Netgate PfSense DHCP on WAN problem. "Internet" not working

Problem: i do get WAN IP and status “online”. i can ping outside but i can´t “surf” the web. input on what to test would be appreciated

Basic setup with the Wizard.
Netgate 2100 with 23.01 release
WAN = DHCP (Public ip)
Lan =
DNS = tested with static ones like google and tested with the one the ISP provide.
Rules = standard rules “LAN to any allow” etc
NAT = automatic rules in place, mode is automatic.

  • Have tested with and without “block private networks” options.
  • Have tested with different DNS options, with or without DNS overice from ISP
  • If i set a static WAN IP it works fine. did just try to change to DHCP and it does not work, tested different connections with a live ISP and in a LAB.

Need more info on your isp link

Is your ISP link dhcp or static, what details has you provider given you.

the ISP gives DHCP with public IP.
But right now i did test in a LAB with a local ip via DHCP, same result. (the Block private network and block bogon networks, options is turned of.

i do get the IP from the other firewall, in this case.
i get the status as “Online”
i can Ping outside but i can´t surf.

If you connect the network cable into a laptop, network settings dhcp can you browse the internet ?

If you can not I would ring your ISP and explain the issue - maybe a issue at their end , or incorrect firewall settings on their firewall

yes if i connect direct to my laptop it works fine. so there is no problem with the connection.
Feels mor like NAT or DNS problem somehow.

When you have it working , as you have a double nat setup you need to untick the follow in pfsense

What are your dns servers within pfsense under System - General Setup

Working example

Run DNS Lookups on Pfsense, to see if it can resolve fqdn

Diagnostics - DNS Lookup

yes, right now when i am dubble nated i have those option turned off, also i did test to turn them off when i had a public ip just because, no luck there.

my DNS servers are and
i have tested with both “DNS Server override” on and off. no difference.

i can´t do a DNS lookup, it “can not be resolved”
i can ping like from my laptop and from the firewall.

Issue is to do with PFSense / DNS somewhere.

Installed System_Patches under Package Manager and apply all patches - Updated pfsense Patch Package - Lawrence Technology Services (

Make sure DNS Forwarder is disabled and DNS resolver is enabled - both under Services

On the pfsense dhcp settings for the network, what are your DNS settings.

Can you post your lan firewall rules

On the wan setup, you have configured IPv6 Configuration type as None

this is so wierd.
i did have IPv6 on, did set it to “None” and saved, then everything worked.
i did a reboot just to be sure it keeps working and after reboot it does not work any more.

(DNS Forwarder was of and resolver on)
i will try download the patches.
Firewall rules:
on WAN there is no rules at all.
on LAN there is the tre standard rules, anti lockout, LAN to ANY allow, and LAN to ANY IPv6 Allow. in that order. have not changed them from the wizard default.

have tested to install all patches, have factory restored the system and tested everything one more time, no luck. still same problem. this starts to be annoying.

Just an update, i have Reinstalled PFsense software on the netgate, no luck, still same problem.

You have to adjust your default gateway to the IP you received via DHCP. It is “automatic” by default but it doesn’t always work for reason I can’t explain. Go in System | Routing and select the correct default gateway. Things should start to work afterward.

i had already tested that,
i did change internet conenction now, and now i get status “offline” on the gateway and 100% loss. but right now it works. and it take about 5-10 minutes from startup before it working so this does not feels like something i want to deploy at a customer.

I am a tad lost so maybe that is it:-) Are and DNS server pets that the ISP gave you?

Have you tried using the ISP supplied DNS and verified you can UDP from a client through the double NAT to the ISP DNS servers?

Again – I may just be missing what you are trying to do. Albeit, double NAT can be painful.

i am not trying to do dubble nat, it is just for testing because i did not get DHCP with public IP to work.
i can get it to work now, but it takes about 10 minutes from firewall startup untill it works. so still i would not like to put that firewall out to a customer.
and jsut to answer, yes i have tested both supplied DNS and 3rd party DNS.

Agree weird. How is the PFSense Wan connected to the ISP?

I’m my case my ProtectLi/PFSense/Opensense box was connected to an ARIS cable modem. When I moved the cable modem from Unifi USG to ProtectLi nothing worked until I rebooted the Aris modem. Reason – ISP, Aris and the “Netgate” wan all need to get in sync. Now in some cases, you may need to spoof the Mac Address of the working computer onto Netgate. ISPs all seem to use different solutions that identify the actual customer connecting to their network:-) in some cases Netgate may need a user/password.

When it is both working and not do you have a way to get the Wan IP address? Are they both logical ie IP address traceable to the ISP and not something g like 169.*.

Hope you somehow get this working wit a bit of magic.