Netgate Discussion Forum

    Created two new subnets but can't get them access to the internet

    4 Posts 2 Posters 1.1k Views
    mewsense:

      Consider my home lab diagram:


      DR Site is just pretend - I'm testing some stuff out. All machines in 10.0.0.0/24 can access the internet fine through either WAN gateway. Machines in 10.0.1.0/24 cannot access the internet, but DNS addresses do resolve. So if I do

      ```
      ping grc.com
      ```

      Machine apple.win.testlab is a Windows Server 2008 R2 Domain controller for the win.testlab domain. Machines in the win.testlab domain use it for local DNS and for AD accounts.
      
      Let's take machine plum.win.testlab. This is Windows Server 2012, if I do ipconfig /all
      
      ![](http://i.imgur.com/nUs9TYq.png)
      
      I'm not really sure where I should be putting my rules for LAB1 and LAB2 (the two new subnets). Should I put them as floating or in their own section? Here are my floating rules:
      
      ![](http://i.imgur.com/cM0BvZg.png)
      
      Look at the second rule. That allows all TCP/UDP from LAB1 to anywhere, so why isn't it able to access the internet via HOME_WAN or OFFICE_WAN? Should they be removed from here and put in LAB1 rules? Confused.
      mewsense:

        I've added an Ubuntu VM to the LAB1 subnet, with IP 10.0.1.10 just for testing purposes. It can resolve grc.com but cannot ping it. It cannot load any web pages from the internet. It cannot ping my external WAN routers. Here are some tests:

        Weird thing is, in the System Logs, there are no blocks. Why's that?

        Here are my LAB1 rules (they've been updated since the first post).

        mewsense:

          Fixed it. Followed this article http://www.tomschaefer.org/pfsense-internet-access-on-opt-interface/

          The one thing I hadn't done was go into Firewall->NAT->Outbound and select Automatic outbound NAT rule generation. After I did that it all worked fine.

          phil.davis:

            For future readers - in pfSense 2.2 onwards you will be able to have a "hybrid" outbound NAT. That will leave Automatic Outbound NAT to generate the default outbound NAT rules and then you can add 1 or more manual outbound NAT rules to that.
            That means you can have some extra manual outbound NAT rules for special stuff (like for private subnets that are "hidden" behind another internal router), but then if you add another directly-connected LAN interface+subnet to pfSense you do not have to remember to add outbound NAT rules for it. It will "just happen" because automatic outbound NAT rule generation is still in effect.

            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
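The symptom in this thread (firewall rules pass the traffic, nothing is blocked in the logs, yet the new subnet never gets replies) comes from the outbound NAT rule set, not the filter rules. The following is an added example, not code from the thread or from pfSense, that models the three outbound NAT modes phil.davis describes (automatic, manual, hybrid) and reports which directly-connected subnets would leave a WAN untranslated. It assumes LAB2 is 10.0.2.0/24 and that the original manual rule set only covered 10.0.0.0/24; neither value is stated in the posts.

```python
from ipaddress import ip_address, ip_network

# Constructed from the thread: LAN 10.0.0.0/24 works, LAB1 10.0.1.0/24 does not.
LOCAL_SUBNETS = {
    "LAN": ip_network("10.0.0.0/24"),
    "LAB1": ip_network("10.0.1.0/24"),
    "LAB2": ip_network("10.0.2.0/24"),   # assumed; the post never gives LAB2's range
}
WAN_INTERFACES = ["HOME_WAN", "OFFICE_WAN"]


def automatic_rules():
    """Rules pfSense generates itself: every directly connected local subnet on every WAN."""
    return [(wan, subnet) for wan in WAN_INTERFACES for subnet in LOCAL_SUBNETS.values()]


def effective_rules(mode, manual_rules):
    """Outbound NAT rules in effect. automatic: generated rules only; manual (AON): hand-written
    rules only; hybrid (pfSense 2.2+): hand-written rules followed by the generated ones."""
    if mode == "automatic":
        return automatic_rules()
    if mode == "manual":
        return list(manual_rules)
    if mode == "hybrid":
        return list(manual_rules) + automatic_rules()
    raise ValueError(f"unknown outbound NAT mode: {mode}")


def is_translated(mode, manual_rules, wan, src_ip):
    """True if a packet from src_ip leaving via wan matches an outbound NAT rule
    (egress interface plus source network; first match wins, so any match suffices)."""
    src = ip_address(src_ip)
    return any(r_wan == wan and src in r_net for r_wan, r_net in effective_rules(mode, manual_rules))


def untranslated_subnets(mode, manual_rules):
    """Subnets that would leave a WAN with their private source address intact. This is the
    thread's symptom: the filter passes the packet (no block logged) but no reply can route back."""
    missing = []
    for name, net in LOCAL_SUBNETS.items():
        probe = str(net.network_address + 10)   # a host in the subnet, e.g. 10.0.1.10
        for wan in WAN_INTERFACES:
            if not is_translated(mode, manual_rules, wan, probe):
                missing.append((wan, name))
    return missing


# Assumed original rule set: manual rules written when only the LAN subnet existed.
MANUAL_ONLY_LAN = [(wan, ip_network("10.0.0.0/24")) for wan in WAN_INTERFACES]

if __name__ == "__main__":
    for mode in ("manual", "automatic", "hybrid"):
        print(mode, untranslated_subnets(mode, MANUAL_ONLY_LAN))
```

Running it shows manual mode leaving LAB1 and LAB2 untranslated on both WANs, while automatic and hybrid cover every subnet without a hand-written rule per interface.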

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.