Unable to browse the web

Tom8888

@ptt
Thanks for the link, i am following the instructions and i am trying all the tests in the diagnostic part of this document, they have been all succesfull apart from this one, so i am trying to fix it with the info provided.

"Test NAT: Try to ping 8.8.8.8 (Diagnostics > Ping) using LAN as the Source Address

    If this fails but the other tests work, then the problem is likely Outbound NAT (See the WAN/LAN gateway checks above)"

Tom8888

So far, the problem seems to be with the "Outbound NAT".
I believe that it might be the default gateway, but i am not able to understand this scheme:

IPv4 Routes
Destination Gateway Flags Use Mtu Netif Expire
default 192.168.1.1 UGS 622 1500 re1
1.1.1.1 192.168.1.1 UGHS 20 1500 re1
8.8.8.8 192.168.1.1 UGHS 36 1500 re1
127.0.0.1 link#4 UH 104 16384 lo0
172.16.1.0/24 link#1 U 4 1500 re0
172.16.1.254 link#1 UHS 0 16384 lo0
192.168.1.0/24 link#2 U 16946 1500 re1
192.168.1.254 link#2 UHS 0 16384 lo0

ptt

Your WAN IP address is ?

Your LAN IP address is ?

pfSense's "default" (out of the box) outbound NAT config should/must work

Tom8888

@ptt
WAN 192.168.1.254/24
LAN 172.16.1.254/24
Default Gateway 192.168.1.1

chpalmer

Go to- Firewall / NAT / Outbound

Click "save".. see if that makes things work.

NogBadTheBad

Have you unticked Block private networks and loopback addresses on your WAN interface.

johnpoz

block bogon and rfc1918 would have nothing to do with being behind a double nat. They only come into play when there are devices on your wan (the rfc1918 network) that would be wanting to access any port forwards you have setup.

Tom8888

@chpalmer said in Unable to browse the web:

Go to- Firewall / NAT / Outbound

Click "save".. see if that makes things work.

Everytime i do that, PFSense stop working (basically i can no longer see the interface and a white page saying the connection is taking too long is displaied), so i click 8 (Shell) directly inside the pc where PFSense is installed, the DOS looking one, then "pfctl -d" and it restart working.

NAT it's set on "automatic"

Automatic Rules:
Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description
WAN 127.0.0.0/8 ::1/128 172.16.1.0/24 * * 500 WAN address * Auto created rule for ISAKMP
WAN 127.0.0.0/8 ::1/128 172.16.1.0/24 * * * WAN address * Auto created rule

Tom8888

@NogBadTheBad said in Unable to browse the web:

Have you unticked Block private networks and loopback addresses on your WAN interface.

Yes, all unticked as suggested on the "connectivity troubleshooting" guide

johnpoz

can pfsense ping its gateway? Can pfsense do dns lookups?

Tom8888

@johnpoz
Yes i did try all the troubleshooting tests suggested on the guide, they were all succesfull apart from this:

Test NAT: Try to ping 8.8.8.8 (Diagnostics > Ping) using LAN as the Source Address

    If this fails but the other tests work, then the problem is likely Outbound NAT (See the WAN/LAN gateway checks above)

johnpoz

well if you turned off NAT, then not sure how you think clients are going to be working.. Since your upstream is not going to nat those - unless you set it up too.

pfctl -d

chpalmer

Tom:

Do a packet capture on your WAN using the diagnostic menu and then repeat the ping attempt from a LAN client.

chpalmer

@Tom8888 said in Unable to browse the web:

NAT it's set on "automatic"

Are you sure your upstream router is 192.168.1.1 ?

Tom8888

@chpalmer
I did try to post here the results, but i get an error message telling me that Akismet flagged my content as spam.

Yes the default gateway is definetely 192.168.1.1, but if you look at this, for the LAN the default gateway is set as " link#1 "

IPv4 Routes
Destination Gateway Flags Use Mtu Netif Expire
default 192.168.1.1 UGS 622 1500 re1
1.1.1.1 192.168.1.1 UGHS 20 1500 re1
8.8.8.8 192.168.1.1 UGHS 36 1500 re1
127.0.0.1 link#4 UH 104 16384 lo0
172.16.1.0/24 link#1 U 4 1500 re0
172.16.1.254 link#1 UHS 0 16384 lo0
192.168.1.0/24 link#2 U 16946 1500 re1
192.168.1.254 link#2 UHS 0 16384 lo0

Tom8888

@johnpoz said in Unable to browse the web:

well if you turned off NAT, then not sure how you think clients are going to be working.. Since your upstream is not going to nat those - unless you set it up too.

pfctl -d

What should i do exactly? (sorry i am not an IT)

johnpoz

you shouldn't be running that cmd, if you want pfsense to actually nat, that disable firewall and natting.

That is not the default gateway for the lan, that is the interface in the lan address.. So yeah that is how it talks to that network.. You didn't set a gateway on the lan interface did you?

Tom8888

@chpalmer said in Unable to browse the web:

Tom:

Do a packet capture on your WAN using the diagnostic menu and then repeat the ping attempt from a LAN client.

These are just a few lines taken out from the middle of the report, i hope is going to get posted and not flagged as a spam....

16:04:53.151476 IP 192.168.1.1 > 192.168.1.254: ICMP echo reply, id 18172, seq 16249, length 8
16:04:53.380004 IP 192.168.1.214.57189 > 192.168.1.254.80: tcp 1
16:04:53.380038 IP 192.168.1.254.80 > 192.168.1.214.57189: tcp 0
16:04:53.444004 ARP, Request who-has 192.168.1.254 tell 192.168.1.1, length 46
16:04:53.444020 ARP, Reply 192.168.1.254 is-at 40:62:31:02:ac:c4, length 28
16:04:53.682654 IP 192.168.1.254 > 192.168.1.1: ICMP echo request, id 18172, seq 16250, length 8
16:04:53.683323 IP 192.168.1.1 > 192.168.1.254: ICMP echo reply, id 18172, seq 16250, length 8

johnpoz

yeah that pfsense pinging its gateway.

Now do that sniff when you try and ping from the lan address to 8.8.8.8

Tom8888

@johnpoz
No i did not set a default gateway on the LAN, as the guide suggested not to do it as well