[SOLVED] DNS & Ping work from LAN, but nothing else does
-
LAN interface… any gateway set?
No, just the default obtained by DHCP on the WAN interface, which is the DSL modem. Routing works. I can ping Africa from New Mexico.
LAN rules. Post them here.
Only the default rules are configured. I've checked them. There are no WAN rules, and only the three default LAN rules allowing everything. I haven't changed or added anything from the setup.
DNS Resolver service running?
Yes. As I said, I've got DNS resolution from both the pfSense gateway and the Windows 7 client.
-
Does no one have any ideas?
-
If you're saying you have the default lan rules of any any.. You sure you're not using a proxy?
You sure your Actiontec DSL Modem (172.16.0.250) is not blocking..
Simple test.. sniff on pfsense wan.. Go to some website from your client behind pfsense.. Do you see the http traffic go out? Do you see an answer? If you do not see it go out, do you see it hit pfsense lan interface via packet capture on pfsense?
Have you messed with the outbound nat? If you had some public IP space on there before, and have changed it - pfsense outbound nat should be on auto and be natting your clients IP to its wan IP..
-
Thanks for your reply, johnpoz.
If you're saying you have the default lan rules of any any.. You sure you're not using a proxy?
Yes, no proxy. I've tested this installation on two different networks. One is guarded by a Microsoft Forefront TMG firewall/gateway that I specifically configured to allow the pfsense machine to go through unproxied. The other network was a simple DSL connection managed by an Actiontec modem. Those things aren't proxies. I haven't installed a proxy on pfSense. Also, I disabled the firewall on the Actiontec modem and allowed all traffic from the pfSense machine on TMG.
You sure your Actiontec DSL Modem (172.16.0.250) is not blocking..
With the firewall disabled in the Actiontec modem, there's nothing. It wasn't configured to block any sites or to use scheduled access, either.
Simple test.. sniff on pfsense wan.. Go to some website from your client behind pfsense.. Do you see the http traffic go out? Do you see an answer? If you do not see it go out, do you see it hit pfsense lan interface via packet capture on pfsense?
I used the TMG logs to see if I could learn anything. When the client machine to pfSense requests access to a web site, TMG sees the traffic from pfSense (which is between the client and TMG), lets it through, and the corresponding replies are sent back to pfSense. I didn't see anything in pfSense logs indicating that anything was being blocked except for miscellaneous traffic from other machines on the network pfSense is using for the WAN – traffic that one hopes would be blocked.
I will, however, capture some traffic with Wireshark to see if I've missed something.
Have you messed with the outbound nat? If you had some public IP space on there before, and have changed it - pfsense outbound nat should be on auto and be natting your clients IP to its wan IP..
I haven't changed anything in NAT. It's set to auto everything as it was before I changed the LAN's IP block.
TBH, I'm thinking of switching careers and becoming a pastry chef. You can tell if a pastry will hurt you as soon as you open the box, and even then you might enjoy it.
-
Go to Advance Option and disable TCP Offloading, this is a common symptom for USB based ethernet cards you can ping and whatnot but nothing in everything else.
-
From Interfaces: WAN look for this checkbox:
Block private networks
When set, this option blocks traffic from IP addresses that are reserved for private networks as per RFC 1918 (10/8, 172.16/12, 192.168/16) as well as loopback addresses (127/8). You should generally leave this option turned on, unless your WAN network lies in such a private address space, too.
-
Go to Advance Option and disable TCP Offloading, this is a common symptom for USB based ethernet cards you can ping and whatnot but nothing in everything else.
DING!DING!DING!DING!DING!
You win today's cookie!
The USB-to-Ethernet adapter I'm using is a Rocketfish RF-PCC132.
I checked under System/Advanced/Networking. By default, both "Disable hardware TCP segmentation offload" and "Disable hardware large receive offload" were checked (enabled), but "Disable hardware checksum offload" was unchecked. As soon as I enabled it, I got web access from the client.
THANK YOU VERY MUCH! You led me to the right place, and I am very grateful!
-
From Interfaces: WAN look for this checkbox:
Block private networks
Thank you for trying, Chris. Both bogon and private networks/loopback addresses are allowed by default, and I hadn't changed those settings. The solution turned out to be to disable hardware checksum offloads, which is not disabled by default, in addition to the other two offloads which are disabled by default. Apparently, this is a common problem with USB-to-Ethernet adapters.
-
Hi, I am on a KVM virtualisation and your post saved me :-)
-
@remlei @EveningStarNM
Scoured the interwebs and could not get my home lab working. Same symptoms as you and this fixed it!! Only signed up for the forum to thank you haha