New firewall not routing traffic

  • I'm trying to set up a pfSense firewall for the first time. I have created rules and turned logging on, and I can see that the traffic is not being blocked (as I have an any-any rule in place), but traffic is not being routed.

    My setup is as follows:
    WAN Interface /24
    LAN Interface /24

    WAN test Server /24 with default gateway of (WAN interface on FW)
    LAN test Server

    I am trying to do an nslookup or ping from to my DNS server of and nothing is coming back. Do I need to create static routes?

    Any help would be magic,



  • This is a pretty non-standard configuration, as it looks like you're using the WAN interface as a LAN interface. Make sure you have a pass rule (TCP/UDP 53 at the least) on your WAN interface, and that you have "block private networks" and "block bogon networks" unchecked in your WAN interface configuration.

  • Hi Tim, those boxes are unchecked, and I do have a rule in place for DNS. I can see from the system log that nothing is being blocked:
    Apr 22 15:39:56 WAN UDP

    We are using the firewall as a middle-tier firewall, hence the strange config.

  • What does the routing table on your LAN test server look like (netstat -rn)? If this pfSense box isn't your default gateway for that machine, you'll need to either create a static route on it, or on its default gateway so that it knows how to talk to the range.

  • I've attached a screenshot of the output from netstat -rn. This is the same as my default gateway, which is the pfSense WAN interface, so I assume I don't need any static routes?

  • I can also ping the address but not the LAN side of the pfSense.

  • I'm a bit confused by your routing table. Do you have an interface on both subnets? In any case, your next hop for the subnet is, which is not your stated LAN or WAN interface address. I'd try adding a static route for and to You have a really strange routing table there, and that is going to cause some complication. I'd lab this out on a completely different set of subnets first, personally.

  • The routing table is okay, but your overall setup is very strange as said already.

    The computer ( from which the screenshot is) is attached to your WAN interface of pfSense, and you have configured the WAN IP ( as the gateway for its interface.
    And your LAN net is /24.

    Okay, so WAN and LAN are different networks, and you cannot ping a LAN computer from the WAN side unless you set appropriate NAT rules. You have to set up NAT port-forwarding rules and firewall rules for that. You can forward ICMP to a LAN computer or to LAN address.
    Then the ping should work; however, the ping destination you have to enter is still a WAN address.

  • That's incorrect; his configuration will work without any NAT whatsoever. The routing table is not correct: anything destined for from the network needs to have as its next hop, not as is reflected in that routing table.
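
The two replies above (the one asking for netstat -rn output and the one about the wrong next hop) both come down to one check: the gateway a host picks for the LAN net must itself sit on a subnet the host is directly connected to. The script below is an added example, not code from any poster in this thread or from pfSense; it parses constructed Windows route print rows, does the same longest-prefix lookup the host does, and reports when the chosen next hop is unreachable. The addresses are RFC 5737 documentation ranges standing in for the stripped IPs: WAN net 192.0.2.0/24 (pfSense WAN 192.0.2.1, WAN test server 192.0.2.10) and LAN net 198.51.100.0/24 (pfSense LAN 198.51.100.1); the sample tables and the bogus next hop 203.0.113.1 are made up for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example for the thread above; none of this is code posted by a participant.
# Addresses are RFC 5737 documentation ranges used as placeholders for the thread's
# stripped IPs: WAN 192.0.2.0/24 (pfSense WAN 192.0.2.1, test server 192.0.2.10),
# LAN 198.51.100.0/24 (pfSense LAN 198.51.100.1).


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means "On-link" (directly connected)
    interface: ipaddress.IPv4Address
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Parse the Active Routes rows of Windows `route print` / `netstat -rn` output."""
    table = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, blank or section line
        dst, mask, gw, iface, metric = parts
        try:
            network = ipaddress.IPv4Network(f"{dst}/{mask}", strict=False)
            interface = ipaddress.IPv4Address(iface)
            gateway = None if gw == "On-link" else ipaddress.IPv4Address(gw)
            table.append(Route(network, gateway, interface, int(metric)))
        except ValueError:
            continue  # not a route row
    return table


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; lower metric wins ties, as the host's stack does."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def effective_next_hop(table: List[Route], dst: str) -> Optional[ipaddress.IPv4Address]:
    """The address the host will ARP for: the gateway, or dst itself when on-link."""
    r = lookup(table, dst)
    if r is None:
        return None
    return r.gateway if r.gateway is not None else ipaddress.IPv4Address(dst)


def next_hop_problem(table: List[Route], dst: str) -> Optional[str]:
    """None if the chosen route is usable, else why the packet cannot leave the host.

    A gateway is only reachable if some On-link route covers it; otherwise the host
    has no interface on which to ARP for it and the route is dead. That is what a
    static route pointing at the wrong next hop looks like.
    """
    r = lookup(table, dst)
    if r is None:
        return "no route, not even a default"
    if r.gateway is None:
        return None
    if not any(c.gateway is None and r.gateway in c.network for c in table):
        return f"next hop {r.gateway} is not on any directly connected subnet"
    return None


# Constructed sample: WAN test server with pfSense's WAN address as its default
# gateway and no static routes. This is the setup the thread says should just work.
DEFAULT_ONLY = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       192.0.2.1      192.0.2.10      10
        127.0.0.0        255.0.0.0         On-link       127.0.0.1     306
        192.0.2.0    255.255.255.0         On-link      192.0.2.10     266
       192.0.2.10  255.255.255.255         On-link      192.0.2.10     266
"""

# Same host plus a static route for the LAN net via a next hop the host is not
# connected to (the mistake the replies point at). 203.0.113.1 is a made-up address.
BROKEN_STATIC = DEFAULT_ONLY + \
    "     198.51.100.0    255.255.255.0     203.0.113.1      192.0.2.10      11\n"

# Same host with the static route pointing at the firewall's WAN address instead.
FIXED_STATIC = DEFAULT_ONLY + \
    "     198.51.100.0    255.255.255.0       192.0.2.1      192.0.2.10      11\n"


if __name__ == "__main__":
    for name, text in (("default only", DEFAULT_ONLY),
                       ("broken static", BROKEN_STATIC),
                       ("fixed static", FIXED_STATIC)):
        table = parse_route_print(text)
        print(name, "->", effective_next_hop(table, "198.51.100.1"),
              next_hop_problem(table, "198.51.100.1") or "ok")
```

With only the default route, the LAN address already resolves to the firewall's WAN interface as next hop, which is why no static route is needed on the test server when pfSense is its default gateway; the static route only helps if it points at an address on a directly connected subnet.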

  • Thanks for all the input, guys. I've added a static route; does this look better? It still doesn't work :(

    Interface List
    13 ...02 bf c0 a8 01 5d ...... Intel(R) PRO/1000 MT Network Connection #2
    10 ...00 50 56 83 5f 58 ...... Intel(R) PRO/1000 MT Network Connection
      1 ........................... Software Loopback Interface 1
    12 ...00 00 00 00 00 00 00 e0
    11 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
    14 ...00 00 00 00 00 00 00 e0  isatap.{6832356F-FDB4-45A8-8ED9-4AF0F07FE655}

    IPv4 Route Table

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
          On-link    306
          On-link    306
          On-link    306
      3   On-link    257
          On-link    257
          On-link    258
          On-link    258
          On-link    258
          On-link    306
          On-link    257
          On-link    258
          On-link    306
          On-link    257
          On-link    258

    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric

    IPv6 Route Table

    Active Routes:
    If Metric Network Destination      Gateway
      1    306 ::1/128                  On-link
      1    306 ff00::/8                On-link

    Persistent Routes:

  • I'm just trying to troubleshoot this problem using the web GUI of the firewall. Should I be able to ping from the WAN to The firewall rules are there to allow this, but no routing is set up on the firewall.

  • If you have a address set up, yes, you should be able to ping from the firewall's WAN interface. You shouldn't need any static routes on the firewall.

    I've replicated your exact address configuration (aside from your routing table weirdness), and it works right out of the box. Are you able to ping from

  • Hmm, that is very strange.

    I am unable to ping from, but would I need a route added to this machine for it to work?

    The is the IP of the LAN interface on the firewall, and I cannot ping this from the WAN via the firewall GUI.

  • Post the routing table of your LAN device, and post your current LAN and WAN firewall rules.
