Internet access from lan
-
Hello to all,
Im trying to fix this problem on my pfsense server.
pfsense server ver 2.2.6
2 interfaces (wan-lan)So Im trying to have internet access from my lan network.
( INTERNET(Gateway 192.168.2.1/24) –--->pfsense [ Interface_wan(192.168.2.2/24) –-----> Interface_lan(10.10.10.2) ] –---> LAN(10.10.10.0/24) )I have set statics IPs on INTwan (192.168.2.2/24 GW 192.168.2.1) and INTlan (10.10.10.2/24 GW none)
Default GW 192.168.2.1
Firewall NAT outbound automatically
Firewall rules LAN TCP any any allowIf I do ping from the Diagnostics->ping->wan->8.8.8.8 its working.
If I do ping from the Diagnostics->ping->lan->8.8.8.8 its not working.Any ideas?
Thank you
-
Hello,
check your outbound NAT or post the rules here.
-
-
This should be okay. So ping source should be translated to WAN address if LAN is used.
To verify if it works, take a packet capture with protocol filter ICMP while you are pinging for LAN. -
This should be okay. So ping source should be translated to WAN address if LAN is used.
To verify if it works, take a packet capture with protocol filter ICMP while you are pinging for LAN.13:48:34.912579 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 49921, length 60
13:48:34.913944 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 49921, length 60
13:48:35.935062 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 50177, length 60
13:48:35.936703 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 50177, length 60
13:48:36.992121 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 50433, length 60
13:48:36.993017 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 50433, length 60
13:48:38.052138 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 50689, length 60
13:48:38.055948 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 50689, length 60
13:48:39.114375 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 50945, length 60
13:48:39.115294 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 50945, length 60
13:48:40.177561 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 51201, length 60
13:48:40.178457 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 51201, length 60
13:48:41.215191 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 51457, length 60
13:48:41.216096 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 51457, length 60
13:48:41.346544 IP 10.10.10.7 > 8.8.8.8: ICMP echo request, id 2, seq 415, length 40
13:48:42.278561 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 51713, length 60
13:48:42.279470 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 51713, length 60
13:48:43.341562 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 51969, length 60
13:48:43.342523 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 51969, length 60
13:48:44.404561 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 52225, length 60
13:48:44.405459 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 52225, length 60
13:48:45.467562 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 52481, length 60
13:48:45.468454 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 52481, length 60
13:48:45.877585 IP 10.10.10.7 > 8.8.8.8: ICMP echo request, id 2, seq 416, length 40
13:48:46.523322 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 52737, length 60
13:48:46.524231 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 52737, length 60
13:48:47.576626 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 52993, length 60
13:48:47.577528 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 52993, length 60
13:48:48.639563 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 53249, length 60
13:48:48.640479 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 53249, length 60
13:48:49.701185 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 53505, length 60
13:48:49.702080 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 53505, length 60
13:48:50.708374 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 53761, length 60
13:48:50.710622 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 53761, length 60
13:48:50.877602 IP 10.10.10.7 > 8.8.8.8: ICMP echo request, id 2, seq 417, length 40
13:48:51.770437 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 54017, length 60
13:48:51.771326 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 54017, length 60
13:48:52.833561 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 54273, length 60
13:48:52.834473 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 54273, length 60
13:48:53.896560 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 54529, length 60
13:48:53.897462 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 54529, length 60
13:48:54.919157 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 54785, length 60
13:48:54.926307 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 54785, length 60
13:48:55.877606 IP 10.10.10.7 > 8.8.8.8: ICMP echo request, id 2, seq 418, length 40
13:48:55.940001 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 55041, length 60
13:48:55.940902 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 55041, length 60
13:48:57.002561 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 55297, length 60
13:48:57.003454 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 55297, length 60
13:48:58.065562 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 55553, length 60
13:48:58.067188 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 55553, length 60
13:48:59.082700 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 29734, seq 55809, length 60
13:48:59.083588 IP 192.168.2.1 > 192.168.2.2: ICMP echo reply, id 29734, seq 55809, length 60 -
Client on the LAN side, do you have it's default GW set to be 10.10.10.2?
-
Your NAT rules look ok, but check your Firewall rules as well. Remember rules apply from the top down, so the first rule that wins will be the topmost one. You don't have any block rules in place which might be stopping your ICMP traffic?
Might be worth posting your Firewall rules as well, just in case.
-
@mer:
Client on the LAN side, do you have it's default GW set to be 10.10.10.2?
Yes. On my lan pc I have set it IP 10.10.10.7/24 GW 10.10.10.2 DNS 10.10.10.2
Your NAT rules look ok, but check your Firewall rules as well. Remember rules apply from the top down, so the first rule that wins will be the topmost one. You don't have any block rules in place which might be stopping your ICMP traffic?
Might be worth posting your Firewall rules as well, just in case.
On Wan and Lan I have the same rule
IPv4 * * * * * * noneand on Lan there is one extra line
-
-
- LAN Address 80 * *
-
-
-
If you're pinging from pfSense itself (Diagnostics->ping) there are no firewall rule applied.
Your packet capture shows
13:48:41.346544 IP 10.10.10.7 > 8.8.8.8: ICMP echo request, id 2, seq 415, length 40
Whose IP is 10.10.10.7?Anyway, it isn't translated to WAN address while your NAT rules are okay. This may happen, if you change your LAN subnet.
Go to outbound NAT and try click Save button and reboot pfSense and see if it helped. -
If you're pinging from pfSense itself (Diagnostics->ping) there are no firewall rule applied.
what do you mean with that? sould it work or not?
Your packet capture shows
13:48:41.346544 IP 10.10.10.7 > 8.8.8.8: ICMP echo request, id 2, seq 415, length 40
Whose IP is 10.10.10.7?Its a pc on the lan, behind the pfsense
Anyway, it isn't translated to WAN address while your NAT rules are okay. This may happen, if you change your LAN subnet.
Go to outbound NAT and try click Save button and reboot pfSense and see if it helped.This may happen, if you change your LAN subnet. ?????
save without do any new changes? -
If you're pinging from pfSense itself (Diagnostics->ping) there are no firewall rule applied.
what do you mean with that? sould it work or not?
Yes this should work anyway.
Anyway, it isn't translated to WAN address while your NAT rules are okay. This may happen, if you change your LAN subnet.
Go to outbound NAT and try click Save button and reboot pfSense and see if it helped.This may happen, if you change your LAN subnet. ?????
save without do any new changes?In former versions there were no changes necessary to reset NAT rules. But you may also switch to hyprid rule generation and save it to ensure it is saved.
-
If you're pinging from pfSense itself (Diagnostics->ping) there are no firewall rule applied.
what do you mean with that? sould it work or not?
Yes this should work anyway.
Anyway, it isn't translated to WAN address while your NAT rules are okay. This may happen, if you change your LAN subnet.
Go to outbound NAT and try click Save button and reboot pfSense and see if it helped.This may happen, if you change your LAN subnet. ?????
save without do any new changes?In former versions there were no changes necessary to reset NAT rules. But you may also switch to hyprid rule generation and save it to ensure it is saved.
on the ping nothing from the lan interface
I have also change the NAT outbound to Hybrid Outbound NAT rule generation (Automatic Outbound NAT + rules below)
-
look for pings to the destination address (8.8.8.8 ). In the packet capture tab you can enter this address at host for filtering.
The packet capture must be taken from WAN interface. Have you done this above?
The pings there should come from your WAN address regardless, what's the real source, cause of NAT. -
look for pings to the destination address (8.8.8.8 ). In the packet capture tab you can enter this address at host for filtering.
The packet capture must be taken from WAN interface. Have you done this above?
The pings there should come from your WAN address regardless, what's the real source, cause of NAT.10:03:41.159463 IP 10.10.10.7 > 8.8.8.8: ICMP echo request, id 2, seq 1342, length 40
10:03:45.804347 IP 10.10.10.7 > 8.8.8.8: ICMP echo request, id 2, seq 1343, length 40
10:03:50.804364 IP 10.10.10.7 > 8.8.8.8: ICMP echo request, id 2, seq 1344, length 40
10:03:55.804314 IP 10.10.10.7 > 8.8.8.8: ICMP echo request, id 2, seq 1345, length 40 -
If this capture is taken from WAN your outbound NAT isn't working. On LAN it should look like this, apart from missing responses.
Have you disabled firewall and NAT in pfSense? System > Advanced > Firewall / NAT > Disable Firewall.
-
If this capture is taken from WAN your outbound NAT isn't working. On LAN it should look like this, apart from missing responses.
Have you disabled firewall and NAT in pfSense? System > Advanced > Firewall / NAT > Disable Firewall.
ok so before this was checked. now its working because I have uncheck it. so now its on or off the firewall? I dont get it.
-
You don't get "DISABLE all packet filtering" ??
States turns pfsenes into ROUTER only!!
States also turns off NATThat clearly is not checked out of the box… So you must of on purpose checked that... But you don't understand what it says?
What is it exactly that confuses you about that box and its wording?? And that is says DISABLE FIREWALL???
English is not your native language maybe? And your putting that into say google translate and its coming out confusing in your language to if that turns on or off the firewall??
I don't get it is right ;)
-
If this is unchecked firewall and NAT is turned off. Hence your outbound NAT didn't work.
It's unchecked by default, as johnpoz wrote. You may have checked it to prevent double NAT, cause your route also do NAT. If it's possible it's better to turn off NAT at the router. However, double NAT should also work.
-
You don't get "DISABLE all packet filtering" ??
States turns pfsenes into ROUTER only!!
States also turns off NATThat clearly is not checked out of the box… So you must of on purpose checked that... But you don't understand what it says?
What is it exactly that confuses you about that box and its wording?? And that is says DISABLE FIREWALL???
English is not your native language maybe? And your putting that into say google translate and its coming out confusing in your language to if that turns on or off the firewall??
I don't get it is right ;)
I dont remember check in it; so I think its check out of the box.
now Im confuse because its says "disable firewall [checkbox]" that means if I check it the firewall is OFF (check=yes, uncheck=no correct?) and viragomann says otherwise.If this is unchecked firewall and NAT is turned off. Hence your outbound NAT didn't work.
It's unchecked by default, as johnpoz wrote. You may have checked it to prevent double NAT, cause your route also do NAT. If it's possible it's better to turn off NAT at the router. However, double NAT should also work.
Are you sure? because now its working fine. Im going to firewall->rules-> and I put ICMP allow and its passing. I set it off and its blocking. Before no matter what it was always off; no ping was passing through the lan.
-
If this is unchecked firewall and NAT is turned off. Hence your outbound NAT didn't work.
That sentence is the wrong way around, it should say:
If this is checked firewall and NAT is turned off. Hence your outbound NAT didn't work.