Routing issue to internet on LAN
-
Hello,
I have faced a problem and been trying to solve it with no luck….
My ISP gave me block of 4 ip addresses:
Router IP: 70.168.57.35
Gateway: 70.168.57.34So I assigned WAN interface to em0 with IP 70.168.57.35 and 70.168.57.34 as gateway
Lan interface has static: 10.5.1.1/24 with DHCP enabled, the range is 10.5.1.10 - 10.5.10.254
From shell and GUI pings i can ping 8.8.8.8 just fine on both wan and lan interfaces:
PING 8.8.8.8 (8.8.8.8) from 10.5.1.1: 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=47 time=40.231 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=47 time=40.126 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=47 time=40.113 msMy PC on lan got IP address 10.5.1.10
I can't ping outside world from any machine on lan.....Here is route on PFsense box:
Destination Gateway Flags Refs Use Netif Expire
default 70.168.57.34 UGS 0 3292 em0
10.5.1.0/24 link#2 U 0 2447 em1
10.5.1.1 link#2 UHS 0 0 lo0
70.168.57.34/31 link#1 U 0 1208 em0
70.168.57.35 link#1 UHS 0 0 lo0
127.0.0.1 link#8 UH 0 248 lo0Here is route on my computer:
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 10.5.1.1 UGSc 129 16 en4
10.5.1/24 link#7 UCS 2 0 en4
10.5.1.1 0:0:24:d0:6b:59 UHLWIir 144 618 en4 1158
10.5.1.10 127.0.0.1 UHS 0 0 lo0
10.5.1.255 ff:ff:ff:ff:ff:ff UHLWbI 0 6 en4
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 2 39766 lo0
127.94.0.1 127.94.0.1 UH 0 21 lo0
127.94.0.2 127.94.0.2 UH 0 161 lo0
169.254 link#7 UCS 0 0 en4 -
I'll assume the DHCP range is a typo and you meant 10.5.1.10 - 10.5.1.254.
I'm a bit curious about the 169.254 route at the bottom of your PC's routing table. That's not really something that needs to be there, which leads me to believe you have something else touching your routing tables - but probably isn't the cause of your issues.
Firstly, are you able to ping 10.5.1.1 from your PC? If not, you have A) a switching issue, B) an addressing issue, or C) a firewall rules issue. My money is on A or C, as people tend to try to get too complex with VLANs and firewall rules than is necessary.
If you're able to ping your local gateway, are you then able to ping 70.168.57.35? If not, you have a firewall rules issue. Not really much else that it could be at this point if the routing tables you posted are accurate.
If you're able to ping your WAN address, are you then able to ping 70.168.57.34? If not, you have A) a firewall rules issue, B) a routing issue. At this point if you're able to touch your WAN IP, you should be able to touch your WAN gateway. If you're not able to, the next step should be performing a traceroute to it and making sure it takes the path you expect (assuming you don't have much else in your topology, should be PC -> LAN IP -> Gateway). If it doesn't hit the LAN IP, you've got a default gateway issue. If it doesn't hit the gateway, you probably have a firewall issue. -
Correct I had type it is 10.5.1.10 - 10.5.1.254
I connected my pc directly to LAN without switch at this point. no luck
I'm not able to bing routing IP 70.168.57.35
If I do traceroute it's not able to get out of lan.I restored to default settings still no luck…
What can I do in firewall to make it work?
Any other thoughts? -
Ah. If you're not using a switch, you have to use a crossover cable to connect the two machines directly (assuming that both are not gigabit NICs).
-
Ah. If you're not using a switch, you have to use a crossover cable to connect the two machines directly (assuming that both are not gigabit NICs).
It's soekris net6501 device.
And I use switch too same bad results -
Okay, so are you able to ping 10.5.1.1?
-
-
So make sure there's a rule in your LAN section to pass any protocol, any source, any destination. If there is already, then it's down to a routing issue.
-
So make sure there's a rule in your LAN section to pass any protocol, any source, any destination. If there is already, then it's down to a routing issue.
I added such rule, no luck :(
What in routing can cause it?
-
So likely I am 27 years old who has been using linux ever since been 12.
So after log digging and routing tests I have fixed the problem and this happened to be a bug in pfsense that is runing on some hardware such as soekris net6501 in my case.Here is the problem:
When you first install pfsense than configure WAN and Lan, assuming you don't do any changes to LAN it will allow you to go out and ping outside from LAN.1. But soon as 2-3 minutes later LAN can't ping internet.
2. Lan stops accessign internet soon as you do change to LAN address.Problem cause:
The internal gateway route have been removed from DCHP! Also firewall rule removed also! by pfsense software!! Ridicules!FIX:
Create following rules:
In my case my LAN is 10.5.1.1
Firewall > Rules
Select tab LAN
Create RuleProtocol: Any
Source: Any
Destination: Any
Port: Any
Gateway: Wan gateway hereThan once this done:
Services > DHCP server
in field Gateway enter your LAN's gateway, in my case it is 10.5.1.1Volya! Now LAN got access to internet!
Let me know if you have any question!
-
There's no bug, you simply did something wrong. I am posting this from a fresh install in which I tested what you're claiming happened. My guess is that you didn't update your DHCP scope. When I change my interface address and adjust the DHCP scope for it, then release/renew my IP, it works as expected.
-
Gotta eat my words on this, it looks like you did indeed discover a bug in the DHCP code. I'm able to reproduce this on 2.1.2, and I'm assuming it applies to 2.1.1 as well.
In my case, my DHCP client was never assigned a gateway in general, and this is reflected by there not being an "option routers" directive in the dhcpd.conf file. I am investigating where this is happening.Documented here with a temporary fix: https://forum.pfsense.org/index.php?topic=75766