Connection trouble after switching ISP
-
I'm running pfSense 2.4.4 and just switched from an aDSL (PPPoE) to cable Internet (Xfinity) service provider. I'm having some trouble with the connection (well, my pfSense gateway/router, apparently). I changed the configuration for the WAN interface from PPPoE to DHCP. The WAN interface acquires an IPv4 address from Comcast. From pfSense and a laptop connected to my network, I can ping the gateway assigned by Comcast and (sometimes, but not always) Comcast DNS servers such as 75.75.75.75 and 75.75.76.76. I can't ping other well-known public IPs like 8.8.8.8 or 1.1.1.1, etc. At first I thought Comcast needed to do something to activate my cable modem on my account or something to allow routing out of their network and contacted their support. However, if I connect a laptop directly to the cable modem and reboot the modem, I can browse the web, ping well-known public IP addresses, etc. I think I should be able to figure this out (firewall rules, etc...?) but I've been banging my head on this one for a while and thought I'd post here. Obviously not from the network where I'm having the trouble.
Any suggestions/thoughts? Thank you! -
What are you running pfsense on - a Netgate appliance, a PC of your own build, or in a VM (virtual machine) running on a PC?
Was this pfsense machine running fine connected to your old ADSL internet connection, or is the pfsense box new and the Xfinity internet connection is also new?
Jeff
-
@akuma1x
Hi Jeff,I'm running pfSense in a VM on (standalone, not Windows Server with Hyper-V role) Hyper-V Server 2012 (R2, I think). It's the same pfSense install that was working fine with my aDSL connection.
-
@regexaurus said in Connection trouble after switching ISP:
@akuma1x
Hi Jeff,I'm running pfSense in a VM on (standalone, not Windows Server with Hyper-V role) Hyper-V Server 2012 (R2, I think). It's the same pfSense install that was working fine with my aDSL connection.
Try connecting a computer directly to the modem to see if you can ping those addresses. This will help isolate the problem.
-
@JKnott said in Connection trouble after switching ISP:
Try connecting a computer directly to the modem to see if you can ping those addresses. This will help isolate the problem.
Uhh...from my original post:
@regexaurus said in Connection trouble after switching ISP:
...if I connect a laptop directly to the cable modem and reboot the modem, I can browse the web, ping well-known public IP addresses, etc...
-
Still no luck with resolving this problem. An oddity I encountered:
- If I start a promiscuous capture on WAN, do a ping test to 75.75.75.75 (0% packet loss), and stop the capture, I see the expected ICMP echo request/reply packets.
- If I start a promiscuous capture on WAN, do a ping test to 8.8.8.8 (100% packet loss), and stop the capture, I see no captured packets. I expected to at least capture some ICMP echo requests. I get the same result if I change the capture interface to Localhost or LAN, keeping the test the same, otherwise.
Kind of stuck...not sure what else to try/check.
-
I temporarily swapped out the pfSense gateway with a basic router running DD-WRT. The connection is working fine, LAN devices have good connectivity. Seems something is going on with our pfSense install/config, and I'm considering a clean install. I've been wanting to upgrade our Hyper-V Server (now to v. 2019) anyway, which also means "new" hardware to meet later Hyper-V requirements.
Anyone in Southeast PA with a used i5 or i7 PC (preferably SFF) you're looking to sell? -
@regexaurus said in Connection trouble after switching ISP:
I see no captured packets
If you don't see pfsense sending out the packets - then no shit your not going to get an answer... What is your routing? Pfsense thinks 8.8.8.8 is somewhere else then out your default wan?
Where exactly are you pinging from.. Ping from pfsense.. sniff on pfsense wan.. Do you see it sending the request?
-
@johnpoz said in Connection trouble after switching ISP:
@regexaurus said in Connection trouble after switching ISP:
I see no captured packets
If you don't see pfsense sending out the packets - then no shit your not going to get an answer...
Yikes! I did specify that I expected to at least capture ICMP echo request packets (originating from my network / pfSense) even if there is no reply.
I did ping tests mostly from pfSense, and used pfSense capture diagnostic tool. Nothing really unique about my routes, as far as I know. I tried captures on Localhost and LAN just in case pfSense was sending echo requests out the wrong interface (perhaps due to a bad route).
-
Misread your response the first time. Yes, I understand that I won't see ping replies if requests aren't leaving pfSense (or being routed correctly) in the first place. Ping attempts from other LAN devices to well-known IPs like 8.8.8.8, also resulted in 100% loss. Wondering whether running a pfSense capture during such a test would offer any clues as to what pfSense is doing with those packets...
-
@johnpoz
Yes, I was sniffing from pfSense, mostly on WAN, but also tried sniffing on Localhost and LAN (the only interfaces besides WAN that appear in the capture diag utility on my pfSense install), in case ping requests weren't being routed correctly. For the failed ping tests, I didn't capture any related packets, on any interface. -
Are you using a network/mask on your network that overlaps 8.8.8.8? Unless pfsense thinks that IP is attached locally, or has a route to send it somewhere else.. It would send it to its default gateway...
Would not be surprised, have seen many a user just pull IP ranges out their ass and use them internally..
If you do not see them while sniffing, then they are not being sent.. And it would be impossible for you to get a reply.
Are you using any sort of outbound rules on your floating tab, do you have any IPS running in blocking mode?
-
You say you are running pfSense on a Hyper-V VM, so don't forget to check over the setup within Hyper-V networking. You say it worked before with your previous ISP? I would start by looking for what is different? ADSL is PPPoE while cable modems are DHCP. Make sure something is not leftover in your pfSense setup from the old PPPoE connection. Make sure you did not create some weird network configuration in Hyper-V to make the DSL connection work. Like look around and see if you maybe hard-coded the old default gateway someplace.
pfSense just works, but it needs a solid network environment to make things happen. Sounds like something is out of sorts with your setup. First check that all of the old DSL stuff is truly gone from your network setup and the pfSense WAN interface is set for DHCP and is getting the proper IPv4 address from the cable modem along with a proper gateway and sensible/suitable mask.
-
@johnpoz said in Connection trouble after switching ISP:
Would not be surprised, have seen many a user just pull IP ranges out their ass and use them internally..
Not just users... My ISP (Rogers) does this. They use 7.0.0.0/8 for their internal routing. When I asked them why my gateway IP was in USDoD's range, I got a lot of head scratching responses. I eventually got thru to an engineer, who said they ran out of 10.0.0.0/8 space. WTF.
-
@ljr said in Connection trouble after switching ISP:
I eventually got thru to an engineer, who said they ran out of 10.0.0.0/8 space. WTF.
The same thing happened with Comcast, IIRC. They couldn't manage their network, without segmenting it, even with all the RFC 1918 addresses available. Their solution was to move to IPv6. Rogers provides IPv6, but they still have to support IPv4. I hope you're running IPv6, as it will help you avoid that sort of problem.