LAN to WAN forward does not work
-
Hi,
I have installed the latest version of pfSense and configured it as shown:
The WAN IP address is configured by the provider's DHCP server - it's always the same /32 IP and gateway. I also receive an MTU size of 64000, promisc mode and DHCP option 121. vtnet1 is the WAN NIC and vtnet0 the LAN NIC.
My problem right now is just that I am not able to reach anything other than what is inside the LAN. I can reach my hosts in the LAN, but from my LAN NIC I can't reach the WAN NIC / IP or any other IP/host in the WAN. I'm not sure, but I think there is a firewall rule missing which forwards my LAN requests to the WAN interface. I couldn't find this setting anywhere, and the routing table looks fine to me.
The other problem is that I'm sometimes not able to reach anything from any NIC, although I haven't changed anything on the system… :o
A ping reports that the operation is not permitted... ???
If I reboot the system, everything works fine for a while. Just the LAN is still not able to reach anything other than the LAN net. The interesting information is that I am able to connect via IPsec and OpenVPN to this host, while pfSense can't reach anything in the WAN... ::)
Hope someone can help me.
-
Eh, WTF?
Why's your WAN set to None/None? If the IP is provided by a DHCP server, then set it to DHCP and not None! :o :o :o
This works out of the box! Undo all the nonsense you have done and fix your WAN configuration. Done.
-
I don't know. My provider tested pfSense and told me that I have to set it to none instead of DHCP. With DHCP, pfSense would not work fine, because DHCP option 121 is not fully supported by the provider.
I also had to change some configuration files of pfSense so that it works with my provider. These settings are suggested by my provider:
pkg install isc-dhcp43-client

In viconfig:
- Now, after the configuration is opened, we need to locate our WAN interface (in pfSense's config.xml the <enable> tag is an empty element and <if> and <ipaddr> are its siblings):
    <wan>
        <enable></enable>
        <if>vtnet0</if>
        <ipaddr>dhcp</ipaddr>
    </wan>
- Change the ipaddr field from dhcp to none, but do not close the text editor:
    <ipaddr>none</ipaddr>
- Locate the end of the system section and add the following on top of it. Your config.xml file should look like this:
    <enablesshd>enabled</enablesshd>
    <shellcmd>/usr/local/sbin/dhclient -q vtnet0</shellcmd>
Finally I had to adjust this file too: /usr/local/etc/dhclient.conf
    script "/usr/local/sbin/dhclient-script";
    option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
    request subnet-mask, broadcast-address, time-offset, routers, host-name,
            interface-mtu, rfc3442-classless-static-routes, ntp-servers;
If I set the WAN NIC to "DHCP", pfSense is always missing the default routing entry… :'(
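The dhclient.conf above requests option 121 (RFC 3442 classless static routes), and the first post describes a /32 WAN address whose gateway is therefore never on-link. As an added example (not from this thread, pfSense or ISC dhclient), the following decodes an option 121 payload and reports which next hops lie outside the interface's own subnet, i.e. which gateways need a host route via the NIC before a default route can be installed. The payload bytes, the 203.0.113.0/24 addresses and the function names are constructed for the example.

```python
"""Decode DHCP option 121 (RFC 3442) and check next-hop reachability from a /32."""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def decode_option121(data: bytes) -> List[Route]:
    """Parse repeated (prefix_len, significant destination octets, 4-byte router).
    Per RFC 3442 only ceil(prefix_len / 8) destination octets are transmitted."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        prefix = data[i]
        i += 1
        if prefix > 32:
            raise ValueError(f"invalid prefix length {prefix}")
        n = (prefix + 7) // 8                      # significant octets present
        if i + n + 4 > len(data):
            raise ValueError("truncated option 121 payload")
        dest = bytes(data[i:i + n]) + b"\x00" * (4 - n)  # pad back to 4 octets
        i += n
        router = ipaddress.IPv4Address(bytes(data[i:i + 4]))
        i += 4
        # strict=False tolerates servers that leave host bits set in the
        # transmitted octets; a DHCP client would install the route anyway
        net = ipaddress.IPv4Network((ipaddress.IPv4Address(dest), prefix), strict=False)
        routes.append((net, router))
    return routes


def offlink_gateways(wan_cidr: str, routes: List[Route]) -> List[str]:
    """Next hops that are not inside the interface's own subnet. With a /32 WAN
    address the subnet contains only the address itself, so every gateway is
    off-link and needs an explicit host route through the interface first."""
    iface = ipaddress.IPv4Interface(wan_cidr)
    return sorted({str(gw) for _, gw in routes if gw not in iface.network})


# Constructed payload: 0.0.0.0/0 via 203.0.113.1, then 10.0.0.0/8 via 203.0.113.1
SAMPLE_OPTION121 = bytes.fromhex("00cb007101" "080acb007101")

if __name__ == "__main__":
    routes = decode_option121(SAMPLE_OPTION121)
    for net, gw in routes:
        print(f"{net} via {gw}")
    print("off-link gateways from 203.0.113.10/32:", offlink_gateways("203.0.113.10/32", routes))
```

With a /24 on the same interface the gateway would be on-link and the list comes back empty, which is the difference between a WAN that gets its default route from plain DHCP and one that depends on option 121 handling.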
-
I would recommend to change your ISP.
-
This is not possible, or can you tell me a hoster for VPS/VMs where I can create a virtual datacenter with virtual machines? Our current hoster also has an API for its DC to automate the process of creating a new VM.
I've changed "None" to "DHCP" and the network configuration seems to be fine now, but now I'm not able to visit the web interface anymore. (I'm still not able to reach it via IP, even if I disable the firewall with pfctl -d.) :o
-
After doing such changes, I'd suggest a reboot.
(Regarding your original configuration hacks - sorry, that has no chance of ever working properly. When you set the interface to "None", pfSense has no knowledge of any of those manual shell hacks you used to configure IPs/GWs etc. via the shell. Definitely a no-go.)
-
Ah, nice. I had to reboot pfSense twice. Now the LAN to WAN forward is working as it should. Thx!
But apt-get update, for example, is very slow and hangs. Do I need to set a firewall rule for it or tick some options in pfSense?
... 100% [Waiting for headers] ... 100% [Connecting to de.archive.ubuntu.com (141.30.13.10)]
I'm able to reach everything without problems - via IP and FQDN/DNS. But this still hangs a bit… Sometimes it's fast for a few repos and sometimes it's just hanging... :(
-
Unless you get something blocked in firewall logs, no… (Try a different mirror, perhaps.)
-
> Unless you get something blocked in firewall logs, no… (Try a different mirror, perhaps.)
Tried different repositories from different hosters and countries, but it does not work:
root@ubuntu:~# aptitude install samba
The following NEW packages will be installed:
  attr{a} libaio1{a} libavahi-client3{a} libavahi-common-data{a} libavahi-common3{a} libcups2{a} libfile-copy-recursive-perl{a} libgmp10{a} libhdb9-heimdal{a} libkdc2-heimdal{a} libldb1{a} libntdb1{a} libtalloc2{a} libtdb1{a} libtevent0{a} libwbclient0{a} python-crypto{a} python-dnspython{a} python-ldb{a} python-ntdb{a} python-samba{a} python-talloc{a} python-tdb{a} samba samba-common{a} samba-common-bin{a} samba-dsdb-modules{a} samba-libs{a} samba-vfs-modules{a} tdb-tools{a} update-inetd{a}
0 packages upgraded, 31 newly installed, 0 to remove and 0 not upgraded.
Need to get 8,246 kB of archives. After unpacking 46.6 MB will be used.
Do you want to continue? [Y/n/?]
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main libaio1 amd64 0.3.109-4
  Could not connect to ubuntu.mirror.lrz.de:80 (129.187.10.100), connection timed out
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main libavahi-common-data amd64 0.6.31-4ubuntu1
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main libavahi-common3 amd64 0.6.31-4ubuntu1
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main libavahi-client3 amd64 0.6.31-4ubuntu1
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main libcups2 amd64 1.7.2-0ubuntu1
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main libgmp10 amd64 2:5.1.3+dfsg-1ubuntu1
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main libhdb9-heimdal amd64 1.6~git20131207+dfsg-1ubuntu1
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main libtalloc2 amd64 2.1.0-1
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main libtdb1 amd64 1.2.12-1
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main libtevent0 amd64 0.9.19-1
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main libldb1 amd64 1:1.1.16-1
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main libntdb1 amd64 1.0-2ubuntu1
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main libwbclient0 amd64 2:4.1.6+dfsg-1ubuntu2
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main python-ldb amd64 1:1.1.16-1
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main python-talloc amd64 2.1.0-1
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main python-dnspython all 1.11.1-1build1
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main python-ntdb amd64 1.0-2ubuntu1
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main python-tdb amd64 1.2.12-1
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main python-crypto amd64 2.6.1-4build1
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main samba-libs amd64 2:4.1.6+dfsg-1ubuntu2
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main python-samba amd64 2:4.1.6+dfsg-1ubuntu2
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main samba-common all 2:4.1.6+dfsg-1ubuntu2
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main samba-common-bin amd64 2:4.1.6+dfsg-1ubuntu2
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main samba-dsdb-modules amd64 2:4.1.6+dfsg-1ubuntu2
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main tdb-tools amd64 1.2.12-1
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main libfile-copy-recursive-perl all 0.38-1
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main update-inetd all 4.43
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main libkdc2-heimdal amd64 1.6~git20131207+dfsg-1ubuntu1
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main samba amd64 2:4.1.6+dfsg-1ubuntu2
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main attr amd64 1:2.4.47-1ubuntu1
  Unable to connect to ubuntu.mirror.lrz.de:http:
Err http://ubuntu.mirror.lrz.de/ubuntu/ trusty/main samba-vfs-modules amd64 2:4.1.6+dfsg-1ubuntu2
  Unable to connect to ubuntu.mirror.lrz.de:http:
0% [Working]E: Failed to fetch http://ubuntu.mirror.lrz.de/ubuntu/pool/main/liba/libaio/libaio1_0.3.109-4_amd64.deb: Could not connect to ubuntu.mirror.lrz.de:80 (129.187.10.100), connection timed out
root@ubuntu:~#
I really don't know what the issue could be. I've also disabled all options to block bogon networks, for example, as well as Snort, because I thought this might be the issue. :(
Currently it's working fine. Let me check for how long…
-
Nope, the error still exists.
-
I would revert to factory settings, then configure your WAN with the correct IPv4 type, DHCP, and get rid of your MTU settings. There is nothing magical you have to do here. It just works unless something is interfering or you have misconfigured it.