Strange WAN/LAN Issues with Readynas pfsense 2.2
-
Hi guys,
Just upgraded to pfsense 2.2, however since the upgrade my readynas is no longer able to connect to the internet. Even pinging the firewall fails and gets no response, details of the ping are below:
ReadyNas.1 > pfSense.254: ICMP echo request, id 31285, seq 1, length 64
20:41:14.977314 ReadyNas:5a > pfSense:b9, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
ReadyNas.1 > pfSense.254: ICMP echo request, id 31285, seq 2, length 64
20:41:15.818569 ReadyNas:5a > pfSense:b9, ethertype IPv4 (0x0800), length 67: (tos 0x0, ttl 64, id 29889, offset 0, flags [DF], proto UDP (17), length 53)
However everything else on the network appears to work correctly. To confirm this is all types of connections (UDP/TCP etc)
ReadyNas.1.52719 > pfSense.53: [udp sum ok] 49665+ A? plex.tv. (25)
20:41:15.975561 ReadyNas:5a > pfSense:b9, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
Any thoughts on what could be causing this? Firewall just doesn't respond to it in any way, there is a NAT address, but another box has a NAT and doesn't cause any issues.
Cheers
J
-
And can other devices ping pfsense? Do you have any rules on lan of pfsense that would block ping?
Is the do not frag set on that packet [DF]? Why would that be set? You could try setting
Clear invalid DF bits instead of dropping the packets
This allows for communications with hosts that generate fragmented packets with the don't fragment (DF) bit set. Linux NFS is known to do this. This will cause the filter to not drop such packets but instead clear the don't fragment bit.
In the pfsense advanced options firewall/nat
-
Hi there,
Yep nothing else having any issues at all (tested a second readynas, same issue) Here is the output from Laptop:
21:25:35.985266 Laptop:03 > pfSense:b4, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 128, id 13623, offset 0, flags [none], proto ICMP (1), length 60)
Laptop.190 > pfSense:254: ICMP echo request, id 1, seq 6569, length 40
21:25:35.985304 pfSense:b4 > 00:25:00:49:28:03, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 59943, offset 0, flags [none], proto ICMP (1), length 60)
pfSense:254 > Laptop.190: ICMP echo reply, id 1, seq 6569, length 40
21:25:37.000432 00:25:00:49:28:03 > pfSense:b4, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 128, id 13624, offset 0, flags [none], proto ICMP (1), length 60)
And another Scientific Linux box has no issue. Made the change Ignore DF and still not working. Just to confirm no rules set on Lan interface to block anything apart from IPv6 traffic, and tested Readynas on another IP from DHCP range and also made no difference. Very very strange indeed..
Thanks for your quick response, let me know any other thoughts and ideas, have been using pfSense since 1.2.1 (maybe earlier) and never had an issue like this before.
Cheers
J
-
Notice your laptop is not setting DF "flags [none]"
Why would readynas set DF on an ICMP echo request that is clearly a tiny packet ;)
-
LOL, that would involve me saying something about netgear taking over a great product… and erm... anyway we digress :)
-
To make you happy..
21:47:01.702827 ReadyNas:5a > pfSense:b9, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 26639, offset 0, flags [none], proto ICMP (1), length 84)
ReadyNas:1 > pfSense.254: ICMP echo request, id 27475, seq 13, length 64
21:47:02.042045 pfSense:b9 > 00:0c:29:02:b6:99, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60173, offset 0, flags [none], proto ICMP (1), length 84)
21:47:02.702837 ReadyNas:5a > pfSense:b9, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 26640, offset 0, flags [none], proto ICMP (1), length 84)
ReadyNas:1 > pfSense.254: ICMP echo request, id 27475, seq 14, length 64
However this doesn't pass any traffic :-(
-
Just to add fun to this, pfsense will pass traffic to the internet:
pfSenseWan210 > 8.8.8.8: ICMP echo request, id 4340, seq 1, length 64
22:04:52.865653 e8:e7:32:3d:f7:e2 > pfSenseWan, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 54, id 31084, offset 0, flags [none], proto ICMP (1), length 84)
8.8.8.8 > pfSenseWan210: ICMP echo reply, id 4340, seq 1, length 64
22:04:52.865682 pfSenseWan > e8:e7:32:3d:f7:e2, ethertype IPv4 (0x0800), length 70: (tos 0x0, ttl 64, id 57103, offset 0, flags [none], proto ICMP (1), length 56)
And gets a response back, but never passes that back to the Readynas..
J
-
So readynas pinged 8.8.8.8, pfsense sent that out wan got a response.. but you don't ever see the packet go out the lan interface back to readynas mac??
So you don't have any static arp stuff setup? Or any rules with specific gateways?
Enable Static ARP entries
Note: This option persists even if DHCP server is disabled. Only the machines listed below will be able to communicate with the firewall on this NIC.
-
Hangs head in shame and walks away… yes Enable Static arp was set.....
Can we all just delete this thread now?
-
Why should the thread be deleted, it gives an example of troubleshooting the problem.. You're sniffing and not seeing a response, etc. And then things to look at - like why was DF set, and final solution static arp.
What is odd, is did you enable static arp after the upgrade? And just forgot? Or removed the freenas mac for some other reason?? Was it enabled before the upgrade and didn't work??
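
An added example, not part of the original thread: a small Python check that automates the capture reading done above. It pairs ICMP echo requests with replies in `tcpdump -e -n -v` text and flags requests that never get a reply, or replies sent to a MAC other than the one the request came from, which is what to look for when the firewall's ARP table (for example static ARP entries) does not match the host. The function name, IPs and MACs are constructed for illustration.

```python
import re

# Link-layer header line as printed by `tcpdump -e -n -v`.
HDR = re.compile(r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4")
# Indented IP/ICMP detail line that follows each header.
ICMP = re.compile(r"^\s+(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo "
                  r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")

def audit_echo(capture):
    """Return (client_ip, (id, seq), problem) for each suspicious echo exchange."""
    requests, answered, findings, macs = {}, set(), [], None
    for line in capture.splitlines():
        h = HDR.match(line)
        if h:
            macs = (h["smac"], h["dmac"])
            continue
        m = ICMP.match(line)
        if not (m and macs):
            continue
        ident = (m["id"], m["seq"])
        if m["kind"] == "request":
            requests[(m["src"], m["dst"]) + ident] = macs[0]
        else:
            key = (m["dst"], m["src"]) + ident
            if key in requests:
                answered.add(key)
                if macs[1] != requests[key]:  # reply left for a different L2 address
                    findings.append((m["dst"], ident, "reply sent to " + macs[1]))
        macs = None
    findings += [(k[0], k[2:], "no reply seen") for k in requests if k not in answered]
    return findings

# Constructed sample capture (documentation IPs, made-up MACs), not from the thread.
HDR_TAIL = ", ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, proto ICMP (1), length 84)"
def pkt(ts, smac, dmac, src, dst, kind, seq):
    return f"{ts} {smac} > {dmac}{HDR_TAIL}\n    {src} > {dst}: ICMP echo {kind}, id 7, seq {seq}, length 64\n"

FW, LAPTOP, NAS, STALE = ("02:00:00:00:00:b4", "02:00:00:00:00:03",
                          "02:00:00:00:00:5a", "02:00:00:00:00:99")
SAMPLE = (pkt("21:25:35.1", LAPTOP, FW, "192.0.2.190", "192.0.2.254", "request", 1)
          + pkt("21:25:35.2", FW, LAPTOP, "192.0.2.254", "192.0.2.190", "reply", 1)
          + pkt("21:25:36.1", NAS, FW, "192.0.2.1", "192.0.2.254", "request", 1)
          + pkt("21:25:37.1", NAS, FW, "192.0.2.1", "192.0.2.254", "request", 2)
          + pkt("21:25:37.2", FW, STALE, "192.0.2.254", "192.0.2.1", "reply", 2))

if __name__ == "__main__":
    for finding in audit_echo(SAMPLE):
        print(finding)
```

The regular expressions expect full MAC and IP addresses, so the capture has to be taken with `-e -n`; the anonymised names in the posts above would not match.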