Internet Connection Icon
-
I am running pfSense 2.3 in an ESXi VM, everything is working fine except local PCs show the yellow triangle exclamation mark, which indicates there is no internet connection. However the internet is connected. This yellow triangle icon is sometimes on and sometimes off, so I don't understand why this happens?
I had pfSense 2.2.6 running for about a couple of weeks before the 2.3, and I don't remember this happening.
Does anyone see this happen on their PC?
-
Nope.
-
I've seen this in the past when running versions 2.2.x. Didn't know that it was pfSense causing it, but so far haven't noticed it with version 2.3 except when 2.3 has its random LAN interface issues causing things to go haywire.
-
That is Windows checking if it has internet connectivity per its own methods.. While sure you could block its methods, it really has nothing to do with internet connectivity.. Just MS network awareness either working or not working how it's designed. It tries to resolve an external name via DNS query so yeah if that is failing then you would have Windows giving you errors about its internet connectivity.
in a nutshell
NCSI performs a DNS lookup on www.msftncsi.com, then requests http://www.msftncsi.com/ncsi.txt. This file is a plain-text file and contains only the text Microsoft NCSI. NCSI sends a DNS lookup request for dns.msftncsi.com. This DNS address should resolve to 131.107.255.255. If the address does not match, then it is assumed that the internet connection is not functioning correctly.

> dig dns.msftncsi.com

; <<>> DiG 9.10.4 <<>> dns.msftncsi.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58647
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns.msftncsi.com.              IN      A

;; ANSWER SECTION:
dns.msftncsi.com.       30      IN      A       131.107.255.255

;; Query time: 41 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Sun May 08 10:35:35 Central Daylight Time 2016
;; MSG SIZE  rcvd: 61
Here is some info http://blog.superuser.com/2011/05/16/windows-7-network-awareness/ while this might have had some slight changes to its functionality in newer versions of Windows, still overall same thing - Windows checks if it can look up something, checks if it can get something after looking it up. If part of that fails or all of it then Windows will tell you it has no internet access even though you might just have a proxy up, or captive portal blocking its DNS and/or check of connectivity. Or something wrong with DNS where Windows is trying to resolve.
There is nothing in pfSense out of the box that would mess with this… But sure running a proxy, running something like snort or pfblocker or etc.. in packages or making changes to your firewall rules that might block what it's trying to do for sure could prevent the Microsoft system from working out it really has internet access..
Here is a good read on the subject as well
https://technet.microsoft.com/en-us/library/ee126135%28WS.10%29.aspx
-
Thank you for the explanation, after further digging I found out DNSBL was the issue. I suppressed a couple of blocked domains and it looks like the yellow triangle icon has gone away.
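The NCSI steps described above (resolve dns.msftncsi.com and expect 131.107.255.255, then fetch http://www.msftncsi.com/ncsi.txt and expect the text "Microsoft NCSI") are easy to reproduce from a LAN host, which is a faster way to find out whether DNSBL, a proxy or a firewall rule is the step that breaks, as this poster eventually did. The script below is an added example written for this thread, not code from pfSense, pfBlockerNG or Microsoft. The resolver and HTTP fetcher are injectable so the decision logic can be exercised offline; the sinkhole address and the captive-portal body used in the demonstration are constructed sample values, not captured from a real network.

```python
"""Reproduce the Windows NCSI probe and say which step fails.

Added example for this thread; not pfSense/pfBlockerNG/Microsoft code. The probe
steps follow the quoted NCSI description: A lookup of dns.msftncsi.com must
return 131.107.255.255, then GET http://www.msftncsi.com/ncsi.txt must contain
"Microsoft NCSI". Resolver and fetcher are callables so the logic runs offline.
"""
import socket
import urllib.request
from typing import Callable, Dict, Optional

NCSI_DNS_NAME = "dns.msftncsi.com"
NCSI_EXPECTED_IP = "131.107.255.255"
NCSI_URL = "http://www.msftncsi.com/ncsi.txt"
NCSI_EXPECTED_BODY = "Microsoft NCSI"

Resolver = Callable[[str], Optional[str]]
Fetcher = Callable[[str], Optional[str]]


def system_resolve(name: str) -> Optional[str]:
    """Resolve an A record through the host's configured resolver (pfSense on this LAN)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None  # NXDOMAIN / SERVFAIL: DNSBL returning nothing, or DNS broken


def http_fetch(url: str) -> Optional[str]:
    """Plain HTTP GET, the same kind of request NCSI makes."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.read().decode("ascii", "replace")
    except Exception:
        return None


def evaluate_ncsi(resolve: Resolver, fetch: Fetcher) -> Dict[str, Optional[object]]:
    """Run the two NCSI checks in order and name the first failing step.

    'dns-mismatch' is the DNSBL signature: the name resolves, but to the
    sinkhole web server instead of 131.107.255.255. 'http-body-mismatch' is
    what a captive portal or proxy splash page produces.
    """
    answer = resolve(NCSI_DNS_NAME)
    if answer is None:
        return {"ok": False, "reason": "dns-nxdomain", "dns": None, "http": None}
    if answer != NCSI_EXPECTED_IP:
        return {"ok": False, "reason": "dns-mismatch", "dns": answer, "http": None}
    body = fetch(NCSI_URL)
    if body is None:
        return {"ok": False, "reason": "http-unreachable", "dns": answer, "http": None}
    if body.strip() != NCSI_EXPECTED_BODY:
        return {"ok": False, "reason": "http-body-mismatch", "dns": answer,
                "http": body.strip()[:60]}
    return {"ok": True, "reason": "ok", "dns": answer, "http": body.strip()}


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Offline resolver backed by a dict (missing name -> NXDOMAIN)."""
    return lambda name: table.get(name)


def table_fetcher(table: Dict[str, str]) -> Fetcher:
    """Offline fetcher backed by a dict (missing URL -> unreachable)."""
    return lambda url: table.get(url)


# Constructed sample answers (not captured from a real network).
SINKHOLE_ANSWERS = {NCSI_DNS_NAME: "10.10.10.1"}   # constructed DNSBL sinkhole address
HEALTHY_ANSWERS = {NCSI_DNS_NAME: NCSI_EXPECTED_IP}
HEALTHY_BODIES = {NCSI_URL: "Microsoft NCSI"}
PORTAL_BODIES = {NCSI_URL: "<html><body>Please log in</body></html>"}  # constructed

if __name__ == "__main__":
    # Offline walk-through of the cases an admin will actually meet.
    print("dnsbl   ->", evaluate_ncsi(table_resolver(SINKHOLE_ANSWERS), table_fetcher({})))
    print("portal  ->", evaluate_ncsi(table_resolver(HEALTHY_ANSWERS), table_fetcher(PORTAL_BODIES)))
    print("healthy ->", evaluate_ncsi(table_resolver(HEALTHY_ANSWERS), table_fetcher(HEALTHY_BODIES)))
    # Live check through this host's resolver and gateway (needs network access).
    print("live    ->", evaluate_ncsi(system_resolve, http_fetch))
```

Run it on a LAN client behind the firewall: a "dns-mismatch" result with an answer pointing at the DNSBL virtual IP is the case this thread ended up with, and the fix is a suppression entry for the msftncsi.com names in the blocklist rather than touching every client.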
-
A simple fix is to just turn off the active connection in Windows… This way MS is not informed that you're online ;) And from what IP.. hehehe
You can do it with a simple reg entry or gpedit.. Now it doesn't do the active checks..
-
Thanks again. That is a wonderful recommendation, however I have several PCs and VMs running; it is too much to change every one. It is better to fix the source in DNSBL. ::)
-
You could make the change on 1000's of machines in a few seconds via group policy if they are members of AD.. Or a simple push of a reg edit from the cmd line.. if you have an account that has permissions on the machines…
Saying you have lots of machines so it's too much work to make a change on them seems odd...
https://blogs.technet.microsoft.com/heyscriptingguy/2012/03/17/edit-the-registry-on-multiple-remote-computers-with-powershell/