TTL exceeded
-
pfsense 2.0
lan---pfsense---modem---net
         |
        wifi (rosewill card in pfsense)

Default NAT rules.
Default LAN rules.
WLAN rules: added an ANY rule like the default one from LAN (neither internal nor external DNS queries worked until this was added, makes sense).
RFC1918 blocking turned off on LAN and WLAN.
Tried with BOGONS off though it should not matter.
Tested a lower MTU on the WAN interface as the modem wants 1400.

From LAN client:
- DNS queries work, pfsense gui works, ssh to pfsense works, pings to pfsense work, etc.
- DNS to external dns servers seems to work (ie: dig @externaldns)
- Everything else fails.
  * Pings return a time to live exceeded error.
  * telnet to port 80:
18:17:32.001648 IP 192.168.7.177.44936 > 72.14.204.105.http: Flags [S], seq 1869472157, win 5840, options [mss 1460,sackOK,TS val 28314908 ecr 0,nop,wscale 6], length 0
18:17:32.004295 IP 192.168.7.254 > 192.168.7.177: ICMP time exceeded in-transit, length 68

From WLAN client:
- Same as above.

From a shell locally on firewall:
- Same as above.

I cannot for the life of me figure out what is going on here. Anyone seen this sort of scenario and/or can clue my clueless self in? Thanks!
-
Traceroute client:
[foo@bar]> traceroute www.google.com
traceroute to www.google.com (72.14.204.147), 30 hops max, 60 byte packets
1 ares.local (192.168.7.254) 0.359 ms 0.544 ms 0.445 ms
2 ares.local (192.168.7.254) 0.687 ms 2.134 ms 2.180 ms
3 ares.local (192.168.7.254) 2.537 ms 2.810 ms 2.715 ms
4 ares.local (192.168.7.254) 2.957 ms 3.194 ms 3.099 ms
…
28 ares.local (192.168.7.254) 6.358 ms 6.561 ms 6.408 ms
29 ares.local (192.168.7.254) 6.244 ms 6.409 ms 6.608 ms
30 ares.local (192.168.7.254) 6.454 ms 6.659 ms 6.504 ms

Traceroute pfsense locally:
Same as above but out to 64 and "localhost" vs "ares.local". IP and ms changed of course.
-
You've somehow created a routing loop. Did you create any static routing rules?
-
That's actually what it looks like to me, but no. I created no routes manually whatsoever. The setup is effectively default. That is, other than those simple firewall rules I added to the wifi interface, everything is set up based off what pfsense automatically generates.
Bit more info:
vr0 = lan
vr1 = wan

192.168.7.x -> 192.168.7.254 (pfsense)
192.168.15.3 -> 192.168.15.1 (modem)
NET

[2.0-RELEASE][root@ares.local]/root(2): ping www.google.com
PING www.l.google.com (72.14.204.104): 56 data bytes
36 bytes from localhost (127.0.0.1): Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src            Dst
 4  5  00 5400 0983   0 0000  01  01 d309 192.168.7.254  72.14.204.104

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.7.254      UGS         0    31623    vr0
63.251.62.33       192.168.15.1       UGHS        0       15    vr1
127.0.0.1          link#4             UH          0      870    lo0
192.168.7.0/24     link#1             U           0    11361    vr0
192.168.7.254      link#1             UHS         0    57819    lo0
192.168.15.0/24    link#2             U           0      307    vr1
192.168.15.3       link#2             UHS         0        0    lo0
192.168.241.192/26 link#8             U           0        0  ral0_w
192.168.241.254    link#8             UHS         0    57376    lo0
204.74.97.104      192.168.15.1       UGHS        0       15    vr1
-
UG! :-[ I found the problem. Apparently some time ago, when I first attempted the wireless setup, I created a "Gateway" under Routing. I'm not entirely sure why this impacted everything, but in the GUI it was shown as:
name wlan1 192.168.7.254 192.168.7.254
I'd have thought that would only impact the wlan1 interface. Regardless, a typical case of PEBCAK. Upon removal of that gateway all my problems vanished.
Sorry for the run around, sincerely.
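As an added illustration of the loop diagnosed in this thread (example code written for this page, not code from the thread or from pfSense): the script parses the routing table posted above in the layout `netstat -rn` prints on FreeBSD and models the kernel's next-hop lookup, showing why a default route whose gateway is one of the firewall's own addresses (192.168.7.254, a link#1 host route on lo0) ends in a time-to-live-exceeded reply from the box itself, and why pointing the default route at the modem (192.168.15.1) clears it. The reconstructed sample table and the `parse_routes`, `trace_forwarding` and `diagnose` names are assumptions of this example.

```python
"""Simulate next-hop resolution over a FreeBSD/pfSense routing table.

Added diagnostic example, not code from the thread or from pfSense. It parses
the "Internet:" section of `netstat -rn` and follows the lookup for one
destination: if the selected gateway is an address the box itself owns (a
link#N host route on lo0), the packet is handed back to the local IP stack,
TTL drops by one and the identical lookup repeats until the TTL is exhausted,
which is the "Time to live exceeded" reply reported in the thread.
"""
import ipaddress

# Routing table reconstructed from the one posted in the thread (Expire column empty)
SAMPLE_NETSTAT = """\
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.7.254      UGS         0    31623    vr0
63.251.62.33       192.168.15.1       UGHS        0       15    vr1
127.0.0.1          link#4             UH          0      870    lo0
192.168.7.0/24     link#1             U           0    11361    vr0
192.168.7.254      link#1             UHS         0    57819    lo0
192.168.15.0/24    link#2             U           0      307    vr1
192.168.15.3       link#2             UHS         0        0    lo0
192.168.241.192/26 link#8             U           0        0  ral0_w
192.168.241.254    link#8             UHS         0    57376    lo0
204.74.97.104      192.168.15.1       UGHS        0       15    vr1
"""


def parse_routes(text):
    """Return one dict per route row with dest, gw, flags and netif."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Destination":
            continue  # section title, column header or blank line
        routes.append({"dest": parts[0], "gw": parts[1],
                       "flags": parts[2], "netif": parts[5]})
    return routes


def local_addresses(routes):
    """Addresses the host owns: FreeBSD installs a host route (H flag) for every
    interface address, with a link#N gateway and lo0 as the interface."""
    return {r["dest"] for r in routes
            if r["netif"] == "lo0" and r["gw"].startswith("link#") and "H" in r["flags"]}


def lookup(routes, dst):
    """Longest-prefix match; 'default' means 0.0.0.0/0 and a bare address is a /32."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        cidr = "0.0.0.0/0" if r["dest"] == "default" else r["dest"]
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    return best[1] if best else None


def trace_forwarding(routes, dst, ttl=64):
    """Model how a packet for dst leaves the box. Returns (outcome, lookups_done)."""
    own = local_addresses(routes)
    lookups = 0
    while ttl > 0:
        route = lookup(routes, dst)
        lookups += 1
        if route is None:
            return ("unreachable", lookups)
        if route["gw"].startswith("link#"):
            return ("delivered", lookups)   # directly connected on route["netif"]
        if route["gw"] not in own:
            return ("forwarded", lookups)   # real next hop, e.g. the modem
        # Gateway is one of our own addresses: the packet re-enters the IP
        # stack through lo0, TTL is decremented and the same lookup repeats.
        ttl -= 1
    return ("ttl-exceeded", lookups)


def diagnose(text, dst="72.14.204.104"):
    """Parse a netstat -rn dump and report what happens to traffic for dst."""
    return trace_forwarding(parse_routes(text), dst)


if __name__ == "__main__":
    print(diagnose(SAMPLE_NETSTAT))  # ('ttl-exceeded', 64)
```

Hosts with their own specific routes (63.251.62.33 and 204.74.97.104 via 192.168.15.1) are forwarded normally, which is consistent with the thread: only traffic that falls through to the default route loops.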