Routing issues between WAN and LAN
-
I've setup a new PFSense 2.1 installation on a Jetway JBC373F38W-525 four ethernet motherboard. I have the first port configured as WAN and plugged into my cable modem and is set for DHCP. The second is configured as LAN and has a static IP of 192.168.1.1 with the DHCP server enabled. The WAN port is receiving it's DHCP information fine from the modem and if I use the ping tool under diagnostics I can ping www.google.com from the WAN interface. I can not ping it from LAN and can not access any outside webpages (the pfsense web front end is accessible). I can however do an nslookup on google from one of my linux systems behind the firewall. At first I thought this may be rule related so for trouble shooting purposes I temporarily added a WAN and LAN rule to pass all traffic and this did not resolve the issue. I can only conclude it's a routing issue but I'm at a loss on how to resolve it. I tried searching google and this forum but didn't any useful resolutions. I'm hoping some of the bright folks here may be able to point me in the right direction. Thanks in advance for any help.
-
Post your routing table and LAN firewall rule. You shouldn't of had to enter any WAN firewall rules. Also, what are you using for outbound NAT? Manual or automatic?
When you say "I can not ping it from LAN", what error are you getting? What is google.com resolving to from your LAN?
Can you ping 8.8.8.8?
What DHCP scope options are you pushing out?
-
And is the front-end WAN between pfSense and cable modem also giving out 192.168.1.0/24 subnet addresses?
Although that usually messes things up even more than you describe. -
Sorry for the late replies. I've been sick the last couple of day's but appreciate the responces.
Marvosa:
I only created a WAN rule for testing purposes and have since deleted it. The two default "Block Private Networks" and "Block bogon networks" are the only rules currently on the WAN.
My LAN has the two default "Anti-Lockout Rule", "Default allow LAN to any rule", and "Default allow LAN IPv6 to any rule". I had created a rule to allow any protocole from any source on any port to any destination on any port on all gateways for testing. I have since deleted that rule as well.
My routing table only has two entries. For clarity re0 is my WAN and re1 is my LAN.
Destination Gateway Flags Netif
default 173.81.164.1 UGS re0
127.0.0.1 Link#8 UH lo0
173.81.164.0/22 Link#2 U re0
173.81.164.25 Link#2 UHS lo0
192.168.1.0/24 Link#3 U re1
192.168.1.1 173.81.164.1 UGHS re0
208.18.42.88 00:30:18:a7:9c:72 UHS re0
208.18.42.100 00:30:18:a7:9c:72 UHS re0If I'm pinging from a system behind the LAN interface ping just sets there until it times out. If I'm pinging from the pfsense tool I get the following:
PING www.google.com (173.194.115.81) from 192.168.1.1: 56 data bytes–- www.google.com ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet lossNo I can't ping 8.8.8.8 or any other external internet address I've tried.
I'm leasing addresses 192.168.1.100 to 192.168.1.150 with a subnet mask of 255.255.255.0 and a subnet of 192.168.1.0. LAN clients are reciving DHCP address approprietly.
Phil.davis:
If you mean the DHCP from the modem no It's handing out a dynamic IP from my cable company in the 173.... subnet.
-
My LAN has the two default "Anti-Lockout Rule", "Default allow LAN to any rule", and "Default allow LAN IPv6 to any rule".
Just for clarity, your "Default allow LAN to any rule" shows this right?:
IPv4 | LAN net | * | * | * | * |*Routing table looks normal, except for the host route in bold… that looks strange... shouldn't be needed... but who knows... someone chime in and give us an idea if that's normal.
Destination Gateway Flags Netif
default 173.81.164.1 UGS re0
127.0.0.1 Link#8 UH lo0
173.81.164.0/22 Link#2 U re0
173.81.164.25 Link#2 UHS lo0
192.168.1.0/24 Link#3 U re1
192.168.1.1 173.81.164.1 UGHS re0
208.18.42.88 00:30:18:a7:9c:72 UHS re0
208.18.42.100 00:30:18:a7:9c:72 UHS re0I didn't see an answer for the outbound NAT question…. are you using Manual or Automatic?
I didn't see an answer for the DNS question... what does google.com resolve to from a PC on your LAN? i.e. share the results of "nslookup google.com"
If I'm pinging from a system behind the LAN interface ping just sets there until it times out.
Are you getting "Request timed out." or "Destination host unreachable."?
The fact that you can not ping 8.8.8.8 from your LAN tells me you either have a routing issue or firewall issue.
If we look closer, in your OP you meantioned "if I use the ping tool under diagnostics I can ping www.google.com from the WAN interface.", but your last post shows this:
If I'm pinging from the pfsense tool I get the following:
PING www.google.com (173.194.115.81) from 192.168.1.1: 56 data bytes–- www.google.com ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet lossNotice the last part of the bottom line, "100.0% packet loss"…. which means your PFsense does NOT have internet! There's your main issue. If you just moved to PFsense from another router, you may have to bounce your modem. Assuming you're WAN is DHCP, if power cycling your modem doesn't work, you will have to call your ISP.
I'm leasing addresses 192.168.1.100 to 192.168.1.150 with a subnet mask of 255.255.255.0 and a subnet of 192.168.1.0. LAN clients are reciving DHCP address approprietly.
Your address pool doesn't tell us much. Need to know what default gateway and DNS servers you are handing out.
-
Just for clarity, your "Default allow LAN to any rule" shows this right?:
IPv4 | LAN net | * | * | * | * |*Yes
Routing table looks normal, except for the host route in bold… that looks strange... shouldn't be needed... but who knows... someone chime in and give us an idea if that's normal.
The route in question was created automatically when I attached the WAN interface to the cable modem if that helps.
I didn't see an answer for the outbound NAT question…. are you using Manual or Automatic?
Wops, I'm using Automatic.
I didn't see an answer for the DNS question… what does google.com resolve to from a PC on your LAN? i.e. share the results of "nslookup google.com"
The fact that you can not ping 8.8.8.8 from your LAN tells me you either have a routing issue or firewall issue.
www.google.com returns 173.194.115.80-173.194.115.84 from an nslookup
If we look closer, in your OP you meantioned "if I use the ping tool under diagnostics I can ping www.google.com from the WAN interface.", but your last post shows this:
If I'm pinging from the pfsense tool I get the following:
PING www.google.com (173.194.115.81) from 192.168.1.1: 56 data bytes–- www.google.com ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet lossNotice the last part of the bottom line, "100.0% packet loss"…. which means your PFsense does NOT have internet! There's your main issue. If you just moved to PFsense from another router, you may have to bounce your modem. Assuming you're WAN is DHCP, if power cycling your modem doesn't work, you will have to call your ISP.
I should have been more clear. If I use the pfsense ping tool and choose the WAN interface as origin I can ping www.google.com just fine. If I choose the LAN interface I get the results returned above.
Your address pool doesn't tell us much. Need to know what default gateway and DNS servers you are handing out.
I have the default DNS and gateway set to 192.168.1.1 and PFSense is configured to use the DNS provided by the cable modem. I can do an nslookup successfully from a client on the LAN side of my firewall so I don't think DNS is the issue.
-
Let me know if any of this is incorrect…. but this is my understanding of your network:
Cable Modem -> (DHCP) PFsense (192.168.1.1) -> Switch -> LAN
Your LAN DHCP clients are getting:
IP - 192.168.1.100 - 192.168.1.150
Netmask - 255.255.255.0
Default Gateway - 192.168.1.1
DNS - 192.168.1.1 (assuming the DNS Forwarder is enabled on PFsense)This is all pretty standard stuff that should be working out of the box. One thing I assumed, but never asked, what version of PFsense are you running?
First thing I would do is go through your logs and look for things that would indicate an issue:
-
check (Status: System logs: Firewall) and verify there are no blocks sourced from your LAN (192.168.1.0/24).
-
check (System logs: General) and verify there are no reoccurring messages indicating a problem
-
check (Status: System logs: Gateways) for apinger alarms, etc
-
check (Diagnostics: States) After testing different rules, have you tried resetting your states? Since traffic never worked to begin with I doubt this is the problem, but might as well try it
-
This seems so trivial, but has cleared weird issues for me in the past…. have you tried rebooting?
Hopefully the logs will point you in the right directions, but After that, we just start troubleshooting from the ground up:
-
Check all layer 1 connections (check for broken tips, loose connections and exposed wires)
-
Check layer 2 (link light) status on both ends
-
Check the arp table on your clients (arp -a)… make sure the MAC address for 192.168.1.1 matches the MAC for your PFsense LAN interface
-
Check layer 3, which we've done, routing table on PFsense looks ok, clients appear to be getting the right settings… assuming the dhcp settings referenced above are accurate
-
Try rebooting. Shouldn't have to, but you never know
-
Try changing interfaces… move LAN to port 3 or 4... also try your WAN on port 3 or 4
-
Blow away your current install, Try a fresh install and vanilla config (no custom config, routes, rules, etc)… if it works, you have a config issue... if not, your issue is most likely hardware related. Power cycle all your switches. Replace custom cables with pre-manufactered cables also replace any cable that looks suspect
-
Throw a 2nd NIC into a separate, known working machine and try fresh install with vanilla config… if everything works, you know the issue is with your old setup.
-
I'll just throw this out there as a hail mary…but if you're using the 64 bit version of PFsense... maybe it's a 64 bit driver issue with your NIC's... try the 32 bit version.
-
-
Routing table looks normal, except for the host route in bold… that looks strange... shouldn't be needed... but who knows... someone chime in and give us an idea if that's normal.
Not at all normal, that's a publicly routable network to a privately routable network and should not be in there.
-
I thought it looked strange too, but he said it was automatically added when he plugged in his modem… so idk... I don't know why it would add a host route like that... doesn't look standard... I checked a couple other routing tables from routers that were connected to cable modems via dhcp and none of them had a route like that. I'm betting there's something to it... but he says it was added automatically, so I gave him the benefit of the doubt.
-
I'd actually be willing to bet that's his problem. If stuff is headed to his gateway with that static route there, it's going to try to push it to that IP which makes absolutely no sense.
OP, please try the following command in your CLI: route del 192.168.1.1 173.81.164.1
After that, try it again and let us know the results. That route should not be there. -
Since it's a fresh install and I didn't have much time put into it yet I did a reset to factory defaults. It is now functioning fine. I checked my current routing table and the aberrant route being discussed is not present. I don't know how it was created but it very well may have been the problem. Thank you all for your help.
-
Hi,
I do have exactly same problem, i tried restoring Pfsense to default settings it didn't help at all…
I can ping 8.8.8.8 from pfsense but not from any computer on my lan. Please help!!
Does some one have any suggestions? Here my route:
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 70.168.57.34 UGS 0 20224 em0
10.4.1.0 link#10 U 0 0 em2_vl
10.4.1.1 link#10 UHS 0 0 lo0
10.5.1.0 link#2 U 0 11485 em1
70.168.57.34/31 link#1 U 0 2482 em0
70.168.57.35 link#1 UHS 0 0 lo0
localhost link#8 UH 0 544 lo0 -
You likely don't have the same exact problem. What is the output of "netstat -rn" on the computer you're trying to ping from? What is the LAN address of your pfSense box?
-
You likely don't have the same exact problem. What is the output of "netstat -rn" on the computer you're trying to ping from? What is the LAN address of your pfSense box?
yes it is
PFSense BOX has WAN 70.168.57.35 routed IP
and gateway 70.168.57.34I also got IP block with 4 IP's and it's own gateway where should this go??
LAN: 10.5.1.1/24
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 10.5.1.1 UGSc 129 16 en4
10.5.1/24 link#7 UCS 2 0 en4
10.5.1.1 0:0:24:d0:6b:59 UHLWIir 144 618 en4 1158
10.5.1.10 127.0.0.1 UHS 0 0 lo0
10.5.1.255 ff:ff:ff:ff:ff:ff UHLWbI 0 6 en4
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 2 39766 lo0
127.94.0.1 127.94.0.1 UH 0 21 lo0
127.94.0.2 127.94.0.2 UH 0 161 lo0
169.254 link#7 UCS 0 0 en4 -
anogmus, unless you're double natting, you have a config issue. (I guess that could be another BSD client, but looks like PFsense to me)
we're happy to help, but…Start a new thread, post a network map, post the IP schema for your network and include that routing table.
-
yes it is
Oh, my mistake then.
In the case of this thread, the fix was a factory default. I'd recommend you try that. Good luck! -
You might want to read this to know how to fix it https://forum.pfsense.org/index.php?topic=75495.0
-
Your issue has absolutely no relation to the OP's issue.