Can't ping from GUI, unstable game server connection, gateway monitoring does not work

AlexanderOF

I have installed PfSense 2.5.2 on a custom pc build with a Intel i350-t2, 8GB of ram and a G5400 dual-core cpu.

My problem is that PfSense can't ping IPs (from Cloudflare, Google etc.) from the web GUI ping utility but I can ping them from LAN from a PC. I have created a floating rule which allows ICMP traffic, but that did not fix my issue. Also, PfSense can't ping the default gateway (My ISPs Modem/Router). There are 2 errors that were logged by PfSense when trying to ping the default gateway:

sendto error: 50 (The most common one)
sendto error: 65 (This is common too)

Also, I am hosting a Minecraft server and for some reason after switching to PfSense i have weird issues where players get disconnected at random times. I don't think I have the wrong settings on NAT, because I believe that otherwise we would not be able to connect at all

I have searched everything, tried re-installing PfSense, nothing worked.

Sorry if this post is a mess (it's also my first time posting on a forum for help). I tried everything and i am confused and also frustrated. Hope i find a solution!

(EDIT) Tried capturing the ICPM Packets send from the GUI Ping Utility:

1 0.000000 192.168.100.2 192.168.100.1 ICMP 43 Echo (ping) request id=0xc231, seq=13221/42291, ttl=64 (no response found!)
2 0.000288 192.168.100.1 192.168.100.2 ICMP 60 Echo (ping) reply id=0xc231, seq=13221/42291, ttl=64
3 0.501233 192.168.100.2 192.168.100.1 ICMP 43 Echo (ping) request id=0xc231, seq=13222/42547, ttl=64 (no response found!)
4 0.501523 192.168.100.1 192.168.100.2 ICMP 60 Echo (ping) reply id=0xc231, seq=13222/42547, ttl=64
5 1.019231 192.168.100.2 192.168.100.1 ICMP 43 Echo (ping) request id=0xc231, seq=13223/42803, ttl=64 (no response found!)

Here are the packet capture results ^

stephenw10

Where was that capture run?

If it was on the WAN have you swapped out the IPs or is it behind some other NAT device?

What are the MAC addresses on those pings?
The fact is shows 'no response found' but the reply appears to be there implies something low level like an IP or MAC address conflict.

Steve

AlexanderOF

I run this capture with the built in Packet Capture tool on Pfsense with WAN chosen. I reinstalled PfSsense, now with a static ip instead of it taking a lease from my modem's DHCP server. (Don't really know how this is going to affect it.) I dont know how to check the MAC Addresses on those pings. Should I run a packet capture again?

I can ping my modem from my pc (and any other ip, like cloudflare), but I cannot ping it from PfSense.

stephenw10

You can probably just view the capture already there. Just set the 'level of detail' higher to see the MACs. Or you can download it and view in, for example, wireshark but that's probably not necessary.

Can you ping the modem from pfSense if you set the source as LAN?

Steve

AlexanderOF

Just tried pinging the gateway from LAN, still can't ping it. Should i upload the packet capture results here? I see a error in the packet capture: (wrong icmp cksum ffff (->a868)!)

The MAC Addresses are the correct ones

I am new to networking, sorry if I mention/ask anything stupid

stephenw10

That error is because of hardware checksum offloading in the NIC and is normal.

Just to be clear you are able to ping the gateway from a client behind pfSense in the LAN?

AlexanderOF

I can ping the gateway from a client on the LAN side, that's correct. Should i disable hardware checksum offloading?

AlexanderOF

As of this day, I can't find a solution to the ping problems I have:

As of the unstable game server connection, i managed to fix this by disconnecting a PC with a problematic NIC that was causing some problems.

Here is the Packet Capture results for anybody that knows and can help:

--------------------------------
Packet Capture On WAN
--------------------------------

11:15:34.921725 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 20094, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 1650, seq 5427, length 9
11:15:34.922009 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 45511, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 1650, seq 5427, length 9 (wrong icmp cksum ffff (->e45a)!)
11:15:35.424477 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 52722, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 1650, seq 5428, length 9
11:15:35.424801 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 45512, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 1650, seq 5428, length 9 (wrong icmp cksum ffff (->e459)!)
11:15:35.925787 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 48387, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 1650, seq 5429, length 9
11:15:35.926037 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 45513, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 1650, seq 5429, length 9 (wrong icmp cksum ffff (->e458)!)
11:15:36.426986 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 3152, offset 0, flags [none], proto ICMP (1), length 29)

----------------------------
Some more information
----------------------------

LAN --> PfSense --> Modem / Router (with DMZ for PfSense)

I send the ping from WAN and get no responce... Seems wierd. If i ping from LAN, still the same... If I Try to ping my Gateway (Modem/Router) from a computer on LAN, i get a responce... That's strange...

stephenw10

That pcap is on the WAN an those are the pfSense gateway monitoring pings? (the 0.5s interval looks like it is).
You should definitely try disabling checksum off loading as a test. Hard to imagine that being a problem on an i350 but...
That's in Sys > Adv > Networking.

Steve

AlexanderOF

Turned off checksum offloading, still the same issue

18:24:33.524284 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 57871, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 40946, seq 883, length 9
18:24:33.524538 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 31165, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 40946, seq 883, length 9 (wrong icmp cksum ffff (->5c9a)!)
18:24:34.026282 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 57893, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 40946, seq 884, length 9
18:24:34.026550 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 31166, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 40946, seq 884, length 9 (wrong icmp cksum ffff (->5c99)!)
18:24:34.527551 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 41793, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 40946, seq 885, length 9
18:24:34.527796 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 31167, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 40946, seq 885, length 9 (wrong icmp cksum ffff (->5c98)!)
18:24:35.029281 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 5582, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 40946, seq 886, length 9
18:24:35.029547 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 31168, offset 0, flags [none], proto ICMP (1), length 29)

I can provide the whole cap file if you wish. I just don't want to spam the forums with the pcap output

stephenw10

Is it actually disabled? What does ifconfig -vvvma show for the WAN?

AlexanderOF

igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: Internet
options=8100b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER>
capabilities=f53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6>
ether a0:36:9f:05:1e:a2
inet6 fe80::a236:9fff:fe05:1ea2%igb0 prefixlen 64 scopeid 0x1
inet 192.168.100.2 netmask 0xffffff00 broadcast 192.168.100.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
supported media:
media autoselect
media 1000baseT
media 1000baseT mediaopt full-duplex
media 100baseTX mediaopt full-duplex
media 100baseTX
media 10baseT/UTP mediaopt full-duplex
media 10baseT/UTP
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Here is the output of the command.

(Removed igb1 from the post, since you only asked for wan.)

stephenw10

Hmm, yeah that all looks fine.

If you ping the gateway from something else behind pfSense and capture those packets do they show a bad checksum?

Hard to explain what you're seeing there...

Steve

AlexanderOF

Seems like it doesn't

19:32:46.407862 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 60933, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 64834, seq 1, length 64
19:32:46.408197 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 39305, offset 0, flags [none], proto ICMP (1), length 84)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 64834, seq 1, length 64
19:32:47.421991 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 61047, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 64834, seq 2, length 64
19:32:47.422265 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 39306, offset 0, flags [none], proto ICMP (1), length 84)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 64834, seq 2, length 64
19:32:48.445945 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 61302, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 64834, seq 3, length 64
19:32:48.446194 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 39307, offset 0, flags [none], proto ICMP (1), length 84)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 64834, seq 3, length 64

stephenw10

Hmm, well there is always the possibility that it is actually a bad checksum, though I've never seen that before. Except that the values it's showing imply it's not able to see a checksum at all:
wrong icmp cksum ffff

You tried swapping WAN to a different port?

AlexanderOF

I am currently away from my machine, but can try this again when I am there. I think that the last time I tried this it did not work but I will swap them just to make sure

AlexanderOF

By the way, is there any way I can fix a bad checksum on a card (if my card has a bad checksum)?

stephenw10

You can (somehow) end up with a bad firmware checksum on the card but that's not the same thing as being unable to read incoming packet checksums.
Hard to see what could cause that.

AlexanderOF

This post is deleted!

AlexanderOF

I changed the WAN port and i still have the same issue. The WAN port is now the onboard intel lan that my motherboard has.

11:10:52.483720 70:85:c2:88:89:5f > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 37908, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 42553, seq 654, length 9
11:10:52.484110 0c:b9:12:05:6b:80 > 70:85:c2:88:89:5f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 2509, offset 0, flags [none], proto ICMP (1), length 29)