Netgate Discussion Forum
    Unable to browse the web

      johnpoz LAYER 8 Global Moderator @Tom8888

      well if you turned off NAT, then not sure how you think clients are going to be working.. Since your upstream is not going to nat those - unless you set it up too.

      pfctl -d

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        chpalmer

        Tom:

        Do a packet capture on your WAN using the diagnostic menu and then repeat the ping attempt from a LAN client.

        Triggering snowflakes one by one..
        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

          chpalmer

          @Tom8888 said in Unable to browse the web:

          NAT it's set on "automatic"

          Are you sure your upstream router is 192.168.1.1 ?

            Tom8888 @chpalmer

            @chpalmer
            I did try to post here the results, but I get an error message telling me that Akismet flagged my content as spam.

            Yes the default gateway is definitely 192.168.1.1, but if you look at this, for the LAN the default gateway is set as " link#1 "

            IPv4 Routes
            Destination      Gateway      Flags  Use    Mtu    Netif  Expire
            default          192.168.1.1  UGS    622    1500   re1
            1.1.1.1          192.168.1.1  UGHS   20     1500   re1
            8.8.8.8          192.168.1.1  UGHS   36     1500   re1
            127.0.0.1        link#4       UH     104    16384  lo0
            172.16.1.0/24    link#1       U      4      1500   re0
            172.16.1.254     link#1       UHS    0      16384  lo0
            192.168.1.0/24   link#2       U      16946  1500   re1
            192.168.1.254    link#2       UHS    0      16384  lo0

              Tom8888 @johnpoz

              @johnpoz said in Unable to browse the web:

              well if you turned off NAT, then not sure how you think clients are going to be working.. Since your upstream is not going to nat those - unless you set it up too.

              pfctl -d

              What should I do exactly? (sorry I am not an IT)

                johnpoz LAYER 8 Global Moderator

                you shouldn't be running that cmd, if you want pfsense to actually nat, that disables firewall and natting.

                That is not the default gateway for the lan, that is the interface in the lan address.. So yeah that is how it talks to that network.. You didn't set a gateway on the lan interface did you?

                  Tom8888 @chpalmer

                  @chpalmer said in Unable to browse the web:

                  Tom:

                  Do a packet capture on your WAN using the diagnostic menu and then repeat the ping attempt from a LAN client.

                  These are just a few lines taken out from the middle of the report, I hope it is going to get posted and not flagged as spam....

                  16:04:53.151476 IP 192.168.1.1 > 192.168.1.254: ICMP echo reply, id 18172, seq 16249, length 8
                  16:04:53.380004 IP 192.168.1.214.57189 > 192.168.1.254.80: tcp 1
                  16:04:53.380038 IP 192.168.1.254.80 > 192.168.1.214.57189: tcp 0
                  16:04:53.444004 ARP, Request who-has 192.168.1.254 tell 192.168.1.1, length 46
                  16:04:53.444020 ARP, Reply 192.168.1.254 is-at 40:62:31:02:ac:c4, length 28
                  16:04:53.682654 IP 192.168.1.254 > 192.168.1.1: ICMP echo request, id 18172, seq 16250, length 8
                  16:04:53.683323 IP 192.168.1.1 > 192.168.1.254: ICMP echo reply, id 18172, seq 16250, length 8

                    johnpoz LAYER 8 Global Moderator

                    yeah that's pfsense pinging its gateway.

                    Now do that sniff when you try and ping from the lan address to 8.8.8.8

                      Tom8888 @johnpoz

                      @johnpoz
                      No I did not set a default gateway on the LAN, as the guide suggested not to do it as well

                        Tom8888

                        PING 8.8.8.8 (8.8.8.8) from 172.16.1.254: 56 data bytes

                        --- 8.8.8.8 ping statistics ---
                        3 packets transmitted, 0 packets received, 100.0% packet loss

                          Tom8888

                          Packet Capture from WAN while pinging 8.8.8.8

                          16:37:23.724824 IP 192.168.1.254 > 192.168.1.1: ICMP echo request, id 18172, seq 19996, length 8
                          16:37:23.725314 IP 192.168.1.1 > 192.168.1.254: ICMP echo reply, id 18172, seq 19996, length 8
                          16:37:23.796500 IP 192.168.1.214.59665 > 224.0.0.252.5355: UDP, length 33
                          16:37:23.826400 IP 192.168.1.100.138 > 192.168.1.255.138: UDP, length 201
                          16:37:24.206639 IP 192.168.1.254.123 > 80.211.82.90.123: UDP, length 48
                          16:37:24.206996 IP 192.168.1.214.59665 > 224.0.0.252.5355: UDP, length 33
                          16:37:24.231761 IP 192.168.1.254 > 192.168.1.1: ICMP echo request, id 18172, seq 19997, length 8
                          16:37:24.232228 IP 192.168.1.1 > 192.168.1.254: ICMP echo reply, id 18172, seq 19997, length 8
                          16:37:24.262468 IP 80.211.82.90.123 > 192.168.1.254.123: UDP, length 48
                          16:37:24.763824 IP 192.168.1.254 > 192.168.1.1: ICMP echo request, id 18172, seq 19998, length 8

                          Doing the same test on LAN i just get a blank page (????)
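
Added example, not part of the thread or any poster's code: a small Python check for the test requested above, reading a WAN-side capture in the posted format and reporting whether pings to the target left WAN translated, untranslated, or not at all. The WAN address 192.168.1.254 and LAN network 172.16.1.0/24 come from the routing table posted earlier; the function name `diagnose` and the 172.16.1.10 client line are constructed for illustration.

```python
import ipaddress
import re

# tcpdump-style ICMP echo line, in the format of the captures posted above.
ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply)"
)

def diagnose(capture, target, wan_addr, lan_net):
    """Classify a WAN-side capture taken while a LAN host pings `target`."""
    lan = ipaddress.ip_network(lan_net)
    seen = {"translated": 0, "untranslated": 0, "replies": 0}
    for line in capture.splitlines():
        m = ICMP_RE.match(line.strip())
        if not m:
            continue  # ARP, UDP, TCP and unrelated lines are ignored
        src, dst, kind = m["src"], m["dst"], m["kind"]
        if kind == "request" and dst == target:
            if src == wan_addr:
                seen["translated"] += 1    # outbound NAT rewrote the source
            elif ipaddress.ip_address(src) in lan:
                seen["untranslated"] += 1  # left WAN with a LAN source address
        elif kind == "reply" and src == target:
            seen["replies"] += 1
    if seen["replies"]:
        return "replies seen on WAN", seen
    if seen["untranslated"]:
        return "leaving WAN without NAT", seen
    if seen["translated"]:
        return "NATed and sent, no reply from upstream", seen
    return "never reached WAN", seen

# Lines copied from the capture posted above: only gateway-monitor pings and NTP.
POSTED = """\
16:37:23.724824 IP 192.168.1.254 > 192.168.1.1: ICMP echo request, id 18172, seq 19996, length 8
16:37:23.725314 IP 192.168.1.1 > 192.168.1.254: ICMP echo reply, id 18172, seq 19996, length 8
16:37:24.206639 IP 192.168.1.254.123 > 80.211.82.90.123: UDP, length 48
"""
# Constructed line: what a LAN client's ping looks like on WAN if NAT is not applied.
NO_NAT = POSTED + (
    "16:37:25.000001 IP 172.16.1.10 > 8.8.8.8: ICMP echo request, "
    "id 1, seq 1, length 64\n"
)

if __name__ == "__main__":
    for name, cap in (("posted", POSTED), ("no-nat", NO_NAT)):
        print(name, diagnose(cap, "8.8.8.8", "192.168.1.254", "172.16.1.0/24"))
```

A "never reached WAN" result means the capture holds no echo request to the target at all, so the place to look next is the LAN side rather than outbound NAT.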

                            Tom8888

                            Here is how my different machines are connected to each other:

                            1. I have a main router from where the internet connection is coming from, with 4 LAN ports AND wifi
                            2. a laptop is connected by wifi to this main router and I can control PFSense from this browser
                            3. a LAN wire connects the main router to an old pc, which is hosting a local site not on the web
                            4. a second LAN wire goes to a brand new (powerful) mini pc which has only the last version of PFSense installed
                            5. from the PFSense machine, there is a second LAN wire which goes to an access point, broadcasting a second wifi connection not protected by password

                            If I try to connect with my laptop to the other wifi coming from the AP of PFSense, I can still control PFSense from it, but NOT browse the web.
                            When I enter this command (pfctl -e) into the PFSense Shell (option 8), I can no longer access the control panel of PFSense, but if I insert another command (pfctl -d), then I can again visualize the interface.
                            In both cases I cannot browse the web, unless I connect directly to the main router.
                            If I eliminate the PFSense box and connect the wire from the AP directly to the main router, then even this wifi connection works perfectly.

                            Version 2.4.4-RELEASE-p3 (amd64)
                            built on Wed May 15 18:53:44 EDT 2019
                            FreeBSD 11.2-RELEASE-p10

                            The system is on the latest version.
                            Version information updated at Mon Aug 19 17:38:24 UTC 2019
                            CPU Type Intel(R) Celeron(R) CPU J3160 @ 1.60GHz
                            Current: 1600 MHz, Max: 1601 MHz
                            4 CPUs: 1 package(s) x 4 core(s)
                            AES-NI CPU Crypto: Yes (inactive)
                            Kernel PTI Enabled
                            Uptime 00 Hour 43 Minutes 15 Seconds
                            Current date/time
                            Mon Aug 19 17:39:02 UTC 2019
                            DNS server(s)

                            127.0.0.1
                            1.1.1.1
                            8.8.8.8
                            
                              chpalmer @Tom8888

                              @Tom8888

                              For that setup you need a WAN rule from 192.168.1.0/24 to "WAN Address" in order to come in from the WAN side the way you are doing it.

                                Tom8888 @chpalmer

                                The problem has been solved, I will post the details but not now as it is 1am here, thanks all for your support.

                                  Tom8888 @Tom8888

                                  So, basically, I hired someone on Fiverr.com who, after a month of struggles, has been able to do half the job I hired him for. The resolution of this problem I posted here will likely lead us to the final step, which is redirecting all the clients accessing the free wifi to a locally hosted site.
                                  The problem was apparently a misconfiguration of the AP, so people could connect to the wifi and get an IP address but were unable to navigate anywhere, as only a white page would display and say the connection was taking too long.

                                    johnpoz LAYER 8 Global Moderator

                                    So your AP was either running a captive portal, or it wasn't actually in AP mode and was trying to route, etc. which was prob the same network on both sides, etc. Its wan and its lan.. So yeah not going anywhere.
