[SOLVED] pfSense not routing LAN to WAN
My problem is that I can't get pfSense to route traffic from LAN to WAN, but first I will post my setup here:
The following setup has been working for me for ~3 years without any problems.
ISP == (HomeRouter) 192.168.1.1/24 ==== 192.168.1.203/24 (pfSense1) 10.0.0.1/24 ==== 10.0.0.0/24 (my LAN Network)
I have Internet access from "my LAN Network" and everything is ok.
But now I have set up a small Test LAB and have the following addition:
ISP == (HomeRouter) 192.168.1.1/24 ==== 192.168.1.203/24 (pfSense1) 10.0.0.1/24 ==== 10.0.0.47/24 (pfSense2) 172.16.0.254/24 ==== 172.16.0.0/24 (Test LAB)
The problem is, I don't reach the Internet, or "my LAN Network", from the Test LAB.
I tried the following pings:
172.16.0.10/24 (Test LAB PC) to 172.16.0.254/24 (pfSense2) OK
172.16.0.10/24 (Test LAB PC) to 10.0.0.47/24 (pfSense2 WAN) OK
172.16.0.10/24 (Test LAB PC) to 10.0.0.1/24 (pfSense1) FAIL
172.16.0.254/24 (pfSense2) to 172.16.0.10/24 (Test LAB PC) OK
10.0.0.47 (pfSense2) to 10.0.0.1/24 (pfSense1) OK
10.0.0.47 (pfSense2) to Internet OK
So basically I have the following problem:
From my Test LAB, I can ping pfSense2 on the LAN interface and on the WAN interface, but I can't ping other WAN addresses.
From pfSense2 I can ping all the LAN computers, all the WAN computers and the Internet.
But somehow the traffic coming from LAN is stopping at the WAN port and not going into the WAN subnet.
I have spent many hours on this before posting, so I hope you can help me with this, thanks :-)
Need to add route to 172.16.0.0/24 via 10.0.0.47 on pfSense1 box.
System - Routing - Routes
Destination network: 172.16.0.0/24
Thanks for your reply, but that didn't work (attachment)
Well, sorry but "that didn't work" is not a useful description. Traceroute? Firewall logs? 172.16.0.0/24 allowed on pfSense1 LAN?
P.S. Make sure you do NOT set any GW on pfSense2 LAN.
OK, here is more info:
"tracert 10.0.0.1" from Test LAB PC (172.16.0.10)
First Hop: 172.16.0.254
and then 29 hops time out
I attached the firewall settings from pfSense2 and pfSense1 LAN, and the gateway from pfSense2 (only the WAN gateway is configured).
I don't get any firewall logs on pfSense2; there are none.
Thanks for your help!
I added the rule on pfSense1 (att.)
But just for my understanding: Doesn't pfSense2 NAT the 172.16.0.0/24 network to 10.0.0.47, so that pfSense1 just sees the 10.0.0.47 IP on its LAN interface and not the 172.16.0.0/24 IPs?
OPT1 is just another interface which isn't in use at the moment.
The firewall logs on pfSense1 just show broadcasts from the 192.168.1.0/24 network on the WAN interface, nothing on the LAN interface.
TCP/UDP will NOT enable ping. Did you actually try something other than ping?
I also added an ICMP rule now (att.), but do I even need those rules on the pfSense1 LAN? The "LAN to any" rule should let everything through from LAN, shouldn't it? I also added a picture of the network for a better overview.
As already noted above, I have no idea what pfSense2 is doing there in the first place. Completely useless as a firewall given the WAN rules, so you are just triple NATing (at best).
Have you disabled the FW on the LAB PC? Have you tried something other than ping from the LAB PC?
The WAN rules on pfSense2 are just open for troubleshooting; I will remove the "WAN to any" rule after everything is working. It is there to separate the 172.16.0.0/24 Test LAB network from my 10.0.0.0/24 network and to play a little bit with firewall rules later on.
The Windows FW on the LAB PC is completely disabled. I also tried HTTP from the LAB PC, but that's also not working. So with the LAB PC I reach the pfSense2 WAN interface (10.0.0.47) and that's it. From pfSense2 itself I reach everything.
This really does not go anywhere.
route print and ipconfig /all output from the Windows PC
netstat -rn from both pfsense boxes.
Netstat from pfSense1
$ netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs       Use  Netif Expire
default            192.168.1.1        UGS         0   5856113    vr0
10.0.0.0/24        link#2             U           0 206721925    vr1
10.0.0.1           link#2             UHS         0         0    lo0
127.0.0.1          link#4             UH          0        78    lo0
172.16.0.0/24      10.0.0.47          UGS         0         0    vr2
172.16.0.1         link#3             UHS         0         0    lo0
192.168.1.0/24     link#1             U           0     10754    vr0
192.168.1.1        00:0d:b9:26:fc:60  UHS         0    223929    vr0
192.168.1.203      link#1             UHS         0         0    lo0
192.168.1.254      link#1             UHS         0         0    lo0 =>
192.168.1.254/32   link#1             U           0         0    vr0

Internet6:
Destination                       Gateway                       Flags  Netif Expire
::1                               ::1                           UH     lo0
fe80::%vr0/64                     link#1                        U      vr0
fe80::20d:b9ff:fe26:fc60%vr0      link#1                        UHS    lo0
fe80::%vr1/64                     link#2                        U      vr1
fe80::20d:b9ff:fe26:fc61%vr1      link#2                        UHS    lo0
fe80::%vr2/64                     link#3                        U      vr2
fe80::20d:b9ff:fe26:fc62%vr2      link#3                        UHS    lo0
fe80::%lo0/64                     link#4                        U      lo0
fe80::1%lo0                       link#4                        UHS    lo0
ff01:1::/32                       fe80::20d:b9ff:fe26:fc60%vr0  U      vr0
ff01:2::/32                       fe80::20d:b9ff:fe26:fc61%vr1  U      vr1
ff01:3::/32                       fe80::20d:b9ff:fe26:fc62%vr2  U      vr2
ff01:4::/32                       ::1                           U      lo0
ff02::%vr0/32                     fe80::20d:b9ff:fe26:fc60%vr0  U      vr0
ff02::%vr1/32                     fe80::20d:b9ff:fe26:fc61%vr1  U      vr1
ff02::%vr2/32                     fe80::20d:b9ff:fe26:fc62%vr2  U      vr2
ff02::%lo0/32                     ::1                           U      lo0
Netstat from pfSense2
$ netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs       Use  Netif Expire
default            10.0.0.1           UGS         0       605    de1
10.0.0.0/24        link#2             U           0      1450    de1
10.0.0.1           00:15:5d:00:fe:0c  UHS         0      6282    de1
10.0.0.47          link#2             UHS         0         0    lo0
127.0.0.1          link#5             UH          0       106    lo0
172.16.0.0/24      link#1             U           0       199    de0
172.16.0.254       link#1             UHS         0         0    lo0

Internet6:
Destination                       Gateway                       Flags  Netif Expire
::1                               ::1                           UH     lo0
fe80::%de0/64                     link#1                        U      de0
fe80::215:5dff:fe00:fe0b%de0      link#1                        UHS    lo0
fe80::%de1/64                     link#2                        U      de1
fe80::215:5dff:fe00:fe0c%de1      link#2                        UHS    lo0
fe80::%lo0/64                     link#5                        U      lo0
fe80::1%lo0                       link#5                        UHS    lo0
ff01::%de0/32                     fe80::215:5dff:fe00:fe0b%de0  U      de0
ff01::%de1/32                     fe80::215:5dff:fe00:fe0c%de1  U      de1
ff01::%lo0/32                     ::1                           U      lo0
ff02::%de0/32                     fe80::215:5dff:fe00:fe0b%de0  U      de0
ff02::%de1/32                     fe80::215:5dff:fe00:fe0c%de1  U      de1
ff02::%lo0/32                     ::1                           U      lo0
route print and ipconfig from LAB PC screenshots attached
If you need the screenshots in English, I'll try to get the cmd output in English.
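The two pieces of advice in this thread, "add a route to 172.16.0.0/24 via 10.0.0.47 on pfSense1" and the question "doesn't pfSense2 NAT the lab network anyway?", are both about the reply path, so here is an added example (not code from the thread or from pfSense) that replays the ping 172.16.0.10 -> 10.0.0.1 against the routing tables posted above and reports where the reply dies. It feeds the IPv4 rows of both `netstat -rn` outputs to a small parser, then traces the packet and its reply with and without a static route on pfSense1 and with and without outbound NAT on pfSense2. Assumptions: the LAB PC's table is constructed (default gateway 172.16.0.254, as the tracert shows); "outbound NAT" is modelled as rewriting the source of anything leaving pfSense2's de1 to 10.0.0.47; and a next hop is only considered reachable if it is directly connected on the route's own Netif. That last rule matters for the posted pfSense1 table, where the static route shows Netif vr2 while 10.0.0.47 sits in 10.0.0.0/24 on vr1; the model treats that as an unreachable gateway, which is a modelling choice for the example, not a diagnosis the thread reached.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    dest: ipaddress.IPv4Network
    gateway: Optional[str]  # next-hop IP; None when directly connected (link#N or MAC)
    iface: str


class Node(NamedTuple):
    name: str
    routes: List[Route]
    nat_ip: Optional[str] = None     # assumed outbound NAT: packets leaving nat_iface
    nat_iface: Optional[str] = None  # get this source address

# IPv4 rows from the `netstat -rn` output posted in the thread (IPv6 rows omitted);
# the pfSense1 static route row is added per scenario so it can be varied.
PFSENSE1_NETSTAT = """\
default            192.168.1.1        UGS         0   5856113    vr0
10.0.0.0/24        link#2             U           0 206721925    vr1
10.0.0.1           link#2             UHS         0         0    lo0
172.16.0.1         link#3             UHS         0         0    lo0
192.168.1.1        00:0d:b9:26:fc:60  UHS         0    223929    vr0
"""
PFSENSE2_NETSTAT = """\
default            10.0.0.1           UGS         0       605    de1
10.0.0.0/24        link#2             U           0      1450    de1
10.0.0.1           00:15:5d:00:fe:0c  UHS         0      6282    de1
10.0.0.47          link#2             UHS         0         0    lo0
172.16.0.0/24      link#1             U           0       199    de0
172.16.0.254       link#1             UHS         0         0    lo0
"""
# Constructed for the example: the LAB PC with 172.16.0.254 as its default gateway.
LABPC_NETSTAT = """\
default            172.16.0.254       UGS         0         0   eth0
172.16.0.0/24      link#1             U           0         0   eth0
172.16.0.10        link#1             UHS         0         0    lo0
"""

def parse_netstat_rn(text: str) -> List[Route]:
    """Parse FreeBSD `netstat -rn` IPv4 rows: Destination Gateway Flags Refs Use Netif."""
    routes = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) < 6 or parts[0] == "Destination":
            continue
        dest, gw, iface = parts[0], parts[1], parts[5]
        cidr = "0.0.0.0/0" if dest == "default" else dest if "/" in dest else dest + "/32"
        gateway = gw if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", gw) else None
        routes.append(Route(ipaddress.ip_network(cidr), gateway, iface))
    return routes

def lookup(routes: List[Route], ip: str, exclude: Optional[Route] = None) -> Optional[Route]:
    """Longest-prefix match; `exclude` lets a route resolve its own gateway."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if r is not exclude and addr in r.dest]
    return max(hits, key=lambda r: r.dest.prefixlen, default=None)

def forward(nodes, start: str, src: str, dst: str):
    """Route one packet hop by hop: (node that delivered it or None, src as seen there, log)."""
    owners = {str(r.dest.network_address): n.name for n in nodes.values()
              for r in n.routes if r.iface == "lo0"}  # which box owns which address
    here, log = start, []
    for _ in range(8):  # TTL guard
        node, r = nodes[here], lookup(nodes[here].routes, dst)
        if r is None:
            return None, src, log + [f"{here}: no route to {dst}"]
        if r.iface == "lo0":
            return here, src, log + [f"{here}: delivered, src {src}"]
        # Model rule: a next hop must be directly connected on the route's own Netif.
        via = lookup(node.routes, r.gateway, exclude=r) if r.gateway else r
        if via is None or via.gateway or via.iface != r.iface:
            return None, src, log + [f"{here}: gateway {r.gateway} not on {r.iface}, dropped"]
        if r.iface == node.nat_iface:  # assumed outbound NAT on pfSense2's WAN
            src = node.nat_ip
        nexthop = r.gateway or dst
        log.append(f"{here}: {dst} -> {nexthop} via {r.iface}, src {src}")
        if nexthop not in owners:
            return None, src, log + [f"{nexthop}: outside the model, packet leaves the lab"]
        here = owners[nexthop]
    return None, src, log + ["TTL exceeded"]

def ping(nodes, src_node: str, src: str, dst: str):
    """Forward trip plus reply; True only if the reply gets back to src_node."""
    dst_node, seen_src, log = forward(nodes, src_node, src, dst)
    if dst_node is None:
        return False, log
    back, _, more = forward(nodes, dst_node, dst, seen_src)
    log += ["reply:"] + more
    if back and seen_src != src and nodes[back].nat_ip == seen_src:
        # Reply reached the NAT box: undo the translation and carry on to the real source.
        back, _, more = forward(nodes, back, dst, src)
        log += [f"de-NAT {seen_src} -> {src}"] + more
    return back == src_node, log

def scenario(static_route_iface: Optional[str], nat_on_pfsense2: bool):
    """Ping 172.16.0.10 -> 10.0.0.1 with pfSense1 routing 172.16.0.0/24 via 10.0.0.47 out the given Netif (None = no route)."""
    rows = PFSENSE1_NETSTAT
    if static_route_iface:
        rows += f"172.16.0.0/24      10.0.0.47          UGS         0         0    {static_route_iface}\n"
    nat = ("10.0.0.47", "de1") if nat_on_pfsense2 else (None, None)
    nodes = {"LAB PC": Node("LAB PC", parse_netstat_rn(LABPC_NETSTAT)),
             "pfSense2": Node("pfSense2", parse_netstat_rn(PFSENSE2_NETSTAT), *nat),
             "pfSense1": Node("pfSense1", parse_netstat_rn(rows))}
    return ping(nodes, "LAB PC", "172.16.0.10", "10.0.0.1")
```

Calling `scenario(None, False)` reproduces the original symptom: the ping reaches pfSense1, but the reply to 172.16.0.10 follows pfSense1's default route to 192.168.1.1 and never comes back. `scenario("vr2", False)` is the posted table, where the model drops the reply because 10.0.0.47 is not on vr2; `scenario("vr1", False)` is the same static route out the LAN interface and succeeds. `scenario(None, True)` shows why the first question about NAT matters: with outbound NAT on pfSense2 the reply is addressed to 10.0.0.47, which pfSense1 already reaches via its connected 10.0.0.0/24 route, so no static route is needed at all. Print the second element of each result to see the hop-by-hop log.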
Nothing wrong with the routing; you should have told us this is on Hyper-V in the first place, since this looks like a Hyper-V misconfiguration. Plus, it is completely unclear where the Hyper-V server is actually located now in this mess, plus the pfSense2 box is clearly virtualized as well! ::)
Please, avoid wasting other people's time by omitting absolutely vital information in future! >:(
Sorry for that… the Hyper-V host is hosting pfSense2 and the LAB PC. The Hyper-V host is located in the 10.0.0.0/24 subnet. I didn't want to make it too complicated and didn't think it had anything to do with the problem. The virtual network on pfSense2 WAN is external and the virt. network on pfsense2 LAN is private, so is the Test LAB network.
the virt. network on pfsense2 LAN is private, so is the Test LAB network.
And you wonder why you can't talk to WAN? Private == Provides communications between virtual machines only !!!
But the WAN isn't private, it's external, so I don't think it's wrong?
The VM pfSense2 has one interface (LAN) in the private network to talk to the Test LAB private network and one interface (WAN) in the external network to talk to the physical network. And then it should be routing between those two. I don't see a reason why the Test LAB network should have access to the host network, as it should be the job of pfSense2 to route it to the external network. Or am I wrong?
Edit: I just tried it, it's not possible to have both interfaces from pfSense2 on the external network because then the LAN from pfSense2 must also have a 10.0.0.0/24 IP from the external network. So I think the Hyper-V setup is right.
I thank you very much for your help :-) but I think in this case you are wrong.
There are many tutorials on how to setup Hyper-V with pfSense and they are all using a private network for the LAN interface and the external interface for the WAN interface like here:
Maybe I'll try to reinstall pfSense and start it from scratch. But at least I am sure that the Hyper-V virtual switches are right. I will post here again when I have reinstalled pfSense. Thanks !!
I just wanted to inform you that a fresh installation of pfSense did the trick, WITH LAN as a private network in Hyper-V and WAN as an external network ;)