Having trouble getting Lan to talk to internet



  • I have installed 2.1 and configured the box to look like this:

    Modem/Router --------- Wan_pfSense_Lan --------- Switch --------- Computer

    Wan Interface: (Static)  IP   192.168.1.27
                             Sub  255.255.255.0
                             Gat  192.168.1.1

    Lan Interface: (Static)  IP   10.10.10.1
                             Sub  255.0.0.0
                             Gat  NONE

    Computer: (Static)       IP   10.10.10.5
                             Sub  255.0.0.0
                             Gat  None

    After configuring it this way, I could log into the pfSense box, but could not get out on the internet on either interface. I read through some posts and found one, solved by johnpoz I believe, that said to look at the DNS servers, because on the other post the only DNS server it had listed was itself (127.0.0.0). So I looked at that and mine was that way too, so I corrected this, and what I put in there in addition to that was 192.168.1.1, plus the two DNS servers the Modem/router was using. I thought awesome, that should fix it, but it did only halfway.

    My Wan interface can talk to the outside just fine. I can look at packages and it says latest release, so it is definitely getting out on the internet, no issues whatsoever once I made that change. My Lan side, however, no go.

    So I got a little antsy. I disabled the firewall and NATing completely to see if that was an issue, and that didn't solve anything. I don't want to DHCP on the pfSense box. That's the reason for the static assignment on the computer, but it's hitting the box, so I know the issue is something I must not have done.

    The Firewall and Nat are disabled still, I think Nat has to def. be turned off as the Modem/Router has this turned on, the firewall I wouldn't think would be blocking anything as I never set anything up in the first place. I must share that my ultimate goal is to set this up solely to test as a squid proxy, and one that is not transparent.

    So, what are your thoughts? What have I done to make this not work, in regard to the Lan not getting out? When I traceroute, it hits the box, then nothing, and times out.

    Also IPv6 is disabled



  • There is a checkbox for blocking private networks on the settings for your WAN interface. Uncheck that box, since you're using an internal IP address for your WAN.



  • Computer: (Static)       IP   10.10.10.5
                             Sub  255.0.0.0
                             Gat  None
    

    Computer can talk to the pfSense LAN IP (webGUI, ping it…) because that is in the same subnet (the whole of 10.0.0.0/8 that you have used here). To talk to anything outside the local subnet it has to have a gateway (the way out of the subnet).
    Set Computer gateway to pfSense LAN IP.



  • I have unchecked the boxes suggested as well as put the gateway in on the client machine, but to no avail, still no internet. I also listed the pfSense as the DNS for the client machine. Any thoughts? Don't know why it isn't working.



  • The Firewall and Nat are disabled still, I think Nat has to def. be turned off as the Modem/Router has this turned on, the firewall I wouldn't think would be blocking anything as I never set anything up in the first place.

    Actually you will want NAT from LAN to WAN. The front-end modem/router will not know that the route back to 10.0.0.0/8 is through the pfSense at 192.168.1.27. But if you NAT out from LAN to WAN then the modem/router will see all the traffic coming from 192.168.1.27 and so have no trouble talking to it.
    The other alternative is to add a static route on the modem/router to tell it that 10.0.0.0/8 is reached through 192.168.1.27.
    And make sure that the default LAN allow all rule is still there.
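
The two routing points made in the replies above (a static client needs a gateway to leave 10.0.0.0/8, and the modem/router needs either outbound NAT on pfSense or a static route to send replies back) can be checked mechanically. This is an added example, not part of the original thread or of pfSense; the function `diagnose` and its problem codes are hypothetical, the addresses are the ones posted in the thread, and the modem/router's /24 mask is an assumption.

```python
import ipaddress as ip

def diagnose(client, client_gw, fw_lan, fw_wan, fw_wan_gw, modem,
             outbound_nat, modem_routes=(), dest="8.8.8.8"):
    """Return problem codes for one client -> internet -> client round trip."""
    client, fw_lan = ip.ip_interface(client), ip.ip_interface(fw_lan)
    fw_wan, modem = ip.ip_interface(fw_wan), ip.ip_interface(modem)
    dest, problems = ip.ip_address(dest), []

    # 1. Client: an off-subnet destination needs an on-link gateway (pfSense LAN).
    if dest not in client.network:
        if client_gw is None:
            problems.append("client-no-gateway")
        elif ip.ip_address(client_gw) not in client.network:
            problems.append("client-gateway-not-on-link")
        elif ip.ip_address(client_gw) != fw_lan.ip:
            problems.append("client-gateway-not-firewall")

    # 2. pfSense: a static WAN needs a gateway inside the WAN subnet.
    if fw_wan_gw is None:
        problems.append("wan-no-gateway")
    elif ip.ip_address(fw_wan_gw) not in fw_wan.network:
        problems.append("wan-gateway-not-on-link")

    # 3. Modem/router: the reply goes to the source address it saw. With NAT
    #    that is the pfSense WAN IP (on-link); without NAT it is the client IP,
    #    which needs a static route via the pfSense WAN IP.
    seen = fw_wan.ip if outbound_nat else client.ip
    if seen not in modem.network:
        routed = any(seen in ip.ip_network(net) and ip.ip_address(via) == fw_wan.ip
                     for net, via in modem_routes)
        if not routed:
            problems.append("modem-no-return-route")
    return problems

# Addresses as posted in the thread; the modem/router mask is assumed to be /24.
THREAD = dict(client="10.10.10.5/255.0.0.0", fw_lan="10.10.10.1/255.0.0.0",
              fw_wan="192.168.1.27/255.255.255.0", fw_wan_gw="192.168.1.1",
              modem="192.168.1.1/255.255.255.0")

if __name__ == "__main__":
    print(diagnose(client_gw=None, outbound_nat=False, **THREAD))
    print(diagnose(client_gw="10.10.10.1", outbound_nat=False, **THREAD))
    print(diagnose(client_gw="10.10.10.1", outbound_nat=True, **THREAD))
    print(diagnose(client_gw="10.10.10.1", outbound_nat=False,
                   modem_routes=[("10.0.0.0/8", "192.168.1.27")], **THREAD))
```

An empty list means the model finds no routing gap; it does not cover firewall rules or DNS, which the thread troubleshoots separately.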



  • Per the advice above I have enabled the firewall and Nat, still no internet. Spidey senses tingling, saying maybe I need to configure a rule, but isn't this defaulted to pass traffic, or am I down the wrong path?



  • Firewall->Rules LAN tab should already have a rule allowing all traffic originating from LAN. If there are no rules on LAN, then yes, you do have to add a rule to pass the traffic you want (for starters, pass all and get it working)



  • The rule is there as you said, I did not have to create anything. Any other ideas?



  • This route Diagnostic, should that look that way?




  • There is a rule that passes all Lan activity on the Lan interface, but should there be something on the WAN?






  • That all looks good. This standard config just works out of the box, so I am really struggling to see what has gone wrong without being on the system to click around for 1 minute.
    I can only suspect NAT. Make sure you have set Firewall->Rules, Outbound NAT to Automatic Outbound NAT.
    pfSense will make good NAT rules for this configuration.
    and make sure there is NO gateway defined on LAN.



  • Phil,

    I'm no pro at pfSense. I actually like what I've read about it, and want to start getting a full understanding of it. I have no problem with you logging in; like I said, it's just for learning. I'm on Central time, so if you were serious about that I have no problem, though I'm probably going to crash here in a few. I came across one thing on the forums where one guy stated don't use the installer to set the interfaces. I myself did set those when installing. Could this be an issue, or is that other guy's experience isolated?

    I will check those other Nat settings in the morning. Maybe when I had originally disabled the firewall and the NAT it took out those automatic setups.

    My thinking was that if I disabled those things it would work, then keep working with the firewall to add things and test with, because I knew that it worked before a specific setting. But I'll check out the Nat rules to see what's there; also, honestly, I am confused. If I need to re-install too, no biggie, trying to learn, and I appreciate the help you have been providing.



  • Go to System -> Setup Wizard

    And just go through all the steps again.


  • Netgate Administrator

    @ccottrell1:

    Computer: (Static)       IP   10.10.10.5
                             Sub  255.0.0.0
                             Gat  None

    If your LAN side clients do not have a gateway configured they won't be able to talk to anything outside their own subnet, which is what you're experiencing. If they are using DHCP then the default settings should have sent them the pfSense LAN address as a gateway. If they're using static IPs then add it manually.

    Steve

    Edit: I see Phil already pointed that out!  ::)
    What gateway address did you give them though?



  • I looked and there are default rules for Nat outbound Lan to Wan, localhost to Wan, and isakmp lan to wan. As for gateway, I set it as the pfSense box at 10.10.10.1.


  • Netgate Administrator

    Hmm.
    So if you try and ping, say, google.com from a client machine what is the response? Is DNS working? Can it see a route?
    Is there any particular reason you're using static addressing?

    Steve



  • It times out on the client when trying to ping google.com.

    I statically set the client to test it out as if I had another DHCP server already giving out IPs. Is my thinking wrong there? I was just trying to set it up as if it had been a real life scenario with Microsoft: Microsoft having DNS and DHCP internally, but having clients shooting out to the web through a proxy.

    So I set it static to try and poorly emulate that, but have not got it to work.

    My main goal is to test a proxy with squid. I had never used one, so I heard some things about pfSense, looked it up and seen all the neat stuff that it could do, and figured it would be an awesome learning tool.

    Hope I didn't confuse anyone with those extra details. Main thing is I still can't get out on the client. Maybe I should try to allow it to DHCP and see if I get out. To be honest I don't know why that would work, but I don't know why it's not working statically either.

    What do you think I should do?


  • Netgate Administrator

    It should work just fine with static IPs, it's just easier to overlook something or mis-configure it. It won't hurt to try DHCP though.
    The fact that it times out trying to ping implies it's finding the IP via DNS and has a route to that IP, it's just not receiving a reply.
    If pfSense was blocking that traffic I would expect to see something in the firewall logs, which I'm assuming you're not seeing. So why is it not routing the traffic? Like Phil suggested, it looks like it's not NATing correctly but, as he also said, your NAT rules look good.  ???

    Is it possible you have something else using 192.168.1.1 on your network? A switch or AP perhaps? Check the pfSense ARP table.

    Steve



  • Diagnostics -> Ping -> 8.8.8.8, source address: LAN. What happens?



  • Big Update!

    I read in another post of a guy who stated don't use the initial install to set up the pfSense box; only set the interfaces, don't mess with IP settings, and use only the GUI.

    So I reinstalled pfSense, but this time I only set the interfaces up and kept the Wan unplugged. I logged into the pfSense box through its initial config of 192.168.1.1 and used the wizard to change the IPs to what I had previously stated. When I was done doing that, the last page asked to push reload, so I did. I waited another 5 minutes and then reloaded through the server directly. Once I did this it came back up and I can search the internet, no issues.

    So is that a bug, or is this common knowledge?



  • Uh oh, spoke too soon. Now I can get to the internet from lan, but wan is having some trouble.



  • What you're saying is making no sense. You can access the internet from LAN machines but WAN (which is your internet access side) is having trouble?

    You had/have a misconfiguration somewhere. If this were a bug, this issue would be reported often.



  • blowing me mind, have no clue how lan is working



  • Again, you're making no sense. Please be descriptive on what exactly is working (can you ping out to the internet, like 8.8.8.8, from a machine on your LAN? Can you ping out to the internet, like 8.8.8.8, from your WAN interface within pfSense?) and what isn't. When you say that LAN is working, WAN isn't, but you can get out to the internet, it leads me to believe you're not sure yourself what is actually working.



  • So I see what I did different. I set the client to have its only DNS entry as 192.168.1.1; this is the IP of the router/modem combo. Previously I set the DNS on the client as 10.10.10.1, which is the lan IP of the pfSense box. Still, though, settings for wan are no different than they were before, so I am confused again.

    When I ping from the pfSense box on the wan or lan interface I get complete loss of packets to google.com.

    Pinging 8.8.8.8, I get all those packets.

    However, if you read through all posts, the Wan interface was working, just not the lan interface going out to the internet. Reinstalled, same settings just applied in a different way, and now the Wan interface doesn't appear to be getting out, but the Lan interface appears to be passing traffic.

    However I did set DNS on the client to go to 192.168.1.1, which is the IP of the modem router. I think I really want that to be set to 10.10.10.1 though, as that is the pfSense lan interface.



  • I changed the Wan from static to DHCP to pull from the modem router, and both sides work now. Don't know why that made a difference, but it works.



  • However I did set DNS on the client to go to 192.168.1.1, which is the IP of the modem router. I think I really want that to be set to 10.10.10.1 though, as that is the pfSense lan interface.

    Yes, you want the LAN clients to ask pfSense for DNS queries.

    I changed the Wan from static to DHCP to pull from the modem router, and both sides work now. Don't know why that made a difference, but it works.

    I imagine that the modem/router DHCP server handed pfSense WAN a gateway and a DNS server address that work.
    When setting a static WAN IP you have to manually set the WAN gateway IP (the modem/router's "LAN-side" address), and in System->General Setup put a DNS server IP (so that pfSense knows somewhere to go to on the WAN side to get DNS service).



  • Ok, set the DNS on the client to 10.10.10.1 and it still works.

    Thanks for the help guys. I'll continue on; if I run into more trouble I'll post in the appropriate forum.


  • Netgate Administrator

    Interesting. So did you conclude that changing the LAN address from the console was causing problems? If so, that might well explain a number of other users' reported issues.

    Steve



  • Yes, I would say that by changing that info not through the GUI I had issues. What seemed to correct any issues I had seen came from setting up only the interfaces, then logging into the box at its default IP and changing the rest of the settings there.


  • LAYER 8 Global Moderator

    You had issues because you don't know what you're doing. There are no issues with changing IPs via the cli, other than when you do so it asks for a gateway.. Which seems to confuse the shit out of users..

    Matter of fact I just changed my dmz interface via the cli, bing bang zoom working just fine.

