Netgate Discussion Forum

    My pfSense keeps breaking (novel inside…)

    General pfSense Questions
      stephenw10 Netgate Administrator

      Perhaps the novel is overheating your cpu?  :D

      But seriously…
      The fact that:

      I remove all installed packages… that does nothing.
      I DELETE all of my changes... that does nothing.
      I reset pfSense to factory defaults and reset just the basic connections (IP for the LAN and WAN along with the gateway for the WAN to be associated with)... that does nothing.

      By 'nothing' I'm assuming you mean no internet access from LAN side clients but please elaborate on that.

      This implies to me that something has altered the underlying FreeBSD config in a way that isn't controlled by pfSense. When you reset to factory defaults you are replacing the config.xml file with the default one but not resetting the entire OS or replacing binaries as you do when you re-install.
      This is likely to be caused by a package. What packages are you using?

      Steve

        soteriologist

        Interfaces all show that their connections are up.

        I can connect fine from the LAN side to the web gui, and through SSH.  But all traffic on the WAN side won't leave.  There are no states of any sort showing.  There's no active connections.

        When I check the states and firewall the browser has fully loaded the page whenever I look at it.

        By does nothing, I mean ALL of the following:
        There are no states listed AT ALL.
        There is no firewall traffic listed AT ALL.
        I'm able to get into the box… BUT no traffic is leaving it.

          soteriologist

          As for what traffic was tried through the box,
          icmp 8
          tcp 53
          tcp 80
          tcp 443
          tcp 25
          tcp 143
          and a bunch of voip traffic in the 6K block of ports.

            soteriologist

            The package I'm using is:
            pfSense-2.0.1-RELEASE-amd64.iso

            that I have burned to a CD and am installing from an internal DVD drive onto my 64GB SSD that's in the machine.

            As for resetting, I'm doing so by clicking on the reset to factory defaults options inside the WebGui.  So it's resetting with what options it has in place using that built in function.

              soteriologist

              I can't remember ALL of the packages that I had installed the first time this happened but some of them were:
              pfBlocker
              file manager
              squid
              squidguard
              and maybe one or two more (all reporting ones)

              This last time around I had just the following:
              file manager
              squid
              squidguard
              and I tried out the widescreen theme.

                stephenw10 Netgate Administrator

                Well, none of those packages look like obvious suspects; nevertheless, I would try without any packages to rule that out.  :-\

                Steve

                  soteriologist

                  I've already uninstalled all the packages.

                  The current state I'm in is:
                  No packages installed.
                  Reset to factory defaults.
                  Only the most basic settings have been applied in order to get an internet connection up on it.

                  And yet I still see no traffic.   :-\

                  It's as if I were creating a super-massive star when all of a sudden it imploded into a supernova and warped into a blackhole.   :'(
                  I want my super-massive pfSense star back.

                    soteriologist

                    The only thing left for me to do is re-install and start from scratch… AGAIN.

                    But before I do that, I figured I'd post on here to see if someone had a suggestion to diagnose this shit and hopefully stop others from running into the same problem  AND hopefully prevent me from running through it all over again a third time.

                    I figured if there truly is a horribad bug somewhere in the code, someone would want to know about it and get it fixed.

                      soteriologist

                      ok,  so I turned on accessing the web configurator from the wan side.  One of my internet connections is DSL which uses a wired/wireless router/modem combo.  So I've plugged my laptop into one of the other wired ports on the little DSL router and can access my pfSense box through the WAN port there.  So at least SOME traffic is flowing through that connection.    But it's not showing up in the states/firewall logs.

                      Still no pings, webpages, email, etc are going through it though.    :'(
                      Can't get a connection to the internet through the pfSense.  :-\

                        wallabybob

                        @soteriologist:

                        The only thing left for me to do is re-install and start from scratch… AGAIN.

                        There are still a number of alternatives, including plugging your laptop into the DSL router and attempting to access the pfSense WAN port.

                        @soteriologist:

                        One of my internet connections is DSL

                        What are the others?

                        @soteriologist:

                        So I've plugged my laptop into one of the other wired ports on the little DSL router and can access my pfSense box through the WAN port there.

                        Can you also access the management interface on the DSL router? What does it tell you about the WAN interface of the DSL router?

                        What is the interface type of your pfSense WAN interface? (Static? DHCP? PPP?)

                        Please post the output of the pfSense shell command

                        netstat -rn -f inet;  traceroute -n 8.8.8.8

                          soteriologist

                          Tried pinging with pfSense's web configurator (under Diagnostics >> Ping) to both 4.2.2.2 and google.com (along with a handful of other sites) and get no response.  Tried pinging the DSL router, and get a response.  Tried pinging my laptop that is also plugged into the same router and get a response from my laptop's IP address.

                          Still nothing shows in states/firewall logs though?

                          I'll try that traceroute command.

                            soteriologist

                            Here are the results:

                            netstat -rn -f inet ; traceroute -n 8.8.8.8
                            Routing tables

                            Internet:
                            Destination        Gateway            Flags    Refs      Use  Netif Expire
                            127.0.0.1          link#12            UH          0    3412    lo0
                            192.168.2.0/24    link#7            U          0    10355    em2
                            192.168.2.2        link#7            UHS        0        0    lo0
                            192.168.168.0/24  link#5            U          0      341    em0
                            192.168.168.1      link#5            UHS        0        0    lo0
                            traceroute: findsaddr: failed to connect to peer for src addr selection.

                              wallabybob

                              You don't have a default route hence most of the traffic that would normally go out the WAN interface doesn't go out the WAN interface because there isn't a route saying that is where it should go.

                              Your pfSense WAN interface type is? (Depending on that I might be able to give you a pfSense shell command to add a default route.) But that won't help if the upstream link from your DSL router is broken. Can you get status of the upstream (to the Internet) link on the DSL router?

                              What version of pfSense are you running? Please post the version information from the home page of your pfSense box.

                                stephenw10 Netgate Administrator

                                Hmm, you have no default route and no route to anywhere outside your network. Problem!
                                Is your WAN connection up? (or was it when you did this).
                                @soteriologist:

                                I've already uninstalled all the packages.

                                The reason I suspected packages is that they sometimes either overwrite things they shouldn't or remove things they shouldn't when you uninstall them.

                                Uninstalling all the packages is not necessarily the same thing as never having installed them!  ::)

                                Something has messed up your routing table, either directly or by messing up something that controls the routing table.

                                Steve

                                Edit: Typed too slow.

                                  soteriologist

                                  I'm able to get an internet connection fine through all of my WAN devices I've had in the past (and currently have) attached to pfSense.   Even when I plug in using the same cables/ports that pfSense would use to those devices.

                                  I ruled out any hardware problems at the get-go.

                                  As for my current version:
                                  Version 2.0.1-RELEASE (amd64)
                                  built on Mon Dec 12 18:16:13 EST 2011
                                  FreeBSD 8.1-RELEASE-p6

                                  As for the default route, I can check mark that box for the interface.  Right now it's unchecked because I had a load-balancing group created and had "Allow default gateway switching" under "System >> Advanced >> Miscellaneous >> Load Balancing" checked.

                                  I can recheck to have just that default DSL line checked as the "Default Gateway" and uncheck the other setting… brb.

                                    cmb

                                    You need to set a default gateway even if you're policy routing your egress traffic. And uncheck the default gateway switching.

                                    What type of WANs?

                                      soteriologist

                                      I just rechecked to have just that default DSL line checked as the "Default Gateway" and unchecked "Allow default gateway switching" under "System >> Advanced >> Miscellaneous >> Load Balancing".
                                      Still no ping response beyond the router/modem it's plugged into.
                                      Still no internet connection.
                                      Still nothing in state/firewall logs.

                                      Re-ran traceroute and this is what I have now:

                                      netstat -rn -f inet;  traceroute -n 8.8.8.8

                                      Routing tables

                                      Internet:
                                      Destination        Gateway            Flags    Refs      Use  Netif Expire
                                      default            192.168.2.2        US          0       51    em2
                                      127.0.0.1          link#12            UH          0     3524    lo0
                                      192.168.2.0/24     link#7             U           0    19094    em2
                                      192.168.2.2        link#7             UHS         0        0    lo0
                                      192.168.168.0/24   link#5             U           0      341    em0
                                      192.168.168.1      link#5             UHS         0        0    lo0
                                      traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets

                                        soteriologist

                                        The three WANs that I have are:
                                        One DSL connection through a Verizon router/modem
                                        One T1 through an AdTran DSU/CSU
                                        One T1 through a Cisco DSU/CSU

                                        AT THE MOMENT I'm ONLY using the DSL for testing.  Just to simplify things and because the entire company is actively using the two T1s at the office.  But when I had everything plugged in during off hours, they were all working fine until… well... everything stopped working.  So I had to put everything back the way I had it in the very late hours of the night before everyone came back in the next day and BACK TO THE DRAWING BOARD!

                                          wallabybob

                                          @soteriologist:

                                          Re-ran traceroute and this is what I have now:

                                          Your traceroute output is incomplete.

                                            soteriologist

                                            @wallabybob:

                                            @soteriologist:

                                            Re-ran traceroute and this is what I have now:

                                            Your traceroute output is incomplete.

                                            Ya… just realized that I hadn't copied everything, SORRY!

                                            Here we go:

                                            netstat -rn -f inet;  traceroute -n 8.8.8.8
                                            Routing tables

                                            Internet:
                                            Destination        Gateway            Flags    Refs      Use  Netif Expire
                                            default            192.168.2.2        US          0      201    em2
                                            127.0.0.1          link#12            UH          0    3568    lo0
                                            192.168.2.0/24    link#7            U          0    22223    em2
                                            192.168.2.2        link#7            UHS        0        0    lo0
                                            192.168.168.0/24  link#5            U          0      341    em0
                                            192.168.168.1      link#5            UHS        0        0    lo0
                                            traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
                                            1  * * *
                                            2  * *traceroute: sendto: Host is down
                                            traceroute: wrote 8.8.8.8 52 chars, ret=-1
                                            *
                                            traceroute: sendto: Host is down
                                            3 traceroute: wrote 8.8.8.8 52 chars, ret=-1
                                            *traceroute: sendto: Host is down
                                            traceroute: wrote 8.8.8.8 52 chars, ret=-1
                                            *traceroute: sendto: Host is down
                                            traceroute: wrote 8.8.8.8 52 chars, ret=-1
                                            *
                                            traceroute: sendto: Host is down
                                            4 traceroute: wrote 8.8.8.8 52 chars, ret=-1
                                            *traceroute: sendto: Host is down
                                            traceroute: wrote 8.8.8.8 52 chars, ret=-1
                                            *traceroute: sendto: Host is down
                                            traceroute: wrote 8.8.8.8 52 chars, ret=-1
                                            *
                                            traceroute: sendto: Host is down
                                            5 traceroute: wrote 8.8.8.8 52 chars, ret=-1
                                            *traceroute: sendto: Host is down
                                            traceroute: wrote 8.8.8.8 52 chars, ret=-1
                                            *traceroute: sendto: Host is down
                                            traceroute: wrote 8.8.8.8 52 chars, ret=-1
                                            *
                                            traceroute: sendto: Host is down
                                            6 traceroute: wrote 8.8.8.8 52 chars, ret=-1
                                            *traceroute: sendto: Host is down
                                            traceroute: wrote 8.8.8.8 52 chars, ret=-1
                                            *traceroute: sendto: Host is down
                                            traceroute: wrote 8.8.8.8 52 chars, ret=-1
                                            *
                                            traceroute: sendto: Host is down
                                            7 traceroute: wrote 8.8.8.8 52 chars, ret=-1
                                            ^C

                                            1 Reply Last reply Reply Quote 0
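An added example, not written by any poster in this thread: a POSIX sh/awk check over `netstat -rn -f inet` output that flags a missing default route (the first table posted above) and also a default gateway that is one of the box's own addresses or lies outside every connected subnet. It assumes FreeBSD lists the firewall's own interface addresses as host routes through `lo0` with a `link#` gateway; the function name `check_routes` and its status strings are made up for this example.

```shell
#!/bin/sh
# Added example: sanity-check `netstat -rn -f inet` output (FreeBSD/pfSense).
# check_routes and its status strings are hypothetical names for this example.

# Constructed sample 1: data rows of the first routing table posted in the thread.
SAMPLE_NO_DEFAULT='127.0.0.1          link#12            UH          0    3412    lo0
192.168.2.0/24     link#7             U           0   10355    em2
192.168.2.2        link#7             UHS         0       0    lo0
192.168.168.0/24   link#5             U           0     341    em0
192.168.168.1      link#5             UHS         0       0    lo0'

# Constructed sample 2: the default row from the later table, plus the rows above.
SAMPLE_WITH_DEFAULT="default            192.168.2.2        US          0      51    em2
$SAMPLE_NO_DEFAULT"

check_routes() {
    # stdin: netstat -rn -f inet output; stdout: exactly one status line.
    awk '
    function ip2int(ip,    o) {
        if (split(ip, o, ".") != 4) return -1
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    $1 == "default" { gw = $2; gwif = $6; next }
    $2 ~ /^link#/ {
        if (split($1, p, "/") == 2) {        # directly connected network
            n++; net[n] = ip2int(p[1]); bits[n] = p[2]
        } else if ($6 ~ /^lo[0-9]/) {        # host route via loopback:
            own[$1] = 1                      # assumed to be a local address
        }
    }
    END {
        if (gw == "") { print "NO_DEFAULT_ROUTE"; exit }
        if (gw in own) { print "DEFAULT_GW_IS_OWN_ADDRESS", gw, gwif; exit }
        g = ip2int(gw)
        for (i = 1; i <= n; i++) {
            size = 2 ^ (32 - bits[i])        # addresses per connected subnet
            if (int(g / size) == int(net[i] / size)) {
                print "OK", gw, gwif; exit
            }
        }
        print "DEFAULT_GW_NOT_ON_CONNECTED_NET", gw
    }'
}

# Stand-alone run over both samples.
printf '%s\n' "$SAMPLE_NO_DEFAULT"   | check_routes
printf '%s\n' "$SAMPLE_WITH_DEFAULT" | check_routes
```

On a live box the same function can be fed directly with `netstat -rn -f inet | check_routes`; header lines such as "Routing tables" are ignored by the parser.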
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.