Netgate Discussion Forum
    502 Bad Gateway when PFSense connect WAN port.

    General pfSense Questions
    34 Posts, 2 Posters, 2.2k Views
    Yet_learningPFSense @Yet_learningPFSense

      @Yet_learningPFSense The port number was listed in the address field, so I will upload a hidden version.

      [image]

    stephenw10 (Netgate Administrator)

        OK that looks good. Can you ping out from that client at 192.168.2.11? If not how does it fail?

    Yet_learningPFSense @stephenw10

          @stephenw10

          I'm getting no response when I ping. If I switch the line that connects to the WAN of the pfSense and the 192.168.2.11 terminal, I can browse the net immediately.

          [image]

    stephenw10 (Netgate Administrator)

            It looks like the client has no gateway. Did you set a gateway in the dhcp settings for OPT1-TV? It should use the interface IP address by default if no gateway is set. If you set an invalid gateway the client will ignore it.

    Yet_learningPFSense @stephenw10

              @stephenw10

              Thank you. It seems that I had not configured the default gateway. The 3 ports we were using before were a disaster, as we only needed LAN to be configured out of the WAN / LAN / Admin only ports. I have set it up and it is now logged in the firewall.

              However, it seems that communication on 443/53 is allowed, but the web page does not appear to be displayed. At first, the Windows network icon was in the "connected" state, but after a while, it changed to the "forbidden" state. Also, the WAN is constantly logging blocked access to port 1900. I don't think that my Netgate-1100 logs anything like that...

              [image]

    stephenw10 (Netgate Administrator)

                Those blocks on WAN are from the upstream router sending UPnP discovery packets. They are blocked because all traffic from private networks is blocked by default on a WAN. You can change that setting in the WAN interface settings.

                Does ping work? Do you see anything else blocked when the client shows it as 'forbidden'?

    Yet_learningPFSense @stephenw10

                  Thank you @stephenw10,

                  Ping to 8.8.8.8 is not getting through, and the web is also getting DNS errors and timeout errors.

                  I was able to turn off the error on port 1900 on the WAN at Status > Firewall Log.

                  [image]

    stephenw10 (Netgate Administrator)

                    What error do you see on the client when you try to ping 8.8.8.8? Do you see that blocked in the firewall log?

    Yet_learningPFSense @stephenw10

                      @stephenw10

                      When I ping 8.8.8.8 I get a "TTL expired in transit" error. I have also included the firewall logs for the case where the DNS server is set to 192.168.2.1 and 8.8.8.8/8.8.4.4. It seems to be getting through...

                      [image]

    stephenw10 (Netgate Administrator) @Yet_learningPFSense

                        @Yet_learningPFSense said in 502 Bad Gateway when PFSense connect WAN port.:

                        I get a "TTL expired in transit"

                        What is that coming from? The pfSense interface IP? That almost always implies some sort of routing loop, though it could be the client sending a very low TTL packet.

    Yet_learningPFSense @stephenw10

                          @stephenw10 This is the error that came back after pinging from a laptop connected to OPT1-TV, which is given the address 192.168.2.11. If it is looping back, should I review my routing settings? I have not configured anything related to routing so far, as it is the default in pfSense.

    stephenw10 (Netgate Administrator)

                            Usually when you see a TTL error, though, it will come back from a specific IP in the route showing where the loop is. For example, something like:

                            ping 172.27.254.93 source 172.21.254.94
                            PING 172.27.254.93 (172.27.254.93) from 172.21.254.94 : 56(84) bytes of data.
                            36 bytes from 172.23.56.1 icmp_seq=1 Time to live exceeded
                            

                            That shows that the router at 172.23.56.1 was trying to route the packet when it arrived with TTL 1 and it couldn't be routed.

    Yet_learningPFSense @stephenw10

                              @stephenw10

                              ping 172.27.254.93 source 172.21.254.94
                              with Windows cmd but I seem to get an error.

                              Ping to 8.8.8.8 itself remains as allowed in the firewall log. DNS packets sent to the DNS server from 192.168.2.1 are also allowed, and DNS query packets from 192.168.2.11 to 192.168.2.1 are also going through. Hmmm... where is the disconnect?

                              [image]
                              [image]

    stephenw10 (Netgate Administrator)

                                OK my Japanese (?) language skills are.... weak! 😉

                                But it looks like the TTL expired reply is coming from 192.168.2.1?

                                That implies whatever is looping there is connected directly to that router. I assume that is pfSense?

                                So it looks like either there is a bad route or some policy routing rules there.

    Yet_learningPFSense @stephenw10

                                  @stephenw10

                                  Japanese is so interesting, please use your phone's camera to transfer the text and translate it...

                                  As for me, I'm out of luck, since the firewall logs show that packets are allowed, but I can't browse the internet. If you need any other configuration information, I can take a picture here and paste it into imgur.

    stephenw10 (Netgate Administrator)

                                    Well if 192.168.2.1 is indeed pfSense then a routing issue must be there.

                                    The rules you posted previously don't show a gateway on the OPT1 interface so no policy routing. Is that still the case?

                                    What does the routing table show now?

                                    Does traffic on the LAN still work as expected?

    Yet_learningPFSense @stephenw10

                                      @stephenw10

                                      The OPT1-TV is allowed to connect to the internet and the LAN one is only used to log in to Admin.

                                      In the OPT1-TV interface settings, 192.168.2.1 is specified as the default gateway, but for now, I'll raise a screenshot of the configuration screen that might be helpful.

                                      [image]

    stephenw10 (Netgate Administrator)

                                        Ah, that's the issue. You should not have a gateway on OPT1-TV. And setting it as default is creating the loop.

                                        Remove the gateway from OPT1-TV. Make sure the default IPv4 gateway is set back to WAN_DHCP.

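The two replies above (the "time exceeded" reply pinpointing the looping router, and the default gateway set to pfSense's own OPT1-TV address) can be checked with a small forwarding model. This is an added example, not code from the thread or from pfSense: the topology is a simplified reconstruction, and the WAN address 192.168.100.254 is an assumed value.

```python
import ipaddress

# Constructed topology from the thread: OPT1-TV = 192.168.2.0/24 with pfSense at
# 192.168.2.1; WAN = 192.168.100.0/24 with the upstream router at 192.168.100.1.
# The firewall's own WAN address (192.168.100.254) is an assumption.
PFSENSE_ADDRS = {"192.168.2.1", "192.168.100.254"}


def route_table(default_gw):
    """Routes as (network, gateway); gateway None means directly connected."""
    return [
        ("192.168.2.0/24", None),      # OPT1-TV
        ("192.168.100.0/24", None),    # WAN
        ("0.0.0.0/0", default_gw),     # default route under test
    ]


def lookup(dst, routes):
    """Longest-prefix match; returns the next-hop IP (dst itself if connected)."""
    d = ipaddress.ip_address(dst)
    best = max((r for r in routes if d in ipaddress.ip_network(r[0])),
               key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return best[1] or dst


def forward(src, dst, default_gw, ttl=128, arriving_if="192.168.2.1"):
    """Simplified model of pfSense forwarding one packet from src to dst.
    Returns ("forwarded", next_hop) or ("ttl-expired", replying_address)."""
    routes = route_table(default_gw)
    while True:
        ttl -= 1                       # each pass through the router costs one TTL
        if ttl == 0:
            # ICMP time exceeded is sourced from the address the packet arrived
            # on, which is exactly the 192.168.2.1 reply seen in the thread.
            return "ttl-expired", arriving_if
        nh = lookup(dst, routes)
        if nh not in PFSENSE_ADDRS:
            return "forwarded", nh     # leaves via a real next hop
        # The next hop is one of our own addresses, so the packet is handed
        # straight back to the forwarding path: the loop stephenw10 describes.


def bad_default_gateway(default_gw):
    """Configuration check: a default gateway that is one of the firewall's
    own interface addresses can only ever loop."""
    return default_gw in PFSENSE_ADDRS


if __name__ == "__main__":
    for gw in ("192.168.2.1", "192.168.100.1"):  # OPT1-TV address vs WAN_DHCP
        print(gw, forward("192.168.2.11", "8.8.8.8", gw), bad_default_gateway(gw))
```

With the OPT1-TV address as default gateway the model returns a time-exceeded reply from 192.168.2.1; with the WAN_DHCP upstream it forwards normally.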
    Yet_learningPFSense @stephenw10

                                          @stephenw10

                                          I changed the default gateway to WAN_DHCP on 192.168.100.1 and now the firewall logs only show permission logs to port 53 on 192.168.2.1 and no permission logs for websites or other addresses. Also, the 8.8.8.8 ping has now changed to a timeout error.

                                          I have been dealing with this problem for quite a while, but it doesn't seem to get resolved. Is it a problem with the LAN card...

    stephenw10 (Netgate Administrator)

                                            Do you see logs for the ping to 8.8.8.8?

                                            What do the states look like in Diag > States whilst the ping is running?

                                            What does the routing table show now?

                                            No it's almost certainly not the NIC. That would prevent you accessing anything.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.