Vanilla install PFSense Business Test – no internet



  • INTERNET----MODEM----WAN-PFSENSE-LAN----SWITCH-------LAN PC
    I'm running version 2.1.5-Release default. LAN IP 192.168.1.1 with DHCP working; users' PCs pick up an IP no problem. I can ping the LAN interface on PFSense & the WAN interface, but cannot resolve to anything external. I'm a newbie to PFSense, testing for business use. I presumed (I know, always dangerous) default PFSense out of the box was ready to roll. FYI, if I remove the PFSense machine and put my ASA in place all works fine, so I know I have no internal issues. Do I need to set up NAT on PFSense? Was my presumption about vanilla PFSense correct?



  • Check the firewall log to see blocking rules.
    Are you running automatic outbound NAT or manual in pfSense? How does the modem connect to the internet?

    We need more detailed info to troubleshoot.



  • Modem in bridge mode (FYI, seems to work fine; it hands over the IP to the PFSense WAN interface no problem)

    See attached nat.jpg for FW rules
    Outbound NAT set to "Automatic outbound NAT rule generation"
    Let me know what other details you need




  • Go to interfaces > wan
    Look for "block private IP"
    un-check it.

    Save.

    Then try.


  • Netgate Administrator

    You assume correctly that the default config should be ready to roll giving internet access to LAN side clients.

    Since it appears you have access to the webgui you can check if the pfSense box has internet access. On the dashboard is it reporting 'you are on the latest version' or 'unable to check for updates'?
    When you try to connect to an external host from the lan what is the error given? What if you try to ping by url or ip?

    Just for information, the 'block private networks' rule on WAN will not stop LAN clients getting a connection even if your WAN has a private IP. It blocks incoming connections only, just like any other rule. You should disable it if your WAN subnet is private because it will cause issues later if you need to run port forwards etc.

    Steve

    Edit: typo



  • @kejianshi:

    Go to interfaces > wan
    Look for "block private IP"
    un-check it.

    Don't. No relation.

    Check what Steve said.



  • Not necessarily true, genius, unless you can KNOW for sure that he didn't accidentally pass a private IP to the WAN.

    People are forever thinking they bridged a modem/router but didn't get it right accidentally.  I'd say 9/10ths of the time that's the case in a situation like this where a vanilla install of pfSense doesn't work and some other cheapo router does.  It's just a thing to check.

    If the bridge was done incorrectly or not at all, which is often the case, allowing a private IP on the WAN would show that quickly.

    Then, if that is the problem, he could fix it.

    So, CMB, it's at best POSSIBLE that what I suggested will make no diff.  Depends on if the OP got the bridge right.
    It's one freakin' button click.  If it changes nothing, it's one button click to change it back.

    Another possibility is that the ISP is disallowing his MAC, in which case cloning the MAC of the working router, presumably the one that was there before pfsense, should clear things up.

    I've seen both cases many times.


  • Netgate Administrator

    I'm not arguing that you shouldn't disable 'block private networks', indeed if the WAN is in a private subnet you should for the reasons I gave. In fact I'm not trying to argue at all.  ;)
    It's just purely for information because I see this suggested a lot by many people as a cause of 'no internet on LAN'. When diagnosing this type of issue you need to be aware that the 'block private networks' rule cannot prevent clients on LAN from accessing the internet.

    Now getting a private IP on WAN when you thought the modem was bridged in some way, that's a definitely a clue that something is amiss.  :)

    Steve



  • It's not so much you, Steve.  Your advice is in fact reasonable and valid.

    But CMB was out of line, and possibly wrong (it's a coin toss - depends on the proficiency of the OP)

    There is just no good reason to show up saying don't try something unless you are 100% sure it will have zero effect.

    When I posted the original suggestion it was with full knowledge that it might not help anything.

    In which case I'd suggest checking the MAC.

    In fact there is a laundry list of simple checks that need be done if that fails.

    Could be any simple thing - but its definitely something simple.

    BTW - I presumed things on the LAN are working fine. 
    OP states "cannot resolve to anything external". 
    With that language, could be DNS I guess.  I'm doubting it though if he really is using a default install.



  • I presumed (a) default PFSense out of the box was ready to roll.

    Usually is.  :)

    OP = Try inputting one of these IPs and see if it makes it…  they should all take you to Google.

    173.194.33.167
    173.194.33.174
    173.194.33.160
    173.194.33.163
    173.194.33.166
    173.194.33.168
    173.194.33.161
    173.194.33.165
    173.194.33.164
    173.194.33.169
    173.194.33.162

    If it works-  how is your WAN setup?    DHCP,  Static,…  ??



  • @kejianshi:

    Not necessarily true genius unless you can KNOW for sure that he didn't accidentally pass a private IP to the WAN.

    Wrong. That affects only traffic sourced on WAN.

    @kejianshi:

    There is just no good reason to show up saying don't try something unless you are 100% sure it will have zero effect.

    I only state things in such a fashion where I am 100% sure it cannot affect that scenario. It can't.



  • @cmb:

    @kejianshi:

    Not necessarily true genius unless you can KNOW for sure that he didn't accidentally pass a private IP to the WAN.

    Wrong. That affects only traffic sourced on WAN.

    I only state things in such a fashion where I am 100% sure it cannot affect that scenario. It can't.

    Yep-

    I have a client that has a 10.x.x.x ip on their WAN as they are on a wireless internet provider and actually in this case on a local router across the highway on their own wireless bridge (over a VLAN) plugged directly into fiber.  2.5ms to a major fiber backbone, very cool!

    The only reason I had to uncheck the "Block Private Networks" box was to allow the ISP (whom I work with and trust) to be able to log into the pfSense box from the WAN side.  We were online just fine before that.



  • I've had to uncheck that box for every double NATed pfsense I ever connected.  (Private IP on the WAN)

    Must be just me (-;



  • The only scenario where you have to disable that is if you need to pass in traffic on WAN initiated from a private network. That's almost never the case in double NAT scenarios along these lines. About the only time it's necessary to disable it is where the system is an internal router/firewall, or other circumstance where its WAN is connected to one of your LANs.
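    As an added illustration of the point Steve and cmb make above (this is constructed example code, not pfSense's own code and not code anyone in the thread posted): pf consults its state table before it evaluates any rule, and a LAN-originated connection creates a state as it leaves WAN, so the reply from a private-addressed WAN gateway matches that state and is never tested against 'Block private networks'. The rule only ever hits a connection *initiated* from a private source arriving on WAN. The toy also models the 'no outbound NAT rule' symptom raised later in the thread. The class, the packet shape and all addresses (10.0.0.5/24 WAN, 192.168.1.50 client) are assumptions made for the example, and the private-network list is the RFC1918 ranges only.

```python
import ipaddress
from dataclasses import dataclass

# RFC1918 space; a simplification of what the WAN "Block private networks" rule matches on.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    iface: str       # "wan" or "lan"
    direction: str   # "in" or "out", relative to that interface
    src: str
    dst: str


class ToyPf:
    """Constructed model of pf's order of operations: state table, then rules."""

    def __init__(self, wan_ip, wan_cidr, block_private_on_wan=True):
        self.wan_ip = wan_ip
        self.wan_net = ipaddress.ip_network(wan_cidr, strict=False)
        self.block_private_on_wan = block_private_on_wan
        self.states = set()  # (src, dst) pairs of connections allowed out on WAN

    def _rules(self, p):
        """Ruleset evaluation in the order pfSense installs its default rules."""
        if p.iface == "wan" and p.direction == "in":
            if self.block_private_on_wan and is_private(p.src):
                return "block: Block private networks"
            return "block: default deny on WAN"
        if p.iface == "lan" and p.direction == "in":
            return "pass: Default allow LAN to any"
        if p.iface == "wan" and p.direction == "out":
            return "pass"
        return "block: default deny"

    def filter(self, p):
        # 1. State table first. A reply to a connection we let out is passed
        #    here and never reaches the ruleset, so a WAN block rule cannot
        #    break a LAN-initiated connection.
        if p.iface == "wan" and p.direction == "in" and (p.dst, p.src) in self.states:
            return "pass: matched existing state"
        # 2. Only now the rules.
        verdict = self._rules(p)
        if verdict.startswith("pass") and p.iface == "wan" and p.direction == "out":
            self.states.add((p.src, p.dst))
        return verdict

    def lan_roundtrip(self, client_ip, dst, outbound_nat=True):
        """One packet from a LAN client to dst plus its reply; returns per-hop verdicts."""
        trace = [("lan in", self.filter(Packet("lan", "in", client_ip, dst)))]
        if not trace[-1][1].startswith("pass"):
            return trace
        # Automatic outbound NAT rewrites the source to the WAN address.
        src = self.wan_ip if outbound_nat else client_ip
        trace.append(("wan out", self.filter(Packet("wan", "out", src, dst))))
        # The upstream side only answers to an address it can route back to.
        # An untranslated 192.168.1.x source gets no reply at all, which is the
        # "no outbound NAT rule" symptom; no firewall rule is involved in it.
        if is_private(src) and ipaddress.ip_address(src) not in self.wan_net:
            trace.append(("upstream", "no reply: source address not routable from the ISP side"))
            return trace
        trace.append(("wan in (reply)", self.filter(Packet("wan", "in", dst, src))))
        return trace


if __name__ == "__main__":
    # Constructed scenario: the modem was not really bridged, so WAN got 10.0.0.5/24.
    fw = ToyPf(wan_ip="10.0.0.5", wan_cidr="10.0.0.5/24", block_private_on_wan=True)
    for hop in fw.lan_roundtrip("192.168.1.50", "10.0.0.1"):   # LAN client pings the private gateway
        print(*hop)
    # Unsolicited connection from another private host on the WAN side: this is
    # all the rule ever blocks.
    print(fw.filter(Packet("wan", "in", "10.0.0.99", "10.0.0.5")))
    for hop in fw.lan_roundtrip("192.168.1.50", "8.8.8.8", outbound_nat=False):
        print(*hop)
```

    Run it and the first round trip ends in "pass: matched existing state" with the block rule enabled, the unsolicited packet from 10.0.0.99 is the only one that reports "block: Block private networks", and the no-NAT round trip dies upstream before any reply exists for pf to judge.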



  • So just to test again I went into my pfsense VM that is running locally and checked "block private IP" on the WAN because it does have a private IP.

    And nothing happened…  I expected it to fail.

    Which was quite weird for me because in the past on my Verizon FIOS and on comcast I've always had to un-click that button.

    So I was wrong.

    So still has me wondering what's up with this guy's machine?

    DNS?  MAC for wan interface?  Other?



  • Thanks for all suggestions - results as below
    I've also attached some screenshots which I hope may help

    ACTIONS based on suggestions in this thread:
    Go to interfaces > wan -> Look for "block private IP" -> un-check it. -> Save. = no change
    On the dashboard is it reporting 'you are on the latest version' or 'unable to check for updates'? = "Unable to check for updates"
    When you try to connect to an external host from the LAN what is the error given? = through browser, no internet access
    Ping google.com = Ping request could not find google.com. Please check the name and try again.
    Ping by IP = Request timed out.
    Pinging LAN devices = no issues, all devices respond
    STRANGE THING - when I cloned the MAC address and pinged I got an outside result (see capture.png)
    I thought I had cracked it! Then next ping nothing. I don't understand that at all?? Pinging anything after this result failed (by name or IP), nothing.
    VERY strange & frustrating.
    Truly, I'd be grateful for any advice

    Once I

    ![interface status.PNG](/public/imported_attachments/1/interface status.PNG)



  • Can you put the screenshot of Outbound NAT rules.



  • Outbound NAT




  • There is no rule… so no LAN traffic will be outbound NATed.

    Try to add one manually as follows:

    not NAT = [ ] (unchecked)
    Interface = [ WAN ▼ ]
    Protocol = [ Any ▼ ]
    Source: Type = [ Network ▼ ]
            Address = [ YOUR_LAN_IP_SUBNET ] / [ 24 ▼ ] (should be 192.168.1.0 from your screenshots)
            Source port = [ ____ ] (empty/blank)
    Destination: Type = [ Any ▼ ]
    Translation: Address = [ Interface Address ]
    Description = [ LAN -> WAN ]



  • Maybe you had two simple things wrong…

    Cloned MAC and Something Else...



  • When outbound NAT is set to automatic, no rules are listed.  That should be fine.

    However, I noticed that DNS is not a default configuration.  So it's not vanilla.

    What else did you change?



  • @kejianshi:

    When outbound NAT is set to automatic, no rules are listed.  That should be fine.

    My ignorance since I only use manual outbound.



  • Me too - I stopped using automatic a while ago.

    But I think for 1 wan, one lan, just testing basic features automatic might be best.


  • Netgate Administrator

    @Wolf666:

    My ignorance since I only use manual outbound.

    Confusingly, if you switch to manual and then back to automatic the rules remain.  ;) But, yes, showing no rules when set to automatic is the expected behaviour. I would always recommend using automatic unless you really need to use manual. In 2.2 there is a hybrid mode which is much better.

    You have an IPv6 gateway on WAN and it's not working, probably because your ISP doesn't support IPv6. If that is set as default then this could be at least part of your problem. It would explain why the pfSense box cannot check for updates.
    What does your System: Routing: Gateways: screen show? Which is default?

    You can probably just set the IPv4 gateway as default there and it will work. However unless you're using IPv6 you should go to the WAN setup and set the IPv6 config type to 'none', then remove the gateway from the System: Routing:

    Steve



  • OK kejianshi, to clean up I chose Option 4 "Reset to factory defaults", went through the start-up process, chose no VLANs, added nfe0 as WAN & nfe1 as LAN, then went through the start-up wizard in the GUI or left things as default. Everything sweet? LAN machines picked up a DHCP address, WAN has an IP. Also removed IPv6 as suggested. Still NOTHING!!
    so frustrating…
    The modem I have is a Netgear DG632 set up in "bridge" mode or RFC1483; the modem does nothing but pass traffic. Plugged into my ASA as previously mentioned doing the same, it works fine, no issues.

    If you are suggesting vanilla config works out of the box, this doesn't seem to be the case for me. New setup pics attached



  • I would like you to do a couple of things.

    1.  go to diagnostics > ping

    2. enter 8.8.8.8 as host

    3.  select source address LAN

    click ping

    If it works, let me know.

    if not, select source address WAN

    Try again.  Click ping.

    Let me know what happens

    (Checking to see what pfsense can see without any client firewall complications)

    If your install is truly a default install, and your pfsense can't ping out, I'd be wanting to check for bad cables or incompatibility between modem NIC and pfsense NIC (hardware).

    I might consider using an old intel NIC as WAN for test.  Just so you know, your experiences are way in the minority.


  • Netgate Administrator

    Yes test from the pfSense box to determine where the problem is.
    Is it still reporting 'unable to check for updates'?
    I noticed that in your earlier screen shots you have the results of some pings from what I assume is a LAN side Windows box. There you are able to ping 173.194.33.167 (google) but not 8.8.8.8 (also a google address). Try that address from the pfSense diagnostic screen too. Also try to ping by URL from the pfSense box to check if you have DNS. Try your WAN gateway address.

    Having some sort of partial connectivity is a very different scenario to having no connectivity at all.

    One thing that occasionally comes up when using DHCP WAN is that FreeBSD, and hence pfSense, sticks firmly to rules laid out in the protocol specs. Many other OSes do not. For example when using DHCP the supplied gateway must be in the same subnet as the supplied IP address. Unfortunately there are many ISPs who seem to ignore the specs and supply a gateway outside the subnet. pfSense will correctly report 'cannot add gateway - no route' in its logs and you'll have no connectivity. A Windows or Linux box in this same setup will ignore this invalid configuration and allow the traffic. Thus we often see reports of 'it works just fine with my other router'. I don't think this exact scenario is your problem (I can't be sure because you've redacted the IP) because your WAN gateway is shown as UP so it's pingable. Something similar may be happening.

    Even though you've removed the IPv6 settings you might want to try this:
    https://doc.pfsense.org/index.php/Controlling_IPv6_or_IPv4_Preference
    That can prevent the box checking for updates but doesn't usually stop general connectivity from LAN.

    Check the system logs.

    Steve
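    An added example of the lease sanity check Steve describes, together with the 'private address on WAN' clue raised earlier in the thread; this is constructed code, not pfSense's and not posted by anyone in the thread. The lease text is invented in the ISC dhclient.leases style that FreeBSD's dhclient writes (assumed layout; the only real-lease fields it relies on are fixed-address, subnet-mask and routers), the addresses are documentation ranges, and the log string in the finding is quoted from Steve's post rather than read from a live system.

```python
import ipaddress
import re

# RFC1918 space, used for the "did the modem really bridge?" check.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed lease in the ISC dhclient.leases style; every value is invented.
# The ISP here hands out a gateway that is not inside the leased /24.
SAMPLE_LEASE = """\
lease {
  interface "nfe0";
  fixed-address 203.0.113.10;
  option subnet-mask 255.255.255.0;
  option routers 198.51.100.1;
  option domain-name-servers 203.0.113.2,203.0.113.3;
}
"""


def parse_lease(text):
    """Pull the three fields the gateway check needs out of one lease block."""
    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1).strip() if m else None
    return {
        "ip": grab(r"fixed-address\s+([\d.]+);"),
        "netmask": grab(r"option subnet-mask\s+([\d.]+);"),
        "gateway": grab(r"option routers\s+([\d.]+)"),   # first router only
    }


def diagnose_wan_lease(ip, netmask, gateway):
    """Return the problems FreeBSD/pfSense would have with this lease; [] means it is usable."""
    findings = []
    iface = ipaddress.ip_interface(f"{ip}/{netmask}")
    gw = ipaddress.ip_address(gateway)
    if any(iface.ip in net for net in RFC1918):
        findings.append("WAN address is RFC1918: the upstream modem/router is probably not bridged")
    if gw == iface.ip:
        findings.append("gateway is our own address")
    elif gw not in iface.network:
        # FreeBSD will not install a default route via a gateway that is not
        # on-link, so the box ends up with no default route at all, while a
        # Windows or Linux client would quietly accept the same lease.
        findings.append(
            f"gateway {gw} is outside {iface.network}: default route is refused "
            "('cannot add gateway - no route')"
        )
    return findings


def diagnose_lease_text(text):
    """Parse a lease block and diagnose it; raises if a needed field is missing."""
    fields = parse_lease(text)
    if None in fields.values():
        raise ValueError("lease is missing fixed-address, subnet-mask or routers")
    return diagnose_wan_lease(fields["ip"], fields["netmask"], fields["gateway"])


if __name__ == "__main__":
    for finding in diagnose_lease_text(SAMPLE_LEASE) or ["lease looks usable"]:
        print(finding)
```

    The same function applied to a 192.168.0.2/24 lease with gateway 192.168.0.1 reports nothing about the route (it is on-link) but flags the private WAN address, which is the 'modem not actually bridged' case; a clean public lease returns an empty list.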



  • Something that may have  already been tried, but I did not see listed in the notes, a reboot of the modem ?



  • This is a straight DSL with DHCP? No PPPoE username/pw required?
    Can you check the ASA config and verify how the outside interface is configured? If you plug a laptop directly into the DSL modem, do you get a public IP and can you browse out?



  • Thank you ALL for your assistance. I managed to get things working by swapping out the Netgear DG632 that was in bridge mode. I had a Cisco 827 lying around; I put this into RFC 1483 as per the Cisco site, with PFSense handling username/pass, and away things went. I'm not sure why the Netgear didn't work as it handled fine with the ASA in place. Either way, I'm up & running and keen to understand the benefits of PFSense. Again thanks for help & suggestions. :)



  • Enjoy (-;