Adding new WAN Connection - Ping Yes, Use No

padapa

I am adding a second WAN port (Verizon connection) to an existing PFSense installation.

The Network looks like this:

173.xxx.xxx.133
                  _____________
173.xxx.xxx.134  |            |
–-- Comcast ---- | em0        |                    ____________________
                  |            |                    |                    |
                  | pfsense  em1|-------- LAN -------| PC @ 192.168.1.135 |
                  |            | 192.168.1.1        |____________________|
---- Verizon ---- | ue0        |
10.1.1.1          |_____________|
                  10.1.1.10

1. I have my interface and gateway added and routes to allow traffic. The gateway monitor for the new interface is set to 8.8.4.4 and shows green on Status –> Gateways page.

2. I can ping from the LAN side all the way to the GW 10.1.1.1 address, but I can't get webGUI of the gateway router connected there.

3. If I move my PC to the 10.1.1.x network I can log into the webGUI.

What am I missing in my config?  What would you look at/for?

Thanks,

a very frustrated padapa

heper

are you missing NAT on the new wan?

padapa

I would think if NAT wasn't working, I wouldn't be able to ping the 10.1.1.1 gateway address???

Applied to the LAN interface I have a new rule that looks like this:
https://www.dropbox.com/s/b1f260jxswvlzbm/Firewall%20-%20Rule%20-%20LAN%202015-11-06%20at%2012.55.56%20PM.png?dl=0

and in the outbound NAT setting I have this:

https://www.dropbox.com/s/ld5j8a757oscfqv/Nat%20-%20Outbound%202015-11-06%20at%2012.53.59%20PM.png?dl=0

I am preparing to send all 166.0.0.0 traffic out the new port, once it's working.

Heper, what else can I show you so you can help me see the issue?

padapa

padapa

@heper:

are you missing NAT on the new wan?

So where do I check that?

BTW… I can ping out to the next IP interface on the front of the Verizon path (10.10.1.1), but can't see it's webgui either??? >:(

If I do a traceroute to a public address like 166.xxx.xxx.125 it fails to see beyond the path to 10.1.1.1 and 10.10.1.1... like this:

traceroute 166.xxx.xxx.125
traceroute to 166.xxx.xxx.125 (166.xxx.xxx.125), 64 hops max, 52 byte packets
1  10.1.1.1 (10.1.1.1)  3.967 ms  3.045 ms  3.038 ms
2  10.10.1.1 (10.10.1.1)  9.783 ms  4.958 ms  4.836 ms
3  * * *
4  * * *
5  * * *

If I traceroute on the Verizon interface, I see the following:  (So I know the outbound path is working correctly.)

traceroute 166.xxx.xxx.125
traceroute to 166.xxx.xxx.125 (166.xxx.xxx.125), 64 hops max, 52 byte packets
1  my.jetpack (10.10.1.1)  144.029 ms *  3.016 ms
2  241.sub-66-174-12.myvzw.com (66.174.12.241)  47.605 ms  40.756 ms  39.191 ms
3  244.sub-69-83-28.myvzw.com (69.83.28.244)  35.273 ms  44.141 ms  36.294 ms
4  17.sub-69-83-28.myvzw.com (69.83.28.17)  41.110 ms  37.837 ms  46.419 ms
5  170.sub-69-83-28.myvzw.com (69.83.28.170)  33.923 ms  37.562 ms  30.134 ms

Any more ideas?

padapa

padapa

I was checkin the system logs and found this:  kernel: arpresolve: can't allocate llinfo for 10.1.1.1 on ue0

ue0 is my new wireless WAN connection.  It is a USB to Ethernet adapter…

I can ping all the way out to public addresses, but I still can't use port 80/443 for webGUI access to anything?

Any Ideas??? Anyone!

David_W

You need an additional outbound NAT rule to get traffic for the gateway router UI originating from the correct subnet.

| Interface: | USB_VZN_WWAN |
| Protocol: | any |
| Source: | any |
| Destination: | Network: 10.1.1.1/32, Port:<leave blank=""></leave> |
| Translation: | Address: Interface address, Port: <leave blank="">, Static port:</leave> |

You might have to make this rule higher priority (i.e. above) the automatically created rule to get everything working correctly.