My pfSense keeps breaking (novel inside…)
-
Packet captured pings from laptop through the LAN interface (which all came back as "Request timed out." on my laptop) and this is what the capture looks like:
16:38:32.824386 00:1b:38:62:d0:1a (oui Unknown) > 54:04:a6:f3:2b:05 (oui Unknown), ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 128, id 29038, offset 0, flags [none], proto ICMP (1), length 60)
192.168.168.100 > google-public-dns-a.google.com: ICMP echo request, id 1, seq 117, length 40
16:38:37.490298 00:1b:38:62:d0:1a (oui Unknown) > 54:04:a6:f3:2b:05 (oui Unknown), ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 128, id 29085, offset 0, flags [none], proto ICMP (1), length 60)
192.168.168.100 > google-public-dns-a.google.com: ICMP echo request, id 1, seq 118, length 40
16:38:42.490628 00:1b:38:62:d0:1a (oui Unknown) > 54:04:a6:f3:2b:05 (oui Unknown), ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 128, id 29122, offset 0, flags [none], proto ICMP (1), length 60)
192.168.168.100 > google-public-dns-a.google.com: ICMP echo request, id 1, seq 119, length 40
16:38:47.490840 00:1b:38:62:d0:1a (oui Unknown) > 54:04:a6:f3:2b:05 (oui Unknown), ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 128, id 29150, offset 0, flags [none], proto ICMP (1), length 60)
192.168.168.100 > google-public-dns-a.google.com: ICMP echo request, id 1, seq 120, length 40As for the MAC addresses: I checked my arp tables on my laptop and all of the correct MAC addresses show as being associated with the correct IP addresses for both the WAN and LAN interfaces. So everything is good there.
-
So now with the same ping running, does a packet capture on the WAN interface show the ping leaving the pfSense box? If so, what is the source IP address?
-
Interface set to WAN, Host set to 8.8.8.8, Full detail, Reverse DNS Lookup turned OFF:
18:01:55.094629 54:04:a6:f3:2b:07 > 00:26:62:1b:09:87, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 4003, offset 0, flags [none], proto ICMP (1), length 60)
192.168.168.100 > 8.8.8.8: ICMP echo request, id 1, seq 133, length 40
18:01:59.796664 54:04:a6:f3:2b:07 > 00:26:62:1b:09:87, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 4006, offset 0, flags [none], proto ICMP (1), length 60)
192.168.168.100 > 8.8.8.8: ICMP echo request, id 1, seq 134, length 40
18:02:04.795955 54:04:a6:f3:2b:07 > 00:26:62:1b:09:87, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 4009, offset 0, flags [none], proto ICMP (1), length 60)
192.168.168.100 > 8.8.8.8: ICMP echo request, id 1, seq 135, length 40
18:02:09.795179 54:04:a6:f3:2b:07 > 00:26:62:1b:09:87, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 4013, offset 0, flags [none], proto ICMP (1), length 60)
192.168.168.100 > 8.8.8.8: ICMP echo request, id 1, seq 136, length 40Interface set to WAN, Host set to 8.8.8.8, Full detail, Reverse DNS Lookup turned ON:
18:03:26.746456 54:04:a6:f3:2b:07 (oui Unknown) > 00:26:62:1b:09:87 (oui Unknown), ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 4104, offset 0, flags [none], proto ICMP (1), length 60)
192.168.168.100 > google-public-dns-a.google.com: ICMP echo request, id 1, seq 137, length 40
18:03:31.294265 54:04:a6:f3:2b:07 (oui Unknown) > 00:26:62:1b:09:87 (oui Unknown), ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 4109, offset 0, flags [none], proto ICMP (1), length 60)
192.168.168.100 > google-public-dns-a.google.com: ICMP echo request, id 1, seq 138, length 40
18:03:36.293619 54:04:a6:f3:2b:07 (oui Unknown) > 00:26:62:1b:09:87 (oui Unknown), ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 4115, offset 0, flags [none], proto ICMP (1), length 60)
192.168.168.100 > google-public-dns-a.google.com: ICMP echo request, id 1, seq 139, length 40
18:03:41.293819 54:04:a6:f3:2b:07 (oui Unknown) > 00:26:62:1b:09:87 (oui Unknown), ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 4118, offset 0, flags [none], proto ICMP (1), length 60)
192.168.168.100 > google-public-dns-a.google.com: ICMP echo request, id 1, seq 140, length 40192.168.168.100 is of course my laptop's IP address (where the pings are coming from).
-
I would really like to know where traffic is stopping inside pfSense. The above shows that it's tracking and trafficking my echo-requests…. but no echo-replies whatsoever. Just doesn't make sense.
Like check this out... INSIDE pfSense >> Diagnostics >> Ping: I set the interface to my WAN and tell it to ping 8.8.8.8 while I packet capture the WAN interface for the host address 192.168.168.2 (the WAN interface's ip address) and this is what I get:
18:29:04.862197 54:04:a6:f3:2b:07 > 00:26:62:1b:09:87, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 64, id 54046, offset 0, flags [none], proto ICMP (1), length 80)
192.168.2.2 > 10.39.5.1: ICMP echo request, id 33034, seq 3411, length 60
18:29:04.907335 00:26:62:1b:09:87 > 54:04:a6:f3:2b:07, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 126, id 54046, offset 0, flags [none], proto ICMP (1), length 80)
10.39.5.1 > 192.168.2.2: ICMP echo reply, id 33034, seq 3411, length 60
18:29:05.862197 54:04:a6:f3:2b:07 > 00:26:62:1b:09:87, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 64, id 7269, offset 0, flags [none], proto ICMP (1), length 80)
192.168.2.2 > 10.39.5.1: ICMP echo request, id 33034, seq 3667, length 60
18:29:05.905440 00:26:62:1b:09:87 > 54:04:a6:f3:2b:07, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 126, id 7269, offset 0, flags [none], proto ICMP (1), length 80)
10.39.5.1 > 192.168.2.2: ICMP echo reply, id 33034, seq 3667, length 60
18:29:06.862202 54:04:a6:f3:2b:07 > 00:26:62:1b:09:87, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 64, id 5674, offset 0, flags [none], proto ICMP (1), length 80)
192.168.2.2 > 10.39.5.1: ICMP echo request, id 33034, seq 3923, length 60
18:29:06.905499 00:26:62:1b:09:87 > 54:04:a6:f3:2b:07, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 126, id 5674, offset 0, flags [none], proto ICMP (1), length 80)
10.39.5.1 > 192.168.2.2: ICMP echo reply, id 33034, seq 3923, length 60
18:29:07.862204 54:04:a6:f3:2b:07 > 00:26:62:1b:09:87, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 64, id 21147, offset 0, flags [none], proto ICMP (1), length 80)
192.168.2.2 > 10.39.5.1: ICMP echo request, id 33034, seq 4179, length 60
18:29:07.907530 00:26:62:1b:09:87 > 54:04:a6:f3:2b:07, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 126, id 21147, offset 0, flags [none], proto ICMP (1), length 80)
10.39.5.1 > 192.168.2.2: ICMP echo reply, id 33034, seq 4179, length 60
18:29:08.069025 54:04:a6:f3:2b:07 > 00:26:62:1b:09:87, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 35388, offset 0, flags [none], proto ICMP (1), length 84)
192.168.2.2 > 8.8.8.8: ICMP echo request, id 22433, seq 0, length 64
18:29:08.199553 00:26:62:1b:09:87 > 54:04:a6:f3:2b:07, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 54, id 19673, offset 0, flags [none], proto ICMP (1), length 84)
8.8.8.8 > 192.168.2.2: ICMP echo reply, id 22433, seq 0, length 64
18:29:08.862208 54:04:a6:f3:2b:07 > 00:26:62:1b:09:87, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 64, id 50512, offset 0, flags [none], proto ICMP (1), length 80)
192.168.2.2 > 10.39.5.1: ICMP echo request, id 33034, seq 4435, length 60
18:29:08.909580 00:26:62:1b:09:87 > 54:04:a6:f3:2b:07, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 126, id 50512, offset 0, flags [none], proto ICMP (1), length 80)
10.39.5.1 > 192.168.2.2: ICMP echo reply, id 33034, seq 4435, length 60
18:29:09.069780 54:04:a6:f3:2b:07 > 00:26:62:1b:09:87, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 3448, offset 0, flags [none], proto ICMP (1), length 84)
192.168.2.2 > 8.8.8.8: ICMP echo request, id 22433, seq 1, length 64
18:29:09.199595 00:26:62:1b:09:87 > 54:04:a6:f3:2b:07, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 54, id 19674, offset 0, flags [none], proto ICMP (1), length 84)
8.8.8.8 > 192.168.2.2: ICMP echo reply, id 22433, seq 1, length 64
18:29:09.862210 54:04:a6:f3:2b:07 > 00:26:62:1b:09:87, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 64, id 25233, offset 0, flags [none], proto ICMP (1), length 80)
192.168.2.2 > 10.39.5.1: ICMP echo request, id 33034, seq 4691, length 60
18:29:09.907438 00:26:62:1b:09:87 > 54:04:a6:f3:2b:07, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 126, id 25233, offset 0, flags [none], proto ICMP (1), length 80)
10.39.5.1 > 192.168.2.2: ICMP echo reply, id 33034, seq 4691, length 60
18:29:10.070764 54:04:a6:f3:2b:07 > 00:26:62:1b:09:87, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 16652, offset 0, flags [none], proto ICMP (1), length 84)
192.168.2.2 > 8.8.8.8: ICMP echo request, id 22433, seq 2, length 64
18:29:10.199526 00:26:62:1b:09:87 > 54:04:a6:f3:2b:07, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 54, id 19675, offset 0, flags [none], proto ICMP (1), length 84)
8.8.8.8 > 192.168.2.2: ICMP echo reply, id 22433, seq 2, length 64
18:29:10.862211 54:04:a6:f3:2b:07 > 00:26:62:1b:09:87, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 64, id 35094, offset 0, flags [none], proto ICMP (1), length 80)
192.168.2.2 > 10.39.5.1: ICMP echo request, id 33034, seq 4947, length 60
18:29:10.907478 00:26:62:1b:09:87 > 54:04:a6:f3:2b:07, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 126, id 35094, offset 0, flags [none], proto ICMP (1), length 80)
10.39.5.1 > 192.168.2.2: ICMP echo reply, id 33034, seq 4947, length 60
18:29:11.862212 54:04:a6:f3:2b:07 > 00:26:62:1b:09:87, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 64, id 36592, offset 0, flags [none], proto ICMP (1), length 80)
192.168.2.2 > 10.39.5.1: ICMP echo request, id 33034, seq 5203, length 60
18:29:11.905614 00:26:62:1b:09:87 > 54:04:a6:f3:2b:07, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 126, id 36592, offset 0, flags [none], proto ICMP (1), length 80)
10.39.5.1 > 192.168.2.2: ICMP echo reply, id 33034, seq 5203, length 60So it's showing that when I tell the WAN to send off data, IT DOES and TRACKS IT! But if I try to send data THROUGH pfSense (from the LAN to the WAN) I get nothing. Just does not make sense.
-
You have turned off NAT in pfSense (at least for LAN to WAN traffic). If NAT was turned on the source address (as seen at the WAN interface) for the ping to 8.8.8.8 would be the pfSense WAN IP address.
I suspect your ADSL router doesn't have a route to the subnet of the pfSense LAN interface hence it doesn't know on which interface to forward packets with destinaion IP address 192.168.168.100.
You should turn NAT on in pfSense or add an appropriate route to your ADSL router.
-
Well, I've turned Dynamic Routing Version 2 ON in my DSL router.
And I renabled automatic NAT again in pfSense (since turning it to manual didn't make a difference).
Is there anything else I need to enable in pfSense in order for it to send RIP data back and forth between the two routers?
While I was remoted in to my laptop (using LogMeIn) I switched it back over to use the pfSense as it's default gateway and lost my connection and can't get it back (which I expected). So obviously traffic still isn't flowing through it. I'll have to continue work on this tomorrow morning since I'm at home now.
-
Can you put the modem in bridge mode and let the router do the login?
-
Thank you for any and all help in setting up my equipment. If setting my dsl router to bridge mode will simplify, speed up, make more stable or just all around better my connection I will be more than happy do it.
Now, please don't take this the wrong way as me being rude, I just want this post to get back on track… so I'll reiterate:
It's not my equipment that is the issue here.
I AM HAVING THE SAME PROBLEM WITH 1 DSL LINE WITH A ROUTER, 1 T1 LINE USING AN ADTRAN CSU/DSU, AND 1 T1 LINE USING A CISCO CSU/DSU TESTED WITH ANY AND ALL PORTS ON MY PFSENSE.ALL DO NOT WORK. ALL WITH THE SAME EXACT SYMPTONS.
It is NOT equipment OR how I've configured pfSense. I've had pfSense up and running perfectly fine countless times. It works great. The problem is that out of no where when I've reset states one too many times it breaks and NEVER COMES BACK... that is UNTIL I COMPLETELY REINSTALL PFSENSE. <<=== That is the issue. There is a bug somewhere. I want to know where and I want to know if there's a way to fix it without me having to re-install the entire program entirely. Because currently re-installation is the ONLY way I have been successful in getting pfSense to work properly again.
So again: I can't communicate THROUGH pfSense with ANY equipment I plug on the other side of it. Communication FROM pfSense itself works great! But THROUGH it doesn't. <<=== AND ALL OF THIS IS ONLY AFTER PFSENSE BREAKS. After I've had everything setup and working hunky-dory and then I tweak a few firewall rules, reset states one too many times and BAM! Broke and unreparable (unless someone can help me find the broken part and fix it).
Again, please don't take offense, I just want to keep my eye on the prize.
-
No worries- I guess I missed any mention of you resetting states to make this happen…. I did lose my glasses so need new ones...
But the DSL modem bridge comment... Im of the opinion that you shouldn't double NAT unless there is no other way... Bridge mode just keeps it simpler...
In my case- Ive reset states here quite often and guess Ill go back and read more about resetting states and see if I can reproduce it here...
Id be curious what your MBUF is at...
And how many states your machine maxes out at...
-
Well, I've turned Dynamic Routing Version 2 ON in my DSL router.
Why?
Is there anything else I need to enable in pfSense in order for it to send RIP data back and forth between the two routers?
Considering the difficulty you have had so far, why would that be a better solution than adding a static route to your DSL router or NATing in pfSense or adopting chpalmer's suggestion of using your DSL router in bridge mode?
While I was remoted in to my laptop (using LogMeIn) I switched it back over to use the pfSense as it's default gateway and lost my connection and can't get it back (which I expected).
Did you expect to lose your connection because your analysis of traffic paths showed a problem in that configuration or did you expect to lose the connection because your experience has shown you the network was fragile over configuration changes?
So obviously traffic still isn't flowing through it. I'll have to continue work on this tomorrow morning since I'm at home now.
What approach will you adopt for solving this?
Thank you for any and all help in setting up my equipment. If setting my dsl router to bridge mode will simplify, speed up, make more stable or just all around better my connection I will be more than happy do it.
DSL router in bridge mode is an option but depending on how the other equipment that connects you to the internet behaves you might might want to adopt a different approach.
It is NOT equipment OR how I've configured pfSense. I've had pfSense up and running perfectly fine countless times. It works great. The problem is that out of no where when I've reset states one too many times it breaks and NEVER COMES BACK… that is UNTIL I COMPLETELY REINSTALL PFSENSE. <<=== That is the issue. There is a bug somewhere. I want to know where and I want to know if there's a way to fix it without me having to re-install the entire program entirely. Because currently re-installation is the ONLY way I have been successful in getting pfSense to work properly again.
As best I can tell you need NAT in pfSense to pass traffic through since your DSL router doesn't seem to have a route to the LAN subnet downstream of pfSense. Somehow NAT was disabled in pfSense. Presumably as a consequence of a "few" firewall rule tweaks. I have no reason to believe that n+1 (n currently unknown) firewall state resets will disable NAT. Depending on what you call a firewall rule tweak (some action you get to through the firewall menu?) a firewall rule tweak can disable NAT.
Again, please don't take offense, I just want to keep my eye on the prize.
OK, I promise not to take offence. Please do the same for me.
I think the best ways you can accomplish your goal and help the pfSense project is to
1. keep detailed notes on what you do and the consequences of change. I doubt any readers of these forums have the time or interest to do a random sequence of state table resets and firewall rule tweaks in the hope of chancing upon the same sequence you claim causes your problems. Without knowing what you did no-one can say for any certainty if the system is behaving correctly or you have found a bug.
2. Before making a change answer the question "Why will this change make the behaviour I'm looking for?" If you can't answer that you shouldn't be making the change. If the change "doesn't work" find out why it doesn't work before making further changes. This will help you avoid making the same futile change in the future.
3. Take small steps and test changes carefully so you can easily go back to a working configuration. If necessary, backup your pfSense configuration frequently and document the features of that backed up configuration. In most cases you should be able to recover desired behaviour by restoring a saved configuration file and rebooting.
4. Read a few articles (e.g. from Wikipedia or a good IP networking textbook) on IP routing and NAT. With three different connections to the internet through three different pieces of equipment it is quite possible you will not be able to replicate configuration for one WAN interface onto another. Future troubleshooting will probably be eased if you understand how each device connecting to the internet is supposed to behave.
That's probably enough for now.
-
But the DSL modem bridge comment… Im of the opinion that you shouldn't double NAT unless there is no other way... Bridge mode just keeps it simpler...
I'm fine with that recommendation. But considering the multiple WAN interfaces proposed I would strongly recommend the "no other way" issue be settled by analysis rather than trying a few "firewall rule tweaks".
-
Just to chime in here. I agree that double NAT is best avoided but it only gives trouble in rare circumstances. I have run double NAT for months with no problems at all.
This is not a double NAT problem.You don't seem to have fully explored the packet capture that showed that pfSense was not NATing traffic. Simply switching from auto to manual should not stop NAT working. You would have to deliberately remove the NAT rules.
Switch it back to auto, I would reboot the box at this point, then rerun your packet captures to demonstrate that NAT is working.Also unexplained is the fact that you somehow ended up without a default route? :-\
Going right back to the beginning; is it a specific set of configuration changes that cause pfSense to stop forwarding traffic or simply making too many changes of any sort?
Steve