Masquerade for WAN
-
The VLAN that I have won't connect to the internet. I do get an IP from pfsense and when I do a traceroute in diagnostics it works fine. I did create a firewall rule to allow the source subnet for the VLAN.
Something that is weird: if I switch from non-VLAN (192.168.6.0, which works) to the VLAN on my computer while I was surfing a website, I will be able to go to new pages (not in cache), so that makes me think it's a firewall issue, i.e. the connection with the IP was established so it can continue.
Any ideas?
-
I switched NAT->Outbound back to Auto and the LAN still works, so I'm not sure if this will continue to work or not.
Nothing I try will get the VLANs to connect to the internet. The LAN is set up the same as the VLANs so it should be fine.
What I find very odd is that in Diagnostics: Traceroute, using the Source Address as the VLAN, I can get a trace to google (but it should start at 192.168.110.1 ??? so maybe this feature is broken?)
```
1 192.168.1.1 (192.168.1.1) 18.913 ms 3.273 ms 21.242 ms
2 ....
8 209.85.248.180 (209.85.248.180) 21.400 ms 209.85.248.178 (209.85.248.178) 19.699 ms *
9 209.85.252.242 (209.85.252.242) 17.503 ms
```
Ping works too.
```
PING google.com (173.194.74.139) from 192.168.110.1: 56 data bytes
64 bytes from 173.194.74.139: icmp_seq=0 ttl=46 time=31.310 ms
64 bytes from 173.194.74.139: icmp_seq=1 ttl=46 time=33.401 ms
64 bytes from 173.194.74.139: icmp_seq=2 ttl=46 time=30.263 ms
```
If I select the Source Address as WAN and host 192.168.110.1 then I just get ****, so this doesn't seem right, but using Diagnostics: Ping with the same setup I get a ping:
```
PING 192.168.110.1 (192.168.110.1) from 192.168.1.135: 56 data bytes
64 bytes from 192.168.110.1: icmp_seq=0 ttl=64 time=0.049 ms
```
Weird.
Edit: Right now I'm using the VLAN (had the LAN up a few minutes ago and was using this site). I can't go to new sites tho, only previous ones.
-
Under System-Routing-Gateways I added one for the LAN (192.168.6.0/24) with an IP of 192.168.6.1, which is the static IP of that interface. I also applied that to Interfaces->LAN.
Initially this was your problem.
The only time you should ever have a gateway defined on an internal interface is if you have further downstream routers that have other local subnets behind them pfSense needs to know about.
In any normal firewall scenario you should only have gateways defined on WAN interfaces. To resolve this, remove any gateways from the internal interfaces, then remove any gateways (except WAN) from System: Routing: Gateway, and check that the WAN gateway is set as default.
Steve
-
I did realize that during my testing (stupid mistake) and removed all the gateways except for the ones for the WAN but it still won't connect to the internet. Do you have VLANs working with pfsense 2.1?
Edit
Searching here I found an old post about not being able to have a LAN and VLANs on the same interface, so maybe that is the issue.
-
It shouldn't be an issue. If you read one of my posts I'm afraid I'm guilty of spreading misinformation on that. :-[
See: http://forum.pfsense.org/index.php/topic,63195.msg342088.html#msg342088
Steve
-
I'll look over all my settings tonight. I'm probably doing something bone headed that is blocking it.
It seems like a firewall rule, but the rules I have allow everything just to get this first step done; then I'll start blocking. I also think it's the WAN firewall because of being able to view sites that I was using on the LAN when I switch to the VLAN. That would also make me think that the rule allows subnet LAN but blocks VLANs, so this would be a WAN rule because a LAN rule should associate it with the subnet. I'll make individual allow rules at the WAN for the subnet destinations.
-
The WAN firewall rule blocks everything incoming by default, but that doesn't stop anything from opening outgoing connections. You should not need to put in any new WAN rules unless you have servers on your LAN that need public access.
This sounds more to me like a DNS problem. Sites you have already opened have their DNS entries cached on the local machine so they can access them directly by IP. New sites require a functioning DNS lookup to find the IP.
Steve
-
Thanks, I'll take a look at that.
I think I tried to ping 8.8.8.8 and 208.67.222.222 from a VLAN and it was a no go. I could be wrong tho. I'll try it again.
-
Could you post up screenshots of your outbound NAT rules, firewall rules for the LAN interfaces, and your interface configurations?
-
So I had the protocol as TCP, and when I change it to any it works.
Maybe this message under selecting the protocol:
"Choose which IP protocol this rule should match.
Hint: in most cases, you should specify TCP here."
should be changed.
Thanks for the comments.
-
There you go.
Ping uses ICMP and DNS uses UDP.
Glad you found it.
Steve
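The root cause in this thread (a pass rule restricted to TCP on the VLAN interface, with pfSense's implicit default deny dropping the UDP DNS lookups and ICMP pings, while HTTP to already-resolved IPs kept working) can be reproduced with a small first-match rule evaluator. This is an added example written for this page, not pfSense code: the rule classes, the `unreachable_protocols` check and the sample traffic from the 192.168.110.0/24 VLAN are all constructed here to illustrate the two rule sets the poster compared.

```python
"""Toy model of per-interface firewall rule evaluation as used in the thread:
rules are checked top to bottom, the first match decides, and anything no
rule matches is blocked (pfSense's implicit default deny on every interface).
Added example, not pfSense's own code; rule sets and traffic are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "tcp", "udp", "icmp" or "any"
    src_net: str  # CIDR the packet's source address must fall inside

    def matches(self, proto: str, src_ip: str) -> bool:
        proto_ok = self.proto == "any" or self.proto == proto
        return proto_ok and ip_address(src_ip) in ip_network(self.src_net)


def evaluate(rules, proto: str, src_ip: str) -> str:
    """Return the action of the first matching rule, else the default deny."""
    for rule in rules:
        if rule.matches(proto, src_ip):
            return rule.action
    return "block"


def unreachable_protocols(rules, src_ip: str, needed=("tcp", "udp", "icmp")):
    """Diagnostic check: which of the protocols normal browsing needs
    (TCP for HTTP, UDP for DNS, ICMP for ping) would this host have blocked?"""
    return [p for p in needed if evaluate(rules, p, src_ip) != "pass"]


# Constructed sample: one VLAN host doing what the poster did.
VLAN_NET = "192.168.110.0/24"
VLAN_HOST = "192.168.110.10"
TRAFFIC = {
    "http to already-resolved ip": "tcp",
    "dns lookup for a new site": "udp",
    "ping 8.8.8.8": "icmp",
}

# The poster's first rule set (protocol left at the hinted "TCP") and the fix.
TCP_ONLY_RULES = [Rule("pass", "tcp", VLAN_NET)]
ANY_PROTO_RULES = [Rule("pass", "any", VLAN_NET)]


def outcome(rules):
    """Map each sample flow to the verdict the rule set gives it."""
    return {name: evaluate(rules, proto, VLAN_HOST) for name, proto in TRAFFIC.items()}


if __name__ == "__main__":
    for label, rules in (("TCP-only pass rule", TCP_ONLY_RULES),
                         ("any-protocol pass rule", ANY_PROTO_RULES)):
        print(label)
        for name, verdict in outcome(rules).items():
            print(f"  {name:30s} -> {verdict}")
        print("  blocked protocols:", unreachable_protocols(rules, VLAN_HOST))
```

Run it and the TCP-only set shows exactly the thread's symptom: the HTTP flow passes while DNS and ping are dropped, so only sites whose addresses are already cached keep loading. The `unreachable_protocols` check is the kind of sanity test worth running mentally on any new interface rule: a "pass" rule that names a single protocol is also an implicit block for every other protocol the clients rely on.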