    After updating WAN IP traffic does not route over the WAN interface anymore.

      Pantsaloons

      No, those are sanitized representations of my actual IP addresses.

      I suppose I could have used a better example but the IP addresses I am assigned are in public, not private space.

        Derelict LAYER 8 Netgate

        Well, without knowing what you're actually dealing with I don't know how we can help you.

        If you configure the WAN interface correctly, it will work.  Double check everything.  Address, netmask, gateway, etc.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          Pantsaloons

          Gateway as per my ISP
          WAN interface
          WAN status

          Out of frustration I re-installed pfSense and used the latest version 2.2, same issue with gateway showing offline and no traffic being routed externally on a barebones set up, nothing changed from the stock image aside from the above pics.

          If I put those exact same settings directly into my laptop it functions as intended.

          Is it possible it isn't translating the /24 to a 255.255.255.0 netmask somehow? I'm just pulling at straws here since I can't think what I am overlooking.

            Derelict LAYER 8 Netgate

            Nope.  This can be confirmed looking at ifconfig in the shell.

            When you test with the laptop are you taking the cable out of pfSense and plugging it into the laptop or plugging it in someplace else?

            You might want to talk to your ISP.  You might be looking at an ARP cache issue or something else on their end.

            This is a pretty simple config.

            Nothing in the firewall logs on WAN? With gateway monitoring you should be seeing an entry per second if there's a firewall problem (which there shouldn't be unless you have some floating rules on WAN direction out).

            I trust you have tried it without block bogons checked?  For now I would uncheck them both just to be sure, even though any hits would be logged, I think.

              Pantsaloons

              This is the output of ifconfig

              $ ifconfig
              em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
              	options=4209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
              	ether 18:03:73:c7:7c:06
              	inet6 fe80::1a03:73ff:fec7:7c06%em0 prefixlen 64 scopeid 0x1
              	inet XXX.XXX.XXX.XXX netmask 0xffffff00 broadcast XXX.XXX.XXX.XXX
              	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
              	media: Ethernet autoselect (100baseTX <full-duplex>)
              	status: active
              em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
              	options=4209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
              	ether 68:05:ca:27:30:24
              	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
              	inet6 fe80::1:1%em1 prefixlen 64 scopeid 0x2
              	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
              	media: Ethernet autoselect (1000baseT <full-duplex>)
              	status: active
              pflog0: flags=100<PROMISC> metric 0 mtu 33144
              pfsync0: flags=0<> metric 0 mtu 1500
              	syncpeer: 224.0.0.240 maxupd: 128 defer: on
              	syncok: 1
              lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
              	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
              	inet 127.0.0.1 netmask 0xff000000
              	inet6 ::1 prefixlen 128
              	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
              	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
              enc0: flags=0<> metric 0 mtu 1536
              	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

              When I test with my laptop I take it from the pfSense WAN port, plug it into my laptop's only ethernet port, configure the interface with the ISP provided values and I have full access.

              For firewall traffic I see nothing hitting the WAN, all LAN traffic only.

              I tried disabling both bogons and private rules and it didn't make a change.

              I've been at this with my ISP for 2 days and them having wiped their hands clean of this, do you know of a way I could conclusively prove this isn't something related to my firewall?

              btw, I appreciate you taking the time to go through all of this and help me.

                Derelict LAYER 8 Netgate

                Configure your laptop as the ISP default gateway (.254 instead of .130) and plug it into pfSense WAN.  Make sure the laptop allows inbound pings.  Does the gateway come up then?

                  Pantsaloons

                  Okay, so that is doing stuff!

                  When I do that I show actual data on the status and I see WAN traffic.

                  This should mean that something my ISP is doing is cocking it all up, correct?

                  I also see firewall traffic targeting the WAN port too.

                    Derelict LAYER 8 Netgate

                    It means that something between your pfSense WAN port and the ISP is hosed.

                    The modem?  The ISP?  The cabling? Something.  Not pfSense WAN.

                    If you have some sort of modem, put pfSense back on it, unplug the modem for a few, and plug it back in.  See if that helps.

                    I'm still suspecting ARP in the ISP switch.  Plug in pfSense, call them one more time, and have them tell you what MAC address is associated with .130.  If it is not 18:03:73:c7:7c:06, have them clear it and watch your WAN come up.

                    Or you could take the MAC address of your laptop and put it into pfSense WAN.  I'd do that as a last resort and if it works, make your ISP fix it so your hardware MAC works.

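Added example, not part of the thread: the checks discussed above can be read from the pfSense shell, namely that the /24 is applied as 0xffffff00, which MAC the ISP should have on record for .130, and whether the gateway answers ARP at all. The sample text is constructed (203.0.113.0/24 stands in for the sanitized WAN subnet) and the function names are this example's own.

```sh
#!/bin/sh
# Constructed sample data. 203.0.113.0/24 is a documentation range standing in
# for the sanitized WAN subnet; MACs and interface names are from the thread.
IFCONFIG_SAMPLE='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 18:03:73:c7:7c:06
    inet 203.0.113.130 netmask 0xffffff00 broadcast 203.0.113.255
    status: active'
ARP_SAMPLE='? (203.0.113.130) at 18:03:73:c7:7c:06 on em0 permanent [ethernet]
? (203.0.113.254) at (incomplete) on em0 expired [ethernet]
? (192.168.1.1) at 68:05:ca:27:30:24 on em1 permanent [ethernet]'

# Hex netmask as printed by ifconfig (0xffffff00) -> prefix length (24).
mask_to_prefix() {
    n=$(( ${1:-0} )); bits=0
    while [ "$n" -ne 0 ]; do
        bits=$(( bits + (n & 1) )); n=$(( n >> 1 ))
    done
    echo "$bits"
}

# ifconfig text on stdin -> "<mac> <prefixlen>" for the named interface.
iface_summary() {
    awk -v ifc="$1" '
        /^[^ \t]/ { cur = $1; sub(/:$/, "", cur) }
        cur == ifc && $1 == "ether" { mac = $2 }
        cur == ifc && $1 == "inet" && mask == "" { mask = $4 }
        END { print mac, mask }' | {
        read -r mac mask
        echo "$mac $(mask_to_prefix "$mask")"
    }
}

# `arp -an` text on stdin -> resolved:<mac>, incomplete (no ARP reply), or missing.
arp_state() {
    awk -v ip="($1)" '
        $2 == ip { s = ($4 == "(incomplete)") ? "incomplete" : "resolved:" $4
                   print s; found = 1; exit }
        END { if (!found) print "missing" }'
}

# On a live box: ifconfig | iface_summary em0 ; arp -an | arp_state <gateway IP>
echo "em0: $(printf '%s\n' "$IFCONFIG_SAMPLE" | iface_summary em0)"
echo "gateway ARP: $(printf '%s\n' "$ARP_SAMPLE" | arp_state 203.0.113.254)"
```

An `incomplete` gateway entry on an interface whose status is active means ARP requests are leaving the WAN port and no reply is coming back, which is evidence to hand the ISP alongside the MAC from `iface_summary`.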
                      Pantsaloons

                      Thank you so effing much!

                      Turns out that my modem has a cocked up firmware on it that has issues when bridging it.

                      After some work with the ISP I am online.

                      If possible I would like to send you something via PayPal as an appreciation; if you feel like accepting, PM me where I can send it to.

                      Thank you again!!!

                        Derelict LAYER 8 Netgate

                        Please donate whatever you feel is appropriate to the Electronic Frontier Foundation or FreeBSD Foundation.

                        Glad to help.

                          Pantsaloons

                          Consider it done!
