Created two new subnets but can't get them access to the internet

  • Consider my home lab diagram:
    DR Site is just pretend - I'm testing some stuff out. All machines in can access the internet fine through either WAN gateway. Machines in cannot access the internet, but DNS addresses do resolve. So if I do

    Machine is a Windows Server 2008 R2 Domain controller for the win.testlab domain. Machines in the win.testlab domain use it for local DNS and for AD accounts.
    Let's take machine This is Windows Server 2012, if I do ipconfig /all
    I'm not really sure where I should be putting my rules for LAB1 and LAB2 (the two new subnets). Should I put them as floating or in their own section? Here are my floating rules:
    Look at the second rule. That allows all TCP/UDP from LAB1 to anywhere, so why isn't it able to access the internet via HOME_WAN or OFFICE_WAN? Should they be removed from here and put in LAB1 rules? Confused.

  • I've added an Ubuntu VM to the LAB1 subnet, with IP just for testing purposes. It can resolve but cannot ping it. It cannot load any web pages from the internet. It cannot ping my external WAN routers. Here are some tests:

    Weird thing is, in the System Logs, there are no blocks. Why's that?

    Here are my LAB1 rules (they've been updated since the first post):

  • Fixed it. Followed this article

    The one thing I hadn't done was go into Firewall->NAT->Outbound and select Automatic outbound NAT rule generation. After I did that it all worked fine.

  • For future readers - in pfSense 2.2 onwards you will be able to have a "hybrid" outbound NAT. That will leave Automatic Outbound NAT to generate the default outbound NAT rules and then you can add 1 or more manual outbound NAT rules to that.
    That means you can have some extra manual outbound NAT rules for special stuff (like for private subnets that are "hidden" behind another internal router), but then if you add another directly-connected LAN interface+subnet to pfSense you do not have to remember to add outbound NAT rules for it. It will "just happen" because automatic outbound NAT rule generation is still in effect.
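As an added illustration (not from the thread and not pfSense's own generated output), this pf.conf excerpt shows what the two posts above describe: the rules automatic outbound NAT generates for directly connected subnets, plus the single manual rule hybrid mode lets you add for a subnet behind an internal router. Interface names and subnet addresses are assumed placeholders, since the thread shows none of them.

```pf
# Hypothetical pf.conf excerpt; interface and subnet values are assumed.
wan_home   = "em0"            # HOME_WAN (assumed interface)
wan_office = "em1"            # OFFICE_WAN (assumed interface)
lab1_net   = "10.10.1.0/24"   # LAB1, directly connected (assumed subnet)
lab2_net   = "10.10.2.0/24"   # LAB2, directly connected (assumed subnet)
hidden_net = "10.20.0.0/24"   # subnet behind another internal router (assumed)

# Rules of the kind "Automatic outbound NAT rule generation" creates for
# every directly connected LAN-side subnet: the private source address is
# rewritten to the address of whichever WAN the packet leaves on.
# "($wan_home)" means "use that interface's current address".
nat on $wan_home   from $lab1_net to any -> ($wan_home)
nat on $wan_office from $lab1_net to any -> ($wan_office)
nat on $wan_home   from $lab2_net to any -> ($wan_home)
nat on $wan_office from $lab2_net to any -> ($wan_office)

# The manual rule hybrid mode adds on top. pfSense does not learn about a
# subnet that is only reachable through another router, so it never
# auto-generates this one.
nat on $wan_home   from $hidden_net to any -> ($wan_home)
nat on $wan_office from $hidden_net to any -> ($wan_office)

# Without a matching nat rule the firewall pass rule still lets the packet
# out, so nothing is logged as blocked; it leaves with its private source
# address and the reply has no route back, which is the symptom above.
```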