Problems with flaky internet and pfSense
-
Not saying you're lying or anything - but I am doubtful... What is more likely is you're behind your ISP device's NAT.. And your pfSense is maybe set as DMZ host?
What is the ping time to your "gateway" in pfsense?
-
@johnpoz No, but I am no network professional.
-
What is the ping time to your "gateway" in pfsense?
I am not sure what you mean by that but I will try to find out.
-
What does pfsense show for its response time to your gateway on the dashboard widget?
Who is the ISP exactly?
-
They are using 100.64/10 space - yes that is CGNAT space..
I still find it odd that they would be doing 1:1 NAT to some public IP - and passing all ports to you..
But ok - when your clients are having a problem - does pfSense still have access to the internet?
But now we are getting some info, so we can understand your setup, and figure out what is going on.
-
@johnpoz I will test this next time it happens.
-
Depending on the specific model of cable modem you have, you may need to have pfSense "reject" DHCP lease offers from the internal IP of the cable modem.
For example, I had a Motorola cable modem where 192.168.100.1 was the internal LAN-side IP of the cable modem. I used the modem in bridge mode so my external public IP for the modem was passed to my pfSense firewall. When the external cable signal went down and the modem went into a carrier search and retrain mode, it would seemingly switch out of bridge mode and offer my firewall WAN an IP address from the modem's internal 192.168.100.0/24 net block. My firewall's WAN interface would happily accept the new IP. However, once the external cable signal came back online and the modem switched to bridge mode again, my WAN would frequently be left holding onto that 192.168.100.x IP address and thus I had no Internet connectivity. I would have to manually "release the lease" and renew to pick back up the bridge mode public IP.
You can prevent this by putting your cable modem's private LAN IP address in the "Reject leases from" box on the WAN interface settings page.
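To make the failure mode above concrete, here is an added example (not code from this thread or from pfSense) that simulates the dhclient `reject` behaviour which the "Reject leases from" box configures: OFFERs whose server identifier is on the reject list are skipped, and the WAN address that ends up being used is labelled as public, CGNAT (100.64.0.0/10) or private. The offers, server addresses and the 100.65.12.34 lease are constructed sample data, and matching on the server identifier alone is a simplification of the real client.

```python
import ipaddress
from dataclasses import dataclass

# Ranges discussed in the thread: RFC 6598 CGNAT space and the RFC 1918 blocks
# (the modem's own 192.168.100.0/24 LAN falls in the last of these).
CGNAT = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class DhcpOffer:
    server_id: str  # DHCP server identifier (option 54) of the server that sent the OFFER
    yiaddr: str     # address offered to the WAN interface

def classify(addr: str) -> str:
    """Label a WAN address the way you would read it off the pfSense dashboard."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    if ip.is_loopback or ip.is_link_local:
        return "invalid"
    return "public"

def select_offer(offers, reject_from):
    """Simplified 'Reject leases from': skip every OFFER whose server identifier is on
    the reject list and take the first remaining one (None if all were rejected)."""
    rejected = {ipaddress.ip_address(a) for a in reject_from}
    for offer in offers:
        if ipaddress.ip_address(offer.server_id) in rejected:
            continue  # e.g. the modem in retrain mode handing out its own LAN-side range
        return offer
    return None

# Constructed sample: the modem (192.168.100.1) answers first with a 192.168.100.x
# lease, then the ISP's DHCP server (assumed 100.64.0.1) offers the real CGNAT lease.
OFFERS = [
    DhcpOffer(server_id="192.168.100.1", yiaddr="192.168.100.10"),
    DhcpOffer(server_id="100.64.0.1", yiaddr="100.65.12.34"),
]

def pick_wan(offers=OFFERS, reject_from=("192.168.100.1",)):
    """Return (wan_address, label); label 'no-lease' when nothing was accepted."""
    chosen = select_offer(offers, reject_from)
    if chosen is None:
        return None, "no-lease"
    return chosen.yiaddr, classify(chosen.yiaddr)
```

Calling `pick_wan(reject_from=())` reproduces the stuck 192.168.100.x WAN from the post, while the default reject list skips the modem's offer and lands on the CGNAT lease.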
-
@bmeeks I already "Block private networks and loopback addresses" but if this is something different, I will happily try this. Thank you!
-
@Bob-Dig said in Problems with flaky internet and pfSense:
@bmeeks I already "Block private networks and loopback addresses" but if this is something different, I will happily try this. Thank you!
Yes, this setting is different from that.
-
@bmeeks It will not hurt anyway I guess.
-
@Bob-Dig said in Problems with flaky internet and pfSense:
@bmeeks It will not hurt anyway.
Just be sure to use the actual internal IP (or LAN gateway address) of your cable modem. Your model very well could use a different default internal IP from mine. You can find out by doing some Google research using the brand of your modem.
-
@bmeeks It is the same here. Although I am wondering how pfSense could still answer the echo requests. But again, it will not hurt to try that.
-
@Bob-Dig said in Problems with flaky internet and pfSense:
@johnpoz Like I said before it is special. It looks like a NAT-IP, but at the same time it seems exposed, so I can open ports on my side etc. Don't ask me why they do it like that and I have some servers running like WP, Nextcloud etc..
What is your WAN IP address?
-
What is your WAN IP address?
It is different.
-
@Bob-Dig said in Problems with flaky internet and pfSense:
What is your WAN IP address?
It is different.
Well, that tells me a lot. What do you mean by different?
-
@JKnott It is just a normal IPv4 address. I will not post it here unless "reasons". To be more precise, I meant my actual WAN IP. pfSense has a CG-NAT address at WAN.
-
@Bob-Dig said in Problems with flaky internet and pfSense:
To be more precise, I meant my actual WAN IP. pfSense has a CG-NAT address at WAN.
If it actually is a CG-NAT address, then you can announce it far and wide, as it's impossible for anyone to reach it from elsewhere.
-
@JKnott True but also pointless. I mean it is running now.
-
@Bob-Dig said in Problems with flaky internet and pfSense:
@JKnott True but also pointless. I mean it is running now.
<sigh>
Go to www.grc.com and click on Services > ShieldsUp!. This will show you your "real" address, as seen by the rest of the world. You can then do a port scan to see what ports are open. Try opening some ports and see if they show up in the scan. If you don't see them, then the real address is not mapped to your CG-NAT address. In that case, ping will not reach your network from elsewhere.