Netgate Discussion Forum

    Can ping to LAN but not Web Configurator

    • S
      SKT174

      I'm thinking whether it's those USB ethernet adapters that are causing it.  I'll see if I can try another brand and see if it makes any difference.

      • stephenw10S
        stephenw10 Netgate Administrator

        Hard to believe it would work with ICMP but not TCP.
        As Derelict said your client is not responding. This appears to be a client side issue. Yet you say you tried a different client? Different browser?

        Steve

        • DerelictD
          Derelict LAYER 8 Netgate

          You want to check that "Block private networks" is unchecked on your WAN interface.  I don't know if the installer does that by default if it detects a private WAN address.

          Is that wireshark capture a few messages back taken from the 192.168.1.100 windows client?  If so, you need to figure out why it is not sending an ACK in reply to the SYN,ACK sent by pfSense in the connection process before you waste any more time looking at pfSense.

          Or, as has been mentioned, USB ethernet interfaces: not a fan.  BUT if they're mucking up the works, it should show in the SYN,ACK captured by wireshark.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • ?
            Guest

            If you look at "Valid interfaces are" the answer is:

            Probably not…

            • DerelictD
              Derelict LAYER 8 Netgate

              Yeah.  More likely some software firewall or antivirus or ? on the windows pc.

              • johnpozJ
                johnpoz LAYER 8 Global Moderator

                You will notice that the connection just kind of dies.. Not only do you see retrans from pfsense you can see retrans from .100 to .1

                It is not answering dns queries either..

                Just to be complete - how you would verify the mac you're pinging is to look in your arp table on the .100 box

                So

                C:\>arp -a

                Interface: 192.168.1.100 --- 0xc
                  Internet Address      Physical Address      Type
                  169.254.7.80          00-26-24-08-8a-ed     dynamic
                  169.254.82.185        00-1c-c3-09-05-7a     dynamic
                  192.168.1.3           00-0c-29-c8-f2-dc     dynamic
                  192.168.1.7           00-0c-29-dd-02-ba     dynamic
                  192.168.1.8           00-0c-29-55-4f-95     dynamic
                  192.168.1.40          00-1f-29-54-17-14     dynamic
                  192.168.1.97          00-26-24-08-8a-ed     dynamic
                  192.168.1.98          00-1c-c3-09-05-7a     dynamic
                  192.168.1.99          00-06-dc-43-ad-78     dynamic
                  192.168.1.253         00-0c-29-1e-18-ae     static
                  192.168.1.255         ff-ff-ff-ff-ff-ff     static
                  224.0.0.22            01-00-5e-00-00-16     static
                  239.255.255.250       01-00-5e-7f-ff-fa     static

                You notice from my workstation that is the mac I saw on my ifconfig..

                Your sniff is odd.. You see 3 different connections to 80..  And yes you see the syn-ack back, but you never send ack?  And actually start the conversation..  And then you just see a bunch of retrans

                You see retrans from pfsense sending his syn-ack because he never got back the ack.. And you see .100 sending back his syn because seems he thinks he never got the syn-ack.

                Need to figure out why your client .100 did not send back ACK to the syn-ack he was clearly sent and seen by wireshark for the 3 different connections you tried to create to http (80)

                Do you have another client you can try?

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                • DerelictD
                  Derelict LAYER 8 Netgate

                  MACs will also be in your wireshark captures.

                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator

                    yeah in there it looks right

                    to where he is sending the request for 80

                    • DerelictD
                      Derelict LAYER 8 Netgate

                      Are these captures taken on .1 or .100?

                      It makes a difference because if from .1 we know the SYN-ACK was sent, but not that it was actually received.  If from .100 we know it was sent and received.

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator

                        Have to assume it is taken on .100

                        Since he states
                        "I've installed Wireshark and as soon as I go to the pfsense box (192.168.1.1) I get the RED text on Black shown in Wireshark"

                        I doubt he installed wireshark on the pfsense box ;)

                        • S
                          SKT174

                          Hi Guys

                          I wanted to isolate the problem, so I grabbed an old desktop, put an extra NIC in it and installed PFSense.

                          Notebook and cables are the same, the only difference here is the pfsense box.

                          Once installation finished

                          Everything works as it should, I can go to Web Configurator, I can access external internet.

                          So …

                          For some strange reason.. pfsense doesn't like those USB to NIC adapters, even though you can ping it.

                          So disappointed as I really want to use those Intel NUC for pfsense.

                          Thanks so much for the help, really appreciated.  :)

                          • K
                            kejianshi

                            Hey - I like your pfsense you made with the old computer.  That's not bad actually.
                            I bet it can handle whatever you need to throw at it also.

                            Low power and small is nice, but that one might be pretty trouble free also assuming you can blow out the fans every 6 months or so.

                            Not sure what's up with the USB NICs - It crossed my mind that they may not be getting enough power from the usb port?
                            Not sure?

                            • stephenw10S
                              stephenw10 Netgate Administrator

                              The USB NICs certainly look like the issue then. Weird that you can ping just fine though.
                              Not sure why we haven't suggested this before but try disabling any hardware offloading options. Looking back at your ifconfig output the nics both claim to support checksum offloading. If that's not working I guess it would explain it.

                              Steve

                              • S
                                SKT174

                                How do I disable hardware offloading?

                                I'm willing to give it a try  :)

                                • DerelictD
                                  Derelict LAYER 8 Netgate

                                  System: Advanced: Networking

                                  • stephenw10S
                                    stephenw10 Netgate Administrator

                                    Not helpful when you can't access the webgui.  ;)
                                    You could maybe edit the config file. There's probably a way to do this from the developer shell, but I'm not sure what it might be.
                                    You can probably do it temporarily from the command line. Something like:

                                    ifconfig ue1 -txcsum -rxcsum
                                    

                                    I imagine that will get reverted when the config is reloaded though.

                                    Steve

                                    • DerelictD
                                      Derelict LAYER 8 Netgate

                                      Duh.  Catch 22.

                                      Those CLI changes might not stick but if they work the GUI should be accessible and the permanent changes saved.

                                      • C
                                        cgehring

                                        @stephenw10:

                                        Not helpful when you can't access the webgui.  ;)
                                        You could maybe edit the config file. There's probably a way to do this from the developer shell, but I'm not sure what it might be.
                                        You can probably do it temporarily from the command line. Something like:

                                        ifconfig ue1 -txcsum -rxcsum
                                        

                                        I imagine that will get reverted when the config is reloaded though.

                                        Steve

                                        I happened to be doing the exact same config (Love the Intel NUC!!!).  I was also using two USB NICs, and had the exact same issue.  Disabling checksum offloading as shown above fixed it!!!!

                                        Thank you!

                                        1 Reply Last reply Reply Quote 0
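
Added example, not written by any poster in this thread: a capture on the client shows the SYN-ACK arriving, yet the client never ACKs it, which is what a segment with an invalid TCP checksum looks like, since the capture records the frame while the receiving stack discards it. This Python sketch verifies the TCP checksum of a constructed SYN-ACK between the thread's two addresses; the ports, sequence numbers and the assumption that the faulty offload left the checksum field uncompleted are illustrative and not taken from the poster's capture.

```python
import ipaddress
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP/TCP/UDP checksums."""
    if len(data) % 2:
        data += b"\x00"          # pad odd-length input with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:           # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero byte, protocol 6 (TCP), TCP length."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BBH", 0, 6, tcp_len))

def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Value a sender must place in bytes 16-17 of the TCP header."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    total = ones_complement_sum(pseudo_header(src, dst, len(zeroed)) + zeroed)
    return ~total & 0xFFFF

def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """True if the receiver's TCP stack would accept this checksum."""
    total = ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment)
    return total == 0xFFFF

def build_syn_ack(sport: int, dport: int, seq: int, ack: int, csum: int) -> bytes:
    """Constructed 20-byte TCP header with SYN+ACK (0x12) set, no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, 0x12, 65535, csum, 0)

# Constructed sample: pfSense (.1, port 80) answering the client (.100).
SRC, DST = "192.168.1.1", "192.168.1.100"
# Assumption: the NIC never completed the checksum field (0 as a stand-in).
unfilled = build_syn_ack(80, 50000, 1000, 2001, 0)
# Same segment with the checksum computed in software, as after -txcsum.
good = build_syn_ack(80, 50000, 1000, 2001, tcp_checksum(SRC, DST, unfilled))

if __name__ == "__main__":
    for name, seg in (("software checksum", good), ("unfilled checksum", unfilled)):
        verdict = "accepted" if tcp_checksum_ok(SRC, DST, seg) else "dropped by receiver"
        print(f"SYN-ACK with {name}: {verdict}")
```

Feeding `tcp_checksum_ok` the TCP bytes of a real captured SYN-ACK gives the same verdict the client's stack reached.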
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.