    Netgate 2100 - Initial Setup - Cannot access internet

      ngpfskrak

      Hi,

      I just bought a Netgate 2100 router and this is my first attempt to use pfsense. So, I am a newbie. I have used the Setup Wizard to do the initial basic configuration. The Netgate 2100 is connected to the ISP (Frontier Fios). The 2100 router does get the WAN IP address from the ISP. But the LAN cannot access anything on the WAN side. I cannot ping google.com.
      I am using a Windows 11 laptop on the LAN side.

      I have attached below, the screenshot of the 2100 connection status.

      Can anyone enlighten me as to what configuration I am missing?

      Thanks for any help you can provide in this regard.

      Netgate 2100_Connection status_20240321_LAN-WAN rules.png

        SteveITS Galactic Empire @ngpfskrak

        @ngpfskrak well you have 11 open states in the image. Can you ping 8.8.8.8? (i.e. is it a DNS problem?)

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

          ngpfskrak @SteveITS

          @SteveITS Thanks for the response. No, I cannot ping 8.8.8.8 nor www.google.com. It appears that it could be DNS. But I had it working with the 9.9.9.9 DNS config the very first time. I decided to change my LAN subnet and in doing so somehow my Netgate 2100 was not accessible. I had a custom DHCP range which I didn't clear out before changing the subnet, which made the 2100 not accessible. So, I had to do a factory reset. After that I am not able to access the internet. The only thing I don't remember is whether the firewall rules were the same as they are now, when I was able to access the internet.

          Here are the results when I pinged 8.8.8.8 & www.google.com:

          Pinging 9.9.9.9 with 32 bytes of data:
          PING: transmit failed. General failure.
          PING: transmit failed. General failure.
          PING: transmit failed. General failure.
          PING: transmit failed. General failure.

          Ping statistics for 9.9.9.9:
          Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

          Pinging 8.8.8.8 with 32 bytes of data:
          PING: transmit failed. General failure.
          PING: transmit failed. General failure.
          PING: transmit failed. General failure.
          PING: transmit failed. General failure.

          Ping statistics for 8.8.8.8:
          Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

          Ping request could not find host www.google.com. Please check the name and try again.

          When I had access to the internet, I did a speed test and the speed was greater than that with the Fios router. With the Fios router I am getting 350+ out of 500 MBPS, whereas with the Netgate 2100 I was getting close to the max.
          Netgate 2100_ONT Ethernet_speed test.png

          Thanks,

            crucialguy @ngpfskrak

            @ngpfskrak

            Hi - first thing, on your second image you have a rule on your WAN permitting access from your WANIP to your LAN Subnet IP - get rid of that.

            On the LAN rules you have LAN Address > to WAN address, get rid of that as well as it won't do anything. The IPv4/IPv6 default allows are set up right.

            Your ping responses are suggestive of more of a local issue on your device though, drivers/NIC settings etc. I'd use another device (if you can) to see if that works. I've often found that the 'general failure' messages Windows throws out are more of an L1 issue, so I'd start there.

              SteveITS Galactic Empire @ngpfskrak

              @ngpfskrak out of the box I'd expect it should work.

              If you changed IP ranges did you use a /24 mask? The default is /32.

              Can you ping pfSense LAN IP?

              Can you ping out using Diagnostics/Ping?

                ngpfskrak @crucialguy

                @crucialguy

                Thanks for pointing out the 2 rules. I did delete the 2 rules (WAN & LAN) that you have mentioned.
                However, when I deleted the WAN rule, it displays the message "All incoming connections on this interface will be blocked..." (Screen shot attached). Is this ok? It is saying connections and not messages. So does that mean IP packets will be delivered?

                As regards the ping "General Failure" output, I don't know why this message appeared. My suspicion is maybe I had a loose ethernet connection. Now I am getting the timeout message. BTW, this time I used a Windows 10 laptop as you suggested. When I connect to the Fios router, the pings are successful on both my Windows 10 & 11 laptops.

                Pinging 9.9.9.9 with 32 bytes of data:
                Request timed out.
                Request timed out.
                Request timed out.
                Request timed out.

                Ping statistics for 9.9.9.9:
                Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

                Netgate 2100_Firewall Rules WAN_No rules msg.png

                  ngpfskrak @SteveITS

                  @SteveITS
                  Yes, I did use the /24 mask. It is the default in the Netgate 2100. So, I didn't have to touch it. The LAN side is working fine. I can access the pfSense dashboard and I can ping the Netgate 2100 gateway from my laptop. I get a response. It is only that I cannot access the WAN side.

                  As per your suggestion I did the Diagnostics -> Ping and the ping is successful in the GUI. Yet I cannot access anything on the WAN side. For example, google.com. I am confused.

                  Netgate 2100_Diagnostics Ping_8.8.8.8.png
                  Netgate 2100_Diagnostics Ping_Google.com.png

                    SteveITS Galactic Empire @ngpfskrak

                    @ngpfskrak You would normally want all inbound connections from the Internet to be blocked so that warning is OK.

                    Can you ping your pfSense LAN IP from your client PC?

                    If that succeeds can you "nslookup google.com" from your client PC?

                      crucialguy @ngpfskrak

                      @ngpfskrak Yeah, that's correct on the WAN message. The only situation you'd add rules to the WAN is for corresponding Port Forwards, for example you're hosting a web server internally so you'd have a NAT port forwarding and an associated ACL allowing that in. Allowing any any from WAN IP to LAN IP is bad - anything set on WAN is allowing inbound, nothing to do with outbound.

                      That ping response looks better, whenever I've seen general failure it's 99% down to the local device in some way.

                      The screenshot with pfsense pinging outside of the WAN suggests it 'should work'..., if pfsense can get out via the same subnet your client is sat on then your client should also be able to get out. Your rule is set to LAN Subnets so it would capture devices within that subnet on your LAN network. Can you confirm your outbound NAT rules just to make sure it's capturing the entire /24? (it should be if it's defaults)

                      Can you also verify the IPs your clients are picking up? I assume DHCP is issuing the default range for the LAN subnet.

                      If all of that checks out I'd be tempted to look upstream at your ISP device, although as pfSense itself can get out it's a bit of a stretch.

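A simplified model of the behaviour described in the two replies above, added as an example and not part of any poster's message or pfSense's own code: pass rules are matched on the interface where a packet enters, and replies ride on the state created by the outbound packet, so an empty WAN tab does not stop return traffic. Outbound NAT is left out, 203.0.113.50 is a constructed outside host, and the `Firewall` class and its names are hypothetical.

```python
"""Simplified model (not pfSense code) of per-interface, stateful filtering."""
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.2.0/24")   # LAN subnet shown in the thread
ANY = ip_network("0.0.0.0/0")

class Firewall:
    """Rules are (source net, destination net) pass rules, keyed by the
    interface the packet ENTERS on. First match wins; no match = block."""

    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # (src, dst) of connections already passed

    def handle(self, iface, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        # A reply to a connection that was already passed matches its state
        # and is never compared against the interface's rule tab.
        if (dst, src) in self.states:
            return "pass (state)"
        for src_net, dst_net in self.rules[iface]:
            if src in src_net and dst in dst_net:
                self.states.add((src, dst))
                return "pass (rule)"
        return "block (default deny)"

def demo():
    client, resolver = "192.168.2.38", "9.9.9.9"   # addresses from the thread
    outsider = "203.0.113.50"                      # constructed outside host
    # Default layout: allow LAN subnet to any on LAN, nothing on WAN.
    fw = Firewall({"LAN": [(LAN_NET, ANY)], "WAN": []})
    result = {
        "lan_out": fw.handle("LAN", client, resolver),
        "wan_reply": fw.handle("WAN", resolver, client),
        "wan_unsolicited": fw.handle("WAN", outsider, client),
    }
    # Constructed over-broad WAN pass rule: now unsolicited traffic gets in.
    open_fw = Firewall({"LAN": [(LAN_NET, ANY)], "WAN": [(ANY, LAN_NET)]})
    result["wan_unsolicited_open"] = open_fw.handle("WAN", outsider, client)
    return result

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```
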
                        ngpfskrak @SteveITS

                        @SteveITS

                        Please find below the requested info:

                        Windows IP Configuration

                        Ethernet adapter Ethernet:

                        Connection-specific DNS Suffix . : home.arpa
                        Link-local IPv6 Address . . . . . : fe80::a1a7:fc16:xxx:xxxx
                        IPv4 Address. . . . . . . . . . . : 192.168.2.38
                        Subnet Mask . . . . . . . . . . . : 255.255.255.0
                        Default Gateway . . . . . . . . . : fe80::92ec:77ff:xxxx:xxxx

                        Pinging 192.168.2.1 with 32 bytes of data:
                        Reply from 192.168.2.1: bytes=32 time<1ms TTL=64
                        Reply from 192.168.2.1: bytes=32 time<1ms TTL=64
                        Reply from 192.168.2.1: bytes=32 time<1ms TTL=64
                        Reply from 192.168.2.1: bytes=32 time<1ms TTL=64

                        Ping statistics for 192.168.2.1:
                        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

                        Approximate round trip times in milli-seconds:
                        Minimum = 0ms, Maximum = 0ms, Average = 0ms

                        nslookup google.com
                        Server: KrakpfSense.home.arpa
                        Address: 192.168.2.1

                        Non-authoritative answer:
                        Name: google.com
                        Addresses: 2607:f8b0:4023:1004::64
                        2607:f8b0:4023:1004::8b
                        2607:f8b0:4023:1004::8a
                        2607:f8b0:4023:1004::66
                        142.250.115.100
                        142.250.115.102
                        142.250.115.113
                        142.250.115.138
                        142.250.115.101
                        142.250.115.139

                          ngpfskrak @crucialguy

                          @crucialguy

                          Thanks for the explanation. All informative for me. I appreciate it.

                          Please find below the requested outbound NAT config. I didn't configure anything. So, this is the default.

                          Netgate 2100_Firewall_NAT_outbound.png

                            Gertjan @ngpfskrak

                            @ngpfskrak

                            This info :

                            dee7b8a0-74d4-4275-b0f7-90a8b92b82bd-image.png

                            tells me that you can try something that would work 100 % and I'm 100 % sure.

                            Reset pfSense to default.
                            Change just one ( 1 ) thing : the password.
                            Nothing else.

                            So :
                            Do not change WAN settings.
                            Do not change LAN settings.
                            Do not change DNS settings. This also implies : do not add / enter / touch - don't even look at DNS - do nothing.

                            Also : do not import your saved config, as this would bring you back to square one : "Cannot access internet".

                            As you already might suspect : pfSense, out of the box, works ( ! 😊 ! )
                            This means you could give a pfSense to "Grand Ma" and she would have a working set up after hooking up the cables and power.

                            And don't worry, you won't lose anything, as you can always import your saved config, and you're back at the subject of the thread.

                            No "help me" PM's please. Use the forum, the community will thank you.
                            Edit : and where are the logs ??
