No internet access from LAN side

trex13

Hello,

I have installed pfsense in one PC with 2 NICs, running virtualbox but don't have internet access from LAN side whatever i try.
Here is detailed diagram, i should really need to have this running, but don't know how to troubleshoot this and how to proceed.

johnpoz

What do you mean they can't get on internet?

What are you lan rules in pfsense, Do a traceroute on your wifi box - can your wifi box in your drawing ping his gateway?

So for example – when you do a traceroute, see attached.

So hop 1 is my pfsense lan, in yours from your wifi it should be 192.168.3.4 address of pfsense lan.

Hop 2 in mine is my ISP gateway (internet)  In yours it should be your router at 192.168.1.1

then in your 3 hop you should see internet address.

So what does yours look like, can clients ping 192.168.1.1 ?  Can they query for dns from pfsense which you show is there dns server.

So from command line can they resolve save google when they try and ping

C:>ping www.google.com

Pinging www.google.com [74.125.225.115] with 32 bytes of data:
Reply from 74.125.225.115: bytes=32 time=13ms TTL=55         
Reply from 74.125.225.115: bytes=32 time=12ms TTL=55

See how www.google.com turns in ito IP.. does you wifi client get this?

trex13

@johnpoz:

What do you mean they can't get on internet?

Clients on LAN side of pfsense don't have internet connection.

What are you lan rules in pfsense, Do a traceroute on your wifi box - can your wifi box in your drawing ping his gateway?

No, there is DHCP server on LAN interface on pfsense and wifi router is there only for wifi AP. Gateway of wifi router is LAN interface of pfsense and in my knowledge that is all good as client(laptop on diagram) gets pfsens's IP(192.168.3.4) as gateway address via DHCP as it should.

So for example – when you do a traceroute, see attached.

So hop 1 is my pfsense lan, in yours from your wifi it should be 192.168.3.4 address of pfsense lan.

Hop 2 in mine is my ISP gateway (internet)  In yours it should be your router at 192.168.1.1

then in your 3 hop you should see internet address.

So what does yours look like, can clients ping 192.168.1.1 ?  Can they query for dns from pfsense which you show is there dns server.

No, clients can't get past pfsense box LAN side(192.168.3.4). Clients can't ping main router 192.168.1.1 but from pfsense web interface i can ping main router 192.168.1.1.
Tried to ping google directly from client on LAN side using google's IP and it doesn't work. So it's not DNS problem.

You think that i should be able to ping my main router 192.168.1.1 from LAN side client???
If i could do that what would be use of pfsense?
As i understand it, pfsense is firewall and for clients on LAN side, gateway should be pfsense's LAN IP and that's all. The point is to keep subnets separated and clients on LAN side doesn't need to know anything about WAN side of pfsense box?
Am i wrong?

So from command line can they resolve save google when they try and ping

C:>ping www.google.com                                       
                                                             
Pinging www.google.com [74.125.225.115] with 32 bytes of data:
Reply from 74.125.225.115: bytes=32 time=13ms TTL=55         
Reply from 74.125.225.115: bytes=32 time=12ms TTL=55

See how www.google.com turns in ito IP.. does you wifi client get this?

my client gets "destination unreachable".
I will try to do "tracert" when i get to site and post results here.

Thank you

phil.davis

No, there is DHCP server on LAN interface on pfsense and wifi router is there only for wifi AP. Gateway of wifi router is LAN interface of pfsense and in my knowledge that is all good as client(laptop on diagram) gets pfsens's IP(192.168.3.4) as gateway address via DHCP as it should.

Yep, that is good - the AP is really just being a dumb AP and the client is being "serviced" from pfSense.

You think that i should be able to ping my main router 192.168.1.1 from LAN side client???
If i could do that what would be use of pfsense?

In many (most) installs, clients on LAN are allowed to initiate connections to anywhere (e.g. all the various web sites people want to browse…), and "anywhere" happens to include the pfSense WAN subnet (which might be in private or public address space). Typically the firewall is preventing connections being initiated from WAN side.

clients on LAN side doesn't need to know anything about WAN side of pfsense box?

True, LAN clients do not have to know anything about the WAN side. But if they happen to know some WAN-side IP addresses then they can try to access them.

I expect your trouble must be something like:
a) Firewall rules on LAN are not allowing general traffic; or
b) NAT is not happening from LAN to WAN (is Automatic Outbound NAT on - it is the default and should be on); or
c) Some other odd config change  :)

Because pfSense default install should happily allow, NAT and route from LAN to WAN.

johnpoz

"As i understand it, pfsense is firewall and for clients on LAN side, gateway should be pfsense's LAN IP and that's all."

What??  Do you want pfsense to be a PROXY.. how are you suppose to get to the internet, if you can not talk past pfsense??

Pfsense is a ROUTER/Firewall – for clients to get to the internet they are routed and natted in a normal pfsense configuration.  Yes you can create firewall rules on the lan side that say only client with IP 1.2.3.4 can talk to 4.5.6.7 on port 21, or port 80, etc.

But generally speaking as phil already pointed out - lan clients can create whatever traffic they want going out.  Its unsolicited traffic coming in the wan where the firewall is mostly used.

Or like I do between my lan segments you can do something like this

Notice the !LAN last rule, this allows anything on my 192.168.2.0/24 segment to go anywhere they want, except my lan.. So they can talk to the internet.. Say google, but they can not talk to my lan..  So

BusyBox v1.22.0 (2014-01-10 06:12:31 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

root@dd-wrt:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=47 time=25.537 ms
64 bytes from 8.8.8.8: seq=1 ttl=47 time=25.632 ms
64 bytes from 8.8.8.8: seq=2 ttl=47 time=25.969 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 25.537/25.712/25.969 ms
root@dd-wrt:~# ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100): 56 data bytes
^C
--- 192.168.1.100 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

So again lets ask this really simple question "What are you lan rules in pfsense"

trex13

Here are the screenshots:
i've done factory reset of pfsense before that but it didn't help.

ptt

You don't need/want a GW on LAN, please remove it ;)

phil.davis

Somehow people are feeling the urge to specify a gateway on LAN. pfSense understands gateways to be the way out to the rest of the internet (or at least some other networks), and a gateway set on an interface is assumed to be a general way out to "everywhere". One of the gateways has to be the default gateway, and if you specify a gateway on LAN and it is the default gateway then packets are going to spin around somewhere inside LAN and never get out.
After removing that LAN gateway, make sure that you have a WAN gateway that points to a real upstream router that gets to the internet, and set that as the default gateway.
I wonder if the words describing this in the initial setup scripts can be enhanced in some way so that people do not feel the urge to put a gateway on LAN?

johnpoz

yeah it is becoming a very recurring issue – maybe we need to create BIG FLASHING RED letters that say do not put a GW on this LAN interface unless you fully understand what that means.  And then rethink it and then don't do it!! ;)

Can we just remove the option all together, if you you classify it as LAN interface there is NO option to put a GW on it at all.. ;)  Is this connection used as WAN/INTERNET sort of check mark, and if not checked no GW option is even available?  I am almost positive that the wizard of setup clearly skips over asking the question even - doesn't it??

trex13

@ptt:

You don't need/want a GW on LAN, please remove it ;)

There is none selected under LAN interface "gateway" but in "status" there are 2 gateways shown(see screenshots).
Did pfsense restart and nothing changed.




ptt

Please Remove/Delete the "GW_LAN" you Don't Need It !

The ONLY GW that a "pfSense default install" (with 2 interfaces, WAN & LAN) Need to work "OK" is the WAN GW

johnpoz

3 levels of nats?  Your 3rd hop in your trace is 172.29 which is private as well..

trex13

@ptt:

Please Remove/Delete the "GW_LAN" you Don't Need It !

The ONLY GW that a "pfSense default install" (with 2 interfaces, WAN & LAN) Need to work "OK" is the WAN GW

Finally it works! Problem was that i didn't know how to delete LAN gateway because it's under "System>routing" and i tried to remove it under "interfaces>LAN(gateway)". Once i saw your SS i start opening all sub menus under "system" and found "gateways" menu.

Thank you and thank you johnpoz, too.

trex13

@johnpoz:

3 levels of nats?  Your 3rd hop in your trace is 172.29 which is private as well..

I don't know what address is that and to whom it belongs to. I think it belongs to ISP. Can it be? My router's private LAN address is 192.168.1.1 which is first hop.

johnpoz

172.29 doesn't really belong to anyone its private address space - just like your 192.168, it rfc1918 address space and clearly needed for you to have multiple boxes behind an actual public.  That is what your adsl gateway should be doing.. But your showing 2 hops past that still private??

I would think you have a hard time doing any sort of unsolicited inbound traffic? Port Forwards.  Shoot I would guess your clients behind pfsense are 4 nats deep, unless your ISP just routing the privates then your only 3 ;)  isp to public, your adsl to pfsense and then pfsense to your lan clients behind pfsense ;)

trex13

@johnpoz:

I would think you have a hard time doing any sort of unsolicited inbound traffic? Port Forwards.  Shoot I would guess your clients behind pfsense are 4 nats deep, unless your ISP just routing the privates then your only 3 ;)  isp to public, your adsl to pfsense and then pfsense to your lan clients behind pfsense ;)

I don't have any need for unsolicited inbound traffic on LAN interface of pfsense. I run pfsense only to have hotspot(tickets/captive portal - that's next step) for web surfing. On WAN side (192.168.1.x - 5-6 clients) I have few open ports on main router(192.168.1.1) and all unsolicited inbound traffic passes through main router fine.

unexpectedly

@johnpoz:

yeah it is becoming a very recurring issue – maybe we need to create BIG FLASHING RED letters that say do not put a GW on this LAN interface unless you fully understand what that means.  And then rethink it and then don't do it!! ;)

Can we just remove the option all together, if you you classify it as LAN interface there is NO option to put a GW on it at all.. ;)  Is this connection used as WAN/INTERNET sort of check mark, and if not checked no GW option is even available?  I am almost positive that the wizard of setup clearly skips over asking the question even - doesn't it??

THIS.

Argh. I've been working on getting VLANs to work and part of that was moving DHCP off the pfsense box so I could configure the subnetting correctly. I didn't notice this put a gateway on pfsense's LAN side. And until this thread, didn't realize that was why the internet just turned off. :(

Thanks though! I hate having my business behind store bought wifi routers.
Chris