Netgate Discussion Forum

    No internet access from LAN side

    General pfSense Questions
    17 Posts 5 Posters 6.7k Views
      trex13

      Hello,

      I have installed pfSense on one PC with 2 NICs, running VirtualBox, but don't have internet access from the LAN side whatever I try.
      Here is a detailed diagram. I really need to have this running, but don't know how to troubleshoot this and how to proceed.

        johnpoz LAYER 8 Global Moderator

        What do you mean they can't get on internet?

        What are your LAN rules in pfSense? Do a traceroute on your wifi box - can your wifi box in your drawing ping its gateway?

        So for example – when you do a traceroute, see attached.

        So hop 1 is my pfSense LAN, in yours from your wifi it should be 192.168.3.4, the address of the pfSense LAN.

        Hop 2 in mine is my ISP gateway (internet). In yours it should be your router at 192.168.1.1

        Then in your 3rd hop you should see an internet address.

        So what does yours look like, can clients ping 192.168.1.1? Can they query for DNS from pfSense, which you show is their DNS server?

        So from the command line, can they resolve, say, google when they try and ping?

        C:\>ping www.google.com

        Pinging www.google.com [74.125.225.115] with 32 bytes of data:
        Reply from 74.125.225.115: bytes=32 time=13ms TTL=55
        Reply from 74.125.225.115: bytes=32 time=12ms TTL=55

        See how www.google.com turns into an IP.. does your wifi client get this?

        [Attachment: traceroute.png]

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          trex13

          @johnpoz:

          > What do you mean they can't get on internet?

          Clients on LAN side of pfSense don't have internet connection.

          > What are your LAN rules in pfSense? Do a traceroute on your wifi box - can your wifi box in your drawing ping its gateway?

          No, there is a DHCP server on the LAN interface of pfSense and the wifi router is there only as a wifi AP. Gateway of the wifi router is the LAN interface of pfSense and to my knowledge that is all good, as the client (laptop on diagram) gets pfSense's IP (192.168.3.4) as gateway address via DHCP as it should.

          > So for example – when you do a traceroute, see attached.
          >
          > So hop 1 is my pfSense LAN, in yours from your wifi it should be 192.168.3.4, the address of the pfSense LAN.
          >
          > Hop 2 in mine is my ISP gateway (internet). In yours it should be your router at 192.168.1.1
          >
          > Then in your 3rd hop you should see an internet address.
          >
          > So what does yours look like, can clients ping 192.168.1.1? Can they query for DNS from pfSense, which you show is their DNS server?

          No, clients can't get past the pfSense box LAN side (192.168.3.4). Clients can't ping main router 192.168.1.1 but from the pfSense web interface I can ping main router 192.168.1.1.
          Tried to ping google directly from a client on the LAN side using google's IP and it doesn't work. So it's not a DNS problem.

          You think that I should be able to ping my main router 192.168.1.1 from a LAN side client???
          If I could do that what would be the use of pfSense?
          As I understand it, pfSense is firewall and for clients on LAN side, gateway should be pfSense's LAN IP and that's all. The point is to keep subnets separated and clients on LAN side don't need to know anything about WAN side of pfSense box?
          Am I wrong?

          > So from the command line, can they resolve, say, google when they try and ping?
          >
          > C:\>ping www.google.com
          >
          > Pinging www.google.com [74.125.225.115] with 32 bytes of data:
          > Reply from 74.125.225.115: bytes=32 time=13ms TTL=55
          > Reply from 74.125.225.115: bytes=32 time=12ms TTL=55
          >
          > See how www.google.com turns into an IP.. does your wifi client get this?

          My client gets "destination unreachable".
          I will try to do "tracert" when I get to site and post results here.

          Thank you

            phil.davis

            > No, there is a DHCP server on the LAN interface of pfSense and the wifi router is there only as a wifi AP. Gateway of the wifi router is the LAN interface of pfSense and to my knowledge that is all good, as the client (laptop on diagram) gets pfSense's IP (192.168.3.4) as gateway address via DHCP as it should.

            Yep, that is good - the AP is really just being a dumb AP and the client is being "serviced" from pfSense.

            > You think that I should be able to ping my main router 192.168.1.1 from a LAN side client???
            > If I could do that what would be the use of pfSense?

            In many (most) installs, clients on LAN are allowed to initiate connections to anywhere (e.g. all the various web sites people want to browse…), and "anywhere" happens to include the pfSense WAN subnet (which might be in private or public address space). Typically the firewall is preventing connections being initiated from WAN side.

            > clients on LAN side don't need to know anything about WAN side of pfSense box?

            True, LAN clients do not have to know anything about the WAN side. But if they happen to know some WAN-side IP addresses then they can try to access them.

            I expect your trouble must be something like:
            a) Firewall rules on LAN are not allowing general traffic; or
            b) NAT is not happening from LAN to WAN (is Automatic Outbound NAT on - it is the default and should be on); or
            c) Some other odd config change  :)

            Because pfSense default install should happily allow, NAT and route from LAN to WAN.

            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

              johnpoz LAYER 8 Global Moderator

              "As I understand it, pfSense is firewall and for clients on LAN side, gateway should be pfSense's LAN IP and that's all."

              What??  Do you want pfSense to be a PROXY.. how are you supposed to get to the internet, if you can not talk past pfSense??

              pfSense is a ROUTER/Firewall – for clients to get to the internet they are routed and natted in a normal pfSense configuration.  Yes you can create firewall rules on the LAN side that say only client with IP 1.2.3.4 can talk to 4.5.6.7 on port 21, or port 80, etc.

              But generally speaking as phil already pointed out - LAN clients can create whatever traffic they want going out.  It's unsolicited traffic coming in the WAN where the firewall is mostly used.

              Or like I do between my LAN segments you can do something like this

              Notice the !LAN last rule, this allows anything on my 192.168.2.0/24 segment to go anywhere they want, except my LAN.. So they can talk to the internet.. Say google, but they can not talk to my LAN..  So

              BusyBox v1.22.0 (2014-01-10 06:12:31 CET) built-in shell (ash)
              Enter 'help' for a list of built-in commands.

              root@dd-wrt:~# ping 8.8.8.8
              PING 8.8.8.8 (8.8.8.8): 56 data bytes
              64 bytes from 8.8.8.8: seq=0 ttl=47 time=25.537 ms
              64 bytes from 8.8.8.8: seq=1 ttl=47 time=25.632 ms
              64 bytes from 8.8.8.8: seq=2 ttl=47 time=25.969 ms
              ^C
              --- 8.8.8.8 ping statistics ---
              3 packets transmitted, 3 packets received, 0% packet loss
              round-trip min/avg/max = 25.537/25.712/25.969 ms
              root@dd-wrt:~# ping 192.168.1.100
              PING 192.168.1.100 (192.168.1.100): 56 data bytes
              ^C
              --- 192.168.1.100 ping statistics ---
              5 packets transmitted, 0 packets received, 100% packet loss

              So again let's ask this really simple question "What are your LAN rules in pfSense"

              [Attachment: wlanrulestolan.png]

                trex13

                Here are the screenshots:
                I've done a factory reset of pfSense before that but it didn't help.

                [Attachments: lanrules.JPG, gws.JPG, intfs.JPG, dnslookup.JPG, routes.JPG, nat.JPG]

                  ptt Rebel Alliance

                  You don't need/want a GW on LAN, please remove it ;)

                    phil.davis

                    Somehow people are feeling the urge to specify a gateway on LAN. pfSense understands gateways to be the way out to the rest of the internet (or at least some other networks), and a gateway set on an interface is assumed to be a general way out to "everywhere". One of the gateways has to be the default gateway, and if you specify a gateway on LAN and it is the default gateway then packets are going to spin around somewhere inside LAN and never get out.
                    After removing that LAN gateway, make sure that you have a WAN gateway that points to a real upstream router that gets to the internet, and set that as the default gateway.
                    I wonder if the words describing this in the initial setup scripts can be enhanced in some way so that people do not feel the urge to put a gateway on LAN?

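The routing effect described in the post above, as an added example that is not part of the thread and is not pfSense code: a longest-prefix route lookup showing where a LAN client's packet to 8.8.8.8 goes when the default gateway sits on LAN versus WAN. The subnets, 192.168.3.4 and 192.168.1.1 come from the thread; the GW_LAN address 192.168.3.1 and the name GW_WAN are assumptions, and the model covers only the route lookup, not NAT or firewall rules.

```python
import ipaddress

# Constructed model of the setup in this thread. The subnets and the
# upstream router 192.168.1.1 come from the posts; the GW_LAN address
# 192.168.3.1 and the name GW_WAN are assumptions for illustration.
CONNECTED = {
    "lan": ipaddress.ip_network("192.168.3.0/24"),
    "wan": ipaddress.ip_network("192.168.1.0/24"),
}
GATEWAYS = {
    "GW_LAN": ("lan", "192.168.3.1"),
    "GW_WAN": ("wan", "192.168.1.1"),
}


def build_routes(default_gw):
    """Routing table as (network, next_hop, interface) tuples."""
    iface, hop = GATEWAYS[default_gw]
    routes = [(net, None, name) for name, net in CONNECTED.items()]
    routes.append((ipaddress.ip_network("0.0.0.0/0"), hop, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the decision a router makes per packet."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def forward(routes, ingress, dst):
    """Describe what happens to a packet that arrived on `ingress`."""
    route = lookup(routes, dst)
    if route is None:
        return "dropped: no route"
    _net, hop, egress = route
    if hop is not None and egress == ingress:
        # Default route points back into the network the packet came from.
        return f"hairpin: sent back out {egress} via {hop}"
    via = f" via {hop}" if hop else " (directly connected)"
    return f"forwarded out {egress}{via}"


if __name__ == "__main__":
    for gw in ("GW_LAN", "GW_WAN"):
        print(f"default gateway {gw}: 8.8.8.8 ->",
              forward(build_routes(gw), "lan", "8.8.8.8"))
```
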
                      johnpoz LAYER 8 Global Moderator

                      Yeah, it is becoming a very recurring issue – maybe we need to create BIG FLASHING RED letters that say do not put a GW on this LAN interface unless you fully understand what that means.  And then rethink it and then don't do it!! ;)

                      Can we just remove the option altogether, if you classify it as LAN interface there is NO option to put a GW on it at all.. ;)  Is this connection used as WAN/INTERNET sort of check mark, and if not checked no GW option is even available?  I am almost positive that the wizard of setup clearly skips over asking the question even - doesn't it??

                        trex13

                        @ptt:

                        > You don't need/want a GW on LAN, please remove it ;)

                        There is none selected under LAN interface "gateway" but in "status" there are 2 gateways shown (see screenshots).
                        Did a pfSense restart and nothing changed.

                        [Attachments: GW status.jpg, LAN_GW.jpg, trcrt LAN.jpg, trcrt wan.jpg]

                          ptt Rebel Alliance

                          Please Remove/Delete the "GW_LAN" you Don't Need It !

                          The ONLY GW that a "pfSense default install" (with 2 interfaces, WAN & LAN) Need to work "OK" is the WAN GW

                          [Attachment: pf_WAN_GW.png]

                            johnpoz LAYER 8 Global Moderator

                            3 levels of nats?  Your 3rd hop in your trace is 172.29 which is private as well..

                              trex13

                              @ptt:

                              > Please Remove/Delete the "GW_LAN" you Don't Need It !
                              >
                              > The ONLY GW that a "pfSense default install" (with 2 interfaces, WAN & LAN) Need to work "OK" is the WAN GW

                              Finally it works! Problem was that I didn't know how to delete the LAN gateway because it's under "System>routing" and I tried to remove it under "interfaces>LAN(gateway)". Once I saw your SS I started opening all sub menus under "system" and found the "gateways" menu.

                              Thank you and thank you johnpoz, too.

                                trex13

                                @johnpoz:

                                > 3 levels of nats?  Your 3rd hop in your trace is 172.29 which is private as well..

                                I don't know what address that is and to whom it belongs. I think it belongs to the ISP. Can it be? My router's private LAN address is 192.168.1.1 which is the first hop.

                                  johnpoz LAYER 8 Global Moderator

                                  172.29 doesn't really belong to anyone, it's private address space - just like your 192.168, it's RFC 1918 address space and clearly needed for you to have multiple boxes behind an actual public.  That is what your adsl gateway should be doing.. But you're showing 2 hops past that still private??

                                  I would think you have a hard time doing any sort of unsolicited inbound traffic? Port Forwards.  Shoot I would guess your clients behind pfSense are 4 nats deep, unless your ISP is just routing the privates, then you're only 3 ;)  isp to public, your adsl to pfSense and then pfSense to your LAN clients behind pfSense ;)

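The check discussed in the post above, as an added example that is not part of the thread: it parses Windows `tracert` output and lists the answering hops that sit in RFC 1918 or RFC 6598 space before the first public hop. The sample trace is constructed; only 192.168.3.4, 192.168.1.1 and the 172.29 prefix appear in the thread, and the function names are this example's own.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

# Constructed Windows tracert output from a client behind pfSense. Only
# 192.168.3.4, 192.168.1.1 and the 172.29 prefix come from the thread; the
# other addresses are made up (203.0.113.9 is a documentation address).
SAMPLE = """\
Tracing route to 8.8.8.8 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.3.4
  2     1 ms     1 ms     1 ms  192.168.1.1
  3     9 ms     9 ms    10 ms  10.0.0.1
  4    18 ms    17 ms    18 ms  172.29.0.1
  5     *        *        *     Request timed out.
  6    21 ms    20 ms    22 ms  isp.example [203.0.113.9]
  7    25 ms    25 ms    26 ms  8.8.8.8
"""


def classify(ip):
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    return "cgnat" if addr in CGNAT else "public"


def parse_hops(text):
    """Return [(hop_number, ip_or_None)]; silent hops keep ip=None."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)$", line)
        if not m:
            continue  # header or blank line
        ip = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$", m.group(2))
        hops.append((int(m.group(1)), ip.group(1) if ip else None))
    return hops


def private_hops_before_public(hops):
    """Answering hops in private/shared space before the first public hop.

    This is an upper bound on NAT layers: a private hop may be routed by
    the ISP without translation, which is the caveat raised in the thread.
    """
    private = []
    for _n, ip in hops:
        if ip is None:
            continue  # no reply: cannot classify, so not counted
        if classify(ip) == "public":
            break
        private.append(ip)
    return private


if __name__ == "__main__":
    found = private_hops_before_public(parse_hops(SAMPLE))
    print(len(found), "private hops:", ", ".join(found))
```
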
                                    trex13

                                    @johnpoz:

                                    > I would think you have a hard time doing any sort of unsolicited inbound traffic? Port Forwards.  Shoot I would guess your clients behind pfSense are 4 nats deep, unless your ISP is just routing the privates, then you're only 3 ;)  isp to public, your adsl to pfSense and then pfSense to your LAN clients behind pfSense ;)

                                    I don't have any need for unsolicited inbound traffic on the LAN interface of pfSense. I run pfSense only to have a hotspot (tickets/captive portal - that's the next step) for web surfing. On the WAN side (192.168.1.x - 5-6 clients) I have a few open ports on the main router (192.168.1.1) and all unsolicited inbound traffic passes through the main router fine.

                                      unexpectedly

                                      @johnpoz:

                                      > Yeah, it is becoming a very recurring issue – maybe we need to create BIG FLASHING RED letters that say do not put a GW on this LAN interface unless you fully understand what that means.  And then rethink it and then don't do it!! ;)
                                      >
                                      > Can we just remove the option altogether, if you classify it as LAN interface there is NO option to put a GW on it at all.. ;)  Is this connection used as WAN/INTERNET sort of check mark, and if not checked no GW option is even available?  I am almost positive that the wizard of setup clearly skips over asking the question even - doesn't it??

                                      THIS.

                                      Argh. I've been working on getting VLANs to work and part of that was moving DHCP off the pfSense box so I could configure the subnetting correctly. I didn't notice this put a gateway on pfSense's LAN side. And until this thread, didn't realize that was why the internet just turned off. :(

                                      Thanks though! I hate having my business behind store bought wifi routers.
                                      Chris

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.