Multiple LANs not accessing the internet



  • Hey all,

    New here and trying to learn pfSense and its abilities. I am registered in a network admin course where we just finished working with routing and routing tables according to the "Microsoft way".

    I now would like to revamp my home network with what I have learned and have different LANs separated yet still accessible to each other and the internet. Seeing that this project is quite large, I am going to start with the immediate issue I am encountering.

    My LAN segment connected to interface LAN is working fine; clients can access the internet.
    I would like to create a wifi hotspot so that my televisions, media centers and PS3s can go freely on the net, uninhibited for now. I followed the numerous tutorials and find that I am able to get an IP for my wireless connections but not able to access the internet. I then went and created a new LAN interface and called it VOIP, as I would like to put my Elastix server on it and keep it segmented in its own broadcast environment. However, anything connected to this interface cannot access the internet either. Would someone be able to help me with this please?

    Setup
    Modem (DHCP) connected to WAN interface

    LAN interface on segment 192.168.1.1 (all clients connected to my switch and D-Link router are able to access the net; this is a Windows environment, so I have DHCP, DNS, PXE boot and so forth set up and configured on this segment).

    VoIP interface on segment 192.168.2.1 (the VoIP server will be connected and isolated to this interface). Clients connected on this interface cannot access the internet, nor can I communicate from the LAN segment to and from it. I would like to isolate it so any traffic incoming or outgoing is strictly for VoIP.

    Wifi interface on segment 192.168.3.1 is going to be for my televisions, media centers and PS3. I would like to have these devices alone connect here and be unrestricted from accessing the internet. If anything, I can remove the wifi interface and connect another LAN-type interface and have a TP-Link router connected to it, so that if I need to use physical cabling for my gadgets, they can access it and the internet.

    Now, no matter how I go about setting up an additional LAN interface other than the default one created during install, I cannot get access to the internet, nor have another segment communicate with them. For example, a VoIP phone on the LAN segment is not able to communicate with the VoIP server on the VoIP interface segment.

    Thanks in advance



  • Post your firewall rules and more detail about your current configuration (DHCP? Static? What's your default gateway on your devices? Etc.). Details about what you're using everything for aren't nearly as important as your actual configuration.



  • You might not have created the rules necessary to pass the traffic. If you at some point switched to manual outbound NAT, then you are going to need to add rules to that also.



  • I am very interested in this answer; my scenario is almost exactly the same.



  • You might not have created the rules necessary to pass the traffic.

    Quite likely, as you have not mentioned anything about rules. pfSense is a firewall. The default settings are to allow nothing, except that it is a little bit nice to new users and allows:
    a) Access to the webGUI on LAN ("anti-lockout" rule) so you have some chance to get in and start configuring it ;)
    b) Pass all on LAN to the "rest of the world", so that for ordinary home users it "just works" out of the box.

    When you add extra LAN interfaces, you have to put some pass rule/s on them - the default is block all.


  • Rebel Alliance Global Moderator

    ^ exactly

    I run multiple segments on my pfSense, and you have to create the rules on them, unlike the default first LAN that is created, where pfSense allows all outbound by default. Any other interfaces added to pfSense will default to block, no rules at all, and you have to add them.

    Example - see attached.

    I allow my wlan segment (192.168.2.0/24) to talk to my NTP server on 192.168.1.40, and I allow my iPad's IP to talk to LAN, internet, DMZ, etc. No rules; it's just open like the default LAN rules.

    But the rest of the wireless clients can only talk to ! (not) LAN network, so they can not create traffic into 192.168.1.0/24, but they can talk to the internet, they can talk to the pfSense wlan interface for DNS, etc. They can talk to the DMZ segment, OpenVPN connected clients, etc. They just can not talk to 192.168.1.0/24 (LAN net).




  • Hey everyone,

    Again, I appreciate the help. I did more investigating and yes, you are all right, it is a FIREWALL foremost... so I looked and saw the rules, and right there it plainly told me that the default setting for my LAN was to allow everything from my LAN net to have unrestricted access outward.
    I tried to replicate the same scenario with my 2nd LAN (VoIP), which I was able to connect to but with no internet access. Just to note, the network card I am using for my LANs is a 4-port gigabit card, so I am using the onboard LAN card as my WAN connection and will use the 4 ports for my internal networks.

    Replicating the LAN rules, I did the same for the VoIP segment, and I did the same for the wifi, where I introduced a USB wifi card. For the wifi I believe I should be using a PCI card variant, as the USB one is... finicky. When I connected with it, the wifi radio on my laptop showed I was connected and that internet access should be available. However, I am just not able to access the internet.

    For the VoIP segment I introduced a wifi router, where I could access the segment with my laptop and see if I could access the internet. The VoIP interface is connected to my router not via the WAN port but a LAN port, so pfSense could handle the IP addressing. Yet again, I am not able to access the internet.

    Since then, I removed the additional segments and started over. I am now looking to introduce a DNS server on each segment to see if this is all I need to get the internet access working. Gateway-wise, I am not sure what to put in other than the IP of the adapter for that specific network. In class we learned the limitations of Windows and routing, and saw that after 3 linear subnets we need to manually modify the routing table. With Linux and a "star" routing concept (1 box to route to many networks and the internet) I am not sure how to proceed. So, based on basics: a DNS on each segment and the gateway set to the specific segment's LAN adapter IP on the pfSense box.

    Posting my pics for everyone.

    Thanks






  • Hi Gemineyez76,

    I noticed that your rule for traffic on the VOIP interface is only allowing the TCP protocol. It should probably be set to "any", as you won't get very far on the internet with just TCP (DNS primarily uses UDP).



  • UPDATE:
    Thanks to vindenesen, TCP was the limiting factor as to why I was not able to surf the net from the VoIP segment. Once I changed it to "any", the internet started functioning right away.

    Just to note for others, my main LAN segment is a Windows domain environment that has an AD DC, DHCP server and PXE boot server. I have a router that is also connected to this segment. So when I got the VoIP segment working with the internet, when connected via a wifi connection, my connection states it is connected "unauthenticated". After investigating, it seems to be doing this because I am connected to another wifi hotspot that is listed as public and my laptop is a domain-joined laptop. Now I also have Kaspersky, which has features that allow me to modify how my detected connections are to be treated. I went into its options and changed the network from public to trusted, and the "unauthenticated" was removed.

    Summary:
    The default LAN has allow rules that enable the LAN to access the internet. When creating an additional segment to access the internet, one then needs to create a firewall rule that allows the specific segment access, with the following options:

    Firewall Rules
    Action: Pass
    Interface: choose the interface for the rule to apply to
    Protocol: I chose "any", but you can choose the specific protocol that you want to communicate with the internet here
    Source: choose what network segment you're working with
    Destination: I chose "any"

    For clients accessing the segment
    I enabled DHCP for the VoIP segment. In there I only put the IP of the VoIP interface card as the DNS server.
    My VoIP server has received a valid IP, as well as my laptop via wifi on the segment.

    If anyone is interested in my project, stay tuned; I will look at posting my version of a howto with pics detailing my steps and the troubleshooting techniques I pick up from here.

    My next step is to get a pfSense DNS that can replicate with my Windows DNS. I'm hoping to get the pfSense DNS as a secondary DNS that will manage each segment of my LAN.



  • Glad to hear it worked out :)

    Just a small remark, and you may be aware of this, but for anyone who's not: when you set destination "any", and no other deny rules exist on the interface, all traffic from VOIP to the LAN subnet is allowed. If you do not want this, you could change the destination part of the rule like this:
    Enable the "Not" option, and change the destination address to "LAN subnet". This will allow all outgoing traffic to the internet, but not to the LAN subnet. If you need to allow some traffic towards the LAN subnet, create rules that specify exactly what traffic you need, and place them before the other rule.

    Edit:
    Just remembered: the order of the rules generally has nothing to say when you don't have rules that reject/block traffic.
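As an added illustration of the rule behaviour covered in the summary post above and in this reply (not code from the thread or from pfSense itself): a small Python model of per-interface, top-down, first-match evaluation with an implicit block, run against the three rule shapes the thread went through. The subnets are the thread's; individual host addresses are constructed.

```python
import ipaddress

# Constructed model of how pfSense evaluates the rules on one interface:
# rules are checked top to bottom, the first match wins, and an interface
# with no matching rule blocks the packet (the default on any added LAN).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
VOIP_NET = ipaddress.ip_network("192.168.2.0/24")
NTP_HOST = ipaddress.ip_network("192.168.1.40/32")  # host from the thread


def matches(rule, proto, src, dst):
    """True if a rule (dict) matches a packet. "any" matches everything;
    dst_not inverts the destination test, like the GUI's "Not" checkbox."""
    if rule["proto"] != "any" and rule["proto"] != proto:
        return False
    if rule["src"] != "any" and ipaddress.ip_address(src) not in rule["src"]:
        return False
    if rule["dst"] != "any":
        in_dst = ipaddress.ip_address(dst) in rule["dst"]
        if in_dst == rule.get("dst_not", False):
            return False
    return True


def evaluate(rules, proto, src, dst):
    """Return the action of the first matching rule, or the implicit block."""
    for rule in rules:
        if matches(rule, proto, src, dst):
            return rule["action"]
    return "block"


# 1) The first attempt in the thread: a pass rule on VOIP limited to TCP,
#    which silently drops UDP DNS lookups.
VOIP_TCP_ONLY = [{"action": "pass", "proto": "tcp", "src": VOIP_NET, "dst": "any"}]

# 2) After vindenesen's fix: protocol "any", destination "any".
VOIP_ANY = [{"action": "pass", "proto": "any", "src": VOIP_NET, "dst": "any"}]

# 3) The refinement: a specific allow to the NTP host placed first, then
#    pass everything whose destination is NOT the LAN subnet.
VOIP_NOT_LAN = [
    {"action": "pass", "proto": "udp", "src": VOIP_NET, "dst": NTP_HOST},
    {"action": "pass", "proto": "any", "src": VOIP_NET, "dst": LAN_NET, "dst_not": True},
]
```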



  • Hey, great point! I did not set mine because I am working from allow everything to restricting to what the segments need.


  • Rebel Alliance Global Moderator

    "In class we learned the limitations of windows and routing and saw that after 3 linear subnets that we need to manually modify the routing table. "

    I am curious about this statement of yours. What exactly is that supposed to mean? Why would you need to create a manual route?