No routing to class C WAN
-
@zak-mckracken there is nothing to do to work in a double nat setup - the one thing that could be a problem is that if the IP your pfsense gets on its wan overlaps the network you're using on pfsense lan - then yeah that prob not going to work..
Why are you hiding a 192.168 address? What is the exact address you get on your pfsense wan if it is rfc1918, what is the network you're trying to use on your pfsense lan?
-
@zak-mckracken
Why do you say you can't use pfSense with the new connection?
Is it Frontier or ATT maybe?
-
Class C? Classful addresses have been obsolete for almost 30 years. Is there some reason you can't put your ONT into bridge mode? As for using double NAT, are you trying to use the same subnet for the pfSense LAN as the WAN?
-
@jknott said in No routing to class C WAN:
have been obsolete for almost 30 years.
I know - it never ceases to amaze me how the terms even still come up.. When I first started in IT they were still a thing - and I haven't used the terms myself in prob 25 years ;)
It's crazy. I could see a habit like saying you're taping a show, when you're actually recording it on your dvr or something - that was a habit that took a while to break..
-
@johnpoz said in No routing to class C WAN:
@zak-mckracken there is nothing to do to work in a double nat setup - the one thing that could be a problem is that if the IP your pfsense gets on its wan overlaps the network you're using on pfsense lan - then yeah that prob not going to work..
Why are you hiding a 192.168 address? What is the exact address you get on your pfsense wan if it is rfc1918, what is the network you're trying to use on your pfsense lan?
I didn't mean to hide my local addresses; I just figured the exact numbers wouldn't matter.
The IP range behind the FTTH router is 192.168.1.0/24. Its own address is 192.168.1.254, also given as the default gateway by its DHCP server. I made a reservation to make the pfSense router get 192.168.1.1. Perhaps a bad idea, but other addresses didn't work either.
My LAN uses a class B IP range: 172.17.0.0/16. Could it be that class B ranges are not routed to class C?
-
@jarhead said in No routing to class C WAN:
@zak-mckracken
Why do you say you can't use pfSense with the new connection?
Is it Frontier or ATT maybe?
I just cannot ping out. Or anything else for that matter.
When pfSense is connected to the cable modem, I can do this from my laptop:
macbookpro:~ robert$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=117 time=181.717 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=229.149 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=15.548 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=117 time=10.914 ms
But when it's connected to the FTTH router, I get this:
macbookpro:~ robert$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
92 bytes from pfsense.xxx.local (172.17.1.1): Destination Host Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 164a 0 0000 40 01 9a34 172.17.14.10 8.8.8.8
Request timeout for icmp_seq 0
92 bytes from pfsense.xxx.local (172.17.1.1): Destination Host Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 c396 0 0000 40 01 ece7 172.17.14.10 8.8.8.8
-
@zak-mckracken
I'll ask again, is this Frontier or ATT?? There are known issues with both of them working with pfSense and also ways around it.
If one of them is your ISP, the problem is nothing you did and can be fixed very easily.
-
@jknott said in No routing to class C WAN:
Class C? Classful addresses have been obsolete for almost 30 years. Is there some reason you can't put your ONT into bridge mode? As for using double NAT, are you trying to use the same subnet for the pfSense LAN as the WAN?
Yeah; I'm old fashioned that way. This is how I was taught in school, and I'm not a network engineer, so I never got updated. It took me a long time to get used to the /24 notation.
Anyway; Yes, there's a good reason; Its firmware doesn't support it. And yes, I've been nagging about it, and getting a stand-alone bridge from my ISP, but that's taking all of my energy and leading nowhere.
No; Subnets differ.
-
@jarhead said in No routing to class C WAN:
@zak-mckracken
Why do you say you can't use pfSense with the new connection?
Is it Frontier or ATT maybe?
I don't know what those are. In case you mean ISPs (AT&T?); No, we don't have those here in Europe.
-
@zak-mckracken said in No routing to class C WAN:
macbookpro:~ robert$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
92 bytes from pfsense.delien.local (172.17.1.1): Destination Host Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 164a 0 0000 40 01 9a34 172.17.14.10 8.8.8.8
Well from that looks like your mac can not talk to pfsense.. did you alter the rules on the lan? Did your macbook get that IP from pfsense dhcp?
Can you access the pfsense gui from this macbook on 172.17.1.1 ?
172.17/16 pretty large network for a home lan ;) you plan on having some 65k some devices? Your macbook has an IP of 172.17.14 seems like an odd IP to get from dhcp that with a 172.17/16 range normally it would be at the end or the beginning of the range..
-
@johnpoz said in No routing to class C WAN:
Well from that looks like your mac can not talk to pfsense..
For a little while you got me scared; I thought I checked that, but wasn't sure.
But it can talk to pfSense. It gets an IP address from the pfSense DHCP server, it can ping it, and the web interface works:
macbookpro:~ robert$ ifconfig
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=400<CHANNEL_IO>
    ether 8c:85:90:3f:86:04
    inet6 fe80::1c8b:d1f8:235b:5071%en0 prefixlen 64 secured scopeid 0x4
    inet 172.17.14.10 netmask 0xffff0000 broadcast 172.17.255.255
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect
    status: active
macbookpro:~ robert$ ping 172.17.1.1
PING 172.17.1.1 (172.17.1.1): 56 data bytes
64 bytes from 172.17.1.1: icmp_seq=0 ttl=64 time=3.761 ms
64 bytes from 172.17.1.1: icmp_seq=1 ttl=64 time=2.344 ms
64 bytes from 172.17.1.1: icmp_seq=2 ttl=64 time=2.128 ms
^C
--- 172.17.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.128/2.744/3.761/0.724 ms
did you alter the rules on the lan?
Not that I'm aware of. I didn't change anything recently.
Did your macbook get that IP from pfsense dhcp?
Yes.
Can you access the pfsense gui from this macbook on 172.17.1.1 ?
Yes. And on pfsens.xxx.local.
172.17/16 pretty large network for a home lan ;) you plan on having some 65k some devices? Your macbook has an IP of 172.17.14 seems like an odd IP to get from dhcp that with a 172.17/16 range normally it would be at the end or the beginning of the range..
My OCD demands that I have devices grouped by categories. 172.17.14 is for WLAN laptops and tablets. All devices use DHCP, but all have reservations too, so I can quickly spot new devices, or devices that don't belong on my network. Yeah, it's terrible, I know.
-
@zak-mckracken said in No routing to class C WAN:
it can ping it, and the web interface works:
So while on the pfsense web gui - go to the ping under diagnostic - can pfsense ping 8.8.8.8?
can you do dns?
-
@zak-mckracken said in No routing to class C WAN:
My LAN uses a class B IP range: 172.17.0.0/16. Could it be that class B ranges are not routed to class C?
No, that has nothing to do with it. I use 172.16.0.0 for my local subnet and it works fine. And please forget about class b, c, etc.. As I mentioned, those terms have been obsolete for decades. Classless Inter-Domain Routing (CIDR) has been around since 1993, where you specify a network address and size, such as 172.16.0.0/24 for mine.
-
@zak-mckracken said in No routing to class C WAN:
But when it's connected to the FTTH router, I get this:
What happens if you connect a computer directly to the FTTH router? If it still doesn't work then there's a problem on the ISP side that has nothing to do with pfsense.
-
@johnpoz said in No routing to class C WAN:
@zak-mckracken said in No routing to class C WAN:
So while on the pfsense web gui - go to the ping under diagnostic - can pfsense ping 8.8.8.8?
No, it cannot; No response.
can you do dns?
No, host could not be resolved.
But it does route from my LAN to the FTTH router intermediate network. From my laptop on my LAN, I can ping the WAN IP address, 192.168.1.1. I can even ping the FTTH router itself on 192.168.1.254, from my laptop on my LAN, through the pfSense router.
It seems like my pfSense router doesn't know any default gateways, as it itself concludes that 8.8.8.8 is unreachable, instead of forwarding it to 192.168.1.254. I can't remember I ever had to configure such a thing.
-
@jknott said in No routing to class C WAN:
What happens if you connect a computer directly to the FTTH router? If it still doesn't work then there's a problem on the ISP side that has nothing to do with pfsense.
That works just fine. I'm not getting the speed advertised, but that's rather standard since the dawn of ISPs.
-
I'm sorry if I cannot respond the next two days, as my wife has declared this an internet-free house for Christmas. I withheld my urge to argue, asking her if she realises how much stuff in our house will no longer, just barely. She probably just means screen-staring.
Merry Christmas!
-
@zak-mckracken said in No routing to class C WAN:
I'm not getting the speed advertised, but that's rather standard since the dawn of ISPs.
Yep, Here's what I just got on my 500/30 connection:
-
@zak-mckracken said in No routing to class C WAN:
I'm not getting the speed advertised, but that's rather standard since the dawn of ISPs.
Would depend on how much you're off, if you're supposed to get 500 and you're getting 300, I would look into that - if you're getting 480 then maybe not, etc..
I had an issue for a bit where I was not seeing the 50 up that I'm supposed to get - was only getting like 30 top.. Took them 3 days and 2 truck rolls but they got it fixed.. And now see 50.. sometimes a bit over.. and have never had any issues getting my 500 down.
Seeing a touch under my 50 currently - but also streaming off my plex to one of my users at over 5mbps..
-
Ok, spent Christmas with the family, now back to debugging.
As said, everything seems to work: I can ping nodes on the intermediate network on the WAN side. I can even visit the fiberglass router's webpages from the LAN side.
Routing from WAN to LAN works just fine. The only thing that doesn't work, is forwarding traffic for neither network to a default gateway. And I think I've found something.
When connected to the cable modem (in bridge mode), my gateways look like this:
But when connected to the fiberglass router (not capable of bridge mode), they look like this:
The WANGW setting seems to be fixed, hard-coded. And it is configured as the IPv4 default gateway.
I can easily fix it, but I do not like hard-coded settings that are normally received over DHCP. Because if my ISP changes something, my internet connection stops working, and the searching game is on.
Does anybody know what the WANGW setting is for? I do have ntopng installed.
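An added example, not part of any post in this thread: a small model of the router's forwarding decision using the thread's addresses (LAN 172.17.0.0/16, WAN 192.168.1.0/24, FTTH router 192.168.1.254), showing why both connected networks answer pings while 8.8.8.8 is reported unreachable when no usable default gateway exists. The static gateway 203.0.113.1 is a constructed placeholder, since the thread does not show the WANGW value, and the function names are hypothetical.

```python
import ipaddress

def overlaps(wan_cidr, lan_cidr):
    """Double NAT only breaks when the WAN and LAN subnets overlap."""
    return ipaddress.ip_network(wan_cidr).overlaps(ipaddress.ip_network(lan_cidr))

def next_hop(routes, dst):
    """Classless longest-prefix match over (cidr, gateway) pairs.
    gateway None means directly connected. Returns None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for cidr, gw in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return best[1] or "on-link"

def gateway_on_link(routes, gw):
    """A gateway is only usable if it sits inside a directly connected subnet."""
    gw = ipaddress.ip_address(gw)
    return any(g is None and gw in ipaddress.ip_network(c) for c, g in routes)

def diagnose(routes, dst):
    """Explain what the router does with a packet for dst."""
    hop = next_hop(routes, dst)
    if hop is None:
        return "unreachable: no matching route and no default gateway"
    if hop == "on-link":
        return "delivered directly"
    if not gateway_on_link(routes, hop):
        return f"unreachable: gateway {hop} is not on a connected subnet"
    return f"forwarded via {hop}"

# Connected networks as described in the thread.
CONNECTED = [("172.17.0.0/16", None), ("192.168.1.0/24", None)]
# Constructed case: a static default gateway that does not match the new WAN subnet.
STALE_STATIC = CONNECTED + [("0.0.0.0/0", "203.0.113.1")]
# Default gateway as handed out by the FTTH router's DHCP server.
DHCP_DEFAULT = CONNECTED + [("0.0.0.0/0", "192.168.1.254")]

if __name__ == "__main__":
    print("WAN/LAN overlap:", overlaps("192.168.1.0/24", "172.17.0.0/16"))
    tables = {"no default": CONNECTED, "stale static": STALE_STATIC,
              "dhcp default": DHCP_DEFAULT}
    for name, table in tables.items():
        for dst in ("192.168.1.254", "8.8.8.8"):
            print(f"{name:12} {dst:14} {diagnose(table, dst)}")
```

On pfSense itself, the same information can be read from Diagnostics > Routes, where the `default` entry should point at an address inside the WAN subnet.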