Netgate Discussion Forum

    Internet lost in pfSense but VPN or everything else works well?

    General pfSense Questions
    • stephenw10 Netgate Administrator

      There should be no need to run that command manually in 2.7.2. The pkg scripts run it anyway when it's required.

      How were you testing? If you simply ran pkg update from the CLI the client cert may have expired. Checking from the webgui should never hit that though.

      • mucip @stephenw10

        Dear @stephenw10,
        I updated from the web GUI, not the CLI.
        In any case, this morning people told me that there was no internet out from the Linux server.
        I applied our famous command "certctl rehash" from the webgui command execute menu and everything turned back to normal again.
        I will check. If I need to apply the same command again then I will add this command to cron and run it every midnight.

        Regards,
        Mucip:)

        • stephenw10 Netgate Administrator

          Hmm, that is odd. The only thing that should help with is local certs on pfSense itself. So access to the pkg repos which requires a client side cert.

          It shouldn't make any difference to routing traffic. Unless maybe that is going via VPN that requires a cert.

          • mucip @stephenw10

            Hi @stephenw10,
            Well, what should I do now?
            Any advice?
            Adding it to cron?

            Regards,
            Mucip:)

            • stephenw10 Netgate Administrator

              It seems unlikely the issue is actually cert related. Somehow running that is re-loading something that allows traffic to restart. So I would be trying to determine exactly what fails when traffic stops.

              • mucip @stephenw10

                Dear @stephenw10,
                But how? What should I check if the internet stops again?

                Or do I need to write a script to check the internet connection in pfSense? When the internet is lost, then I need to run the "certctl rehash" command again? I don't know.

                Regards,
                Mucip:)

                • stephenw10 Netgate Administrator

                  You are able to reach the pfSense GUI from LAN when it fails, yes?

                  So I would first test what pfSense itself can do in that situation. Can it ping 8.8.8.8? Can it ping google.com?

                  If it can then can LAN side clients do either of those?

                  • mucip @stephenw10

                    Hi @stephenw10,
                    I made a PHP script to check the internet connection on the LAN Debian server.
                    If it is down then it will send me an email. Then I will check what's going on in pfSense.
                    I put this PHP code in cron now.

                    Let's see... 😊

                    P.S.: But I am wrong! If the internet is lost, how can Debian send me an email?!
                    I need to create a script in pfSense and check the internet from LAN because I checked before
                    How can I check internet connectivity on LAN with a bash or PHP command in pfSense?

                    Regards,
                    Mucip:)

                    • mucip @stephenw10

                      Dear @stephenw10,

                      I may add this PHP file to cron but it must check internet connectivity from LAN, not WAN.
                      Because normally there is internet on WAN but there isn't on LAN, unfortunately.
                      Regards,
                      Mucip:)

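                      <?php
                      // connection_status() returns PHP's connection status bitfield,
                      // i.e. the state of the link between this script and its client.
                      $internetVar = false;

                      switch (connection_status()) {
                          case CONNECTION_NORMAL:
                              $txt = 'Connection is in a normal state';
                              $internetVar = true;
                              break;
                          case CONNECTION_ABORTED:
                              $txt = 'Connection aborted';
                              break;
                          case CONNECTION_TIMEOUT:
                              $txt = 'Connection timed out';
                              break;
                          // Both flags set (value 3). The flags combine with bitwise OR;
                          // bitwise AND gives 0, which duplicates CONNECTION_NORMAL.
                          case (CONNECTION_ABORTED | CONNECTION_TIMEOUT):
                              $txt = 'Connection aborted and timed out';
                              break;
                          default:
                              $txt = 'Unknown';
                              break;
                      }

                      echo "$txt\n";
                      ?>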
                      
                      • stephenw10 Netgate Administrator

                        You can source your test from the LAN IP and that will confirm NAT is working.

                        However reviewing the symptoms you have here I'd be willing to bet it's a gateway/routing issue.

                        What gateways do you have defined in System > Routing?

                        If you have more than one and the default gateway is still set to automatic try setting it to the WAN gateway specifically. It may be switching to one of the others if the WAN ever has an issue.

                        • mucip @stephenw10

                          Dear @stephenw10,
                          Well, what is the CLI command equivalent of the screen below?

                          14d1e87b-9b6b-4810-b051-afbae8a7af65-resim.png

                          Our gateway config is:
                          440597ae-889a-4562-a887-c43b2fed2603-resim.png

                          Regards,
                          Mucip:)

                          • stephenw10 Netgate Administrator

                            The command would be:

                            [2.7.2-RELEASE][admin@t70.stevew.lan]/root: ping -c 3 -S 192.168.226.1 8.8.8.8
                            PING 8.8.8.8 (8.8.8.8) from 192.168.226.1: 56 data bytes
                            64 bytes from 8.8.8.8: icmp_seq=0 ttl=116 time=6.036 ms
                            64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=12.178 ms
                            64 bytes from 8.8.8.8: icmp_seq=2 ttl=116 time=6.225 ms
                            
                            --- 8.8.8.8 ping statistics ---
                            3 packets transmitted, 3 packets received, 0.0% packet loss
                            round-trip min/avg/max/stddev = 6.036/8.146/12.178/2.852 ms
                            

                            Where 192.168.226.1 is the LAN IP address.

                            However what are you using that gateway on LAN for? You have other subnets behind a router at 192.168.0.1?
                            If that's the LAN IP address it should not be there.

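stephenw10's staged test from the posts above (can pfSense ping 8.8.8.8, can it ping google.com, does a ping sourced from the LAN IP work), written as a script that logs which stage fails so the state is captured when the outage recurs. This is an added example, not code from any poster in the thread; the file name, log path and `run` argument are assumptions, and `LAN_IP` defaults to the 192.168.0.1 address mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical file name: lan_check.sh
# Run from a pfSense shell or from cron as:  sh lan_check.sh run
LAN_IP="${LAN_IP:-192.168.0.1}"            # pfSense LAN address quoted in the thread
TARGET_IP="${TARGET_IP:-8.8.8.8}"          # IP target used in the thread
TARGET_NAME="${TARGET_NAME:-google.com}"   # DNS target used in the thread
LOG="${LOG:-/tmp/lan_check.log}"           # assumed log location

# probe [ping options] <target>: echo "ok" if any of 3 pings is answered, else "fail"
probe() {
    if ping -c 3 "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# diagnose <fw_ip> <fw_dns> <lan_src>: name the first stage that failed
diagnose() {
    case "$1/$2/$3" in
        fail/*)     echo "ROUTING: firewall cannot reach the internet, check the default gateway" ;;
        ok/fail/*)  echo "DNS: firewall reaches IPs but cannot resolve names" ;;
        ok/ok/fail) echo "NAT: LAN-sourced traffic fails, check outbound NAT" ;;
        ok/ok/ok)   echo "OK: firewall passes all stages, test from a LAN client next" ;;
        *)          echo "UNKNOWN: unexpected probe result" ;;
    esac
}

main() {
    fw_ip=$(probe "$TARGET_IP")
    fw_dns=$(probe "$TARGET_NAME")
    lan_src=$(probe -S "$LAN_IP" "$TARGET_IP")   # -S sets the source address (FreeBSD ping)
    verdict=$(diagnose "$fw_ip" "$fw_dns" "$lan_src")
    line="$(date '+%Y-%m-%d %H:%M:%S') ip=$fw_ip dns=$fw_dns lan_src=$lan_src $verdict"
    echo "$line" | tee -a "$LOG"
    # On any failure, also record which default route was active at that moment.
    case "$line" in
        *=fail*) route -n get default >>"$LOG" 2>&1 ;;
    esac
}

# Only probe when asked to, so the functions can be sourced and tested offline.
if [ "${1:-}" = "run" ]; then main; fi
```

Because the log lives on the firewall, it still records the failing stage while LAN hosts have no outbound connectivity.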
                            • mucip @stephenw10

                              Dear @stephenw10,
                              I have a modem in the office. pfSense gets internet from the modem.
                              Modem IP block is 192.168.1.X
                              pfSense WAN is 192.168.1.99
                              pfSense LAN is 192.168.0.1

                              Until the last 3-5 days everything was OK. But nowadays I have a problem and I don't know why.

                              Regards,
                              Mucip:)

                              • stephenw10 Netgate Administrator

                                Ah, OK then that LAN gateway you have set as the LAN interface IP is wrong. You should remove it, it can only cause conflicts.

                                • mucip @stephenw10

                                  Dear @stephenw10,
                                  Are you telling me that I need to delete the "LanKapi" below?

                                  bf26b502-6872-4372-bafc-f4efe016667a-resim.png

                                  Regards,
                                  Mucip:)

                                  • stephenw10 Netgate Administrator

                                    Yes, you should only ever have a gateway on LAN if you have some other router in the LAN subnet. And even then it would never be the LAN IP address.

                                    • mucip @stephenw10

                                      Dear @stephenw10,
                                      I deleted it. Let's see what happens afterwards... :)

                                      Regards,
                                      Mucip:)

                                      • mucip @stephenw10

                                        @stephenw10 ,
                                        Now I have the error below :(

                                        2c459287-09ac-477c-b792-0714d18c22a1-resim.png

                                        • stephenw10 Netgate Administrator

                                          Looks like you have monitoring disabled on the WAN gateway so it's not running. Re-enable monitoring on WAN.

                                          • mucip @stephenw10

                                            @stephenw10,
                                            Now it's OK. But what is monitoring and what is it used for?

                                            16d9ef48-4951-4ace-9752-a6eb35bc10c4-resim.png

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.