'm using the VLAN (had the LAN up a few minutes ago and was using this site). I can't go to new sites tho, only previous ones.
Under System-Routing-Gateways I add one for the LAN (192.168.6.0/24) with an IP of 192.168.6.1 which is the static IP of that interface. I also applied that to the interfaces->LAN.
Initially this was your problem.
The only time you should ever have a gateway defined on an internal interface is if you have further downstream routers that have other local subnets behind them pfSense needs to know about.
In any normal firewall scenario you should only have gateways defined on WAN interfaces.
To resolve this remove any gateways from the internal interfaces, then remove any gateways (except WAN) from System: Routing: Gateway:, check that the WAN gateway is set as default.
I did realize that during my testing (stupid mistake) and removed all the gateways except for the ones for the WAN but it still won't connect to the internet. Do you have VLANs working with pfsense 2.1?
Searching here I found an old post about not being able to have a LAN and VLANs on the same interface so maybe that is the issue.
It shouldn't be an issue. If you read one of my posts I'm afraid I'm guilty of spreading misinformation on that. :-[
I'll look over all my settings tonight. I'm probably doing something bone headed that is blocking it.
It seems like a firewall rule but the rules I have allow everything just to get this first step done then I'll start blocking. I also think it's the WAN firewall because of being able to view sites that I was using on the LAN when I switch to the VLAN. That would also make me think that the rule allows subnet LAN but blocks VLANs so this would be a WAN rule because a LAN should associate it with the subnet.. I'll make individual allows rules at the WAN for the subnet destinations.
The WAN firewall rule blocks everything incoming by default, but that doesn't stop anything from opening outgoing connections. You should not need to put in any new WAN rules unless you have servers on your LAN that need public access.
This sounds more to me like a DNS problem. Sites you have already opened have their DNS entries cached on the local machine so they can access them directly by IP. New sites require a functioning DNS lookup to find the IP.
Thanks, I'll take a look at that.
I think I tried to ping 188.8.131.52 and 184.108.40.206 from a VLAN and it was a no go. I could be wrong tho. I'll try it again.
timthetortoise last edited by
Could you post up screenshots of your outbound NAT rules, firewall rules for the LAN interfaces, and your interface configurations?
So I had the protocol as TCP and when I change it to any it works.
Maybe this message under selecting the protocol:
Choose which IP protocol this rule should match.
Hint: in most cases, you should specify TCP here.
should be changed.
Thanks for the comments.
There you go.
Ping uses icmp and dns uses udp.
Glad you found it.