Masquerade for WAN

  • I just got pfsense setup and my LAN won't connect to the internet.  I followed this guide:

    I know this should work by default so I don't understand what I'm missing.  My WAN does reside on because I'm testing behind my current router so I did uncheck under interfaces-WAN "Block private networks".

    Under Firewall: NAT: Outbound I have "Automatic outbound NAT rule generation" selected.

    I didn't change LAN firewall rules.  I did notice no rules under WAN so I added as a test a rule to allow all but that didn't help.

    Edit - Gateways removed for LANs (stupid mistake)

    What the hell am I missing?  Thanks


    I did a trace route and my WAN is connecting to the internet but the LAN isn't so at least I know it's pfsense.

  • To get it to work I had to manually create a NAT rule under Firewall: NAT: Outbound.  Check "Manual Outbound NAT rule generation" and create a rule.  Select WAN for interface and Source any.

    I don't understand why the Automatic didn't work but I'm assuming it's something with how I have my Gateways configured.  Under Diagnostics: Routing tables the links to link#6 which is and links to link#2 which is so it's a loop.  I think if was linked to WAN link#1 then it would work.

  • The VLAN that I have won't connect to the internet.  I do get an IP from pfsense and when I do a traceroute in diagnostics it works fine.  I did create a firewall rule to allow the source subnet for the VLAN.

    Something that is weird is if I switch from non-VLAN (, which works) to the VLAN on my computer, if I was surfing a website I will be able to go to new pages (not in cache), so that makes me think it's a firewall issue: the connection with the IP was established so it can continue.

    Any ideas?

    I switched NAT->Outbound back to Auto and the LAN still works so I'm not sure if this will continue to work or not.

    Nothing I try will get the VLANs to connect to the internet.  The LAN is set up the same as the VLANs so it should be fine.

    What I find very odd is that Diagnostics: Traceroute using the Source Address as the VLAN and I can get a trace to google (but it should start at  ??? so maybe this feature is broken?)

     1 (  18.913 ms  3.273 ms  21.242 ms
     2 ....
     8 (  21.400 ms (  19.699 ms *
     9 (  17.503 ms

    , ping works too.

    PING ( from 56 data bytes
    64 bytes from icmp_seq=0 ttl=46 time=31.310 ms
    64 bytes from icmp_seq=1 ttl=46 time=33.401 ms
    64 bytes from icmp_seq=2 ttl=46 time=30.263 ms

    If I select the Source Address as WAN and host then I just get ****, so this doesn't seem right, but using Diagnostics: Ping with the same setup I get a ping
    PING ( from 56 data bytes
    64 bytes from icmp_seq=0 ttl=64 time=0.049 ms

    , weird.
    Right now I'm using the VLAN (had the LAN up a few minutes ago and was using this site).  I can't go to new sites  tho, only previous ones.

  • Netgate Administrator


    Under System-Routing-Gateways I add one for the LAN ( with an IP of which is the static IP of that interface.  I also applied that to the interfaces->LAN.

    Initially this was your problem.
    The only time you should ever have a gateway defined on an internal interface is if you have further downstream routers that have other local subnets behind them pfSense needs to know about.
    In any normal firewall scenario you should only have gateways defined on WAN interfaces.

    To resolve this remove any gateways from the internal interfaces, then remove any gateways (except WAN) from System: Routing: Gateway:, check that the WAN gateway is set as default.


  • I did realize that during my testing (stupid mistake) and removed all the gateways except for the ones for the WAN but it still won't connect to the internet.  Do you have VLANs working with pfsense 2.1?

    Searching here I found an old post about not being able to have a LAN and VLANs on the same interface so maybe that is the issue.

  • Netgate Administrator

    It shouldn't be an issue. If you read one of my posts I'm afraid I'm guilty of spreading misinformation on that.  :-[


  • I'll look over all my settings tonight.  I'm probably doing something bone headed that is blocking it.

    It seems like a firewall rule but the rules I have allow everything just to get this first step done, then I'll start blocking.  I also think it's the WAN firewall because of being able to view sites that I was using on the LAN when I switch to the VLAN.  That would also make me think that the rule allows subnet LAN but blocks VLANs, so this would be a WAN rule because a LAN should associate it with the subnet.  I'll make individual allow rules at the WAN for the subnet destinations.

  • Netgate Administrator

    The WAN firewall rule blocks everything incoming by default, but that doesn't stop anything from opening outgoing connections. You should not need to put in any new WAN rules unless you have servers on your LAN that need public access.
    This sounds more to me like a DNS problem. Sites you have already opened have their DNS entries cached on the local machine so they can access them directly by IP. New sites require a functioning DNS lookup to find the IP.


  • Thanks, I'll take a look at that.

    I think I tried to ping and from a VLAN and it was a no go.  I could be wrong tho.  I'll try it again.

  • Could you post up screenshots of your outbound NAT rules, firewall rules for the LAN interfaces, and your interface configurations?

    So I had the protocol as TCP and when I change it to any it works.

    Maybe this message under selecting the protocol:

    Choose which IP protocol this rule should match.
    Hint: in most cases, you should specify TCP here.

    should be changed.

    Thanks for the comments.

  • Netgate Administrator

    There you go.
    Ping uses ICMP and DNS uses UDP.
    Glad you found it.
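    To make the fix in the last two posts concrete, here is an added example (not from this thread, and not pfSense's generated ruleset) written as a pf.conf fragment, since the GUI rule compiles down to pf rules of this shape. The interface name vlan10, the subnet 192.168.10.0/24, and the pfSense address 192.168.10.1 acting as the clients' DNS server are assumptions.

```pf
# Added example: pf.conf fragment mirroring a pfSense VLAN rule.
# Assumed names and addresses; apply only ONE of the variants below.
vlan_if  = "vlan10"
vlan_net = "192.168.10.0/24"
vlan_gw  = "192.168.10.1"    # pfSense on the VLAN, also the DNS forwarder

# pfSense's default policy: everything not explicitly passed is dropped.
block in log all

# WEAK (what the GUI "TCP" hint leads to): only TCP from the VLAN is passed.
# Connections to an IP the client already resolved still work, but DNS
# lookups (UDP/53) and ping (ICMP) are silently dropped, so any site that
# still needs a lookup never loads.
pass in quick on $vlan_if proto tcp from $vlan_net to any keep state

# CORRECTED (Protocol: any, as the thread settled on): all IP protocols from
# the VLAN are passed, so DNS and ICMP work as well.
pass in quick on $vlan_if from $vlan_net to any keep state

# TIGHTER alternative that also works: pass only what the clients need,
# instead of any. DNS to the firewall, ICMP, and web traffic.
pass in quick on $vlan_if proto udp  from $vlan_net to $vlan_gw port 53 keep state
pass in quick on $vlan_if proto icmp from $vlan_net to any keep state
pass in quick on $vlan_if proto tcp  from $vlan_net to any port { 80 443 } keep state
```

On the firewall itself, pfctl -sr lists the loaded rules, so you can confirm whether the pass rule for the VLAN carries "proto tcp" before assuming NAT or the WAN rules are at fault.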

