New Install, No Internet Issue using Virgin Media (cable) modem
-
I have installed pfSense on a dedicated PC and it has two NICs.
The WAN link has been configured to use DHCP allocated from the Virgin Media hub (which is in modem mode) and I can see that pfSense has a lease and is getting an IP without issue.
However, nothing can access the internet or ping any internet domains, which I presume is DNS related. So out of the box, pfSense does not work with this HW setup which is a shame.
I have tried setting Google DNS servers in General Setup (and ticking the override DHCP DNS servers box) as well as using the DHCP allocated settings to no avail.
I saw when going through the initial install that the DNS resolver is setup automatically. Do I need to change any of the default settings to make that work?
Is there anything else that I need to consider and configure?
[Note, I have changed my LAN DHCP server settings so clients are pointed to the new gateway, so that is setup correctly and clients can ping the pfSense device].
-
The WAN link has been configured to use DHCP allocated from the Virgin Media hub (which is in modem mode) and I can see that pfSense has a lease and is getting an IP without issue.
What IP / Gateway ? You got a real "Internet IP" or some RFC 1988 one ?
Login to console, use option 7 or 8 - can you ping the IP - some Google IP ?
However, nothing can access the internet or ping any internet domains, which I presume is DNS related. So out of the box, pfSense does not work with this HW setup which is a shame.
Hardware not ok ?
I guess it is ok, both NICs are recognized, the GUI is UP ? You're ok.
I have tried setting Google DNS servers in General Setup (and ticking the override DHCP DNS servers box) as well as using the DHCP allocated settings to no avail.
As soon as people start using these, also before the system works, things go even more down-hill fast.
My advice : use 8.8.8.8 when everything is stable and humming. As soon as you made up the contract with Google - like they will pay you for all those DNS requests so they can profile you to the max - and you have some time to lose, then start playing with DNS, and discover known and less known consequences.
I saw when going through the initial install that the DNS resolver is setup automatically. Do I need to change any of the default settings to make that work?
The built-in Resolver will be fine in 99,9999 % of all cases. No need to touch anything - no need to give 8.8.8.8 your requests.
Is there anything else that I need to consider and configure?
When setup of WAN is done, you're ok. You'll be having a working system.
But, there can be one exception : when the WAN IP is something like 192.168.1.x/24 and, knowing that LAN is also 192.168.1.1/24, nothing works any more. This is by design ;) (and many are proving this on a daily basis)
[Note, I have changed my LAN DHCP server settings so clients are pointed to the new gateway, so that is setup correctly and clients can ping the pfSense device].
:o what Gateway ?
No need to change LAN settings 192.168.1.1/24 is just perfect. Billions are using it.
Normally, we don't touch/use Services => DHCP Server => LAN Other options => Gateway.
Change the size pool if you need to. Change anything else after all is ok.
I advise you to reset settings.
Configure WAN - let the DHCP client obtain an IP and Gateway - if a no go, post your settings / results.
Like this :
WAN (wan) -> rl0 -> v4/DHCP4: 192.168.10.11/24
LAN (lan) -> fxp0 -> v4: 192.168.1.1/24 v6: 2001:470:1f13:5cf:2::1/64
PORTAL (opt1) -> sis0 -> v4: 192.168.2.1/24
HENETV6 (opt2) -> gif0 -> v6: 2001:47o:1f12:5c9::2/128
The built-in Resolver will completely ignore the (ISP) DNS received from the DHCP client on WAN; it will hit the 13 global root servers directly (fastest wins). For DNS to work, an Internet connection should work - or at least, port 53 UDP/TCP outgoing/incoming should work.
Test using console, option 8 and then
dig google.com +trace
will show you that entire DNS resolution.
And proves that the connection is ok.
-
Thanks for reply, and as I am away this weekend I will have to wait until Monday to test some of these suggestions.
However, what I have already tried is resetting all settings back to their defaults, the only alteration is setting the LAN IP to one that is on my subnet (which is 172.16.1.x/23 for servers and appliances, and 172.16.0.x/23 for clients) so I set the pfSense LAN IP to 172.16.1.240/23 and I can access the web interface fine.
The cable modem always sets itself with an IP of 82.x.x.1 and the WAN port on pfSense always receives the address 82.x.x.35 - this was exactly the same using my previous TP-Link router so I assume the fw of the modem is hard coded to use those addresses.
So without any DNS changes, using the default settings above, clients cannot access the internet.
I also see that pfSense itself does not seem able to talk to the internet as it cannot resolve the packages list, so the LAN failing to talk to the internet is an extension of that it seems.
I have not tried pinging an internet IP without using DNS yet, I will try that next week too.
One other comment - I am using a Windows domain and so I have Windows DNS servers, and clients are pointed at those. This wasn't an issue before when using a different router for the cable modem, clients and servers resolve external/internet DNS queries fine, which I believe to be the default forwarder settings in Windows DNS? My point being that clients being pointed to my Windows DNS servers is a working setup. I tried restarting the Windows DNS services and obviously changed the gateway address from the TP-Link router (172.16.1.254) to the new pfSense box (172.16.1.240) to no avail.
On Monday I will try resetting the pfSense config to defaults, then switching off the TP-Link and choosing the address 172.16.1.254 for pfSense and seeing if that works - so just swapping out the router HW but leaving same IP addresses - which would indicate the problem being on the LAN side.
Thanks for help so far, will let you know how I get on on Monday.
Cheers, Mike.
-
I have not tried pinging an internet IP without using DNS yet, I will try that next week too.
This would be your step 1 basic troubleshooting. If you can ping an address but not a name, then the problem is Name Resolution, isn't it.
To me, networking is actually the simplest of all IT disciplines. For the most part you are asking, why can't I go from point A to point B? Answer, you next ask can I go from point A to point A.1 (next hop), then A.1 to A.2 etc-etc until you find the "break."
-
However, what I have already tried is resetting all settings back to their defaults, the only alteration is setting the LAN IP to one that is on my subnet (which is 172.16.1.x/23 for servers and appliances, and 172.16.0.x/23 for clients) so I set the pfSense LAN IP to 172.16.1.240/23 and I can access the web interface fine.
OK, I think your issue is with the routing for the rest of your LAN hosts, rather than pfSense. You can reach pfSense GUI because it's a local LAN IP. But without the correct routing, you won't be able to reach "the Internet" through it. Basically you need to tell the rest of the hosts to use 172.16.1.240 as their default gateway. pfSense assumes that you are using its DHCP server for your LAN and would normally take care of that via DHCP.
Initially you had me thinking two subnets with the "172.16.1.x/23" until I realized that was not a canonical form, and they both normalize to the same subnet. So I'm going to assume you mean you have one subnet, 172.16.0.0/23 and that you put clients in the lower half and servers in the upper. If you really have two subnets and therefore a LAN router, the answer changes from below and you need to provide more info.
I'm going to assume you have a combination of some static and some DHCP going on. If it's all one or the other, just ignore the other bits. First DHCP: Decide if you want to keep your existing DHCP Server or use pfSense. DISABLE THE OTHER ONE. If you kept your original DHCP server, set it to hand out 172.16.1.240 as the default gateway. In both cases, have each DHCP client renew its lease to get the new default gateway. Secondly the Statically configured hosts: you will need to update the statically configured default gateway on each host to 172.16.1.240 and reboot (or update the host's route table manually if you're confident).
If you intend to take advantage of the pfSense DNS caching, you will also need to update the DNS nameserver information to the pfSense LAN IP on all your LAN hosts, the same as you updated the default gateway, above. Likewise if you install one of the pfSense packages that provide proxy services, then you need to update the clients on the LAN to use it.
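The /23 normalization and default-gateway reasoning in this answer, together with the overlapping WAN/LAN case raised earlier in the thread, can be checked with Python's standard `ipaddress` module. This is an added example, not code from any poster; the 192.168.1.50/24 WAN address and the 172.16.0.25 client are constructed samples.

```python
import ipaddress
from itertools import combinations


def canonical(cidr):
    """Network an 'address/prefix' string belongs to, with host bits masked off."""
    return ipaddress.ip_interface(cidr).network


def same_subnet(a, b):
    """True when two 'address/prefix' strings normalize to the same network."""
    return canonical(a) == canonical(b)


def gateway_on_link(host_cidr, gateway):
    """A default gateway is only usable if it sits inside the host's own subnet."""
    return ipaddress.ip_address(gateway) in canonical(host_cidr)


def overlapping_interfaces(interfaces):
    """Return (name_a, name_b) pairs of interfaces whose subnets overlap."""
    nets = {name: canonical(cidr) for name, cidr in interfaces.items()}
    return [
        (a, b)
        for a, b in combinations(sorted(nets), 2)
        if nets[a].version == nets[b].version and nets[a].overlaps(nets[b])
    ]


# Constructed sample: WAN handed an address inside the default LAN subnet.
COLLIDING = {"wan": "192.168.1.50/24", "lan": "192.168.1.1/24"}
# Addresses as shown in the console listing earlier in the thread.
SEPARATE = {"wan": "192.168.10.11/24", "lan": "192.168.1.1/24"}

if __name__ == "__main__":
    # Both spellings from the thread collapse to one network, 172.16.0.0/23.
    print(canonical("172.16.1.240/23"), same_subnet("172.16.1.0/23", "172.16.0.0/23"))
    # A client in the lower half can still use a gateway in the upper half.
    print(gateway_on_link("172.16.0.25/23", "172.16.1.240"))
    # With a /24 mask on the client the same gateway is off-link.
    print(gateway_on_link("172.16.0.25/24", "172.16.1.240"))
    print(overlapping_interfaces(COLLIDING), overlapping_interfaces(SEPARATE))
```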
-
@Jed:
OK, I think your issue is with the routing for the rest of your LAN hosts, rather than pfSense. You can reach pfSense GUI because it's a local LAN IP. But without the correct routing, you won't be able to reach "the Internet" through it. Basically you need to tell the rest of the hosts to use 172.16.1.240 as their default gateway.
What IP / Gateway ? You got a real "Internet IP" or some RFC 1988 one ?
Login to console, use option 7 or 8 - can you ping the IP - some Google IP ?
OK, so the problem I am experiencing is nothing to do with my LAN configuration, changing gateways, DHCP etc. etc.
The pfSense box itself cannot ping any internet addresses or resolve any internet domain names.
What can be the cause of that?
Please go back over the information I have provided above before asking questions.
Thanks.
-
(Careful with those trying to help you!)
how are you splitting that range, as it seems that there is some overlap (172.16.0.0/23 and 172.16.1.0/23) ?
pfsense works fine out of the box with VM, I'm posting from such a setup.
I'd suggest you reset everything to defaults and not change anything, then make incremental changes to see where it breaks. Posting some info from the 'Status-> interfaces' might help.
-
(Careful with those trying to help you!)
What does this mean??
As for the problems, I have factory reset the pfSense box, connected it to cable modem only (not to my LAN) and enabled DHCP.
After connecting a laptop to pfSense, which successfully gets an IP, I cannot get to the internet. Accessing the pfSense console and pinging known WAN IP addresses does not return a result for pfSense. It certainly seems that pfSense is not able to access the internet - this has nothing to do with my LAN configuration/subnets.
What could be the cause? What else can I try?
-
(Careful with those trying to help you!)
What does this mean??
As for the problems, I have factory reset the pfSense box, connected it to cable modem only (not to my LAN) and enabled DHCP.
After connecting a laptop to pfSense, which successfully gets an IP, I cannot get to the internet. Accessing the pfSense console and pinging known WAN IP addresses does not return a result for pfSense. It certainly seems that pfSense is not able to access the internet - this has nothing to do with my LAN configuration/subnets.
What could be the cause? What else can I try?
Can you see that pfSense is getting the lease and setting DHCP properly?
Can you do a traceroute from pfSense to the Internet? Where does it stop?
Have you replaced the cable?
-
Can you see that pfSense is getting the lease and setting DHCP properly?
I don't know what properly means, I can see that it gets an IP address from the modem, and that it can ping the modem on its IP, so it is established on that network segment.
Can you do a traceroute from pfSense to the Internet? Where does it stop?
Can you advise how I run a tracert from the pfSense box itself? I am not familiar with Linux console commands - I presume this is a Linux command that is run via the console in pfSense?
Have you replaced the cable?
Cable is not an issue, it works fine with my other router, it's a 0.5m cable and I can see it has no damage and negs at 1 Gbits fine.
-
Can you see that pfSense is getting the lease and setting DHCP properly?
I don't know what properly means, I can see that it gets an IP address from the modem, and that it can ping the modem on its IP, so it is established on that network segment.
In the WebUI, on the Dashboard, enable the Interfaces widget. Does it show that pfSense is connected and has an IP address?
It doesn't matter if your DHCP server thinks it's given a lease out, I want to know that pfSense grabbed that IP address.
Can you do a traceroute from pfSense to the Internet? Where does it stop?
Can you advise how I run a tracert from the pfSense box itself? I am not familiar with Linux console commands - I presume this is a Linux command that is run via the console in pfSense?
From the WebUI, go to the Diagnostic Menu and select Traceroute. There, enter the IP address of a server on the Internet. I used Google DNS servers, 8.8.8.8, and pfSense shows the route from pfSense to that IP address. 10 hops in my case. Run that utility and post the results here.
Have you replaced the cable?
Cable is not an issue, it works fine with my other router, it's a 0.5m cable and I can see it has no damage and negs at 1 Gbits fine.
Replace it anyway with another working cable just to eliminate it as a potential issue.
-
Yes, pfSense has an IP on the WAN interface, it also has a gateway address.
Doing a tracert from pfSense to 8.8.8.8 just shows asterisks if I remember correctly.
Tracert from my laptop shows the same failure.
C:>tracert 8.8.8.8
Tracing route to 8.8.8.8 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms pfSense.localdomain [192.168.1.1]
2 * * * Request timed out.
From my laptop I can ping the WAN interface IP, but not the gateway address assigned to the WAN.
I've replaced both cables. Not the issue.
It is behaving as though, either due to pfSense or HW that no traffic is permitted between the two interfaces. Is there anything in the default firewall/NAT setup that could do this?
Any other ideas?
-
Yes, pfSense has an IP on the WAN interface, it also has a gateway address.
Doing a tracert from pfSense to 8.8.8.8 just shows asterisks if I remember correctly.
Tracert from my laptop shows the same failure.
C:>tracert 8.8.8.8
Tracing route to 8.8.8.8 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms pfSense.localdomain [192.168.1.1]
2 * * * Request timed out.
From my laptop I can ping the WAN interface IP, but not the gateway address assigned to the WAN.
I've replaced both cables. Not the issue.
It is behaving as though, either due to pfSense or HW that no traffic is permitted between the two interfaces. Is there anything in the default firewall/NAT setup that could do this?
Any other ideas?
If pfSense is getting an IP address on the WAN interface, the system is on the network. If it cannot get upstream from there, the issue may be with the next device upstream.
pfSense has an IP address and a traceroute fails from pfSense, which indicates to me that either the DHCP configuration is wrong, or the upstream device is not allowing traffic from pfSense.
-
If pfSense is getting an IP address on the WAN interface, the system is on the network. If it cannot get upstream from there, the issue may be with the next device upstream.
pfSense has an IP address and a traceroute fails from pfSense, which indicates to me that either the DHCP configuration is wrong, or the upstream device is not allowing traffic from pfSense.
If I add a USB network adapter as the WAN device, it all starts working immediately.
I'm thinking it's hardware.