Unable to route any non-ICMP traffic from OPT1 -> LAN or WANs



  • Hi all,

    I can't get my pfSense to route any traffic except ICMP from OPT1 to LAN or to my two WAN interfaces. Since I'm using a Celeron J1900 mainboard I can't use the latest stable release to verify if this is a pfSense 2.2 issue or just a configuration issue. I'm running the latest "2.2-ALPHA (amd64) built on Wed Jul 16 09:13:49 CDT 2014" build.

    I've configured OPT1 with a static IP (10.0.1.1), enabled DHCP for it and enabled the DNS Forwarder - I've attached a screenshot of the interface definition. Then I used the System Log -> Firewall to create several 'Easy Rules' based on requests I did with a client on the OPT1 network - I basically did three things:

    • Allow ICMP ping and DNS to the OPT1 10.0.1.1 gateway

    • Allow ICMP ping and HTTP to the IP of www.google.de (173.194.112.56)

    • Allow ICMP ping and SSH to the 10.0.0.11 host on the LAN network

    I've attached another screenshot showing the rules I've created via the blocked traffic listed in the Firewall log. My problem is that I can ping all three allowed addresses without problems: the gateway, the IP of www.google.de as well as the host on the LAN network. But DNS requests to the gateway, HTTP to www.google.de or SSH to the LAN host don't get through the firewall. As soon as I've added those rules all further requests aren't listed in the Firewall Logs any more - it just looks like they're properly routed. On the other hand, the LAN network works like a charm: I can use both my WAN gateways without a problem and all uplink DNS servers do reply via the DNS forwarder to incoming requests.

    Does anyone have an idea where to start to track this problem down? My attempts to do so have failed so far. OPT1 uses a D-Link USB Ethernet adapter connected to ue0. But I'm pretty sure that this isn't hardware related since I'm using an identical adapter for one of my WAN interfaces - also swapping them with each other didn't make a difference.

    I'm kinda having the feeling that I'm missing something very stupid here... Any help is highly appreciated ;)

    Greetings,
    Markus
    ![1 OPT1 Interface.png](/public/imported_attachments/1/1 OPT1 Interface.png)
    ![2 OPT1 DHCP.png](/public/imported_attachments/1/2 OPT1 DHCP.png)
    ![3 OPT1 Firewall Rules.png](/public/imported_attachments/1/3 OPT1 Firewall Rules.png)



  • Maybe you should just add an 'ALLOW, PROTO: ANY, SRC: ANY, DEST: ANY' rule and remove all the others.

    See if that works; you can start restricting afterwards. (pfSense will block EVERYTHING by default.)



  • I've tried that in the first run by duplicating the 'allow everything on LAN' rule to OPT1, but the problem is still the same: I can ICMP ping IPs on LAN and WANs, but DNS to the gateway or any other non-ICMP traffic is still blocked somewhere.



  • Problem solved - I had to switch NAT Outbound from Manual Outbound NAT rule generation (AON - Advanced Outbound NAT) to Automatic outbound NAT rule generation (IPsec passthrough included).



  • I'm using the 'Automatic outbound NAT rule generation' mode on my pfSense installation as shown in the attached screenshot. The OPT1 10.0.1.0/24 interface is also listed there with rules for both of my WAN interfaces.

    ![4 Outbound NAT.png](/public/imported_attachments/1/4 Outbound NAT.png)



  • I was able to solve my issue:

    The D-Link DUB-E100 USB Ethernet adapters I've used seem to be not fully supported in the C1 hardware version. The fact that I used two of those adapters and both of them work properly with a PPPoE DSL modem misled me into searching in the firewall's configuration.

    So with the current 2.2-ALPHA, ICMP, PPPoE and presumably other layer 3 traffic work with the DUB-E100 C1 adapter, but any layer 4 traffic like TCP or UDP is lost somewhere. I'm now using a Delock 61969 USB Ethernet adapter for my OPT1 network, which works like a charm.
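A client-side check for the symptom this thread describes (ping works, but DNS over UDP and TCP connections never get a reply), added here as an example and not code from any post in the thread. It sends a hand-built DNS query and a TCP connect from a host on the OPT1 side and distinguishes a connection that is refused (an RST came back, so the layer 4 path works) from one that simply times out (dropped by a rule, by missing outbound NAT, or lost in the NIC driver, as it turned out here); ICMP is left to the ordinary `ping` tool, since raw sockets need root. Host, port and query name are constructed test values.

```python
import random
import socket
import struct


def build_dns_query(name, txid):
    """Hand-build a minimal DNS A query for `name` with transaction id `txid`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def probe_udp_dns(host, port=53, name="www.google.de", timeout=2.0):
    """Return True only if a DNS reply carrying our transaction id comes back over UDP."""
    txid = random.randrange(1, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_dns_query(name, txid), (host, port))
            data, _ = s.recvfrom(512)
        except (socket.timeout, OSError):
            return False  # nothing came back: UDP did not make it to the forwarder
    return len(data) >= 12 and struct.unpack("!H", data[:2])[0] == txid


def probe_tcp(host, port, timeout=2.0):
    """Classify a TCP connect as 'open', 'closed' (RST received) or 'filtered' (no answer)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"    # the host answered at layer 4; the service just is not listening
        except (socket.timeout, OSError):
            return "filtered"  # no SYN/ACK and no RST: the packets are lost somewhere


def triage(gateway, lan_host, ssh_port=22):
    """Run the thread's three checks from an OPT1 client: DNS to the gateway, SSH to the LAN host."""
    return {
        "dns_to_gateway": probe_udp_dns(gateway),
        "ssh_to_lan_host": probe_tcp(lan_host, ssh_port),
    }


if __name__ == "__main__":
    # Constructed example values matching the thread's addresses; run from the OPT1 network.
    print(triage("10.0.1.1", "10.0.0.11"))
```

A result of `False` for DNS together with `filtered` for SSH, while `ping` to the same hosts succeeds, is exactly the pattern that separates a layer 4 drop from a routing problem.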