No internet on clients behind static route
-
Hello,
Last weekend I had to change our current High Availability (GTA 820) setup to pfSense.
I set up everything as we had on our GTAs, but no machine in any VLAN can ping or do anything on the WAN.
All inbound NAT is working to all VLANs. Am I missing something? Any idea why? See the picture for layer 3 info.

-
Try running a traceroute from one of your internal VLANs out to an external host (e.g. 8.8.8.8). See where the drop occurs and check the point of failure. Also check your DNS settings on your internal clients to make sure they can resolve external addresses correctly.
-
The configuration is down for now, but I will try this as soon as possible. The old GTAs are running now…
Even a ping to 8.8.8.8 isn't replying, while all incoming traffic runs smoothly. I can, for example, RDP into every VLAN.
Do I also need to make an outbound NAT for 10.100.0.0/16? That's the range where all client VLANs reside. I'll let you know the results when I can test again... It's our live infrastructure.
-
I don't know how you've set up the pfSense firewalls - assumedly you've just set them to run with the default firewall/NAT rules with your external gateway address set as the default route out (Cisco Provider). The router on the internal switches should, in turn, have their default gateways set to the internal NIC of the pfSense firewall - this should be the floating address as you've got the pfSense machines running in HA mode. Your clients ought to be using the 'routers on switch A/B' addresses as their default gateway out - assumedly the switches have been set to run in the various VLANs you have running internally. Your switches should have an internal address set for each internal VLAN.
Again, your best bet is to run a traceroute from a client in any one of your VLANs out to the internet, make note of the point of failure and investigate that.
-
I don't know how you've set up the pfSense firewalls - assumedly you've just set them to run with the default firewall/NAT rules with your external gateway address set as the default route out (Cisco Provider). <-- I did
The router on the internal switches should, in turn, have their default gateways set to the internal NIC of the pfSense firewall <-- It is!
this should be the floating address as you've got the pfSense machines running in HA mode. <-- ???? Floating?
Your clients ought to be using the 'routers on switch A/B' addresses as their default gateway out <-- Yes... they use the VRRP address
- assumedly the switches have been set to run in the various VLANs you have running internally. Your switches should have an internal address set for each internal VLAN. <-- Configured and working properly
Again, your best bet is to run a traceroute from a client in any one of your VLANs out to the internet, make note of the point of failure and investigate that. <-- Gonna test ASAP!
-
'Floating' = 'CARP'.
-
When I do a tracert to 8.8.8.8, every hop times out.
When I do a tracert to the (VIP) LAN of the pfSense, I get a result. The tracert is done from a machine in a VLAN with IP range 10.100.105.0/24.
Also, I can ping the 192.168.100.0 network from any machine in every VLAN. Any idea…?
-
Problem solved….
I had to make a LAN firewall rule for 10.100.0.0/16 to the outside and also outbound NAT rules for the VLANs.
Those made everything work!
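The fix from the last post, written out as the equivalent pf rules so the two missing pieces are visible side by side (an added example, not configuration from the thread or generated by pfSense; the interface names, the 192.168.100.0/24 transit subnet, the switch VRRP next hop and the WAN CARP VIP are assumed placeholders):

```pf
# Assumed interface macros - substitute the real WAN and LAN NICs.
wan_if = "em0"
lan_if = "em1"

# Client VLAN range from the thread, reachable from pfSense only via the switch.
client_nets = "10.100.0.0/16"
# Transit network between pfSense LAN and the switches (assumed /24).
lan_net = "192.168.100.0/24"
# WAN CARP VIP shared by the HA pair (placeholder address, TEST-NET-3).
wan_vip = "203.0.113.10"

# The static route itself lives in the OS routing table, not in pf.conf
# (pfSense: System > Routing, gateway = switch VRRP address). Equivalent:
#   route add -net 10.100.0.0/16 192.168.100.2      # VRRP next hop assumed

# 1) Outbound NAT for the routed range. The automatic rule only covers the
#    directly attached LAN subnet, so packets from 10.100.x.x left the WAN
#    untranslated and their replies never came back - hence every traceroute
#    hop past the pfSense LAN VIP timing out. In an HA pair translate to the
#    CARP VIP, not the physical WAN address, so failover keeps the same
#    public source and synced states stay valid.
nat on $wan_if inet from $client_nets to any -> $wan_vip

# 2) LAN pass rule for the routed range. The default "LAN net -> any" rule
#    matches only $lan_net as source; traffic from the VLANs arrives on the
#    LAN interface with a 10.100.x.x source and is dropped without this.
pass in quick on $lan_if inet from $client_nets to any keep state

# Transit-network hosts keep their existing default allow.
pass in quick on $lan_if inet from $lan_net to any keep state
```

Inbound NAT kept working throughout because port-forward states already carry the translation; only locally originated outbound flows from the routed range lacked one.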