Intermittent Problems Reaching Anything Beyond pfSense Firewall

TangoOversway

@Raffi_ said in Intermittent Problems Reaching Anything Beyond pfSense Firewall:

@TangoOversway If you go to System/Routing/Gateways, what do you have set as the monitor IP for the primary WAN gateway? By default this is blank and will monitor your modem IP. I would suggest putting in something like google DNS (8.8.8.8 or 8.8.4.4) as a monitoring IP. This would give you a better understanding of your internet connection in the monitoring graphs and logs.

Here's a screenshot of what I have in System/Routing/Gateways. Odd, but it still has the old firewall name there and I thought that was gone.

I have changed the Monitor IP for "WAN_DHCP (default)" to 8.8.8.8

Could you go more in depth on what you mean about monitoring? I see it mentioned in the docs, but not clearly explained. I would assume that pfSense pings the monitoring IP periodically to monitor the status of the connection and if it's working or down?

Raffi_

If you have anything under gateway you don't expect such as the old firewall you're mentioning, then it should probably be removed. Before changing anything though, save all your settings just in case. Go to Diagnostics/Backup & Restore, then hit the download configuration as xml button.

It may not be needed once you clean up the gateways, but I would still manually change the default IPV4 and IPV6 off of automatic and manually select the gateway you want being used. That removes any ambiguity with which gateway is being used.

Could you go more in depth on what you mean about monitoring? I see it mentioned in the docs, but not clearly explained. I would assume that pfSense pings the monitoring IP periodically to monitor the status of the connection and if it's working or down?

Yes, it pings the monitor ip twice a second by default. If the packet loss reaches a certain threshold (10% by default) it will mark the gateway as being down.

TangoOversway

@Raffi_ said in Intermittent Problems Reaching Anything Beyond pfSense Firewall:

@TangoOversway after you make the change to your monitor IP, keep an eye on your WAN gateway monitoring graphs when the problem comes up.

This is what those graphs looks like. A tiny bit of packet loss can be ignored like the ones seen in mine, but when you're see the issue, the packet loss would increase if your connection to the web is the issue.

I had no idea the interface could be monitored like that. Blame that on lack of knowledge, but I also thought I knew the old system pretty well. I don't know if all this has been added in the past decade, or if I was just always a lot more ignorant of all the things pfSense can do!

Here's my graph for 24 hours. And over this time, I figure it was about 21:00 last night when my wife and I were running all the tests and couldn't get her computer t pull up much of anything. I don't see much going on at that time. I do see spikes in delays at 5:00, when I was trying to install Linux on a system that had just recently got messed up. I had a lot of problems then, with the Debian installer not being able to download files and I had to restart stages in the install a number of times. Another notable set of peaks about 7:45, which is when I had trouble downloading several files to install Channels DVR. The install script uses curl and wget a number of times to get the files it needs.

I checked back, just now, in my bash history, and found that it was during that install session, around 5:00 this morning, when I could not ping Google by using the IP address.

Raffi_

The monitoring graph as it is currently doesn't tell us a whole lot other than pfSense was able to ping your modem without issues. Going forward though, since the monitoring IP has been changed to something out on the web it should be more useful.

TangoOversway

@Raffi_ said in Intermittent Problems Reaching Anything Beyond pfSense Firewall:

If you have anything under gateway you don't expect such as the old firewall you're mentioning, then it should probably be removed.

You're not talking physically, right? As in nearby or still hooked up, right? None of that. I did try to change the gateway name, but that's not allowed.

Before changing anything though, save all your settings just in case. Go to Diagnostics/Backup & Restore, then hit the download configuration as xml button.

I'm paranoid. I like backups! But thank you - I am spotty and there are things I know well, but I often miss basics.

It may not be needed once you clean up the gateways, but I would still manually change the default IPV4 and IPV6 off of automatic and manually select the gateway you want being used. That removes any ambiguity with which gateway is being used.

I'm assuming, by "clean up," you mean changing that name to what I'm using for everything else at this point (like the host name for the firewall) and changing the Monitor IP. But the system won't let me change the name of a gateway. I'm also not clear what you mean by changing them off automatic. Do you mean to specify to use one in particular (like not using DHCP6 at this point)?

Raffi_

I'm a little confused by that tiktok gateway. What is that? Is it an interface which provides web access?

TangoOversway

@Raffi_ said in Intermittent Problems Reaching Anything Beyond pfSense Firewall:

The monitoring graph as it is currently doesn't tell us a whole lot other than pfSense was able to ping your modem without issues.

Then is it having delays while I was downloading a lot of data normal, since the interface was in use at that point?

Going forward though, since the monitoring IP has been changed to something out on the web it should be more useful.

I'm hoping it gives me something good. I take it that if it shows the gateway as down, or packet losses, or anything like that, that will prove it's the internet router and not something I've done wrong in the firewall?

TangoOversway

@Raffi_ said in Intermittent Problems Reaching Anything Beyond pfSense Firewall:

I'm a little confused by that tiktok gateway. What is that? Is it an interface which provides web access?

tiktok was the host name of the old firewall. I may have typed that in, out of habit, when I set things up. (I used to have an Oz theme to all the names on my LAN, now it's Tolkien.) pfSense won't let me change it and says something about how it can't allow changing gateway names. It's to the LAN. I use the 172.16.7.xxx address space on my LAN. The 192.168.0.xxx space is the no-man's-land zone between the internet router and my firewall. What I don't get is that the router is 192.168.0.1 and serves as the DHCP for that zone (which is only the LAN side of the internet router and the WAN side of the firewall).

Just to clarify - Internet comes into the wireless router, then the router's LAN interface at 192.168.0.1, then to the firewall's WAN interface at 192.168.0.180, then on the LAN side of the firewall is 172.16.7.1.

Raffi_

Then is it having delays while I was downloading a lot of data normal, since the interface was in use at that point?

I wouldn't worry about that. Those numbers looked fine. If you look at my graph my peak standard deviation was around 4ms even higher than yours. That's not really telling us much. It's definitely not an issue and nothing to worry about.

I'm hoping it gives me something good. I take it that if it shows the gateway as down, or packet losses, or anything like that, that will prove it's the internet router and not something I've done wrong in the firewall?

We'll have to wait and see, but basically yes. If you can't ping past the modem then you're modem or something upstream is likely the issue.

tiktok was the host name of the old firewall. I may have typed that in, out of habit, when I set things up. (I used to have an Oz theme to all the names on my LAN, now it's Tolkien.) pfSense won't let me change it and says something about how it can't allow changing gateway names. It's to the LAN. I use the 172.16.7.xxx address space on my LAN. The 192.168.0.xxx space is the no-man's-land zone between the internet router and my firewall. What I don't get is that the router is 192.168.0.1 and serves as the DHCP for that zone (which is only the LAN side of the internet router and the WAN side of the firewall).

It sound to me like tiktok should not be a gateway at all. Don't try to rename it, delete it completely from that list. It sounds like that was something that might have been copied over from the old setup but shouldn't be there.

TangoOversway

@Raffi_

@Raffi_ said in Intermittent Problems Reaching Anything Beyond pfSense Firewall:

It sound to me like tiktok should not be a gateway at all. Don't try to rename it, delete it completely from that list. It sounds like that was something that might have been copied over from the old setup but shouldn't be there.

Quite possible. I don't remember timing, but at some point in the past, I was updating my old pfSense regularly. Then there was some change, I forgot what it was, but instead of just saving the config, then updating it through the web interface, there was more to do. I don't remember what, but I remember part of the issue was that I'd have to make a new image file (and use a serial cable - and mine had busted) and that the config file format had changed or something.

So when I installed this firewall, I didn't even bother to save the config and load it. Since there was some reason that wouldn't have worked 10 years ago, I didn't even try it now. I just took screenshots of everything and copied it all by hand. I could have just entered 'tiktok' accidentally somewhere without thinking it over.

TangoOversway

@Raffi_ :

Here's what I get when I pick related settings for the interfaces. It indicates tiktok is on the LAN interface. Did I set something up wrong or is it just the gateway from the firewall to the LAN?

Raffi_

172.16.7.1 is your LAN interface? If so, then tiktok should be deleted from Gateways.

TangoOversway

@Raffi_ said in Intermittent Problems Reaching Anything Beyond pfSense Firewall:

172.16.7.1 is your LAN interface? If so, then tiktok should be deleted from Gateways.

Could that be causing problems with stuff being routed incorrectly or something like that? (I'm deleting it - just wondering if it could be part of the issue.)

TangoOversway

I'm seeing better results now than before. I've also found out that the Google server I was pinging as my way to check on my internet router is not always returning data even when everything else is okay. (I tried pinging several different sites, by domain and IP address, including a different Google server and I found that even when I could ping everything else, sometimes that server I had been using to test was down.)

With @Raffi_'s help, I've been monitoring the connection with a Monitor IP address and when I have problems, I check the graph and see that there has been no packet loss at all during those times. That makes me think it is the firewall after all, and likely DNS issues, so I'm going to start another thread, since that's an entirely different topic.

Raffi_

Could that be causing problems with stuff being routed incorrectly or something like that? (I'm deleting it - just wondering if it could be part of the issue.)

It could have been part of your problem. Maybe not the source of your problem, but it was definitely a configuration error which needed to be corrected.

If you're suspecting the issue is a firewall configuration problem, then you might be better off setting up pfSense from scratch using the wizard. The settings right out of the box should work fine. Ask yourself, what specific settings did you copy over from the old firewall that are actually important. Then reconfigure them later if needed. Manually copying settings from a 9 year old firewall could have very well been your problem all along.

Edit:
You could still be having issues with that IPV6 gateway if that's not configured right. Why don't you try removing that as well. It might solve your problem.

TangoOversway

@Raffi_ : I figured that issue out and am having good internet access now. The problem I'm still running into is getting DNS to work on my LAN with the DHCP. I must have copied something wrong from the original firewall when I changed over. Anyway, it comes down to things working well when I stopped using the DNS Resolver. (That's why I think I must have copied something wrong or set it up wrong when I activated DNS on pfSense.)

So I've posted a new thread here that starts with the DNS issues, overall, and mentions that now the DNS just doesn't seem to want to behave.

stephenw10

@TangoOversway said in Intermittent Problems Reaching Anything Beyond pfSense Firewall:

172.16.7.1 is your LAN interface? If so, then tiktok should be deleted from Gateways.

Could that be causing problems with stuff being routed incorrectly or something like that? (I'm deleting it - just wondering if it could be part of the issue.)

In 2.4.X the system default gateway is set to automatic by default, yours is in the screenshot there. If you have more than one IPv4 gateway and the main WAN fails it will failover to any others available. Here you have the LAN interface itself set as a gateway, if the system sets that as default you will end up with no connectivity.
You should set the system IPv4 default gateway to WAN_DHCP to avoid that ever happening.

The only reason you might have a gateway set as the LAN interface is to route traffic over IPSec. This:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/accessing-firewall-services-over-ipsec-vpns.html

If you were/are not doing that it's probably an invalid gateway.

Steve

TangoOversway

@stephenw10 said in Intermittent Problems Reaching Anything Beyond pfSense Firewall:

@TangoOversway said in Intermittent Problems Reaching Anything Beyond pfSense Firewall:

172.16.7.1 is your LAN interface? If so, then tiktok should be deleted from Gateways.

Could that be causing problems with stuff being routed incorrectly or something like that? (I'm deleting it - just wondering if it could be part of the issue.)

In 2.4.X the system default gateway is set to automatic by default, yours is in the screenshot there. If you have more than one IPv4 gateway and the main WAN fails it will failover to any others available. Here you have the LAN interface itself set as a gateway, if the system sets that as default you will end up with no connectivity.

Could that have resulted in some kind of intermittent non-connectivity? If so, that might explain a lot. But I don't see how I could have created that gateway accidentally!

You should set the system IPv4 default gateway to WAN_DHCP to avoid that ever happening.

I reset to factory defaults and that fixed that and some other issues. But it helps to know what was going wrong, since it was such a puzzle and so frustrating!

The only reason you might have a gateway set as the LAN interface is to route traffic over IPSec. This:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/accessing-firewall-services-over-ipsec-vpns.html

I didn't set that up and know I wouldn't have done that at all until I had the basic system working first, so I'm figuring that extra gateway was because I checked a box I didn't mean to or something like that.

If you were/are not doing that it's probably an invalid gateway.

If it cause the problems, then it would be nice to know the culprit was found.

stephenw10

The most common way people add a LAN gateway by mistake is if they add a new internal interface in the webgui or they set a new IP address on the existing LAN from the console menu. In both those situations you are presented with an option to add a gateway. There is text guidance explaining that only 'WAN' type interfaces should have a gateway but it's easy to think you are entering the gateway clients should use and add the LAN IP as a gateway. That's incorrect but we see a lot of people do that.
Only WAN interfaces should have a gateway defined on them directly. That is adding a gateway for the firewall itself not a gateway for clients to use. pfSense uses the presence of a gateway on an interface to identify it as a WAN and will add automatic outbound NAT rules to it.

Steve