Netgate Discussion Forum
Odd outgoing issues behind pfsense router
ahole4sure

Sorry for length or complexity -- I have 3 pfSense devices so I am a well experienced novice. My mother got a new PC and a router (GL.iNet router with OpenWrt).

I set up a WireGuard server on her router - she has Optimum internet with a gateway in Bridge Mode (the IP appears to be static but she did not pay for a static address). So I have DDNS set up for subdomain.mydomain.com with Cloudflare.

I had many problems getting connectivity to be stable with MOST of my testing from behind my pfSense router at my home out to my mom's home behind the GL.iNet router.

My issues started with being able to make a connection to the WG server from my iPhone (or even from my laptop if I tethered internet from my phone). However I could not get WG to connect if using my internet from the LAN behind my pfSense router. The same problem whether I did my endpoint as subdomain.mydomain.com OR publicIP.
I was thinking it was an Outbound NAT issue which is why I was working in that direction. I did create a firewall rule allowing outbound traffic on the custom port 51826 that I was using to connect to the external WG server.

But here is where it really got weird --- could not explain.
If I ping from my laptop (terminal) or if I ping from the pfSense interface I get a timeout using the subdomain.mydomain.com address OR the public IP. I did NOT understand why the public IP would not ping?? (using Frontier fiber internet)
If I connect the laptop to the internet using my phone tethered for internet then I can ping both domain name or public IP from a terminal. So bottom line is that I am not able to ping or connect going outbound through my pfSense WAN but can ping or connect if I go out through tethered internet.

I assume the same thing that is preventing the ping from behind my pfSense network is causing my WG connection issues. Any ideas to help or troubleshoot??

THANKS. If something weird is gonna happen I always seem to find it
viragomann @ahole4sure

@ahole4sure
I assume the remote site doesn't block your public IP. So maybe there is a routing issue in one of the ISPs' networks.

Run a traceroute to the respective other site and look how far you get.
Then run a traceroute to an accessible public IP for comparison.
ahole4sure @viragomann

@viragomann
Thanks for reply
2 additional bits of info

I can ping the public IP of my mom from my work PC

I have disabled packet filtering on the home pfSense device and it still gets 100% packet loss with ping

I have attached the traceroute from the pfSense for both google.com and my mom public IP (both with packet filtering still disabled)!
The second pic is the traceroute to my mom's public IP address
EDIT!!! SORRY THE SECOND PIC WAS JUST WHERE I DIDN'T GIVE TRACEROUTE TIME TO COMPLETE
(SEE MY NEXT POST)

How often does one ISP block another ISP? I know that my work PC that is allowing the ping to happen is on the same ISP (Frontier Fiber)

[Attached screenshots, 7-14-25: traceroute output from pfSense]
ahole4sure @ahole4sure

@viragomann

SORRY FOR CONFUSION

Here is what happens with a traceroute WITH packet filtering disabled altogether!!! (from pfSense machine)
Why / how can that be?

Second pic is ping to same address from work laptop and work internet

[Attached screenshots, 7-14-25: traceroute from pfSense; ping from work laptop]
viragomann @ahole4sure

@ahole4sure
Seems you have a routing issue.
Did you route the remote IP to the WG gateway by any chance?

Otherwise show your routing table.
ahole4sure @viragomann

@viragomann

I don't have that routed that way - at least not intentionally

Tailscale is running on both the remote router and pfSense --- could some of those routes be doing it? Could I do some sort of override in the DNS or static routes?
ahole4sure @viragomann

@viragomann

I added this static route to force the IP for my mom to route through my ISP gateway ... and it worked -- was then able to ping that address

Since this might be a dynamic IP what should I do?
Just do a static for the DDNS host address?
viragomann @ahole4sure

@ahole4sure
Maybe the routing table brings dissociation.

However, I'm not familiar with Tailscale. Don't know what it does.
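What viragomann's "show your routing table" would reveal, and why the /32 static route in the post above fixed it, as an added example that is not code from this thread. The `netstat -rn` table, the addresses, and the interface names (igb0 as the pfSense WAN, tailscale0 as the Tailscale tunnel) are constructed, and the idea that a Tailscale subnet route covers the remote site's public address is the thread's suspicion, taken here as an assumption:

```python
import ipaddress

# Constructed FreeBSD-style `netstat -rn` output, not from the thread. igb0 is
# assumed to be the pfSense WAN, tailscale0 the Tailscale tunnel, and
# 203.0.113.25 stands in for the remote site's public address.
SAMPLE_ROUTES = """\
Destination        Gateway            Flags     Netif Expire
default            198.51.100.1       UGS        igb0
100.64.0.0/10      link#7             US    tailscale0
192.168.1.0/24     link#2             U          igb1
203.0.113.0/24     100.100.100.100    UGS   tailscale0
"""

TUNNEL_PREFIXES = ("tailscale", "wg", "tun", "ovpn")

def parse_routes(text):
    """netstat -rn text -> (network, gateway, netif); bare hosts become /32."""
    routes = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gateway, netif = parts[0], parts[1], parts[3]
        if dest == "default":
            dest = "0.0.0.0/0"
        routes.append((ipaddress.ip_network(dest, strict=False), gateway, netif))
    return routes

def lookup(routes, dest_ip):
    """Longest-prefix match, which is how the kernel chooses a route."""
    addr = ipaddress.ip_address(dest_ip)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def diagnose(routes, dest_ip):
    """Which route wins for dest_ip, and does it leave via a tunnel interface
    rather than the ISP gateway on the default route?"""
    net, gateway, netif = lookup(routes, dest_ip)
    return {"matched": str(net), "gateway": gateway, "netif": netif,
            "via_tunnel": netif.startswith(TUNNEL_PREFIXES)}

def add_host_route(routes, dest_ip, gateway, netif):
    """Model the thread's fix: a /32 static route via the WAN gateway beats any
    broader tunnel route on longest-prefix match."""
    return routes + [(ipaddress.ip_network(dest_ip + "/32"), gateway, netif)]

if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    print("before:", diagnose(table, "203.0.113.25"))  # via tailscale0
    fixed = add_host_route(table, "203.0.113.25", "198.51.100.1", "igb0")
    print("after: ", diagnose(fixed, "203.0.113.25"))  # via igb0
```

On the pfSense box itself the same check is `netstat -rn` fed into parse_routes, or `route -n get <ip>`; a /32 host route only helps while the remote address stays the same, so the check is worth repeating whenever the DDNS record changes.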
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.