No access from LAN to WAN
-
Hi.
Can anyone please help me? Probably the answer is already somewhere in the forum, but unfortunately I have not found it until now.
For two days I have been fighting to get access to the internet across a pfSense firewall from one virtual server and can't find the barrier or the cause of the problem. I very much hope that a forum member can help me. For example, I can't ping google.de. By the way, I'm a bloody beginner; it's my second firewall and my first pfSense…
Many thanks for every help.
:) Ulrich
Here is my configuration...:
+-------------------+
| Client_Win7 |
+--------+---------+
| LAN 10.10.10.10
|
| Ethernet IP
|
+--------+----------+
| Gateway |
+--------+----------+
|
+--------+----------+
| Internet |
+--------+----------+
|
+--------+----------+
| Gateway |
+--------+----------+
| LAN 5.5.5.1
|
| Ethernet IP
|
|
| WAN 5.5.5.5/24
| Static IPv4
| Upstream Gateway 5.5.5.1
| unchecked Block private networks
| unchecked bogon networks
+--------+-----------------------------------------------------------------------------------+
| virtual machine |
| Firewall_pfSense |
| V:2.1.3-RELEASE |
| enabled DNS forwarder |
| Automatic outbound NAT rule generation |
| Rules: LAN.1 Action:Pass Interface:LAN Protocol:any Source:any Dest: any |
| Rules: WAN.1 Action:Pass Interface:WAN Protocol:TCP Source:any Dest: any |
| Rules: WAN.2 Action:Pass Interface:WAN Protocol:ICMP Source:any Dest: 5.5.5.5 |
+--------+-----------------------------------------------------------------------------------+
| LAN 10.0.0.1/24
| Static IPv4
| unchecked Block private networks
| unchecked bogon networks
|
|
| Ethernet IP
|
| LAN 10.0.0.2/24
| Gateway 10.0.0.1
| DNS 10.0.0.1
+--------+------------+
| virtual machine |
| Server_Win2008 |
+----------------------+
I can use from Client_Win7 the pfSense-webConfigurator with http://5.5.5.5
I can use from Server_Win2008 the pfSense-webConfigurator with http://10.0.0.1
I can ping from Server_Win2008 to 10.0.0.1
I can ping from Client_Win7 to 5.5.5.5
I can ping from Firewall_pfSense to 10.0.0.2
I can ping from Firewall_pfSense to 173.194.70.94
I can use on Server_Win2008 nslookup google.de and get 173.194.70.94
I can use on Server_Win2008 tracert google.de and get: first hop 10.0.0.1 and after this many "Request timed out"
I can't ping from Server_Win2008 to 173.194.70.94
-
Maybe that's a NAT issue.
Try to add a manual outbound NAT rule. pfSense does this automatically under normal circumstances without displaying the rules. But sometimes this fails.
Go to Firewall > NAT > Outbound. Check "Manual outbound rule generation" and click Save. If pfSense has generated rules automatically they will be displayed now. If not, add a rule, enter your LAN network and mask at Source, leave Destination at any, click Save below, then click Apply changes.
I think it should work now, because all other operations seem to be okay.
-
Hi viragomann,
first of all many thanks for your reply.
If I switch from automatic to manual outbound rule generation, I see the three standard rules, including the rule from LAN to WAN with no restrictions. Also after saving these rules, the effect was the same: no ping to an internet IP possible, only three "request timed out" answers.
Meanwhile I have monitored the incoming and outgoing IP packets with tcpdump at the LAN interface of pfSense and see the outgoing echo request AND the incoming echo reply, but nonetheless no answer at the Server_Win2008.
It seems to be "only" a forwarding problem from Firewall_pfSense to Server_Win2008, but I can ping from Firewall_pfSense to Server_Win2008 AND from Server_Win2008 to Firewall_pfSense.
Perhaps it's not a pfSense problem but rather one of the supervisor (Parallels bare metal server)…
Ulrich
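The tcpdump observation above (echo request and echo reply both visible on the pfSense LAN interface, yet no reply at the host) is the key fact in this thread, because it places the drop between the firewall's LAN interface and the VM rather than in pfSense rules or NAT. The following is an added example, not code from the thread or from pfSense, that pairs ICMP echo requests with their replies from `tcpdump -n` output by (source, destination, id, seq) and turns the result into that diagnosis. The capture lines are constructed for the example; the interface name em1 in the comment is an assumption, as is the host address 10.0.0.2 taken from the diagram.

```python
import re
from typing import Dict, List, Tuple

# Matches the ICMP echo lines that 'tcpdump -n icmp' prints, e.g.
# 12:00:01.000001 IP 10.0.0.2 > 173.194.70.94: ICMP echo request, id 1, seq 5, length 40
ICMP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed sample capture (not from the original thread): what
# 'tcpdump -ni em1 icmp' on the pfSense LAN interface (em1 is an assumed
# name) might show while 10.0.0.2 pings 173.194.70.94 and then pings the
# firewall itself. Seq 7 to 173.194.70.94 never gets a reply.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.0.0.2 > 173.194.70.94: ICMP echo request, id 1, seq 5, length 40
12:00:01.021300 IP 173.194.70.94 > 10.0.0.2: ICMP echo reply, id 1, seq 5, length 40
12:00:02.000001 IP 10.0.0.2 > 173.194.70.94: ICMP echo request, id 1, seq 6, length 40
12:00:02.020900 IP 173.194.70.94 > 10.0.0.2: ICMP echo reply, id 1, seq 6, length 40
12:00:03.000001 IP 10.0.0.2 > 173.194.70.94: ICMP echo request, id 1, seq 7, length 40
12:00:03.500000 IP 10.0.0.2 > 10.0.0.1: ICMP echo request, id 2, seq 1, length 40
12:00:03.500300 IP 10.0.0.1 > 10.0.0.2: ICMP echo reply, id 2, seq 1, length 40
"""

# (pinging host, target, ICMP id, ICMP seq) of the echo request
Key = Tuple[str, str, int, int]


def correlate(capture: str) -> Dict[str, List[Key]]:
    """Pair echo requests with replies seen on the same interface.

    Returns {'answered': [...], 'unanswered': [...]} keyed by the request's
    (source, destination, id, seq). A reply matched in 'answered' proves the
    packet went out through the firewall and came back as far as this
    interface; anything that still drops it sits between here and the host.
    """
    pending: Dict[Key, str] = {}
    answered: List[Key] = []
    for line in capture.splitlines():
        m = ICMP_LINE.match(line)
        if not m:
            continue  # not an ICMP echo line; ignore
        icmp_id, seq = int(m["id"]), int(m["seq"])
        if m["kind"] == "request":
            pending[(m["src"], m["dst"], icmp_id, seq)] = m["ts"]
        else:
            # A reply carries the request's addresses reversed.
            key = (m["dst"], m["src"], icmp_id, seq)
            if pending.pop(key, None) is not None:
                answered.append(key)
    return {"answered": answered, "unanswered": sorted(pending)}


def verdict(result: Dict[str, List[Key]], host: str, host_saw_replies: bool) -> str:
    """Turn the correlation for one host into a diagnosis.

    host_saw_replies is what the host itself reported (its ping output);
    the capture alone cannot know that.
    """
    answered = [k for k in result["answered"] if k[0] == host]
    unanswered = [k for k in result["unanswered"] if k[0] == host]
    if answered and not host_saw_replies:
        return ("Replies reach the LAN interface but not the host: look between "
                "pfSense and the host (virtual switch / hypervisor), not at rules or NAT")
    if answered:
        return "Path works: requests and replies both seen and the host receives them"
    if unanswered:
        return ("Requests leave the host but no reply comes back: check outbound NAT "
                "and the WAN/upstream path")
    return ("No echo requests from the host on this interface: check the host's "
            "default route and the LAN pass rule")


if __name__ == "__main__":
    res = correlate(SAMPLE_CAPTURE)
    print("answered  :", res["answered"])
    print("unanswered:", res["unanswered"])
    # The host said "Request timed out" for every probe, as in the thread.
    print(verdict(res, "10.0.0.2", host_saw_replies=False))
```

Run it against a real capture with `tcpdump -nl -i <lan-if> icmp | python3 script.py` after replacing SAMPLE_CAPTURE with `sys.stdin.read()`; the verdict only holds for the interface you captured on, so capture on the LAN side to separate "pfSense never forwarded it" from "the VM never received it".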
-
Meanwhile I have monitored the incoming and outgoing IP packets with tcpdump at the LAN interface of pfSense and see the outgoing echo request AND the incoming echo reply, but nonetheless no answer at the Server_Win2008.
Perhaps it's not a pfSense problem but rather one of the supervisor (Parallels bare metal server)…
I would assume that also, if the ICMP replies are addressed correctly in tcpdump.
-
" Upstream Gateway 5.5.5.1"
You entered that manually in the console during configuration? If so, then try it again without doing that and just press Enter.
-
OK.
I have done a factory reset and then configured without a gateway. Ping from Firewall_pfSense and Server_Win2008 failed, because there is no available route to the DNS and subsequently to the ping destination. After setting the gateway via the webConfigurator, all is again as described in the thread-starting description. Which positive effect do you think can come from no gateway declaration during the configuration? I assumed no problem with the gateway, because of the successful ping from Firewall_pfSense to google.de. Anyway, thank you very much for your assistance and your tip.
:) Ulrich
-
SOLVED.
For your info: the virtual switch inside the virtualisation environment has dropped my IP packets in the context of some security checks. Now the provider has switched off the checks and my problem is solved. Until now I had never heard about a virtual switch outside of a VLAN…
-
SOLVED.
For your info: the virtual switch inside the virtualisation environment has dropped my IP packets in the context of some security checks. Now the provider has switched off the checks and my problem is solved. Until now I had never heard about a virtual switch outside of a VLAN…
The provider has switched off the checks? Do you mean ISP? Perhaps you could elaborate a little more. Anything else interesting? :) I'll have to look again to see what VM software you're using. I don't see it. Are you using ESXi or what?
I guess it must be your setup too, because it's much more complex than mine. I'm just using pfSense as a firewall for one system. That is, until I manage to get a wireless access point. Much like any user I still go through many trials and tribulations. There was a quote here that fit me perfectly. I don't remember who it was that wrote it, but it was "fix it until it's broken". It just makes me smile, lol.
-
The ISP uses a bare metal server from Parallels, no VMware. The provider told me that he has switched off some security checks of the virtual switch. My problem here was (or is) that I only have access to the agreed count of single virtual machines, not to the server itself. The standard configuration of the ISP was one private and one public IP address (with two interfaces) for each virtual machine, and my plan is one firewall machine with a public IP address, and all further machines have no public IP and go through the firewall. It seems that this configuration was an exception for my ISP…