No Internet Access from LAN

johnpoz

@NollipfSense why would you have bogon on your lan side network.. If pfsense didn't pull out rfc1918 that would prevent everything from working..

https://team-cymru.org/Services/Bogons/fullbogons-ipv4.txt

There is zero reason to ever put that on a lan side interface..

And you have no rule there that would allow pinging pfsense IP on the lan..

stephenw10

So it could be a pfBlocker update that pulled in a list with a local IP for example.

What's in the privileged ports alias?

NollipfSense

@stephenw10 said in No Internet Access from LAN:

What's in the privileged ports alias?

TCP ports 1 - 1024....so, I am not sure why I didn't think of it earlier but I restored my last good, workable backups...all is back as normal.

That implied that somehow my configuration got corrupted with that IPv6 RA, since despite the separation, both networks are connected to the same modem.

NollipfSense

@johnpoz said in No Internet Access from LAN:

why would you have bogon on your lan side network.. If pfsense didn't pull out rfc1918 that would prevent everything from working..

I had just switch that on before I took that picture trying to diagnose but appreciate the link for knowledge as I was not as well-informed on that.

stephenw10

Nothing some other RA are sending could change the config in pfSense. Nor would it affect anything for IPv4. It could potentially redirect clients using IPv6 to a different router.

johnpoz

@NollipfSense yeah with Steve - there is nothing your RA could do that would have any affect on IPv4 traffic..

Now a non functioning IPv6 network that the client thinks should be working can cause problems when the client doesn't like to switch over to Ipv4, or is delayed in switching..

To be honest, unless you are fully ready for all the changes that IPv6 brings - it really is just easier not to use it.. There are many things that change with IPv6 compared to IPv4, and then the dual stack that is required to actually use the internet brings its own problems..

I have been using IPv6 for prob going on 13 years.. And I feel I am fairly up to speed on its use and even troubleshooting it, etc. But to be honest I have not found a actual valid need for it.. So as anyone should do in running a network - KISS.. Over complicating your network for no or little benefit is never a good choice..

If you want to learn and experiment with IPv6 - great all for it.. But I would limit it to your lab network, or one segment where you play.. Trying to use it for your production/every day use devices - can and will bring its own pain.

NollipfSense

@johnpoz said in No Internet Access from LAN (Solved with last good config backup):

Trying to use it for your production/every day use devices - can and will bring its own pain

The thing is I never planned on or intended on using it on my production box until I fully understand, as that network had another firewall OS - Mikrotik involved, and was totally surprised to see the output in the screenshots of the first post. The only box IPv6 had been configured was my private cloud box...that's it. However, both networks were connected to the T-Mobile's Fast5688w modem through its two Ethernet ports and that cannot be configured in bridge mode...only router cgnat mode

NollipfSense

@stephenw10 said in No Internet Access from LAN (Solved with last good config backup):

Nothing some other RA are sending could change the config in pfSense. Nor would it affect anything for IPv4. It could potentially redirect clients using IPv6 to a different router.

Steve, if you have a little time to try reproducing it when ever you can if it's possible. As I said, I never configured nor intended to have IPv6 on my production box and cannot explain how it happen other than what I had said. In fact, the last backup was made after I had upgraded to v23.5.1.

johnpoz

@NollipfSense said in No Internet Access from LAN (Solved with last good config backup):

try reproducing it when ever you can if it's possible

Reproducing what exactly - its not possible for some RA running on your network to change the config on a pfsense with an interface in the same network.. its just not..

Even if you had pfsense interface in this network set to get an IP, which it could do from this RA running.. That would have zero to do with the IPv4 network setup on this interface.

stephenw10

If you restored the old config you should be able to diff it in the config history with what was failing to see what changed.

I'm not really how I would go about replicating it to be honest. If you can replicate and note what is required to hit it I can try.

Steve

NollipfSense

@johnpoz said in No Internet Access from LAN (Solved with last good config backup):

Reproducing what exactly - its not possible for some RA running on your network to change the config on a pfsense with an interface in the same network.. its just not..

I am not making up what had occurred or appeared to have...no time of that. What explanation you could offer as to why I got the screenshots on a box that was never configured with IPv6 in the first post and how it ended up in the config.xml file showing <ramode>assisted<ramode>?

In fact that's why I click on bogon on LAN to see whether it would change when I clicked save.

stephenw10

That's the default setting for LAN. I don't think the IPv6 settings there were anything to do with the IPv4 connectivity you were seeing.

Try to diff. the config between what was failing and what works now as I said.

Steve

NollipfSense

@stephenw10 said in No Internet Access from LAN (Solved with last good config backup):

That's the default setting for LAN.

Wow, you're correct...thanks for sharing Steve! You had mentioned pfBlockerNG above...wondering now. Below is from the restored backup...

Screenshot 2023-10-26 at 5.01.16 PM.png

This even makes it more puzzling as to what happened. This was my experience only to discovered that T-Mobile does not support dhcpdv6 nor RA from upstream on the Fast5688w: https://forum.netgate.com/topic/183409/implemented-ipv6-still-feel-left-in-the-dark/39

stephenw10

Yeah, it feels like a config difference but it has to be something dynamic like pfBlocker.

Check the config history in Diag > Backup > Config History if it goes back that far since restoring.
Did something write a config change at that time?

NollipfSense

@stephenw10 said in No Internet Access from LAN (Solved with last good config backup):

Yeah, it feels like a config difference but it has to be something dynamic like pfBlocker.

Check the config history in Diag > Backup > Config History if it goes back that far since restoring.
Did something write a config change at that time?

Well, I learn something new today and wished I had check it before restoring...it's just showing the restoration below. A radio station that had been added to pfBlockerNG's whitelist suddenly stop working about a week before the lockup...I just never suspected pfBlockerNG because it was whitelisted and was playing for a long time, as well as didn't have time to check, being busy re-configuring the private cloud box.

	10/25/23 21:50:56	22.9	151 KiB	(system): Updated cron job for /usr/local/bin/freshclam --config-file=/usr/local/etc/freshclam.conf	Current configuration
	10/25/23 21:50:43	22.9	151 KiB	admin@192.168.1.100 (Local Database): Interfaces settings changed	  
	10/25/23 21:45:07	22.9	151 KiB	(system): Updated cron job for /usr/local/bin/freshclam --config-file=/usr/local/etc/freshclam.conf	  
	10/25/23 21:44:46	22.9	151 KiB	(system): Updated cron job for /usr/local/bin/freshclam --config-file=/usr/local/etc/freshclam.conf	  
	10/25/23 21:44:32	22.9	151 KiB	(system): Updated cron job for /usr/local/bin/freshclam --config-file=/usr/local/etc/freshclam.conf	  
	10/25/23 20:50:09	22.9	151 KiB	(system): Updated cron job for /usr/local/bin/freshclam --config-file=/usr/local/etc/freshclam.conf	  
	10/25/23 20:49:54	22.9	151 KiB	(system): Updated cron job for /usr/local/bin/freshclam --config-file=/usr/local/etc/freshclam.conf	  
	10/25/23 20:49:51	22.9	151 KiB	(system): Overwrote previous installation of suricata.	  
	10/25/23 20:49:50	22.9	150 KiB	(system): Installed cron job for /usr/bin/nice -n20 /usr/local/bin/php-cgi -f /usr/local/pkg/suricata/suricata_check_cron_misc.inc	  
	10/25/23 20:49:14	22.9	150 KiB	(system): Intermediate config write during package install for suricata.	  
	10/25/23 20:49:12	22.9	150 KiB	(system): Intermediate config write during package removal for suricata.	  
	10/25/23 20:49:06	22.9	151 KiB	(system): Overwrote previous installation of squid3.	  
	10/25/23 20:49:04	22.9	148 KiB	(system): Installed cron job for /usr/local/bin/freshclam --config-file=/usr/local/etc/freshclam.conf

stephenw10

So one of those changes broke the connection you think?

None of those look like they would. At least none of the system changes.

johnpoz

@NollipfSense said in No Internet Access from LAN (Solved with last good config backup):

Overwrote previous installation of squid3.

So your running a proxy? No that would never break anything <rolleyes>

NollipfSense

@stephenw10 said in No Internet Access from LAN (Solved with last good config backup):

So one of those changes broke the connection you think?

None of those look like they would. At least none of the system changes.

No, that's all after the restoration which happened last night about 8pm...that's no all, just a sample but they were all after 8pm.

NollipfSense

@johnpoz said in No Internet Access from LAN (Solved with last good config backup):

@NollipfSense said in No Internet Access from LAN (Solved with last good config backup):

Overwrote previous installation of squid3.

So your running a proxy? No that would never break anything <rolleyes>

No, just Squid's antivirus.

johnpoz

@NollipfSense said in No Internet Access from LAN (Solved with last good config backup):

No, just Squid's antivirus.

And how and the hell do you think that could work if you don't proxy all your connections through it?