Why outgoing LAN being blocked?
-
821ms 998ms 966ms 10.xxx.x.1
A 10 address is not public, so you're behind a double NAT. Is that your ISP doing global NAT, or is that the device your pfSense is directly connected to? You mention a "modem"; what model number, since it seems to be doing NAT? And then your ping times to the ISP would be this hop:
3 73ms 926ms 1001ms 68.6.12.38
So to me it looks like you have a problem between pfSense and whatever that 10.x device is – your "modem", which would be local on your network, and should be more like the speeds you're seeing to pfSense of <1ms.
So what we need to figure out is what this 10.x.x is: is that your local device or something outside your location at the ISP? I am thinking it's your modem, which would be local... BTW anything that starts with 10.x.x.x is an RFC 1918 address and not routable on the internet, so no reason to hide that, just like the 192.168.x.x addresses.
edit: So your 3rd hop, which to me would be the first hop to your ISP with that 10.x address as second.. I am seeing
PING 68.6.12.38 (68.6.12.38): 56 data bytes
64 bytes from 68.6.12.38: icmp_seq=0 ttl=244 time=81.579 ms
64 bytes from 68.6.12.38: icmp_seq=1 ttl=244 time=81.943 ms
64 bytes from 68.6.12.38: icmp_seq=2 ttl=244 time=80.031 ms
80ms -- I am in Chicago, where are you? And you see 800ms to the first hop after pfSense, which I have to think is your local modem. That would cause you to see delays talking to anything past that.
-
I am in Southern California and my modem is a Cisco-model DPQ3212 DOCSIS 3.0.
I don't know if my ISP is doing global NAT, first time hearing about such a thing.
When I first installed pfSense my firewall kept blocking those 10.x addresses every minute so I turned off logging for that traffic because it looked like DHCP broadcast traffic.
UPDATE: So I called my ISP and told them that I was getting very high latency on the gateway IP and just before he was going to transfer me to tech level 2 he reset the modem and now I am getting 7-9ms on that gateway IP. He didn't know why I was getting that 10.x address BTW.
However, the trace route to google dns still shows that 10.x address in the hop. Is that something I need to be worried about?
Here is the new trace route to google dns:
 1  10.x.x.x  7.748 ms  6.194 ms  5.948 ms
 2  68.6.12.38  8.211 ms  8.286 ms  7.702 ms
 3  * * *
 4  68.6.8.100  9.710 ms  9.896 ms  10.090 ms
 5  68.1.5.137  75.889 ms  15.220 ms  55.754 ms
 6  68.105.30.181  14.028 ms  14.192 ms  13.443 ms
 7  64.233.174.238  22.924 ms  14.571 ms
    216.239.46.40  17.534 ms
 8  72.14.238.0  39.652 ms
    64.233.174.188  16.144 ms
    72.14.238.0  55.597 ms
 9  72.14.239.160  40.011 ms
    72.14.239.162  40.368 ms
    72.14.239.155  39.777 ms
10  216.239.48.165  40.960 ms
    216.239.48.167  40.724 ms
    216.239.48.165  48.806 ms
11  * * *
12  8.8.8.8  42.643 ms  41.818 ms  40.886 ms
-
Good that the latency is better now. Next you probably want to understand what the 10.x.x.x address is about. As JohnPoz said, there is no need to hide those as it is private address space and no-one can find you using "10" addresses.
What is your WAN IP and WAN gateway addresses?
(Status->Interfaces should tell you what addresses the WAN was given)
Most likely they are 10.x.x.x and that just means your cable modem is in router mode rather than bridge mode.
-
Well, if that is your model number, it is just a cable modem; I don't see anywhere in its docs talking about NAT. So if you're seeing a 10.x.x.x as your next hop, your ISP is doing it.
Again, 10.x.x.x is PRIVATE; it's NOT routable on the internet.
http://en.wikipedia.org/wiki/Private_network
Normally in a cable connection (I have one, with an SB6120 cable modem) my pfSense gets a public IP address 24.13.x.x – this is owned by Comcast.
whois 24.13.0.0
NetRange: 24.0.0.0 - 24.15.255.255
CIDR: 24.0.0.0/12
NetName: EASTERNSHORE-1
NetHandle: NET-24-0-0-0-1
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2003-10-06
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-24-0-0-0-1
OrgName: Comcast Cable Communications, Inc.
Look up 10.x.x.x
whois 10.0.0.0
NetRange: 10.0.0.0 - 10.255.255.255
CIDR: 10.0.0.0/8
OriginAS:
NetType: IANA Special Use
NetName: PRIVATE-ADDRESS-ABLK-RFC1918-IANA-RESERVED
Comment: These addresses are in use by many millions of independently operated networks, which might be as small as a single computer connected to a home gateway, and are automatically configured in hundreds of millions of devices. They are only intended for use within a private context and traffic that needs to cross the Internet will need to use a different, unique address.
Comment: These addresses can be used by anyone without any need to coordinate with IANA or an Internet registry. The traffic from these addresses does not come from ICANN or IANA. We are not the source of activity you may see on logs or in e-mail records. Please refer to http://www.iana.org/abuse/answers
So just like pfSense's NAT changes your private range on your private side to what is normally a public address, pfSense is NATting yours to your 10.x.x.x address; then your ISP HAS to change it again to some routable address on the internet, or sites you try to go to would not be able to talk back to you, since they cannot talk to a 10.x.x.x address.
If your ISP has no idea why you have a 10.x.x.x address you should really call them back and ask to talk to someone that does know ;) Unless they are doing a 1:1 NAT to what your public address is, it's not possible for you to allow unsolicited traffic behind a NAT (port forwards); maybe that's something you're ok with? Maybe they do 1:1, but that seems utterly pointless for them to do.
But your connections should be much better now ;) with a nice low ping time to your gateway. Internet must be much better!
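The reasoning in this post (a 10.x hop is RFC 1918 space, so either the router's own WAN address is private and something upstream is translating, or the router is public and the private hop is an ISP device) can be turned into a small check. The script below is an added example for this thread, not code from the pfSense project or from any poster; the traceroute text it parses is constructed in the BSD layout shown earlier in the thread, and the WAN address passed to diagnose() is a made-up stand-in for the 68.105.x.x the original poster reported.

```python
import ipaddress
import re

# Ranges that are never routed on the public Internet (RFC 1918) plus the
# RFC 6598 shared space some ISPs use for carrier-grade NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample in the BSD traceroute layout used in the thread: a
# private first hop, a '* * *' hop, and a hop answering from two addresses.
SAMPLE_TRACE = """\
 1  10.175.0.1  7.748 ms  6.194 ms  5.948 ms
 2  68.6.12.38  8.211 ms  8.286 ms  7.702 ms
 3  * * *
 4  68.6.8.100  9.710 ms  9.896 ms  10.090 ms
 7  64.233.174.238  22.924 ms  14.571 ms
    216.239.46.40  17.534 ms
12  8.8.8.8  42.643 ms  41.818 ms  40.886 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S.*)$")
ADDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_traceroute(text):
    """Return a list of (hop_number, [addresses]).

    A hop that only timed out ('* * *') gets an empty list.  A line that does
    not start with a hop number is a continuation of the previous hop
    (traceroute prints extra responders on their own lines), so its
    addresses are appended to that hop.
    """
    hops = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), ADDR_RE.findall(m.group(2))))
        elif hops:
            hops[-1][1].extend(ADDR_RE.findall(line))
    return hops


def classify(addr):
    """'rfc1918', 'cgnat' or 'public' for one dotted-quad address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    return "public"


def private_hops(text, lan_gateway=None):
    """Hop numbers that answered from RFC 1918 or CGNAT space.

    lan_gateway is the router's own LAN address: when the trace is run from a
    LAN client its first hop is the router itself, which is expected to be
    private and is therefore ignored.
    """
    result = []
    for hop_no, addrs in parse_traceroute(text):
        others = [a for a in addrs if a != lan_gateway]
        if any(classify(a) != "public" for a in others):
            result.append(hop_no)
    return result


def diagnose(text, wan_ip, lan_gateway=None):
    """Interpret a private hop in terms of the router's WAN address (Status->Interfaces)."""
    hops = private_hops(text, lan_gateway)
    wan_kind = classify(wan_ip)
    if wan_kind != "public":
        # The router itself was handed a private address: the device upstream
        # (modem in router mode, or the ISP) is translating: double NAT / CGNAT.
        return "double-nat"
    if hops:
        # The router already holds a public address, so the private hop does
        # not by itself indicate NAT; it is an ISP device (the thread's CMTS)
        # whose customer-facing interface carries a private address.
        return "private-isp-hop"
    return "clean"


if __name__ == "__main__":
    for hop_no, addrs in parse_traceroute(SAMPLE_TRACE):
        print(hop_no, [(a, classify(a)) for a in addrs])
    # Constructed WAN address standing in for the thread's 68.105.x.x.
    print(diagnose(SAMPLE_TRACE, "68.105.0.2"))
```

Run it against the output of `traceroute 8.8.8.8` from the pfSense shell and pass the WAN address from Status->Interfaces; when tracing from a LAN client, also pass that client's default gateway as lan_gateway so the router's own LAN address is not reported as a private hop.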
-
My external IP and Gateway IP match except for the last octet, they aren't 10.x.x.x but start with 68.x.x.x
-
And how is that, since your first hop is 10.x.x.x?
So on pfSense, what does it show for your WAN interface?
Sorry, your hop shows you talking to a 10 address. It's not possible for a 68.x.x.x address to talk to a 10 address directly. If you have a 68 address on pfSense, I am at a complete loss as to how a 10 address would show up in your trace.
-
This is what mine is showing.
-
Well, that is completely wacky. If you are still getting 10.x.x.x appearing early in your traceroute (from pfSense and/or a LAN client) then look in config.xml:
Diagnostics->Edit
/cf/conf/config.xml
Search for "10."
and Diagnostics->Routes - what is the default route?
Is there some VPN server and client that connects to itself and routes around in a loop to make that bonus hop, or what???
-
Hey Phil,
I did as you asked and looked in the config.xml file, I pasted it into Word and ran a search for anything matching "10".. It didn't come back with any 10.x.x.x. I also looked through the file without the search function and didn't notice anything.
The IPv4 routing tables don't have any 10.x.x.x addresses listed. The default Gateway is 68.105.x.1, as it is for 8.8.4.4 and 8.8.8.8
Ran traceroute again; it's still showing the 10.x.x.x as the first hop.
I have Private Internet Access configured on my PC but that is the only VPN I use and it is almost always disconnected. Running traceroute on my PC the first hop is 192.168.1.1 and the 2nd is 10.x.x.x
I do appreciate the help from both you and John, if nothing else I am learning a lot from this!
-
I don't recall ever seeing anything like this before.
On pfSense check the MAC of that 10 address if you can – we should then be able to figure out what hardware it is; maybe it's your "modem" device. Very strange!!
So in pfSense ping that hop directly, 10.175.0.1, and then look in your ARP table on pfSense with arp -a; do you see it listed? What are the first 3 numbers at least, and we can look them up via websites like this
http://www.coffer.com/mac_find/
-
The 10.x.x.x IP is his cable company's CMTS.
-
I pinged 10.175.0.1 and got a response but under Diagnostics -> ARP Table, or when using arp -a, I don't see any 10.x.x.x
$ arp -a
pfsense.localdomain (192.168.1.1) at 54:be:f7:X:X:72 on em1 permanent [ethernet]
? (192.168.1.152) at 6c:f0:49:ce:8a:8d on em1 expires in 1195 seconds [ethernet]
? (192.168.1.120) at 54:26:96:35:d8:ef on em1 expires in 1158 seconds [ethernet]
? (192.168.1.125) at 00:11:32:1a:a0:6e on em1 expires in 1039 seconds [ethernet]
? (192.168.1.188) at d4:3d:7e:18:94:ad on em1 expires in 1038 seconds [ethernet]
ip68-105-X-X.cox.net (68.105.X.X) at 54:be:f7:X:X:71 on em0 permanent [ethernet]
ip68-105-X-1.cox.net (68.105.X.1) at 00:26:99:X:X:X on em0 expires in 1199 seconds [ethernet]
I did search the MAC address belonging to the Gateway IP with the site you linked and it returned 2 results:
Cisco Systems
Prefix: 00:26:99
-
Can you run, under Diagnostics on pfSense, a capture on your WAN interface, then ping it and capture the traffic? Then we can see its MAC in the capture, and compare its MAC to the MAC of your ISP router at the 68.
Once you have the capture you can download it into Wireshark and see the MAC. Maybe it's the same as your ISP router? Very odd how you get a hop between pfSense and its gateway that reports a 10.x.x.x address.
I can honestly say I don't believe I have ever seen such a thing.
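The ARP-table check suggested in the last two posts (is the 10.x hop a directly connected neighbour, and what vendor prefix does the gateway's MAC carry?) can be scripted against the `arp -a` output pfSense prints. This is an added example written for this thread, not code from pfSense or from any poster. The sample table is constructed in the same FreeBSD format as the one posted above: the host names and the last three octets of each MAC are made up, the interface names em0/em1 and the 00:26:99 prefix (reported by the lookup site as Cisco Systems) come from the thread.

```python
import re

# Constructed sample in the FreeBSD 'arp -a' layout pfSense prints.  Host
# names, IPs and the trailing MAC octets are invented; em0 is WAN, em1 is LAN
# as in the thread, and 00:26:99 is the gateway prefix the thread looked up.
SAMPLE_ARP = """\
pfsense.localdomain (192.168.1.1) at 54:be:f7:01:02:72 on em1 permanent [ethernet]
? (192.168.1.152) at 6c:f0:49:ce:8a:8d on em1 expires in 1195 seconds [ethernet]
? (192.168.1.120) at 54:26:96:35:d8:ef on em1 expires in 1158 seconds [ethernet]
ip68-105-0-2.cox.net (68.105.0.2) at 54:be:f7:01:02:71 on em0 permanent [ethernet]
ip68-105-0-1.cox.net (68.105.0.1) at 00:26:99:aa:bb:cc on em0 expires in 1199 seconds [ethernet]
"""

ARP_RE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<iface>\S+) "
    r"(?P<state>permanent|expires in \d+ seconds)",
    re.IGNORECASE,
)


def parse_arp(text):
    """Map IP -> {host, mac, iface, permanent} for every line that parses."""
    entries = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if not m:
            continue
        entries[m.group("ip")] = {
            "host": m.group("host"),
            "mac": m.group("mac").lower(),
            "iface": m.group("iface"),
            # 'permanent' entries are the box's own interface addresses.
            "permanent": m.group("state") == "permanent",
        }
    return entries


def oui(mac):
    """First three octets of a MAC: the part vendor-lookup sites key on."""
    return ":".join(mac.lower().split(":")[:3])


def own_addresses(entries):
    """The router's own addresses (permanent entries), sorted as strings."""
    return sorted(ip for ip, e in entries.items() if e["permanent"])


def neighbours(entries, iface):
    """Learned (non-permanent) entries on one interface; on WAN this is the gateway."""
    return {ip: e for ip, e in entries.items() if e["iface"] == iface and not e["permanent"]}


def locate(ip, entries):
    """Where a hop sits relative to this box, as a (kind, iface, oui) triple.

    kind is 'self', 'on-link' or 'beyond-gateway'.  A hop that answers ping
    but never shows up in the ARP table was reached via the gateway's MAC, so
    it is not on any directly connected segment.
    """
    e = entries.get(ip)
    if e is None:
        return ("beyond-gateway", None, None)
    if e["permanent"]:
        return ("self", e["iface"], None)
    return ("on-link", e["iface"], oui(e["mac"]))


if __name__ == "__main__":
    table = parse_arp(SAMPLE_ARP)
    print("own:", own_addresses(table))
    print("WAN neighbours:", {ip: oui(e["mac"]) for ip, e in neighbours(table, "em0").items()})
    print("10.175.0.1:", locate("10.175.0.1", table))
```

Feed it the real `arp -a` output right after pinging the 10.x hop from pfSense: if the hop is absent from the table while the 68.x gateway is present, the hop is behind that gateway, which is the situation the thread ends up describing.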
-
Again, this is the cable company CMTS: http://en.wikipedia.org/wiki/Cable_modem_termination_system
It's not that rare. Doing a traceroute over a Charter or Comcast connection will show a 10.x.x.x IP as well.
-
"Doing a traceroute over a Charter or Comcast connection will show a 10.x.x.x IP as well."
No, not really - I am on Comcast, and as you see there is no 10.x in my trace.
See hop 2, the next hop after my pfSense box:
;; ANSWER SECTION:
xx.xx.13.24.in-addr.arpa. 7194 IN PTR c-24-13-xx-xx.hsd1.il.comcast.net.
NetRange: 24.0.0.0 - 24.15.255.255
CIDR: 24.0.0.0/12
OrgName: Comcast Cable Communications, Inc.
-
I've seen it on some Comcast connections in the past. Here is mine (Charter):
Tracing route to 8.8.8.8 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  10.1.16.1
  2     8 ms     7 ms     8 ms  10.216.96.1
  3    11 ms    10 ms     9 ms  96.34.70.34
  4    13 ms    10 ms     9 ms  96.34.70.116
...
-
Your first hop is 10, which is local with that <1ms response time, and then your second hop is also 10..
So you're saying your router (pfSense/other) shows a public IP on it like his and mine, 68.x and my 24.x, or does yours have a 10.x.x.x something where the mask puts it in the same network as your hop 3 10.216.96.1?
What you're showing makes sense, with NAT to public happening between hop 2 and 3.
What doesn't make sense in his setup is he has a public IP showing a public gateway – but a 10.x in the middle. Your trace looks like a typical double NAT setup to me..
-
My router (pfSense) is 10.1.16.1. My first hop outside of my network is 10.216.96.1 which is the CMTS interface (Charter).
-
No, 10.1.16 is the LAN of your pfSense - what is the WAN of your pfSense? Is it 10.216, or something public like my 24.x or his 68.x?
Your router's WAN IP would never be shown in a hop, unless tracing inbound to your IP.
-
My WAN IP is 68.186.x.x which of course isn't shown on an outbound tracert.