Netgate Discussion Forum

    No routing to class C WAN

    • Z
      Zak McKracken @Jarhead
      last edited by Zak McKracken

      @jarhead said in No routing to class C WAN:

      @zak-mckracken
      Why do you say you can't use pfSense with the new connection?
      Is it Frontier or ATT maybe?

      I just cannot ping out. Or anything else for that matter.

      When pfSense is connected to the cable modem, I can do this from my laptop:

      macbookpro:~ robert$ ping 8.8.8.8
      PING 8.8.8.8 (8.8.8.8): 56 data bytes
      64 bytes from 8.8.8.8: icmp_seq=0 ttl=117 time=181.717 ms
      64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=229.149 ms
      64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=15.548 ms
      64 bytes from 8.8.8.8: icmp_seq=3 ttl=117 time=10.914 ms
      

      But when it's connected to the FTTH router, I get this:

      macbookpro:~ robert$ ping 8.8.8.8
      PING 8.8.8.8 (8.8.8.8): 56 data bytes
      92 bytes from pfsense.xxx.local (172.17.1.1): Destination Host Unreachable
      Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
       4  5  00 5400 164a   0 0000  40  01 9a34 172.17.14.10  8.8.8.8
      
      Request timeout for icmp_seq 0
      92 bytes from pfsense.xxx.local (172.17.1.1): Destination Host Unreachable
      Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
       4  5  00 5400 c396   0 0000  40  01 ece7 172.17.14.10  8.8.8.8 
      
      • J
        Jarhead @Zak McKracken
        last edited by

        @zak-mckracken
        I'll ask again, is this Frontier or ATT??

        There are known issues with both of them working with pfSense and also ways around it.
        If one of them is your ISP, the problem is nothing you did and can be fixed very easily.

        • Z
          Zak McKracken @JKnott
          last edited by

          @jknott said in No routing to class C WAN:

          @zak-mckracken

          Class C? Classful addresses have been obsolete for almost 30 years. Is there some reason you can't put your ONT into bridge mode? As for using double NAT, are you trying to use the same subnet for the pfSense LAN as the WAN?

          Yeah; I'm old fashioned that way. This is how I was taught in school, and I'm not a network engineer, so I never got updated. It took me a long time to get used to the /24 notation.

          Anyway; Yes, there's a good reason; Its firmware doesn't support it. And yes, I've been nagging about it, and getting a stand-alone bridge from my ISP, but that's taking all of my energy and leading nowhere.

          No; Subnets differ.

          • Z
            Zak McKracken @Jarhead
            last edited by

            @jarhead said in No routing to class C WAN:

            @zak-mckracken
            Why do you say you can't use pfSense with the new connection?
            Is it Frontier or ATT maybe?

            I don't know what those are. In case you mean ISPs (AT&T?); No, we don't have those here in Europe.

            • johnpozJ
              johnpoz LAYER 8 Global Moderator @Zak McKracken
              last edited by

              @zak-mckracken said in No routing to class C WAN:

              macbookpro:~ robert$ ping 8.8.8.8
              PING 8.8.8.8 (8.8.8.8): 56 data bytes
              92 bytes from pfsense.delien.local (172.17.1.1): Destination Host Unreachable
              Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
              4 5 00 5400 164a 0 0000 40 01 9a34 172.17.14.10 8.8.8.8

              Well from that looks like your mac can not talk to pfsense.. did you alter the rules on the lan? Did your macbook get that IP from pfsense dhcp?

              Can you access the pfsense gui from this macbook on 172.17.1.1 ?

              172.17/16 pretty large network for a home lan ;) you plan on having some 65k some devices? Your macbook has an IP of 172.17.14 seems like an odd IP to get from dhcp that with a 172.17/16 range normally it would be at the end or the beginning of the range..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              • Z
                Zak McKracken @johnpoz
                last edited by

                @johnpoz said in No routing to class C WAN:

                Well from that looks like your mac can not talk to pfsense..

                For a little while you got me scared; I thought I checked that, but wasn't sure.
                But it can talk to pfSense. It gets an IP address from the pfSense DHCP server, it can ping it, and the web interface works:

                macbookpro:~ robert$ ifconfig
                en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                	options=400<CHANNEL_IO>
                	ether 8c:85:90:3f:86:04 
                	inet6 fe80::1c8b:d1f8:235b:5071%en0 prefixlen 64 secured scopeid 0x4 
                	inet 172.17.14.10 netmask 0xffff0000 broadcast 172.17.255.255
                	nd6 options=201<PERFORMNUD,DAD>
                	media: autoselect
                	status: active
                macbookpro:~ robert$ ping 172.17.1.1
                PING 172.17.1.1 (172.17.1.1): 56 data bytes
                64 bytes from 172.17.1.1: icmp_seq=0 ttl=64 time=3.761 ms
                64 bytes from 172.17.1.1: icmp_seq=1 ttl=64 time=2.344 ms
                64 bytes from 172.17.1.1: icmp_seq=2 ttl=64 time=2.128 ms
                ^C
                --- 172.17.1.1 ping statistics ---
                3 packets transmitted, 3 packets received, 0.0% packet loss
                round-trip min/avg/max/stddev = 2.128/2.744/3.761/0.724 ms
                

                did you alter the rules on the lan?

                Not that I'm aware of. I didn't change anything recently.

                Did your macbook get that IP from pfsense dhcp?

                Yes.

                Can you access the pfsense gui from this macbook on 172.17.1.1 ?

                Yes. And on pfsense.xxx.local.

                172.17/16 pretty large network for a home lan ;) you plan on having some 65k some devices? Your macbook has an IP of 172.17.14 seems like an odd IP to get from dhcp that with a 172.17/16 range normally it would be at the end or the beginning of the range..

                My OCD demands I have devices grouped by categories. 172.17.14 is for WLAN laptops and tablets. All devices use DHCP, but all have reservations too, so I can quickly spot new devices, or devices that don't belong on my network. Yeah, it's terrible, I know.

                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @Zak McKracken
                  last edited by

                  @zak-mckracken said in No routing to class C WAN:

                  it can ping it, and the web interface works:

                  So while on the pfsense web gui - go to the ping under diagnostic - can pfsense ping 8.8.8.8?

                  can you do dns?

                  stuff.jpg

                  • JKnottJ
                    JKnott @Zak McKracken
                    last edited by

                    @zak-mckracken said in No routing to class C WAN:

                    My LAN uses a class B IP range: 172.17.0.0/16. Could it be that class B ranges are not routed to class C?

                    No, that has nothing to do with it. I use 172.16.0.0 for my local subnet and it works fine. And please forget about class b, c, etc.. As I mentioned, those terms have been obsolete for decades. Classless Inter-Domain Routing (CIDR) has been around since 1993, where you specify a network address and size, such as 172.16.0.0/24 for mine.

                    PfSense running on Qotom mini PC
                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                    UniFi AC-Lite access point

                    I haven't lost my mind. It's around here...somewhere...

                    • JKnottJ
                      JKnott @Zak McKracken
                      last edited by

                      @zak-mckracken said in No routing to class C WAN:

                      But when it's connected to the FTTH router, I get this:

                      What happens if you connect a computer directly to the FTTH router? If it still doesn't work then there's a problem on the ISP side that has nothing to do with pfsense.

                      • Z
                        Zak McKracken @johnpoz
                        last edited by

                        @johnpoz said in No routing to class C WAN:

                        @zak-mckracken said in No routing to class C WAN:
                        So while on the pfsense web gui - go to the ping under diagnostic - can pfsense ping 8.8.8.8?

                        No, it cannot; No response.

                        can you do dns?

                        No, host could not be resolved.

                        But it does route from my LAN to the FTTH router intermediate network. From my laptop on my LAN, I can ping the WAN IP address, 192.168.1.1. I can even ping the FTTH router itself on 192.168.1.254, from my laptop on my LAN, through the pfSense router.

                        It seems like my pfSense router doesn't know any default gateways, as it itself concludes that 8.8.8.8 is unreachable, instead of forwarding it to 192.168.1.254. I can't remember that I ever had to configure such a thing.

                        • Z
                          Zak McKracken @JKnott
                          last edited by

                          @jknott said in No routing to class C WAN:

                          What happens if you connect a computer directly to the FTTH router? If it still doesn't work then there's a problem on the ISP side that has nothing to do with pfsense.

                          That works just fine. I'm not getting the speed advertised, but that's rather standard since the dawn of ISPs.

                          • Z
                            Zak McKracken
                            last edited by

                            I'm sorry if I cannot respond the next two days, as my wife has declared this an internet-free house for Christmas. I withheld my urge to argue, asking her if she realises how much stuff in our house will no longer, just barely. She probably just means screen-staring.

                            Merry Christmas!

                            • JKnottJ
                              JKnott @Zak McKracken
                              last edited by

                              @zak-mckracken said in No routing to class C WAN:

                              I'm not getting the speed advertised, but that's rather standard since the dawn of ISPs.

                              Yep, Here's what I just got on my 500/30 connection:

                              alt text

                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator @Zak McKracken
                                last edited by

                                @zak-mckracken said in No routing to class C WAN:

                                I'm not getting the speed advertised, but that's rather standard since the dawn of ISPs.

                                Would depend on how much you're off, if you're supposed to get 500 and you're getting 300, I would look into that - if you're getting 480 then maybe not, etc..

                                I had an issue for a bit where I was not seeing the 50 up that I'm supposed to get - was only getting like 30 top.. Took them 3 days and 2 truck rolls but they got it fixed.. And now see 50.. sometimes a bit over.. and have never had any issues getting my 500 down.

                                testjpg.jpg

                                Seeing a touch under my 50 currently - but also streaming off my plex to one of my users at over 5mbps..

                                plex.jpg

                                • Z
                                  Zak McKracken
                                  last edited by

                                  Ok, spent Christmas with the family, now back to debugging.
                                  As said, everything seems to work: I can ping nodes on the intermediate network on the WAN side. I can even visit the fiberglass router's webpages from the LAN side. Routing from WAN to LAN works just fine. The only thing that doesn't work, is forwarding traffic for neither network to a default gateway. And I think I've found something.

                                  When connected to the cable modem (in bridge mode), my gateways look like this:
                                  Gateways - cablemodem.png
                                  But when connected to the fiberglass router (not capable of bridge mode), they look like this:
                                  Gateways - fiberrouter.png
                                  The WANGW setting seems to be fixed, hard-coded. And it is configured as the IPv4 default gateway.

                                  I can easily fix it, but I do not like hard-coded settings that are normally received over DHCP. Because if my ISP changes something, my internet connection stops working, and the searching game is on.

                                  Does anybody know what the WANGW setting is for? I do have ntopng installed.

                                  • johnpozJ
                                    johnpoz LAYER 8 Global Moderator @Zak McKracken
                                    last edited by johnpoz

                                    @zak-mckracken you created a gateway by hand - remove it you should only have the wan_dhcp gateway.

                                    Click the little trash can next to the wangw

                                    • Z
                                      Zak McKracken @johnpoz
                                      last edited by

                                      @johnpoz said in No routing to class C WAN:

                                      @zak-mckracken you created a gateway by hand - remove it you should only have the wan_dhcp gateway.

                                      Click the little trash can next to the wangw

                                      I leaned towards that conclusion too, but this is really not something I would do, because I'm just not knowledgeable enough to be comfortable with settings like that.

                                      So at first I thought it was the result of some other setting, or some package that I had installed. But that doesn't make sense.

                                      So I went through my posting history here on the forum, because I've probably consulted people here about this setting, and I've found this post:
                                      https://forum.netgate.com/post/993975
                                      Apparently, I had overridden my WAN IP address, netmask and default gateway to work around a provider-problem. Later, I reverted back the WAN IP address and netmask, but most likely neglected to revert the default gateway override.

                                      Does that make sense, or could it still be a package or another setting that's responsible for WANGW?

                                      • johnpozJ
                                        johnpoz LAYER 8 Global Moderator @Zak McKracken
                                        last edited by

                                        @zak-mckracken clearly you're not going to be using isp A ip address with isp B. Clearly the wangw was added by hand. You have dhcp, delete it.

                                        • Z
                                          Zak McKracken @johnpoz
                                          last edited by

                                          @johnpoz said in No routing to class C WAN:

                                          @zak-mckracken clearly you're not going to be using isp A ip address with isp B. Clearly the wangw was added by hand. You have dhcp, delete it.

                                          Well, I was considering to change it to the new intermediate network gateway, but that doesn't make sense: The added gateway is identical to the DHCP gateway, kinda confirming it was added manually due to the problem I described in the other thread.

                                          So you're right; It has to go!

                                          And so it went, nothing seems to break down with it.

                                          Thanks for all the help, guys!

                                          1 Reply Last reply Reply Quote 0
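
Added example, not part of the thread and not pfSense's own code: the fix above was deleting a hand-made gateway (WANGW) left on a WAN that gets its address over DHCP, and this Python check lists such leftovers in a configuration backup. The XML element names are an assumption about the config.xml backup layout, and the sample config and its addresses are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements this check reads. The element
# names are an assumption about the config.xml backup layout.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>igb0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>igb1</if><ipaddr>172.17.1.1</ipaddr><subnet>16</subnet></lan>
  </interfaces>
  <gateways>
    <gateway_item>
      <interface>wan</interface>
      <gateway>198.51.100.1</gateway>
      <name>WANGW</name>
      <ipprotocol>inet</ipprotocol>
    </gateway_item>
    <defaultgw4>WANGW</defaultgw4>
  </gateways>
</pfsense>"""


def text(node, path):
    """Stripped text of a child element, or '' when it is absent."""
    return (node.findtext(path) or "").strip()


def audit_gateways(config_xml):
    """List IPv4 gateways pinned by hand on interfaces that use DHCP."""
    root = ET.fromstring(config_xml)
    dhcp_ifaces = {i.tag for i in root.findall("./interfaces/*")
                   if text(i, "ipaddr").lower() == "dhcp"}
    default_v4 = text(root, "./gateways/defaultgw4")
    findings = []
    for item in root.findall("./gateways/gateway_item"):
        try:
            addr = ipaddress.ip_address(text(item, "gateway"))
        except ValueError:
            continue  # "dynamic" or empty: learned from DHCP, nothing pinned
        if addr.version == 4 and text(item, "interface") in dhcp_ifaces:
            findings.append({
                "name": text(item, "name"),
                "interface": text(item, "interface"),
                "gateway": str(addr),
                # A pinned default route is what breaks when the ISP changes.
                "is_default_v4": text(item, "name") == default_v4,
            })
    return findings


if __name__ == "__main__":
    for f in audit_gateways(SAMPLE_CONFIG):
        flag = " (IPv4 default)" if f["is_default_v4"] else ""
        print(f"{f['name']} on {f['interface']}: static {f['gateway']}{flag}")
```

An empty result means every gateway on a DHCP interface is learned dynamically, which is the state the thread ends in.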