OPT1 no internet access, ping between OK



  • OK, I'm a new user on pfSense and I got a slight problem.
    I got a pfSense server with one WAN (xx.xxx.110.52/26), one LAN (xx.xxx.117.48/28) and one OPT1(192.168.10.1/24).
    I got internet on LAN, but not on OPT1.
    I got ping from a client on OPT1 through 192.168.10.1, through LAN xx.xxx.117.48, through WAN xx.xxx.110.52, DHCP Server and DNS are working.
    I've created a rule for OPT1: Action>Pass, Interface>OPT1, TCP/IP Version>IPv4, Protocol>any, Source>OPT1 net, Destination>any, and Automatic outbound NAT rule generation.

    I've read about other similar problems on the forum and changed the settings again and again, but still no internet for OPT1 clients.

    Thanks for taking the time to help…
    ![macumba.office - Firewall Rules Edit.png](/public/imported_attachments/1/macumba.office - Firewall Rules Edit.png)
    ![macumba.office - Status Interfaces.png](/public/imported_attachments/1/macumba.office - Status Interfaces.png)


  • Netgate Administrator

    You seem to have bridged LAN and OPT1. Any reason why you've done that?

    Steve



  • It's the same with or without the bridged settings. I followed a topic here that said that, but now I disabled the bridged setting and still no internet on OPT1.

    ![ping tracert.jpg](/public/imported_attachments/1/ping tracert.jpg)


  • Rebel Alliance Global Moderator

    So your LAN segment is public as well? Did you turn off natting? Are you manually natting then for your OPT1 network?



  • Automatic NAT and one manual

    ![macumba.office - Firewall NAT Outbound.png](/public/imported_attachments/1/macumba.office - Firewall NAT Outbound.png)


  • Rebel Alliance Global Moderator

    Unless they have changed something in the latest 1.2 1.3 builds - manual is not used if automatic is set.

    Maybe one of the devs can validate that - but my understanding from before was if you're automatic it does not matter what is listed there. Only if you're manual are those put into play.

    So on your LAN network that looks like a public IP. Why is there no NAT in automatic - did you put a gateway on that interface so it thinks it's WAN?


  • Netgate Administrator

    No mention of it in the docs and that type of hybrid NAT setup is slated for 2.2, so I doubt it has changed. Usually when you change to manual from auto it fills into the table all the rules created by auto-NAT. I would expect to see more than that. When you change back to auto though the displayed rules remain unchanged even though auto-NAT has added back rules as I understand it.

    An extra gateway on one of those interfaces would be my guess also.

    Steve


  • Rebel Alliance Global Moderator

    Yup, that is my understanding as well. If you switch to manual it takes all the rules that it auto created and puts them into manual and displays them - if you switch back to auto they are still displayed but not in use. So thanks stephenw10 for the clarification that I did understand it. So that this is slated to change in 2.2 is news, will have to pay attention when I make the switch over.

    Since he doesn't show any rules when he was in manual for that LAN interface, which seems to be public from his mask of the first 2 octets, it's difficult to be sure, but assume that from the mask and smaller netmask on it.

    Curious how that is working to be honest, if you placed that on LAN by default it would be natted, etc. I would question if that is working how you think it's working - is it possible you have a layer 1 path that connects that to your WAN? From the masks given it's not a subnet of the /26. So that is routed to your WAN IP that you have a /26 on?

    Can you validate the IP space you have on the LAN interface - is it public, if so how do you have that routed to pfSense? Did you place a gateway on that LAN interface that points where?



  • Thanks guys. It was the Automatic NAT setting. When this is chosen, manual settings do not engage.
    On my LAN I have public IPs /28.


  • Netgate Administrator

    So it's all working as you wish now?

    As I mentioned above when 2.2 is released, or you try a 2.2 pre-release snapshot, there will be a new outbound NAT mode that will function as you expected it to.

    @https://doc.pfsense.org/index.php/2.2_New_Features_and_Changes:

    Hybrid outbound NAT style that allows the user to keep the existing automatic behavior but layer manual rules on top of it.

    Steve