Another "cannot access WAN from LAN" thread

  • Hi Everybody,

    I'm having problems with a really simple pfSense setup: 1 LAN, 1 WAN (PPPoE). The new system will replace existing equipment (consumer grade router with built in modem) which is running fine but lacks some features I need.

    I can access the box form the LAN and pfSense shows WAN as up.

    However I cannot access the Internet neither form the LAN not from the pfSense box itself. :(

    My setup in more detail:

    • Setup from the serial console: vr1_vlan7 and vr0_vlan2. WAN is assigned to vr1_vlan7, LAN is assigned to vr0_vlan2. I assigned to LAN, set the Standard Gateway to, and enabled DHCP.

    • Setup wizard: Apart from a change of the timezone I only configured WAN as PPPoE, configured the PPPoE username and password, enabled Dial on Demand and set the timeout to 0. No other changes.

    WAN / Internet
                : PPPoE-Provider (Deutsche Telekom, ADSL 16.000, Internet has VLAN 7)
          |  Modem  |  D-Link DSL 321B
            WAN | IP
          |  pfSense  |  Alix 2d13 (FW 0.99m)
            LAN |
          | LAN-Switch |
        ...-----+------... several clients in the LAN

    My observations:

    • The modem is operational: I could access the Internet using the modem without the pfSense box and PPPoE on my client computer connected directly into the modem.

    • WAN is up: I see an external IP. There are also a Gateway address as well as Nameservers (which are the same btw. when I connect to the Internet using my current equipment).

    • The Firewall log contains quite a few entries of blocked access attempts from the WAN side.

    • The WAN-Gateway is down: pfSense reports 100% loss.

    • I cannot access Web pages from a Browser also my E-Mail-Client cannot access the Internet.

    • I pinged from the shell on a LAN machine, got timeouts.

    • Internet access is not only blocked from LAN: The pfSense box cannot access the Internet either. I checked the available packages in the general setup and there was an error telling me the access was not possible.

    • Interestingly DNS seems to work from the pfSense box. While investigating firewall log entries the resolution of addresses was possible in several cases.

    Because this is a very simple setup I'm probably missing something very basic. Any ideas?

    Thank you!


  • uess would be that you set a default gateway for LAN. The only thing to set that to is none. Is the IP are are getting on the WAN a private address or a public ip address? HAve you modified any rules in the firewall? When you setup your PC to test, did you have to assign the NIC into VLAN7? There should not need to be a valn set on LAN unless it is fully configured. Are you using only 1 swtich for both sides (LAN and WAN)? CAn you access pfsense gui from a LAN machine?

  • Thank you podilarius! Actually there was a default gateway on the LAN interface, I removed that. Also I can check whether I really need the VLAN7 on the WAN side.

    Unfortunately at the moment I'm having trouble to get my modem to connect to my ISP. When this works again I will see whether this helped.

    When I had a connection yesterday I had a public IP on the interface (modem is configured to work as a bridge). Firewall rules were not modified. I removed the VLAN on the LAN side now however this should not have been the problem. I could connect to the pfSense GUI fine from the LAN.

    I don't understand your question about only one switch for LAN and WAN: There is no switch between pfSense and the modem at all, only on the LAN side.


  • Netgate Administrator

    If you had a gateway on LAN and have now removed it check in System: Routing: Gateways: Remove it from there also and make sure the WAN gateway is set as default.

    What is It's not pingable from here.

    Try running some pings at the pfSense console. Try pinging, say,, to check DNS and


  • This works now.

    As suggested the problem must have been an unneeded gateway on the LAN interface.


  • Please don't set a gateway on LAN or OPT interface unless you want them to act as a WAN. It will just fail. This goes for any LAN type interface.