Can't get Internet access working on Opt1

chubby

I need to setup a firewall to use two DSL connections - both running in router mode with the routers handling the PPoE authentication.  In my test-lab environment I only have one internet connection, so I can't test connectivity on both connections at once.

I have interfaces configured as follows:
LAN:  172.16.1.1/24
WAN:  static assigned - 192.168.2.2/24 (Gateway 192.168.2.1) [nothing connected to this interface because, as indicated above, in  my test lab I have only one internet connection]
Opt1:  static assigned - 192.168.0.2/24 (Gateway 192.168.0.1 - note, this is the address on the one and only router in my test lab)
Opt2:  static assigned - 192.168.51.2/24 (Gateway 192.168.51.1) [this interface is for a WAN connection within our organisation.  It has nothing connected to it at this stage]

Now, I've read and followed numerous tutorials I've found on the web, however a number of them seem to indicate that once you've set up your address and gateway on the the Opt1 interface it's just a matter verifying that you now have web access on that link.  I don't have web access on the Opt1 link at that stage - and to be honest I wouldn't expect to, as I assume that the default gateway is always the WAN link, so policy based routing needs to be set up to direct web traffic to the Opt1 gateway.

I therefore setup up rules for outgoing HTTP, DNS & ICMP traffic to use the Opt1 gateway.  But, I can't even ping the gateway address (192.168.0.1) let alone access anything externally.

At this point, I swaped the static assignments on the WAN & Opt1 links and changed the ethernet cable from the Opt1 port to the WAN port (and diabled the above metioned policy based routing rules), to give the WAN interface access to my internet connection rather than the Opt1 interface.  And sure enough, I had complete web access.  This verified that my internet connection is working, and pfsense is routing.

After swapping everything back again, I figured maybe I need to set up NAT on the Opt1 interface.  I therefore set up an outgoing NAT rule as follows:

Opt 1 172.16.1.0/24 * * * * *

But still to no avail.

The tutorials seem to make it all so simple, but I must be doing something wrong.

Any advice will be greatly appreciated.

cmb

@chubby:

I therefore setup up rules for outgoing HTTP, DNS & ICMP traffic to use the Opt1 gateway.  But, I can't even ping the gateway address (192.168.0.1) let alone access anything externally.

Can you ping the gateway address from pfSense itself? Can you post a screenshot of your LAN rules?

chubby

No, I can't ping the router from pfsense itself.  It responds with 'No route to host'

I don't think I have any software installed which will allow me to caputure my screen shot & convert it to an image file (as opposed to an image inside a Word file).  The complete list of rules for the LAN are (they are all 'pass' rules):

ICMP * * * * 192.168.0.1
TCP * * * 80 (HTTP) 192.168.0.1
TCP/UDP * * * 53 (DNS) 192.168.0.1

cmb

@chubby:

No, I can't ping the router from pfsense itself.  It responds with 'No route to host'

Sounds like the subnet mask on the OPT interface is incorrect. Check that it's set to /24.

Perry

I don't think I have any software installed which will allow me to caputure my screen shot & convert it to an image file (as opposed to an image inside a Word file).

press print screen button -> paste it into paint -> mark the relevant area and copy -> files -> new -> paste it and save it as jpeg

chubby

I worked out where the problem was, but don't know why it occurred.

I noticed at the pfsense console it indicated that the IP address on on the Opt 1 and Opt 2 interfaces were both 'NONE'.  An 'ifconfig' at the shell also indiated that these two interfaces had no IP address configured.  The browser interface definately shows both these interfaces with IP address & gateways configured.  Does anyone have any explanation of why the configuration has not taken hold?

I manully assigned the IP address with an 'ifconfig' command at the shell, and sure enough it's now working :)

What I can't workout however, is how I make the IP address change permanent.  There does not seem to be a etc/sysconfig directory or a etc/rc.conf file.  How can I set the IP addresses on these interfaces permanantly?

cmb

@chubby:

I noticed at the pfsense console it indicated that the IP address on on the Opt 1 and Opt 2 interfaces were both 'NONE'.  An 'ifconfig' at the shell also indiated that these two interfaces had no IP address configured.  The browser interface definately shows both these interfaces with IP address & gateways configured.  Does anyone have any explanation of why the configuration has not taken hold?

You can't make it stick without a proper configuration. Can you private message me a copy of your configuration or email to cmb at pfsense.org? I haven't heard of a system not applying addresses, want to make sure that's not a bug.

cmb

@cmb:

I haven't heard of a system not applying addresses, want to make sure that's not a bug.

I also assumed the interfaces were enabled.  :)  From the config chubby emailed me, that was the issue. If you don't enable OPT interfaces they don't get addresses assigned (for obvious reasons).