[SOLVED]pfSense not routing LAN to WAN



  • Hi guys,

    my problem is i don't get the pfsense to route traffic from LAN to WAN but first i will post my setup here:

    The following setup is working for me since ~3 years without any problems.

    ISP == (HomeRouter) 192.168.1.1/24 ==== 192.1.203/24 (pfsense1) 10.0.0.1/24 ==== 10.0.0.0/24 (my LAN Network)

    I have Internet access from "my LAN Network" and everything is ok.

    But now i setup a small Test LAB and have the following addition:

    ISP == (HomeRouter) 192.168.1.1/24 ==== 192.1.203/24 (pfsense1) 10.0.0.1/24 ==== 10.0.0.47/24 (pfSense2) 172.16.0.254/24 ==== 172.16.0.0/24 (Test LAB)

    The problem is, I dont reach the Internet, or "my LAN Network" from Test LAB.

    I tried the following pings:
    172.16.0.10/24 (Test LAB PC) to 172.16.0.254/24 (pfSense2) OK 172.16.0.10/24 (Test LAB PC) to 10.0.0.47/24 (pfSense2 WAN) OK 172.16.0.10/24 (Test LAB PC) to 10.0.0.1/24 (pfSense1) FAIL

    172.16.0.254/24 (pfSense2) to 172.16.0.10/24 (Test LAB PC) OK
    10.0.0.47 (pfSense2) to 10.0.0.1/24 (pfSense1) OK
    10.0.0.47 (pfSense2) to Internet OK

    So basically i have to following problem:
    From my Test LAB, i can ping the pfSense2 on the LAN interface and on the WAN interface, but i can't pingother WAN adresses.

    From the pfSense2 i can ping all the LAN computers and all the WAN computers and Internet.

    But somehow the traffic coming from LAN is stopping at the WAN port and not going into the WAN subnet.

    I have spent many hours before i post so i hope you can help me with this, thanks :-)


  • Banned

    Need to add route to 172.16.0.0/24 via 10.0.0.47 on pfSense1 box.

    System - Routing - Routes
    Destination network: 172.16.0.0/24
    Gateway: 10.0.0.47



  • Thanks for your reply, but that didn't work (attachment)

    :-\



  • Banned

    Well, sorry but "that didn't work" is not a useful description. Traceroute? Firewall logs? 172.16.0.0/24 allowed on pfSense1 LAN?

    P.S. Make sure you do NOT set any GW on pfSense2 LAN.



  • Ok here are more infos:

    "tracert 10.0.0.1" from Test LAB PC (172.16.0.10)
    First Hop: 172.16.0.254
    and then 29 Hops timeout

    I attached the Firewallsettings from pfSense2 and pfSense1LAN and the Gateway from pfSense2 (only WAN Gateway configured)

    I don't get any Firewall logs on pfSense2 , there are none.

    Thanks for your help!










  • I added the rule on pfSense1 (att.)

    But just for my understanding: Doesnt the pfSense2 NAT the 172.16.0.0/24 network to 10.0.0.47 so the pfSense1 just sees the 10.0.0.47 IP on it's LAN interface and not the 172.16.0.0/24 IPs?

    OPT1 is just another interface wich isn't in use atm.

    The firewall logs on pfSense1 just show broadcasts from the 192.168.1.0/24 network on the WAN interface, nothing on the LAN interface.



  • Banned

    TCP/UDP will NOT enable ping. Did you actually try something else that ping?



  • I also added an ICMP rule now (att.) but do I even need those rules on pfSense1 LAN? The "LAN to any" rule should let everything through from LAN shouldn't it? I also added a picture of the network for a better overview.





  • Banned

    As already noted above, I have no idea what pfSense2 is doing there in the first place. Completely useless as firewall given the WAN rules, so you are just tripple NATing (at best).

    Have you disabled the FW on the LAB PC? Have you tried something else that ping from the LAB PC?



  • The WAN rules on pfSense2 are just open for troubleshooting, i will remove the "WAN to any" rule after everything is working. It is there to seperate the 172.16.0.0/24 Test LAB network from my 10.0.0.0/24 network and to play a little bit with firewall rules later on.

    The WindowsFW on LAB PC is completely disabled. I Also tried http from LAB PC but thats also not working. So with LAB PC i reach pfSense2 WAN Interface (10.0.0.47) and that's it. From pfSense2 itself i reach everything.


  • Banned

    This really does not go anywhere.

    route print and ipconfig /all output from the Windows PC
    netstat -rn from both pfsense boxes.



  • Netsat from pfSense1

    
    $ netstat -rn
    Routing tables
    
    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            192.168.1.1        UGS         0  5856113    vr0
    10.0.0.0/24        link#2             U           0 206721925    vr1
    10.0.0.1           link#2             UHS         0        0    lo0
    127.0.0.1          link#4             UH          0       78    lo0
    172.16.0.0/24      10.0.0.47          UGS         0        0    vr2
    172.16.0.1         link#3             UHS         0        0    lo0
    192.168.1.0/24     link#1             U           0    10754    vr0
    192.168.1.1        00:0d:b9:26:fc:60  UHS         0   223929    vr0
    192.168.1.203      link#1             UHS         0        0    lo0
    192.168.1.254      link#1             UHS         0        0    lo0 =>
    192.168.1.254/32   link#1             U           0        0    vr0
    
    Internet6:
    Destination                       Gateway                       Flags      Netif Expire
    ::1                               ::1                           UH          lo0
    fe80::%vr0/64                     link#1                        U           vr0
    fe80::20d:b9ff:fe26:fc60%vr0      link#1                        UHS         lo0
    fe80::%vr1/64                     link#2                        U           vr1
    fe80::20d:b9ff:fe26:fc61%vr1      link#2                        UHS         lo0
    fe80::%vr2/64                     link#3                        U           vr2
    fe80::20d:b9ff:fe26:fc62%vr2      link#3                        UHS         lo0
    fe80::%lo0/64                     link#4                        U           lo0
    fe80::1%lo0                       link#4                        UHS         lo0
    ff01:1::/32                       fe80::20d:b9ff:fe26:fc60%vr0  U           vr0
    ff01:2::/32                       fe80::20d:b9ff:fe26:fc61%vr1  U           vr1
    ff01:3::/32                       fe80::20d:b9ff:fe26:fc62%vr2  U           vr2
    ff01:4::/32                       ::1                           U           lo0
    ff02::%vr0/32                     fe80::20d:b9ff:fe26:fc60%vr0  U           vr0
    ff02::%vr1/32                     fe80::20d:b9ff:fe26:fc61%vr1  U           vr1
    ff02::%vr2/32                     fe80::20d:b9ff:fe26:fc62%vr2  U           vr2
    ff02::%lo0/32                     ::1                           U           lo0
    
    

    Netstat from pfsense1

    
    $ netstat -rn
    Routing tables
    
    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            10.0.0.1           UGS         0      605    de1
    10.0.0.0/24        link#2             U           0     1450    de1
    10.0.0.1           00:15:5d:00:fe:0c  UHS         0     6282    de1
    10.0.0.47          link#2             UHS         0        0    lo0
    127.0.0.1          link#5             UH          0      106    lo0
    172.16.0.0/24      link#1             U           0      199    de0
    172.16.0.254       link#1             UHS         0        0    lo0
    
    Internet6:
    Destination                       Gateway                       Flags      Netif Expire
    ::1                               ::1                           UH          lo0
    fe80::%de0/64                     link#1                        U           de0
    fe80::215:5dff:fe00:fe0b%de0      link#1                        UHS         lo0
    fe80::%de1/64                     link#2                        U           de1
    fe80::215:5dff:fe00:fe0c%de1      link#2                        UHS         lo0
    fe80::%lo0/64                     link#5                        U           lo0
    fe80::1%lo0                       link#5                        UHS         lo0
    ff01::%de0/32                     fe80::215:5dff:fe00:fe0b%de0  U           de0
    ff01::%de1/32                     fe80::215:5dff:fe00:fe0c%de1  U           de1
    ff01::%lo0/32                     ::1                           U           lo0
    ff02::%de0/32                     fe80::215:5dff:fe00:fe0b%de0  U           de0
    ff02::%de1/32                     fe80::215:5dff:fe00:fe0c%de1  U           de1
    ff02::%lo0/32                     ::1                           U           lo0
    
    

    route print and ipconfig from LAB PC screenshots attached
    If you need the screenshots in englisch i'll try to get the cmd in english.





  • Banned

    Nothing wrong with the routing, should have told us this is on Hyper-V in the first place since this looks like Hyper-V misconfiguration. Plus, completely unclear where is the Hyper-V server is actually located now in this mess, plus the pfSense2 box is clearly virtualized as well! ::)

    Please, avoid wasting other people's time by omitting absolutely vital information in future!  >:(



  • Sorry for that… the Hyper-V Host is hosting the pfSense2 and the LAB PC. The Hyper-V Host is located in the 10.0.0.0/24 subnet. I didn't want to make it to complicated and didn't think it has something to do with the problem. The Virtual Network on pfSense2 WAN is external and the virt. network on pfsense2 LAN is private, so is the Test LAB network.


  • Banned

    @krick:

    the virt. network on pfsense2 LAN is private, so is the Test LAB network.

    And you wonder why you can't talk to WAN? Private == Provides communications between virtual machines only !!!



  • But the WAN isn't private it's external, so I don't think its wrong?

    The VM pfSense2 has one Interface(LAN) in the private network to talk to the Test LAB private network and one interface (WAN) in the external network to talk to the physical network. And then it should be routing those two. I don't see a reason why the Test LAB network should have access to net Host Network as it should be the job of pfSense2 to route it to the external. Or am I wrong ?

    Edit: I just tried it, it's not possible to have both interfaces from pfSense2 on the external network because then the LAN from pfSense2 must also have a 10.0.0.0/24 IP from the external network. So I think the Hyper-V setup is right.


  • Banned

    Please, read this and  this. What you have setup will never work.



  • I thank you for your help very much :-) but i think in this case you are wrong.

    There are many tutorials on how to setup Hyper-V with pfSense and they are all using a private network for the LAN interface and the external interface for the WAN interface like here:

    http://www.theitcave.com/post/10

    Maybe I'll try to reinstall pfSense and start it from scratch. But at least I am sure that the Hyper-V virtual switches are right. I will post here again when I have reinstalled pfSense. Thanks !!



  • I just wanted to inform you that a fresh ibstallation of pfSense did the trick, WITH Lan as a private network in Hyper-V and WAN as an external network  ;)


Log in to reply