Netgate Discussion Forum
    Why outgoing LAN being blocked?

    Firewalling
    39 Posts 7 Posters 12.7k Views
      phil.davis

      Good that the latency is better now. Next you probably want to understand what the 10.x.x.x address is about. As JohnPoz said, there is no need to hide those as it is private address space and no-one can find you using "10" addresses.
      What is your WAN IP and WAN gateway addresses?
      (Status->Interfaces should tell you what addresses the WAN was given)
      Most likely they are 10.x.x.x and that just means your cable modem is in router mode rather than bridge mode.

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        johnpoz LAYER 8 Global Moderator

        Well if that is your model number, it is just a cable modem. I don't see anywhere in its docs talking about NAT..  So if you're seeing a 10.x.x.x as your next hop.. your ISP is doing it..

        Again 10.x.x.x is PRIVATE its NOT routeable on the internet..

        http://en.wikipedia.org/wiki/Private_network

        Normally in a cable connection - I have a SB6120 cable modem - my pfsense gets a public IP address 24.13.x.x – this is owned by comcast.

        whois 24.13.0.0
        NetRange:      24.0.0.0 - 24.15.255.255
        CIDR:          24.0.0.0/12
        NetName:        EASTERNSHORE-1
        NetHandle:      NET-24-0-0-0-1
        Comment:        ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
        RegDate:        2003-10-06
        Updated:        2012-03-02
        Ref:            http://whois.arin.net/rest/net/NET-24-0-0-0-1
        OrgName:        Comcast Cable Communications, Inc.

        Look up 10.x.x.x

        whois 10.0.0.0
        NetRange:      10.0.0.0 - 10.255.255.255
        CIDR:          10.0.0.0/8
        OriginAS:
        NetType:        IANA Special Use
        NetName:        PRIVATE-ADDRESS-ABLK-RFC1918-IANA-RESERVED

        Comment:        These addresses are in use by many millions of independently operated networks, which might be as small as a single computer connected to a home gateway, and are automatically configured in hundreds of millions of devices.  They are only intended for use within a private context  and traffic that needs to cross the Internet will need to use a different, unique address.

        Comment:        These addresses can be used by anyone without any need to coordinate with IANA or an Internet registry.  The traffic from these addresses does not come from ICANN or IANA.  We are not the source of activity you may see on logs or in e-mail records.  Please refer to http://www.iana.org/abuse/answers

        So just like pfsense NATs your private range on your private side to what is normally a public address, pfsense is natting yours to your 10.x.x.x address, then your ISP HAS to change it again to some routeable address on the internet, or sites you try to go to would not be able to talk back to you - since they can not talk to a 10.x.x.x address

        If your ISP has no idea why you have a 10.x.x.x address you should really call them back and ask to talk to someone that does know ;)  Unless they are doing a 1:1 nat to what your public address is - it's not possible for you to allow for unsolicited traffic behind a nat.. Port Forwards, maybe that's something you're ok with?  Maybe they do 1:1 but that seems utterly pointless for them to do.

        But your connections should be much better now ;) with nice low ping time to your gateway..  Internet must be much better!

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          SixXxShooTeR

          @phil.davis:

          Good that the latency is better now. Next you probably want to understand what the 10.x.x.x address is about. As JohnPoz said, there is no need to hide those as it is private address space and no-one can find you using "10" addresses.
          What is your WAN IP and WAN gateway addresses?
          (Status->Interfaces should tell you what addresses the WAN was given)
          Most likely they are 10.x.x.x and that just means your cable modem is in router mode rather than bridge mode.

          My external IP and Gateway IP match except for the last octet, they aren't 10.x.x.x but start with 68.x.x.x

            johnpoz LAYER 8 Global Moderator

            @SixXxShooTeR:

            My external IP and Gateway IP match except for the last octet, they aren't 10.x.x.x but start with 68.x.x.x

            And how is that since your first hop is 10.x.x.x

            So on pfsense what does it show for your wan interface?

            Sorry, your hop shows you talking to a 10 address.. it's not possible for a 68.x.x.x address to talk to a 10 address directly.. If you have a 68 address on pfsense, I am at a complete loss to how a 10 address would show up in your trace.

            wanipaddress.png


              SixXxShooTeR

              @johnpoz:

              @SixXxShooTeR:

              My external IP and Gateway IP match except for the last octet, they aren't 10.x.x.x but start with 68.x.x.x

              And how is that since your first hop is 10.x.x.x

              So on pfsense what does it show for your wan interface?

              Sorry, your hop shows you talking to a 10 address.. it's not possible for a 68.x.x.x address to talk to a 10 address directly.. If you have a 68 address on pfsense, I am at a complete loss to how a 10 address would show up in your trace.

              This is what mine is showing.

              WAN.png

                phil.davis

                Well, that is completely wacky. If you are still getting 10.x.x.x appearing early in your traceroute (from pfSense and/or a LAN client) then look in config.xml:
                Diagnostics->Edit
                /cf/conf/config.xml
                Search for "10."
                and Diagnostics->Routes - what is the default route?
                Is there some VPN server and client that connects to itself and routes around in a loop to make that bonus hop, or what???


                  SixXxShooTeR

                  @phil.davis:

                  Well, that is completely wacky. If you are still getting 10.x.x.x appearing early in your traceroute (from pfSense and/or a LAN client) then look in config.xml:
                  Diagnostics->Edit
                  /cf/conf/config.xml
                  Search for "10."
                  and Diagnostics->Routes - what is the default route?
                  Is there some VPN server and client that connects to itself and routes around in a loop to make that bonus hop, or what???

                  Hey Phil,

                  I did as you asked and looked in the config.xml file, I pasted it into Word and ran a search for anything matching "10".. It didn't come back with any 10.x.x.x. I also looked through the file without the search function and didn't notice anything.

                  The IPv4 routing tables don't have any 10.x.x.x addresses listed. The default Gateway is 68.105.x.1, as it is for 8.8.4.4 and 8.8.8.8

                  Ran traceroute again, it's still showing the 10.x.x.x as the first hop.

                  I have Private Internet Access configured on my PC but that is the only VPN I use and it is almost always disconnected. Running traceroute on my PC the first hop is 192.168.1.1 and the 2nd is 10.x.x.x

                  I do appreciate the help from both you and John, if nothing else I am learning a lot from this!

                  traceroute.png

                    johnpoz LAYER 8 Global Moderator

                    I don't recall ever seeing anything like this before.

                    On pfsense check the mac of that 10 address if you can – we should then be able to figure out what hardware it is, maybe it's your "modem" device..  Very strange!!

                    So in pfsense ping that hop directly 10.175.0.1 and then look in your arp table on pfsense with arp -a, do you see it listed..  What are the first 3 numbers at least and we can look them up via websites like this

                    http://www.coffer.com/mac_find/


                      swinn

                      The 10.x.x.x IP is his cable company's CMTS.

                        SixXxShooTeR

                        @johnpoz:

                        I don't recall ever seeing anything like this before.

                        On pfsense check the mac of that 10 address if you can – we should then be able to figure out what hardware it is, maybe it's your "modem" device..  Very strange!!

                        So in pfsense ping that hop directly 10.175.0.1 and then look in your arp table on pfsense with arp -a, do you see it listed..  What are the first 3 numbers at least and we can look them up via websites like this

                        http://www.coffer.com/mac_find/

                        I pinged 10.175.0.1 and got a response but under Diagnostics -> ARP Table, or when using arp -a, I don't see any 10.x.x.x

                        $ arp -a
                        pfsense.localdomain (192.168.1.1) at 54:be:f7:X:X:72 on em1 permanent [ethernet]
                        ? (192.168.1.152) at 6c:f0:49:ce:8a:8d on em1 expires in 1195 seconds [ethernet]
                        ? (192.168.1.120) at 54:26:96:35:d8:ef on em1 expires in 1158 seconds [ethernet]
                        ? (192.168.1.125) at 00:11:32:1a:a0:6e on em1 expires in 1039 seconds [ethernet]
                        ? (192.168.1.188) at d4:3d:7e:18:94:ad on em1 expires in 1038 seconds [ethernet]
                        ip68-105-X-X.cox.net (68.105.X.X) at 54:be:f7:X:X:71 on em0 permanent [ethernet]
                        ip68-105-X-1.cox.net (68.105.X.1) at 00:26:99:X:X:X on em0 expires in 1199 seconds [ethernet]

                        I did search the MAC address belonging to the Gateway IP with the site you linked and it returned 2 results:

                        Cisco Systems
                        Prefix: 00:26:99

                          johnpoz LAYER 8 Global Moderator

                          Can you run, under diag on pfsense, a capture on your wan interface and then ping it and capture the traffic.  Then we can see its mac in the wire capture..  Then compare its mac to the mac of your isp router at the 68.

                          Once you have the capture you can download it into wireshark and see the mac.. Maybe it's the same as your isp router?  Very odd how you get a hop between pfsense and its gateway that reports a 10.x.x.x address.

                          I can honestly say I don't believe I have ever seen such a thing.


                            swinn

                            Again, this is the cable company CMTS: http://en.wikipedia.org/wiki/Cable_modem_termination_system

                            It's not that rare. Doing a traceroute over a Charter or Comcast connection will show a 10.x.x.x IP as well.

                              johnpoz LAYER 8 Global Moderator

                              "Doing a traceroute over a Charter or Comcast connection will show a 10.x.x.x IP as well."

                              No not really - I am on comcast, and as you see there is no 10.x in my trace.

                              See hop 2, next hop after my pfsense box

                              ;; ANSWER SECTION:
                              xx.xx.13.24.in-addr.arpa. 7194  IN      PTR    c-24-13-xx-xx.hsd1.il.comcast.net.

                              NetRange:      24.0.0.0 - 24.15.255.255
                              CIDR:          24.0.0.0/12
                              OrgName:        Comcast Cable Communications, Inc.

                              tracecomcast.png


                                swinn

                                I've seen it on some Comcast connections in the past. Here is mine (Charter):

                                Tracing route to 8.8.8.8 over a maximum of 30 hops
                                
                                  1    <1 ms    <1 ms    <1 ms  10.1.16.1
                                  2     8 ms     7 ms     8 ms  10.216.96.1
                                  3    11 ms    10 ms     9 ms  96.34.70.34
                                  4    13 ms    10 ms     9 ms  96.34.70.116
                                ...
                                
                                  johnpoz LAYER 8 Global Moderator

                                  Your first hop is 10, which is local with that <1ms response time, and then your second hop is also 10..

                                  So you're saying your router (pfsense/other) shows a public IP on it like his and mine, 68.x and my 24.x, or does yours have a 10.x.x.x something on it where the mask puts it in the same network as your hop 3 10.216.96.1

                                  What you're showing makes sense, where nat to public is happening between hop 2 and 3.

                                  What doesn't make sense in his setup is he has a public IP with a public gateway – but a 10.x in the middle.  Your trace looks like a typical double nat setup to me..


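The distinction johnpoz is drawing here (a private next hop because the WAN address is itself private and gets NATed again upstream, versus a private hop showing up between a public WAN address and its public gateway) is easy to check mechanically. The script below is an added example, not code from any poster or from pfSense: it parses Unix traceroute or Windows tracert output and relates the hops to what Status > Interfaces reports for the WAN address, mask and gateway. The sample traces are constructed from the ones in this thread with RFC 5737 documentation addresses (203.0.113.x, 198.51.100.x) in place of the posters' masked ISP addresses; the 100.64.0.0/10 carrier-grade NAT range is an assumption beyond the thread, added because it produces the same picture on a trace.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# RFC 1918 private space, the ranges described by the whois output quoted in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space (carrier-grade NAT). Not mentioned in the thread; an
# assumption added because an ISP using it shows the same "private next hop" on a trace.
SHARED = ipaddress.ip_network("100.64.0.0/10")

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")                # "<hop number> <rest of line>"
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")   # first dotted quad on the line


@dataclass
class Hop:
    number: int
    address: Optional[ipaddress.IPv4Address]  # None when the hop only printed "* * *"


def parse_trace(text: str) -> List[Hop]:
    """Parse Unix traceroute or Windows tracert output; header and blank lines are skipped."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        ip_m = IPV4_RE.search(m.group(2))
        addr = ipaddress.IPv4Address(ip_m.group(1)) if ip_m else None
        hops.append(Hop(int(m.group(1)), addr))
    return hops


def address_space(addr: ipaddress.IPv4Address) -> str:
    """Classify with explicit ranges; ipaddress.is_private would also flag documentation space."""
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    if addr in SHARED:
        return "shared"
    return "public"


def verdict(r: Dict[str, Any]) -> str:
    if r["wan_space"] != "public":
        return "double-nat"                  # WAN address is private: modem or ISP NATs again upstream
    if r["private_hops_before_gateway"]:
        return "private-transit-hop"         # an ISP-side device answers before the gateway does
    if r["gateway_hop"] is None:
        return "gateway-not-seen"            # compare with Status > Interfaces and Diagnostics > Routes
    if not r["gateway_in_wan_subnet"]:
        return "gateway-outside-wan-subnet"  # the WAN mask is probably wrong
    return "normal"


def analyze(wan_ip: str, prefix_len: int, gateway: str, trace: str,
            lan_gateway: Optional[str] = None) -> Dict[str, Any]:
    """Relate a trace to the WAN address, mask and gateway pfSense reports.

    The thread's reasoning: the WAN address never shows up as a hop on an outbound trace,
    the hop after the local router should be the WAN gateway and sit inside the WAN subnet,
    and an RFC 1918 hop before that gateway is not something that comes from config.xml.
    """
    wan = ipaddress.ip_interface(f"{wan_ip}/{prefix_len}")
    gw = ipaddress.IPv4Address(gateway)
    skip = {ipaddress.IPv4Address(lan_gateway)} if lan_gateway else set()  # hop 1 from a LAN client
    r: Dict[str, Any] = {
        "wan_space": address_space(wan.ip),
        "gateway_in_wan_subnet": gw in wan.network,
        "gateway_hop": None,
        "private_hops_before_gateway": [],
    }
    for hop in parse_trace(trace):
        if hop.address is None or hop.address in skip:
            continue
        if hop.address == gw:
            r["gateway_hop"] = hop.number
            break
        if address_space(hop.address) != "public":
            r["private_hops_before_gateway"].append(str(hop.address))
    r["verdict"] = verdict(r)
    return r


# Constructed samples modelled on the traces posted in the thread; public addresses use
# RFC 5737 documentation ranges in place of the posters' partially masked ISP addresses.
TRACE_PRIVATE_HOP = """traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.1.1  1.726 ms  1.603 ms  1.557 ms
 2  10.175.0.1  9.180 ms  9.072 ms  9.311 ms
 3  203.0.113.1  12.004 ms  11.871 ms  12.230 ms
"""
TRACE_DOUBLE_NAT = """Tracing route to 8.8.8.8 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.1.16.1
  2     8 ms     7 ms     8 ms  10.216.96.1
  3    11 ms    10 ms     9 ms  198.51.100.34
"""
TRACE_NORMAL = """traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.1.253  1.726 ms  1.603 ms  1.557 ms
 2  203.0.113.1  19.559 ms  20.384 ms  38.945 ms
 3  * * *
 4  198.51.100.149  19.922 ms  19.911 ms  19.906 ms
"""

if __name__ == "__main__":
    print(analyze("203.0.113.40", 24, "203.0.113.1", TRACE_PRIVATE_HOP, lan_gateway="192.168.1.1"))
    print(analyze("10.216.96.57", 20, "10.216.96.1", TRACE_DOUBLE_NAT, lan_gateway="10.1.16.1"))
    print(analyze("203.0.113.40", 24, "203.0.113.1", TRACE_NORMAL, lan_gateway="192.168.1.253"))
```

Run from a LAN client, pass the router's LAN address as lan_gateway so hop 1 is ignored; run from pfSense itself, leave it out. The first sample reproduces the situation in this thread (public WAN, public gateway, a 10.x hop in between), the second is a WAN that is itself in 10/8, and the third is a trace like johnpoz's where hop 2 is the gateway inside the WAN subnet.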
                                    swinn

                                    My router (pfSense) is 10.1.16.1. My first hop outside of my network is 10.216.96.1 which is the CMTS interface (Charter).

                                      johnpoz LAYER 8 Global Moderator

                                      No, 10.1.16 is your LAN of pfsense - what is the WAN of your pfsense?  Is it 10.216 or say something public like my 24.x or his 68.x

                                      Your router's WAN ip would never be shown in a hop.  Unless tracing inbound to your IP.


                                        swinn

                                        My WAN IP is 68.186.x.x which of course isn't shown on an outbound tracert.

                                          SixXxShooTeR

                                          @johnpoz:

                                          Can you run, under diag on pfsense, a capture on your wan interface and then ping it and capture the traffic.  Then we can see its mac in the wire capture..  Then compare its mac to the mac of your isp router at the 68.

                                          Hi John, can you please clarify the process of running an under diag on pfSense? On pfSense I would go to "Diagnostics -> Packet Capture"? I apologize if that is incorrect, this is all still somewhat new to me.

                                          I got this when I ran a packet capture on the WAN interface and used that 10.x (found in my tracert) as the Host Address->

                                          "IP 10.175.0.1.67 > 255.255.255.255.68: UDP, length 300".

                                          When I opened that packet capture in WireShark and looked for the MAC address I found ->

                                          "Ethernet II, Src: Cisco_X:X:X (00:26:99:X:X:X), Dst: Broadcast (ff:ff:ff:ff:ff:ff)".

                                          The arp -a showed that "ip68-105-X-1.cox.net (68.105.X.1) at 00:26:99:X:X:X on em0 expires in 1199 seconds [ethernet]"

                                          Under the Bootstrap Protocol section for the DHCP ACK it's showing the Client MAC Address as "Motorola" prefix 00:0b:06.

                                          Under the same section, but for the DHCP Offer, it's showing the Client MAC Address as "Cisco" prefix 00:22:6b.

                                            johnpoz LAYER 8 Global Moderator

                                            "My WAN IP is 68.186.x.x which of course isn't shown on an outbound tracert."

                                            And how exactly does a 68.186 address talk to a 10.x address?  And what exactly does pfsense say your gateway address is?

                                            Where is anything close to 68.186?

                                            1    <1 ms    <1 ms    <1 ms  10.1.16.1
                                              2    8 ms    7 ms    8 ms  10.216.96.1
                                              3    11 ms    10 ms    9 ms  96.34.70.34

                                            Your trace makes NO sense if you're saying pfsense shows your public IP as 68.186.x.x

                                            Notice in my trace..

                                            traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
                                            1  192.168.1.253  1.726 ms  1.603 ms  1.557 ms
                                            2  24.13.xx.1  19.559 ms  20.384 ms  38.945 ms
                                            3  68.85.131.149  19.922 ms  19.911 ms  19.906 ms

                                            Where my wan IP is 24.13.x.x with a /21 mask - and when I trace I show the hop my router talked to next – in the same network as I'm actually IN..  ie 24.13.x.x/21

                                            You are looking at dhcp packets - no, you want icmp in the dropdown of the packet capture.. And ping the 10.175.0.1 address from a client..  And only capture stuff to 10.175.0.1

                                            See where I use 8.8.8.8 use that 10.175.0.1 address you see in your trace

                                            capture.png


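The check johnpoz is asking for in the last two posts, comparing the source MAC of frames that answer for 10.175.0.1 with the MAC in the gateway's ARP entry, can be done offline on the text pfSense's Packet Capture page and `arp -a` produce. This is an added example, not code from any poster or from pfSense. The `arp -a` lines and the Wireshark "Ethernet II" summary are constructed from the ones SixXxShooTeR posted, with the masked octets replaced by made-up values and the Cox addresses replaced by 203.0.113.x documentation addresses; the tiny OUI table holds only the three prefixes that were looked up in this thread, so anything else reports as unknown. It also flags the mistake johnpoz points out: a capture summary that shows UDP 67 > 68 (DHCP) rather than ICMP means the filter caught the wrong traffic.

```python
import re
from typing import Dict, Optional

# FreeBSD/pfSense `arp -a` line: "<host> (<ip>) at <mac> on <ifname> ..."
ARP_RE = re.compile(r"^(?P<host>\S+) \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) on (?P<ifname>\S+)", re.I)
# Wireshark frame summary: 'Ethernet II, Src: <name> (<mac>), Dst: <name> (<mac>)'
SRC_RE = re.compile(r"Src:\s*\S+\s*\((?P<mac>[0-9a-f:]{17})\)", re.I)
# tcpdump-style line as shown by Diagnostics > Packet Capture; ICMP is what we want to see.
ICMP_RE = re.compile(r"\bICMP\b", re.I)

# Constructed from the three prefixes looked up in the thread; a real check would use the
# IEEE registry or a lookup site such as the one johnpoz linked.
OUI_VENDOR = {"00:26:99": "Cisco Systems", "00:22:6b": "Cisco Systems", "00:0b:06": "Motorola"}


def oui(mac: str) -> str:
    """First three octets of a colon-separated MAC, lower-cased."""
    return mac.lower()[:8]


def vendor(mac: str) -> str:
    return OUI_VENDOR.get(oui(mac), "unknown")


def parse_arp(text: str) -> Dict[str, Dict[str, str]]:
    """Map each IP in `arp -a` output to its MAC and interface; incomplete entries are dropped."""
    table: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            table[m.group("ip")] = {"mac": m.group("mac").lower(), "ifname": m.group("ifname")}
    return table


def correlate(arp_text: str, gateway_ip: str, hop_ip: str,
              frame_line: str, capture_summary: str) -> Dict[str, object]:
    """Compare the MAC that sourced a frame from the 10.x hop with the gateway's ARP entry.

    The hop is not expected in the ARP table at all: it is outside the WAN subnet, so pfSense
    never ARPs for it and reaches it through the gateway's MAC. If the frames that answer for
    the hop carry that same MAC, one device on the ISP side is answering for both addresses.
    """
    arp = parse_arp(arp_text)
    src = SRC_RE.search(frame_line)
    hop_mac: Optional[str] = src.group("mac").lower() if src else None
    gw_mac: Optional[str] = arp.get(gateway_ip, {}).get("mac")
    return {
        "hop_in_arp_table": hop_ip in arp,
        "gateway_mac": gw_mac,
        "hop_mac": hop_mac,
        "same_mac": hop_mac is not None and hop_mac == gw_mac,
        "hop_vendor": vendor(hop_mac) if hop_mac else "unknown",
        "gateway_vendor": vendor(gw_mac) if gw_mac else "unknown",
        "captured_icmp": bool(ICMP_RE.search(capture_summary)),  # False: filter caught e.g. DHCP instead
    }


# Constructed sample input modelled on the thread's `arp -a` and Wireshark output.
ARP_SAMPLE = """\
pfsense.localdomain (192.168.1.1) at 54:be:f7:0a:0b:72 on em1 permanent [ethernet]
? (192.168.1.152) at aa:bb:cc:dd:ee:01 on em1 expires in 1195 seconds [ethernet]
wan.example.net (203.0.113.40) at 54:be:f7:0a:0b:71 on em0 permanent [ethernet]
gw.example.net (203.0.113.1) at 00:26:99:01:02:03 on em0 expires in 1199 seconds [ethernet]
"""
FRAME_SAMPLE = "Ethernet II, Src: Cisco_01:02:03 (00:26:99:01:02:03), Dst: 54:be:f7:0a:0b:71 (54:be:f7:0a:0b:71)"
CAPTURE_ICMP = "IP 10.175.0.1 > 203.0.113.40: ICMP echo reply, id 4711, seq 1, length 64"
CAPTURE_DHCP = "IP 10.175.0.1.67 > 255.255.255.255.68: UDP, length 300"

if __name__ == "__main__":
    print(correlate(ARP_SAMPLE, "203.0.113.1", "10.175.0.1", FRAME_SAMPLE, CAPTURE_ICMP))
    print(correlate(ARP_SAMPLE, "203.0.113.1", "10.175.0.1", FRAME_SAMPLE, CAPTURE_DHCP))
```

With the constructed input the result is the one the thread's capture pointed at: the 10.175.0.1 hop is absent from the ARP table, the frame answering for it carries the gateway's 00:26:99 MAC, and the DHCP summary is flagged as not being the ICMP capture johnpoz asked for.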
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.