    Internet access from lan

      elessargr

      Hello to all,

      I'm trying to fix this problem on my pfSense server.
      pfSense server ver 2.2.6
      2 interfaces (wan-lan)

      So I'm trying to have internet access from my lan network.
      ( INTERNET(Gateway 192.168.2.1/24) ----> pfsense [ Interface_wan(192.168.2.2/24) ------> Interface_lan(10.10.10.2) ] ----> LAN(10.10.10.0/24) )

      I have set static IPs on INTwan (192.168.2.2/24 GW 192.168.2.1) and INTlan (10.10.10.2/24 GW none)
      Default GW 192.168.2.1
      Firewall NAT outbound automatically
      Firewall rules LAN TCP any any allow

      If I do ping from the Diagnostics->ping->wan->8.8.8.8 it's working.
      If I do ping from the Diagnostics->ping->lan->8.8.8.8 it's not working.

      Any ideas?

      Thank you

        viragomann

        Hello,

        check your outbound NAT or post the rules here.

          elessargr

          @viragomann:

          Hello,

          check your outbound NAT or post the rules here.

          here you go

          Capture.PNG

            viragomann

            This should be okay. So ping source should be translated to WAN address if LAN is used.
            To verify if it works, take a packet capture with protocol filter ICMP while you are pinging for LAN.

              elessargr

              @viragomann:

              This should be okay. So ping source should be translated to WAN address if LAN is used.
              To verify if it works, take a packet capture with protocol filter ICMP while you are pinging for LAN.

              13:48:34.912579 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 49921, length 60
              13:48:34.913944 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 49921, length 60
              13:48:35.935062 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 50177, length 60
              13:48:35.936703 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 50177, length 60
              13:48:36.992121 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 50433, length 60
              13:48:36.993017 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 50433, length 60
              13:48:38.052138 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 50689, length 60
              13:48:38.055948 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 50689, length 60
              13:48:39.114375 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 50945, length 60
              13:48:39.115294 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 50945, length 60
              13:48:40.177561 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 51201, length 60
              13:48:40.178457 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 51201, length 60
              13:48:41.215191 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 51457, length 60
              13:48:41.216096 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 51457, length 60
              13:48:41.346544 IP 10.10.10.7 > 8.8.8.8: ICMP echo request, id 2, seq 415, length 40
              13:48:42.278561 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 51713, length 60
              13:48:42.279470 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 51713, length 60
              13:48:43.341562 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 51969, length 60
              13:48:43.342523 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 51969, length 60
              13:48:44.404561 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 52225, length 60
              13:48:44.405459 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 52225, length 60
              13:48:45.467562 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 52481, length 60
              13:48:45.468454 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 52481, length 60
              13:48:45.877585 IP 10.10.10.7 > 8.8.8.8: ICMP echo request, id 2, seq 416, length 40
              13:48:46.523322 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 52737, length 60
              13:48:46.524231 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 52737, length 60
              13:48:47.576626 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 52993, length 60
              13:48:47.577528 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 52993, length 60
              13:48:48.639563 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 53249, length 60
              13:48:48.640479 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 53249, length 60
              13:48:49.701185 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 53505, length 60
              13:48:49.702080 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 53505, length 60
              13:48:50.708374 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 53761, length 60
              13:48:50.710622 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 53761, length 60
              13:48:50.877602 IP 10.10.10.7 > 8.8.8.8: ICMP echo request, id 2, seq 417, length 40
              13:48:51.770437 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 54017, length 60
              13:48:51.771326 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 54017, length 60
              13:48:52.833561 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 54273, length 60
              13:48:52.834473 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 54273, length 60
              13:48:53.896560 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 54529, length 60
              13:48:53.897462 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 54529, length 60
              13:48:54.919157 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 54785, length 60
              13:48:54.926307 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 54785, length 60
              13:48:55.877606 IP 10.10.10.7 > 8.8.8.8: ICMP echo request, id 2, seq 418, length 40
              13:48:55.940001 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 55041, length 60
              13:48:55.940902 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 55041, length 60
              13:48:57.002561 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 55297, length 60
              13:48:57.003454 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 55297, length 60
              13:48:58.065562 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 55553, length 60
              13:48:58.067188 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 55553, length 60
              13:48:59.082700 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 55809, length 60
              13:48:59.083588 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 55809, length 60

                mer

                Client on the LAN side, do you have its default GW set to be 10.10.10.2?

                  muswellhillbilly

                  Your NAT rules look ok, but check your Firewall rules as well. Remember rules apply from the top down, so the first rule that wins will be the topmost one. You don't have any block rules in place which might be stopping your ICMP traffic?

                  Might be worth posting your Firewall rules as well, just in case.

                    elessargr

                    @mer:

                    Client on the LAN side, do you have its default GW set to be 10.10.10.2?

                    Yes. On my lan pc I have set it IP 10.10.10.7/24 GW 10.10.10.2 DNS 10.10.10.2

                    @muswellhillbilly:

                    Your NAT rules look ok, but check your Firewall rules as well. Remember rules apply from the top down, so the first rule that wins will be the topmost one. You don't have any block rules in place which might be stopping your ICMP traffic?

                    Might be worth posting your Firewall rules as well, just in case.

                    On Wan and Lan I have the same rule
                    IPv4 *  *  *  *  *  *  none

                    and on Lan there is one extra line

                        • LAN Address 80 * *
                      viragomann

                      If you're pinging from pfSense itself (Diagnostics->ping) there are no firewall rules applied.

                      Your packet capture shows
                      13:48:41.346544 IP 10.10.10.7 > 8.8.8.8: ICMP echo request, id 2, seq 415, length 40
                      Whose IP is 10.10.10.7?

                      Anyway, it isn't translated to WAN address while your NAT rules are okay. This may happen, if you change your LAN subnet.
                      Go to outbound NAT and try click Save button and reboot pfSense and see if it helped.

                        elessargr

                        @viragomann:

                        If you're pinging from pfSense itself (Diagnostics->ping) there are no firewall rules applied.

                        what do you mean with that? should it work or not?

                        @viragomann:

                        Your packet capture shows
                        13:48:41.346544 IP 10.10.10.7 > 8.8.8.8: ICMP echo request, id 2, seq 415, length 40
                        Whose IP is 10.10.10.7?

                        It's a pc on the lan, behind the pfSense

                        @viragomann:

                        Anyway, it isn't translated to WAN address while your NAT rules are okay. This may happen, if you change your LAN subnet.
                        Go to outbound NAT and try click Save button and reboot pfSense and see if it helped.

                        This may happen, if you change your LAN subnet. ?????
                        save without do any new changes?

                          viragomann

                          @elessargr:

                          @viragomann:

                          If you're pinging from pfSense itself (Diagnostics->ping) there are no firewall rules applied.

                          what do you mean with that? should it work or not?

                          Yes this should work anyway.

                          @elessargr:

                          @viragomann:

                          Anyway, it isn't translated to WAN address while your NAT rules are okay. This may happen, if you change your LAN subnet.
                          Go to outbound NAT and try click Save button and reboot pfSense and see if it helped.

                          This may happen, if you change your LAN subnet. ?????
                          save without do any new changes?

                          In former versions there were no changes necessary to reset NAT rules. But you may also switch to hybrid rule generation and save it to ensure it is saved.

                            elessargr

                            @viragomann:

                            @elessargr:

                            @viragomann:

                            If you're pinging from pfSense itself (Diagnostics->ping) there are no firewall rules applied.

                            what do you mean with that? should it work or not?

                            Yes this should work anyway.

                            @elessargr:

                            @viragomann:

                            Anyway, it isn't translated to WAN address while your NAT rules are okay. This may happen, if you change your LAN subnet.
                            Go to outbound NAT and try click Save button and reboot pfSense and see if it helped.

                            This may happen, if you change your LAN subnet. ?????
                            save without do any new changes?

                            In former versions there were no changes necessary to reset NAT rules. But you may also switch to hybrid rule generation and save it to ensure it is saved.

                            on the ping nothing from the lan interface

                            I have also changed the NAT outbound to Hybrid Outbound NAT rule generation (Automatic Outbound NAT + rules below)

                              viragomann

                              look for pings to the destination address (8.8.8.8). In the packet capture tab you can enter this address at host for filtering.
                              The packet capture must be taken from WAN interface. Have you done this above?
                              The pings there should come from your WAN address regardless, what's the real source, cause of NAT.

                                elessargr

                                @viragomann:

                                look for pings to the destination address (8.8.8.8). In the packet capture tab you can enter this address at host for filtering.
                                The packet capture must be taken from WAN interface. Have you done this above?
                                The pings there should come from your WAN address regardless, what's the real source, cause of NAT.

                                10:03:41.159463 IP 10.10.10.7 > 8.8.8.8: ICMP echo request, id 2, seq 1342, length 40
                                10:03:45.804347 IP 10.10.10.7 > 8.8.8.8: ICMP echo request, id 2, seq 1343, length 40
                                10:03:50.804364 IP 10.10.10.7 > 8.8.8.8: ICMP echo request, id 2, seq 1344, length 40
                                10:03:55.804314 IP 10.10.10.7 > 8.8.8.8: ICMP echo request, id 2, seq 1345, length 40

                                  viragomann

                                  If this capture is taken from WAN your outbound NAT isn't working. On LAN it should look like this, apart from missing responses.

                                  Have you disabled firewall and NAT in pfSense? System > Advanced > Firewall / NAT > Disable Firewall.

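The WAN-side check described in the posts above, as an added example that is not part of any post in this thread: it reads tcpdump text captured on WAN and flags echo requests that still carry a LAN source address, and notes whether a reply came back. The function names are made up for the example; the addresses and the four sample lines are the ones posted earlier in the thread.

```python
import ipaddress
import re

# tcpdump's one-line ICMP echo format, as it appears in the captures posted in this thread.
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Four lines copied from the capture posted earlier in the thread.
SAMPLE_CAPTURE = """\
13:48:40.177561 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 51201, length 60
13:48:40.178457 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 51201, length 60
13:48:41.346544 IP 10.10.10.7 > 8.8.8.8: ICMP echo request, id 2, seq 415, length 40
13:48:45.877585 IP 10.10.10.7 > 8.8.8.8: ICMP echo request, id 2, seq 416, length 40
"""


def audit_wan_capture(text, wan_addr, lan_net):
    """Classify each echo request seen on WAN and record whether a reply came back."""
    wan = ipaddress.ip_address(wan_addr)
    lan = ipaddress.ip_network(lan_net)
    requests = {}  # (src, dst, id, seq) -> record, in capture order
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not an ICMP echo line
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        echo = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            if src == wan:
                status = "translated"      # source is the firewall's WAN address
            elif src in lan:
                status = "untranslated"    # LAN address on the WAN wire: NAT not applied
            else:
                status = "other"
            requests[(src, dst) + echo] = {
                "ts": m["ts"], "src": str(src), "dst": str(dst),
                "status": status, "answered": False,
            }
        else:
            # A reply pairs with the request that has swapped addresses and the same id/seq.
            rec = requests.get((dst, src) + echo)
            if rec:
                rec["answered"] = True
    return list(requests.values())


def nat_leaks(records):
    """Echo requests that left the WAN interface with a LAN source address."""
    return [r for r in records if r["status"] == "untranslated"]


if __name__ == "__main__":
    for rec in audit_wan_capture(SAMPLE_CAPTURE, "192.168.2.2", "10.10.10.0/24"):
        reply = "reply seen" if rec["answered"] else "no reply"
        print(f'{rec["ts"]} {rec["src"]} -> {rec["dst"]}: {rec["status"]}, {reply}')
```
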
                                    elessargr

                                    @viragomann:

                                    If this capture is taken from WAN your outbound NAT isn't working. On LAN it should look like this, apart from missing responses.

                                    Have you disabled firewall and NAT in pfSense? System > Advanced > Firewall / NAT > Disable Firewall.

                                    ok so before this was checked. now it's working because I have unchecked it. so now it's on or off the firewall? I don't get it.

                                    Capture.PNG

                                      johnpoz LAYER 8 Global Moderator

                                      You don't get "DISABLE all packet filtering" ??

                                      States turns pfSense into ROUTER only!!
                                      States also turns off NAT

                                      That clearly is not checked out of the box… So you must have on purpose checked that... But you don't understand what it says?

                                      What is it exactly that confuses you about that box and its wording??  And that it says DISABLE FIREWALL???

                                      English is not your native language maybe?  And you're putting that into say google translate and it's coming out confusing in your language to if that turns on or off the firewall??

                                      I don't get it is right ;)

                                        viragomann

                                        If this is unchecked firewall and NAT is turned off. Hence your outbound NAT didn't work.

                                        It's unchecked by default, as johnpoz wrote. You may have checked it to prevent double NAT, cause your router also does NAT. If it's possible it's better to turn off NAT at the router. However, double NAT should also work.

                                          elessargr

                                          @johnpoz:

                                          You don't get "DISABLE all packet filtering" ??

                                          States turns pfSense into ROUTER only!!
                                          States also turns off NAT

                                          That clearly is not checked out of the box… So you must have on purpose checked that... But you don't understand what it says?

                                          What is it exactly that confuses you about that box and its wording??  And that it says DISABLE FIREWALL???

                                          English is not your native language maybe?  And you're putting that into say google translate and it's coming out confusing in your language to if that turns on or off the firewall??

                                          I don't get it is right ;)

                                          I don't remember checking it; so I think it's checked out of the box.
                                          now I'm confused because it says "disable firewall  [checkbox]" that means if I check it the firewall is OFF (check=yes, uncheck=no correct?) and viragomann says otherwise.

                                          @viragomann:

                                          If this is unchecked firewall and NAT is turned off. Hence your outbound NAT didn't work.

                                          It's unchecked by default, as johnpoz wrote. You may have checked it to prevent double NAT, cause your router also does NAT. If it's possible it's better to turn off NAT at the router. However, double NAT should also work.

                                          Are you sure? because now it's working fine. I'm going to firewall->rules-> and I put ICMP allow and it's passing. I set it off and it's blocking. Before no matter what it was always off; no ping was passing through the lan.

                                            phil.davis

                                            If this is unchecked firewall and NAT is turned off. Hence your outbound NAT didn't work.

                                            That sentence is the wrong way around, it should say:

                                            If this is checked firewall and NAT is turned off. Hence your outbound NAT didn't work.
