  • I'll try to keep this short..  Tonight I tried upgrading my pf hardware.  Currently I use a Dell optiplex 320, I have a Broadcom two headed gigabit nic and an intel single gigabit nic.

    I installed the latest pfsense on a Lenovo thinkcenter 71, but it would not recognize my dual Broadcom nic.. At all.  I rebooted numerous times, swapped PCI-e slots but to no avail, so I reverted back to my old hardware.  I do not know what happened but I could not get the wan nic to pull dhcp.  (I have charter BTW)

    So after about two hours of rebooting, swapping interfaces and lots of bad words  I am now sitting with a wan ip, a LAN ip and I am in the pf web interface.  In fact I just downloaded and installed the latest version of pf on the pf box via the Dashboard update status.

    However my Windows 8.1 box cannot surf at all, at first I thought it was dns but I cannot ping google, yahoo, my companies web page either by UNC or IP.  Nothing at all..

    I tested the cable modem by pulling my test netbook directly into the modems Ethernet jack and got out just fine.  So pfsense can surf itself, but no clients can.

    I installed squid3, and squid guard for version 3 and both are enabled as they should be.

    Internet explorer, chrome both cannot pull up any URl I try that's external to my network.  Its late and I'm running on fumes can anyone toss me some help?


  • UPDATE: this morning I confirmed.. my iphone, ipad, and the other desktops in my house cannot pull any web page, they cannot ping any external host, nothing.

    My pf is setup as a DHCP server, I have it handing out IP's in that same subnet as it's own LAN interface, I have it using Google DNS and it's LAN interface is the default GW.  I setup my original PF box about 2 years ago and it's been churning along this whole time.  I've used Untangle, and Astaro before too so it's not my first rodeo but I'll be d@mned if I can figure out what my problem is now.

    Any help out there?

  • If there is something I'm leaving out, making me appear to be a nooblet who doesn't know how to post then someone please tell me.  I am not familiar enough with pf to know what logs might be relevant and *bsd OS's are like greek.  When i setup the original box it just worked, so I did not have to tweak or troubleshoot anything.

    here's a quick diagram:

    Internet -> Pfsense WAN=bce0 LAN=em0 -> Netgear gigabit switch -> Belkin 802.11n -> Win8.1
                                                                                                                                            -> ipad/roku/laptop/two desktops

    DHCPD range - 200
    All subnet Masks are

    Cannot ping name/ip from Win8.1/laptop/ipad
    Can ping from Pfsense

    FW rules are not blocking outbound traffic at all

    I can bypass PF and directly uplink to Cable modem, netbook pulled an IP and worked flawlessly.

  • resolved.

    set default gateway on LAN interface to none.

  • LAYER 8 Global Moderator

    This seems to be a very common issue, user setting gateway on the LAN interface..  What I really don't understand is how this happens..  Nowhere in the setup process does it ask for this.  Now sure if you manually go into the console to edit the interface it asks for it.. But it gives you this warning even

    Enter the new OPT2 IPv4 address.  Press <enter>for none:

    Subnet masks are entered as bit counts (as in CIDR notation) in pfSense.
    e.g. = 24  = 16    = 8

    Enter the new OPT2 IPv4 subnet bit count:


    For a WAN, enter the new OPT2 IPv4 upstream gateway address.
    For a LAN, press <enter>for none:</enter>

    In the gui its clearly stated
    If this interface is an Internet connection, select an existing Gateway from the list or add a new one using the link above.
    On local LANs the upstream gateway should be "none".

    Maybe they should change this text to be HUGE FONT, RED and Blinking? ;)

    Why would anyone with even basic understanding of networking put a gateway on a "LAN" interface on their router? ;)  What would you even put?  But don't feel all that bad - its really common to find users putting on the lan interfaces so your not alone.  What I don't get is why - what was the thought process?</enter>

  • Netgate Administrator

    I can absolutely understand how people come to have a gateway on LAN. Many people are coming from previous experience with SOHO routers and networks of windows boxes where failing to fill out a box labelled gateway results in nothing working.
    The more interesting question to me is what happened somewhere around 2.0.2 that made this common error suddenly a lot more common? Nothing appeared to obviously change in the code but around that time there were many posts with errors resulting from this.  :-\ Phil and I discussed it a while back but never came to any conclusion.


  • Is there ever a scenario where you'd need to specify a GW on the LAN interface?  I'm not coming from a SOHO background though.. zipping through the setup I guess I didn't give it enough thought.  And in the console is exactly where I applied it too, I did not have Web configurator access at that time.

  • Netgate Administrator

    The only time you would ever have a gateway on LAN is if you had routed subnets via some other device on that network that pfSense needed to access. Even then you might not do that because adding a gateway to the interface makes pfSense treat it as a WAN and start NATing traffic to it.

    Thanks for the feedback on this. I think we made some suggestions for changing the text but I can't find the thread now. From a personal view point it's hard to understand how this error happens but that's often the case. When you're used to doing something the correct way it becomes hard to see how it could be done any other way.  ::)

    Edit: Here:


  • If you work with it alot then yeah, it would be difficult to understand.  I hit that bump often myself.  Even just a little confirmation dialog would probably help alot.

