#PFSense not serving WAN traffic to LAN?
Did you create rules to allow traffic? pfsense is a deny by default deal
It'll be something similar to this, though with LAN net as your source and default as your gateway
Mine's different because I'm using opnsense
I'll take a look at the rules and add away
Start with rules that let anything through then work your way to more fine grained
I've blanket allowed everything on both WAN and LAN interfaces, and I'm still not seeing internet access
What do your logs show? Make sure your rules have the Log box checked
But you should NOT need any rules on WAN
Yea, disable that WAN rule. You're letting all inbound traffic in
You only need to make WAN rules if you're trying to do some port forwarding
Did you set up DHCP ranges and whatnot?
Yeah, default gave from 10.0.0.10 - 10.0.0.245 during setup wizard
That's your LAN net range then?
Yes. WAN is set to dhcp on IPV4 and IPV6 disabled
Yeah, it's enabled. I'm connecting to the box wirelessly on the lan
Look at your firewall logs, see if it shows you traffic being blocked
(this assumes logs are enabled for your rule)
I'm pretty sure pfsense does that still
Looking for where logs are
Found it
Those are coming in at your WAN
Right. I don't quite understand why they've been blocked though...
Because you don't have a rule allowing in WAN traffic. That's expected
Try setting a ping from your pc to 1.1.1.1 and just let it run. Trying to remember how to get windows to not auto stop it
ping -t 1.1.1.1
then look at your firewall logs and change the source to your PC IP
Running Ubuntu. I believe it's continuous by default
Turned on logs for the rule. Still don't see logs from the ping test
I think maybe your linksys device is getting in the way somehow
Especially if it's got its own DHCP server running
I'm starting to think that as well. When I visit its IP I get a weird message after signing in
10.0.0.128
Try taking the linksys out of the chain for now
Just deleted LINKSYS from LAN. Adding new hard-line interface on pfsense.
Wait, are you intending on creating a new interface? Shouldn't need to, just plug into the same port the linksys was in
LINKSYS was plugged into a switch... Nvm caught it as I was typing it
Ahh
Pc froze when running dhclient rebooting
oof
Oh boy. Can't reach the web Configurator now and running sudo dhclient now returns "Operation not possible due to RF-kill"
Looks like your PC isn't being given a dhcp lease
Never seen the need to run dhclient though
Should be automatic
Hmm. I was trying to use old router as dhcp server. dhcp server probably didn't spin up when I unplugged LINKSYS
pfsense should be handling it for sure
Now that I've lost dhcp, do I have to/would it be better to reset to factory defaults, or can I start the dhcp server from command line?
I don't know pfsense cli off the top of my head, but you should be able to do it with a monitor plugged directly into the box assuming you have an igpu in it
But a factory reset might be easier
In general, you want to start off as simple as possible to make troubleshooting easier
The linksys router should be put into bridge/AP mode once you get things working hard wired
Yeah, I think I'll stick to just the modem, the switch and the pfsense box for now.
If you have the money, I use omada gear myself for switch & APs with the controller in a docker container to manage all my stuff. Works well
Has a mobile app for it, too
Controller for what is in docker container?
The omada controller
Can create up to 8 wifi networks on a single AP each on its own vlan.
You can get the controller in a physical box for like $100, but the docker container works just as well for free
Interesting. Just spent $300 on this little box to experiment with PFSense, looking like I'll need at least 1 standalone AP at this point. Might do a whole migration 🤷♂️
I started off like that, too. But found the wonders of using a 1 liter thin client PC as my router/firewall. Got it off ebay for just under $200 and it's WAY more powerful than those boxes if you got like a protectli or similar
I used this as inspiration. I snagged a m920q off ebay
https://smallformfactor.net/forum/threads/lenovo-m720q-tiny-router-firewall-build-with-aftermarket-4-port-nic.14793/
Just finished running through setup wizard again
Pfsense has my public IP and my WAN rules show the default blocked message!
Correct
Do you have internet access?
Negative
Created a LAN rule too?
Default LAN rules look like they should be enough?
Try changing the gateway to WAN
Change destination from "*" to "WAN Net"?
No this
looks like some traffic is going over LAN at least
But turn on logs for the rules too
Found the setting. Buried in advanced tab
Still no internet. Trying to find logs tab again
And set the src to your PC IP
??? I can ping! No Google though
Put source as 10.0.0.1/16 would that suffice?
That's a whole shitload of IPs lol, but yea
Go through this and make sure you did everything
https://docs.netgate.com/pfsense/en/latest/multiwan/interfaces-and-dns.html
You might need to assign a DNS service for pfsense to send queries to
Sorry that link's for multi-WAN, one sec
This one should work
https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-config.html
Probably need to set system DNS servers
When checked, unbound will use the system DNS Servers from System > General Setup or those received from a dynamic WAN, rather than using the root servers directly.
Try dig @9.9.9.9 google.com
On your PC
If that works, then you need to set up DNS on pfsense
This is my output, for reference
; <<>> DiG 9.18.17 <<>> @9.9.9.9 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65054
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 10 IN A 172.253.62.102
google.com. 10 IN A 172.253.62.138
google.com. 10 IN A 172.253.62.139
google.com. 10 IN A 172.253.62.101
google.com. 10 IN A 172.253.62.113
google.com. 10 IN A 172.253.62.100
;; Query time: 14 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Fri Aug 11 23:35:52 CDT 2023
;; MSG SIZE rcvd: 135
I've got similar output from the dig command
Then you know your problem lol
Bit confused. Should I enable DNS forwarder instead of DNS resolver then?
Start with resolver
Your ISP might be a bitch and block that, then forwarding mode would be next to try
You can test pfsense dns by just doing dig google.com. That should query it
! Changed outgoing network interfaces to WAN and enabled DNS QUERY Forwarding mode
I've heard before "it's always DNS" but this is just ridiculous 😆
Ooh boy. I think I'll just get a pre-made container of pihole thank you very much lol
Oh pihole works great too!
I like adguard home more, personally. Gives you more fine grained controls, like blocking certain URLs for individual clients
Pihole is just all or none
Not something that I had thought of before. I will certainly look to see if that's something that would be useful for the family, though.
Something I do that might interest you is forcing all clients on your network to use only pfsense for DNS
I've got to thank you so much for helping guide me through this, btw!
You're very welcome
Next immediate project I'll be looking for is to set a second LAN interface on pfsense that only allows VPN traffic through. Wireguard would be nice too
I do that with my opnsense
Though I do it via VLANs
I also have a managed switch capable of them
Nice. Nice. I'm thinking of having a small server right near the router to download my Linux isos, and I want that to always be over VPN.
If you don't have a VPN provider, I recommend mullvad, proton, ivpn, or windscribe. They are decent companies in a sea of scummery
Would be simple to just have 1 whole interface dedicated to that purpose
That's exactly what I do with my truenas server
I use Proton for privacy, and nord for basic security: free wifi and whatnot
Well good luck to ya
Thanks again!