No WAN connectivity (Static IP)
-
@pawprint
Well. And even with gateway monitoring disabled, you cannot ping 8.8.8.8 from pfSense itself?And yes, @stephenw10 was faster. The ARP entry would be the next question.
-
I'm hampered a bit by the fact I need to work today and swapping off the D-Link drops my net. I'm pretty sure the gw appeared correctly in the arp table but I'll try again when I can go offline to confirm it. I've not been able to ping the gateway form the pfSense (I confirmed it DOES respond to ping from the d-Link)
To remove another variable I'm going to re-configure the pfSense to use DHCP and connect it THROUGH the d-link, just to see if I can get it online that way. My Cable modem won't provide a DHCP address since it's in bridge mode and locked to the static. If that works then at least it narrows down the problem to the static IP config on the pfSense.
I'll re-check the arp and ping when I can afford downtime again.
To @viragomann 's question correct even with monitoring disabled I can't ping anything - even the gateway from the WebGUI or from the shell - but I'll try this again too so I can include screenshots.
This all feels like my usual rule of troubleshooting that if it takes longer then 5 mins to solve, it's going to be something stupid - so I really appreciate the 2nd sets of eyes on this. I probably have some silly config somewhere.
-
@pawprint said in No WAN connectivity (Static IP):
My Cable modem won't provide a DHCP address since it's in bridge mode and locked to the static.
Did you get the D-Link from your provider?
If so maybe he has locked the connection to its MAC. If this is the case you can spoof the MAC in the WAN settings. -
@viragomann no - it's just an old one I got myself. The ISP connection was previously running on a home-built linux firewall with a different MAC. The d-link is just my stop-gap since the old Linux box died.
-
I would still at least be sure to power cycle the modem.
-
@stephenw10 Done that several times over the course of my attempts (both with and without the WAN cable connected) but I'll do that again as well.
-
Are you running 2.7?
I would run a pcap on WAN and see what's coming in, if anything, and if it's tagged at all.
-
@stephenw10 I'm running Netgate pfSense Plus 23.05.1 (I believe this is the latest release?)
More background:
I purchased the Netgate 2100 yesterday along with a SSD (128Gb) separately (This was significantly less expensive then buying the version with the 32Gb pre-installed.)
Got the firmware image from Netgate (with fairly awesome support timeline I have to say), installed the SSD and installed the firmware on the SSD (incidentally the web-instructions for this are quite out of date)
Then I started my saga to get it connected to the net.So I'm coming at this with a factory reset blank slate.
-
Update:
Since I could attempt this without loosing my net. I re-configured the pfSense to connect THROUGH the d-link. Allowing the d-link to provide a DHCP address to the pfSense. When I do that I can connect to the net and ping 8.8.8.8
This isn't a functioning configuration but it does eliminate several variables:
The pfSense wan port is actually working
The firewall isn't getting in the way
Outbound connections actually work
Cables work
the OS is workingI can conclude the issue is entirely with the configuration of the Static IP and it's associated routing.
-
Ok that's good. Try setting pfSense to have a static IP in the DLink LAN subnet and that works the same. I'd be very surprised if it doesn't but if that failed it might indicate a general config problem.
-
I image you have but I don't actually see you have confirmed that the 2100 WAN is linking to the cable modem correctly?
If the modem is set to 100M fixed speed for example the 2100 WAN would need to match that. The DLink may well be using a switch port for it's WAN which allows it.
Steve
-
@stephenw10 Good test. Yes static through the D-Link works as well.
Re your other question. Actually beyond a link-light and seeing traffic indicator blinking, I didn't formally confirm the media layer (ifconfig did show an active link). I had the port set to auto-negotiate (I'm pretty sure the modem is happy with 1000baseT Full Duplex which is what the auto gave me (and how the pfSense is connecting to the d-link) but I can't confirm from the D-link how it's connecting to the modem - D-link doesn't show it anywhere. (my service is a 1G down so it won't be in the 100 ranges anyway)
I'll confirm how the other gateway is connected for my other static it will be the same (same type of modem) - I'm 90% sure it;s 1000bT Full but I'll confirm that.
-
If you saw link LEDs and the interface status showed link it's almost certainly OK.
Another test you might try is just to use the IP directly on a laptop or similar. That would confirm that any MAC will work and you could see the link type.
-
@stephenw10 I thought the same about the LED indications.
Sadly the only laptop I have access to is one of the silly new ones with no physical ethernet port :(
That said - the modem was previously connected to my old Gateway box (MAC 1) and then the D-Link (MAC 2) and both worked (within the last 48 hours) - years ago it had a different one from that. I'm confident there is no MAC restriction thwarting me. That said, I have several other old consumer routers and could swap out the D-link to put even more MACs to the test but I feel this is a bit of red herring.
-
Ok, well I'd first confirm that ARP works to the gateway from the 2100 and run a pcap.
You can try assigning one of the 2100 switched ports as a WAN and connecting that. Going through the switch can remove some issues, though those should all be fixed in 23.05.1.
-
@stephenw10 So the other gateway is also 1000bT Full
Arp to the gateway is not working from the 2100:
Right now I'm running on my PC connected through the LAN on the pfSense which is going through the d-link and all that is working. Really seems like everything is fine but the gateway.
I have to get back into meetings again but I'm going to try running "through" a spare switch to the modem and see what that does as soon as I can accept downtime again.
I've not done pcap from BSD before - I assume I would need to install the utility first and then do that from the shell?
-
You can run a pcap in the gui:
https://docs.netgate.com/pfsense/en/latest/diagnostics/packetcapture/webgui.htmlI assume those screenshots were taken when the dlink router was not connected?
-
@stephenw10 Yes the screenshots are with the modem connected directly to the netgate.
I tried connecting through a switch but no joy.
Thanks, totally missed the utility in the gui (I was probably looking more for tcpdump)... anyway Ran a pcap - when filtering on traffic rlated to my subnet I can see a steady stream of ARP broadcasts trying to find the gateway, but no replies.
-
Hmm, that's got to be something low level then. Like the gateway is configured with static ARP for that IP, which seems unlikely.
I would try to connect a separate client directly even if it's not a laptop and make sure that static IP works there.
Otherwise using one of the switched ports as a WAN might reveal an issue if the WAN port is somehow dropping the incoming packets in hardware. I've only ever seen that with DHCP though and that was fixed in 23.05.
-
@stephenw10 I have tried 2 different old gateways - one d-link and one netgear. Totally different MACs and they would need to ARP for the gateway. Incidentally I also did a pcap from the netgate while one of these was establishing it's connection and could see it's ARP go out (never saw a reply though which is interesting!)
I will try switching to one of the WAN ports. Given the above fail to see the reply it does sound like responses might be getting dropped.
