No Internet Access from LAN
-
That still wouldn't affect IPv4 on the local subnet.
Can you ping client IPv4 addresses on the LAN from pfSense?
-
@stephenw10 said in No Internet Access from LAN:
Can you ping client IPv4 addresses on the LAN from pfSense?
No and I just deleted/removed IPv6 firewall rule...still no luck...this is a weird issue...luckily I am communicating through the private-cloud box.
I had seen several others had similar complaints and from what I have seen there is no solid explanation...
-
@NollipfSense said in No Internet Access from LAN:
I had seen several others had similar complaints
Where? I am on here all the time, and don't recall any flood of such complaints..
So you have a box on your network.. Doesn't really matter if lan or some opt you created.. Is a tagged vlan or native?
What are the rules on the interface?
So what is the IP on pfsense? What is the IP on the client? Did the client get an IP from dhcp?
Look at the arp table on the client.. Does it show a mac address for pfsense IP address? What does pfsense arp table show for the client IP.. Are these mac addresses correct?
-
Yeah if you can't ping either way across the LAN this has to be something low level. Check the basics.
-
@stephenw10 said in No Internet Access from LAN:
Yeah if you can't ping either way across the LAN this has to be something low level. Check the basics.
Well, it turned out that the reason I could not ping the laptop that was directly connected to LAN was the laptop had firewall on and when disabled, it could ping it. However, the laptop could not surf the Internet.
Also, I attached the WIFI directly to LAN and I can ping the WIFI but clients to the WIFI could not ping the firewall.
I may have a spare NIC to dig out of storage to try...to look for it...
-
@NollipfSense again you need to look at basics.. What are the firewall rules on the pfsense interface? Many users will create a tcp only rule.. This is normally not very workable because ping doesn't work as a simple connectivity test, and dns fails, etc. because dns is almost always just udp..
If devices can not ping each other, and you're sure firewall rules allow be it pfsense or some host device you're trying to ping from pfsense.. You need to validate they see the mac addresses.. Firewall rules not going to come into play with seeing the mac address or not..
And they are on the same network with the correct mask.. If not seeing mac you got something wrong in your network that is not to do with pfsense or your host.
Have seen users setup static arp, and then wonder why doesn't work when the mac address changed for the IP that is not in line with the static arp setting..
-
@johnpoz Here, despite these are old however, I have seen at least three recently and before I post that comment, I didn't check the date, just the search results...
@johnpoz said in No Internet Access from LAN:
native?
Yes
@johnpoz said in No Internet Access from LAN:
So what is the IP on pfsense? What is the IP on the client? Did the client get an IP from dhcp?
Pfsense - 192.168.1.1, client, a Mikrotik - 192.168.1.100
Yes, from Mikrotik...everything was working fine for years and most of the day yesterday until about 9pm last night when suddenly no Internet access.
No, they're not on the same network and mask is good...pfSense LAN is Mikrotik WAN.
-
@NollipfSense why would you have bogon on your lan side network.. If pfsense didn't pull out rfc1918 that would prevent everything from working..
https://team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
There is zero reason to ever put that on a lan side interface..
And you have no rule there that would allow pinging pfsense IP on the lan..
-
So it could be a pfBlocker update that pulled in a list with a local IP for example.
What's in the privileged ports alias?
-
@stephenw10 said in No Internet Access from LAN:
What's in the privileged ports alias?
TCP ports 1 - 1024....so, I am not sure why I didn't think of it earlier but I restored my last good, workable backups...all is back as normal.
That implied that somehow my configuration got corrupted with that IPv6 RA, since despite the separation, both networks are connected to the same modem.
-
@johnpoz said in No Internet Access from LAN:
why would you have bogon on your lan side network.. If pfsense didn't pull out rfc1918 that would prevent everything from working..
I had just switched that on before I took that picture trying to diagnose but appreciate the link for knowledge as I was not as well-informed on that.
-
Nothing some other RA are sending could change the config in pfSense. Nor would it affect anything for IPv4. It could potentially redirect clients using IPv6 to a different router.
-
@NollipfSense yeah with Steve - there is nothing your RA could do that would have any effect on IPv4 traffic..
Now a non functioning IPv6 network that the client thinks should be working can cause problems when the client doesn't like to switch over to IPv4, or is delayed in switching..
To be honest, unless you are fully ready for all the changes that IPv6 brings - it really is just easier not to use it.. There are many things that change with IPv6 compared to IPv4, and then the dual stack that is required to actually use the internet brings its own problems..
I have been using IPv6 for prob going on 13 years.. And I feel I am fairly up to speed on its use and even troubleshooting it, etc. But to be honest I have not found an actual valid need for it.. So as anyone should do in running a network - KISS.. Over complicating your network for no or little benefit is never a good choice..
If you want to learn and experiment with IPv6 - great all for it.. But I would limit it to your lab network, or one segment where you play.. Trying to use it for your production/every day use devices - can and will bring its own pain.
-
@johnpoz said in No Internet Access from LAN (Solved with last good config backup):
Trying to use it for your production/every day use devices - can and will bring its own pain
The thing is I never planned on or intended on using it on my production box until I fully understand, as that network had another firewall OS - Mikrotik involved, and was totally surprised to see the output in the screenshots of the first post. The only box IPv6 had been configured was my private cloud box...that's it. However, both networks were connected to the T-Mobile's Fast5688w modem through its two Ethernet ports and that cannot be configured in bridge mode...only router cgnat mode
-
@stephenw10 said in No Internet Access from LAN (Solved with last good config backup):
Nothing some other RA are sending could change the config in pfSense. Nor would it affect anything for IPv4. It could potentially redirect clients using IPv6 to a different router.
Steve, if you have a little time to try reproducing it whenever you can if it's possible. As I said, I never configured nor intended to have IPv6 on my production box and cannot explain how it happened other than what I had said. In fact, the last backup was made after I had upgraded to v23.5.1.
-
@NollipfSense said in No Internet Access from LAN (Solved with last good config backup):
try reproducing it whenever you can if it's possible
Reproducing what exactly - it's not possible for some RA running on your network to change the config on a pfsense with an interface in the same network.. it's just not..
Even if you had pfsense interface in this network set to get an IP, which it could do from this RA running.. That would have zero to do with the IPv4 network setup on this interface.
-
If you restored the old config you should be able to diff it in the config history with what was failing to see what changed.
I'm not really sure how I would go about replicating it to be honest. If you can replicate and note what is required to hit it I can try.
Steve
-
@johnpoz said in No Internet Access from LAN (Solved with last good config backup):
Reproducing what exactly - it's not possible for some RA running on your network to change the config on a pfsense with an interface in the same network.. it's just not..
I am not making up what had occurred or appeared to have...no time for that. What explanation could you offer as to why I got the screenshots on a box that was never configured with IPv6 in the first post and how it ended up in the config.xml file showing <ramode>assisted</ramode>?
In fact that's why I click on bogon on LAN to see whether it would change when I clicked save.
-
That's the default setting for LAN. I don't think the IPv6 settings there were anything to do with the IPv4 connectivity you were seeing.
Try to diff. the config between what was failing and what works now as I said.
Steve
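
The config comparison suggested above, as an added example that is not part of the original posts: it flattens two config.xml files to element paths and lists what was added, removed or changed. The two XML fragments are constructed samples, and `flatten` and `diff_configs` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not from the thread): a working backup and a failing config.
GOOD = """<pfsense>
  <interfaces><lan><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan></interfaces>
  <dhcpdv6><lan><ramode>assisted</ramode></lan></dhcpdv6>
  <filter><rule><interface>lan</interface><descr>allow LAN</descr></rule></filter>
</pfsense>"""
BAD = """<pfsense>
  <interfaces><lan><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet>
    <blockbogons></blockbogons></lan></interfaces>
  <dhcpdv6><lan><ramode>assisted</ramode></lan></dhcpdv6>
  <filter><rule><interface>lan</interface><protocol>tcp</protocol>
    <descr>allow LAN</descr></rule></filter>
</pfsense>"""

def flatten(elem, path="", out=None):
    """Map each leaf element to path -> text; siblings are indexed by tag."""
    out = {} if out is None else out
    counts = {}
    for child in elem:
        n = counts.get(child.tag, 0)
        counts[child.tag] = n + 1
        child_path = f"{path}/{child.tag}[{n}]"
        if len(child):                      # has children: recurse
            flatten(child, child_path, out)
        else:                               # leaf: record its (possibly empty) text
            out[child_path] = (child.text or "").strip()
    return out

def diff_configs(old_xml, new_xml):
    """Return (kind, path, old_value, new_value) for every difference."""
    old, new = flatten(ET.fromstring(old_xml)), flatten(ET.fromstring(new_xml))
    changes = []
    for key in sorted(old.keys() | new.keys()):
        if key not in new:
            changes.append(("removed", key, old[key], None))
        elif key not in old:
            changes.append(("added", key, None, new[key]))
        elif old[key] != new[key]:
            changes.append(("changed", key, old[key], new[key]))
    return changes

if __name__ == "__main__":
    for kind, path, before, after in diff_configs(GOOD, BAD):
        print(f"{kind:8} {path}: {before!r} -> {after!r}")
```

In this sample the differences are the bogon block on LAN and a LAN rule narrowed to TCP, the two settings questioned earlier in the thread; the unchanged `ramode` value does not appear in the output.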
-
@stephenw10 said in No Internet Access from LAN (Solved with last good config backup):
That's the default setting for LAN.
Wow, you're correct...thanks for sharing Steve! You had mentioned pfBlockerNG above...wondering now. Below is from the restored backup...
This even makes it more puzzling as to what happened. This was my experience only to discover that T-Mobile does not support dhcpdv6 nor RA from upstream on the Fast5688w: https://forum.netgate.com/topic/183409/implemented-ipv6-still-feel-left-in-the-dark/39