Netgate Discussion Forum

    502 Bad Gateway when PFSense connect WAN port.

    General pfSense Questions
      Yet_learningPFSense @stephenw10

      @stephenw10

      ping 172.27.254.93 source 172.21.254.94
      with Windows cmd but I seem to get an error.

      Ping to 8.8.8.8 itself remains as allowed in the Firewall log. DNS packets sent to the DNS server from 192.168.2.1 are also allowed, and DNS query packets from 192.168.2.11 to 192.168.2.1 are also going through. Hmmm... where is the disconnect?

      alt text
      alt text

        stephenw10 Netgate Administrator

        OK my Japanese (?) language skills are.... weak! 😉

        But it looks like the TTL expired reply is coming from 192.168.2.1?

        That implies whatever is looping there is connected directly to that router. I assume that is pfSense?

        So it looks like either there is a bad route or some policy routing rules there.

          Yet_learningPFSense @stephenw10

          @stephenw10

          Japanese is so interesting, please use your phone's camera to transfer the text and translate it...

          As for me, I'm out of luck, since the Firewall logs show that packets are allowed, but I can't browse the internet. If you need any other configuration information, I can take a picture here and paste it into imgur.

            stephenw10 Netgate Administrator

            Well if 192.168.2.1 is indeed pfSense then a routing issue must be there.

            The rules you posted previously don't show a gateway on the OPT1 interface so no policy routing. Is that still the case?

            What does the routing table show now?

            Does traffic on the LAN still work as expected?

              Yet_learningPFSense @stephenw10

              @stephenw10

              The OPT1-TV is allowed to connect to the internet and the LAN one is only used to log in to Admin.

              In the OPT1-TV interface settings, 192.168.2.1 is specified as the default gateway, but for now, I'll raise a screenshot of the configuration screen that might be helpful.

              alt text

                stephenw10 Netgate Administrator

                Ah, that's the issue. You should not have a gateway on OPT1-TV. And setting it as default is creating the loop.

                Remove the gateway from OPT1-TV. Make sure the default IPv4 gateway is set back to WAN_DHCP.

                  Yet_learningPFSense @stephenw10

                  @stephenw10

                  I changed the default gateway to WAN_DHCP on 192.168.100.1 and now the Firewall logs only show permission logs to port 53 on 192.168.2.1 and no permission logs for websites or other addresses. Also, the 8.8.8.8 ping has now changed to a timeout error.

                  I have been dealing with this problem for quite a while, but it doesn't seem to get resolved. Is it a problem with the LAN card...

                    stephenw10 Netgate Administrator

                    Do you see logs for the ping to 8.8.8.8?

                    What do the states look like in Diag > States whilst the ping is running?

                    What does the routing table show now?

                    No it's almost certainly not the NIC. That would prevent you accessing anything.

                      Yet_learningPFSense @stephenw10

                      @stephenw10

                      I don't think it's the NIC's fault either, but if it doesn't work so well, I'll have to think about it.

                      Diag > States, I took a picture of it but didn't know where the routing table was.

                      alt text

                        stephenw10 Netgate Administrator

                        The routing table is under Diag > Routes.

                        Try to run a continuous ping to 8.8.8.8 then filter the state table to find states containing 8.8.8.8.
                        You should have one state on OPT and one state on WAN with NAT. For example when I ping from my local LAN interface:
                        Screenshot from 2024-08-20 12-38-22.png

                          Yet_learningPFSense @stephenw10

                          @stephenw10

                          Hmm, when I set the default gateway to 192.168.2.1, I get an error message that the packet is unreachable or that the TTL time has expired, but when I set it to 192.168.1.1 (WAN IP), I get the timeout error message. Diag -> Route or State image when set to 192.168.2.1 is here and

                          alt text

                          Here's one when I set it to 192.168.1.1. 8.8.8.8's send or receive bytes, one of which seems to be 0B.

                          alt text

                            stephenw10 Netgate Administrator

                            OK so you can see in that second set of images that the state for the ICMP 8.8.8.8 traffic on WAN does not have NAT applied.

                            That means either outbound NAT is not set to automatic (check Firewall > NAT > Outbound) or that there is no gateway on the WAN interface (check Interfaces > WAN).

                            The default route must be via the WAN gateway. There should not be a gateway on OPT.

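Added example, not part of the original posts: the state-table check described in the post above (one state on OPT, one on WAN with NAT), done on text output instead of the GUI. The `pfctl -ss` style line format, the interface names `igb0`/`igb2` and the WAN address 192.168.100.2 are assumptions, and the sample lines are constructed.

```shell
#!/bin/sh
# Classify WAN-side states for one IPv4 destination as NAT / NO-NAT.
# Assumed input format (pfctl -ss style, one state per line):
#   IFACE PROTO SRC[:PORT] [(ORIG_SRC[:PORT])] -> DST[:PORT]  STATE
# A parenthesised address before "->" means outbound NAT rewrote the source.

# Constructed samples: igb0 = WAN, igb2 = OPT1 (hypothetical interface names).
SAMPLE_NAT='igb2 icmp 192.168.2.11:1 -> 8.8.8.8:8       0:0
igb0 icmp 192.168.100.2:40111 (192.168.2.11:1) -> 8.8.8.8:8       0:0'

SAMPLE_NO_NAT='igb2 icmp 192.168.2.11:1 -> 8.8.8.8:8       0:0
igb0 icmp 192.168.2.11:1 -> 8.8.8.8:8       0:0'

# check_nat WAN_IF DEST_IP   (state lines on stdin)
# Prints one verdict: NAT, NO-NAT or NO-WAN-STATE.
check_nat() {
    awk -v wan="$1" -v dst="$2" '
        $1 == wan {
            # Find the "->" arrow; inbound ("<-") lines have none.
            for (i = 3; i <= NF; i++) if ($i == "->") break
            if (i >= NF) next              # no arrow, or nothing after it
            split($(i + 1), d, ":")        # strip :port / :icmp-id
            if (d[1] != dst) next
            seen = 1
            # Translated states carry "(orig)" as the field just before "->".
            if ($(i - 1) ~ /^\(.*\)$/) nat++; else raw++
        }
        END {
            if (!seen)    print "NO-WAN-STATE"   # traffic never left via WAN
            else if (raw) print "NO-NAT"         # private source leaked out
            else          print "NAT"
        }'
}

# Stand-alone demo on the constructed samples.
printf '%s\n' "$SAMPLE_NAT"    | check_nat igb0 8.8.8.8
printf '%s\n' "$SAMPLE_NO_NAT" | check_nat igb0 8.8.8.8
```

On the firewall the input would come from `pfctl -ss` while the continuous ping is running, with `igb0` replaced by the real WAN interface name.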
                              Yet_learningPFSense @stephenw10

                              @stephenw10 Thanks. But I've been busy with work lately and will check the PFSense settings again on Saturday or Sunday. Sorry.

                                Yet_learningPFSense @stephenw10

                                @stephenw10

                                I have checked the Outbound rules and it seems to be configured for Automatic outbound. As for the configuration, it is the one in this screenshot.
                                Is it ok?

                                alt text

                                  stephenw10 Netgate Administrator

                                  Ok those settings are good. But you can see it has added automatic rules on the OPT1_TV interface which implies there is a gateway defined on it still. There should not be a gateway on OPT1_TV.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.