Problems with flaky internet and pfSense

JKnott · Oct 25, 2019, 1:20 PM

@Bob-Dig said in Problems with flaky internet and pfSense:

@JKnott True but also pointless. I mean it is running now.

<sigh>

Go to www.grc.com and click on Services > ShieldsUp!. This will show you your "real" address, as seen by the rest of the world. You can then do a port scan to see what ports are open. Try opening some ports and see if they show up in the scan. If you don't see them, then the real address is not mapped to your CG-NAT address. In that case, ping will not reach your network from elsewhere.

Bob.Dig · Oct 25, 2019, 1:31 PM

@JKnott You are missing the point. I already told here that I run servers at home and can open ports etc.
I know this special NAT my ISP is doing is very interesting for you guys, I have to explain this all the time when I mention it here.

@Bob-Dig said in Problems with flaky internet and pfSense:

@johnpoz Like I said before it is special. It looks like a NAT-IP, but at the same time it seems exposed, so I can open ports on my side etc. Don't ask me why they do it like that and I have some servers running like WP, Nextcloud etc..

But please let us stay on topic, thank you.

Bob.Dig · Nov 13, 2019, 9:16 AM

So today, sadly, I just experienced it again. My connection came up several times after going down and in the end of this flakyness I had no internet on the clients, in between, the clients had internet... PfSense shows "online", I even had configured an external monitoring IP this time.
Renewing the dhcp-lease manually on WAN solved it instantly for the clients.

bmeeks · Nov 13, 2019, 7:49 PM

@Bob-Dig said in Problems with flaky internet and pfSense:

So today, sadly, I just experienced it again. My connection came up several times after going down and in the end of this flakyness I had no internet on the clients, in between, the clients had internet... PfSense shows "online", I even had configured an external monitoring IP this time.
Renewing the dhcp-lease manually on WAN solved it instantly for the clients.

Sounds like something weird going on between your ISP's DHCP server and the DHCP client inside pfSense for the WAN.

So before you did the manual lease renew, was your WAN showing the correct public IP address? And did that IP address change after you did the manual renew?

Bob.Dig · Nov 13, 2019, 8:19 PM

@bmeeks In my case it is an CG-NAT-Address, so I haven't watched it closely. My (external) WAN-IP-Address didn't changed and I think that pfSense had a connection... but didn't "shared" it.
Next time i will do some ping-tests within pfSense and watch those IPs more closely.

Btw your "trick" helped me anyways I think, I had peace for 20 days but this connection here is just...

bmeeks · Nov 13, 2019, 8:23 PM

@Bob-Dig said in Problems with flaky internet and pfSense:

@bmeeks In my case it is an CG-NAT-Address, so I haven't watched it closely. My (external) WAN-IP-Address didn't changed and I think that pfSense had a connection... but didn't "shared" it.
Next time i will do some ping-tests within pfSense and watch those IPs more closely.

Btw your "trick" helped me anyways I think, I had peace for 20 days but this connection here is just...

When I said "public IP" what I really mean is whatever the "normal and working" IP should be. Whether it is CG NAT or a true public IP would not matter. You would just be looking to see what it is when it is not working, and then compare that to what it is when the connection is working. That info might help with troubleshooting.

Bob.Dig · Nov 14, 2019, 4:12 PM

And here we go again...

I see no difference. Ping from within pfSense to a Website also failed. After renewing instant internet.

bmeeks · Nov 14, 2019, 4:18 PM

I see now that you appear to be running pfSense on a Hyper-V host (the hn0 NIC driver is a virtualized NIC for Hyper-V).

Some quick Google searching found a few posts about issues with that NIC driver and FreeBSD 11. That might be the root of your problem.

Maybe you mentioned it earlier in the thread and I missed it, but knowing that you have pfSense virtualized and on which platform is very valuable information. Virtualized hardware is NOT the same as physical hardware of course, and the drivers used are different.

bmeeks · Nov 14, 2019, 4:25 PM

Here are some of the links I found with a quick Google search:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229990
https://forum.netgate.com/topic/128384/pfsense-network-interface-sometimes-hangs-on-hyper-v
http://freebsd.1045724.x6.nabble.com/11-1-running-on-HyperV-hn-interface-hangs-td6207926.html

Not sure all of these apply, but they illustrate there can be potential issues with Hyper-V and FreeBSD guests (pfSense is essentially a FreeBSD guest).

If you want to virtualize pfSense, I strongly recommend using ESXi. Or else just buy physical hardware. The Netgate appliances cost less than a Windows Server license.

stephenw10 · Nov 15, 2019, 5:55 PM

I would check for a missing or bad default route when this happens. Diag > Routes

If there is no default route client traffic will not be able to get out. pfSense itself would not be able to ping out to arbitrary sites.

However the gateway monitoring will show onlint because that has a static route via the WAN gateway.

Do you have more than one gateway in System > Routing > Gateways?

If the default IPv4 gateway is set to automatic setting it to the WAN dhcp gateway instead should get you back a default route if that is what you're hitting.

Steve