Can't ping from GUI, unstable game server connection, gateway monitoring does not work
-
Just tried pinging the gateway from LAN, still can't ping it. Should i upload the packet capture results here? I see a error in the packet capture: (wrong icmp cksum ffff (->a868)!)
The MAC Addresses are the correct ones
I am new to networking, sorry if I mention/ask anything stupid
-
That error is because of hardware checksum offloading in the NIC and is normal.
Just to be clear you are able to ping the gateway from a client behind pfSense in the LAN?
-
I can ping the gateway from a client on the LAN side, that's correct. Should i disable hardware checksum offloading?
-
As of this day, I can't find a solution to the ping problems I have:
As of the unstable game server connection, i managed to fix this by disconnecting a PC with a problematic NIC that was causing some problems.
Here is the Packet Capture results for anybody that knows and can help:
--------------------------------
Packet Capture On WAN
--------------------------------11:15:34.921725 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 20094, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 1650, seq 5427, length 9
11:15:34.922009 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 45511, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 1650, seq 5427, length 9 (wrong icmp cksum ffff (->e45a)!)
11:15:35.424477 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 52722, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 1650, seq 5428, length 9
11:15:35.424801 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 45512, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 1650, seq 5428, length 9 (wrong icmp cksum ffff (->e459)!)
11:15:35.925787 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 48387, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 1650, seq 5429, length 9
11:15:35.926037 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 45513, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 1650, seq 5429, length 9 (wrong icmp cksum ffff (->e458)!)
11:15:36.426986 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 3152, offset 0, flags [none], proto ICMP (1), length 29)----------------------------
Some more information
----------------------------LAN --> PfSense --> Modem / Router (with DMZ for PfSense)
I send the ping from WAN and get no responce... Seems wierd. If i ping from LAN, still the same... If I Try to ping my Gateway (Modem/Router) from a computer on LAN, i get a responce... That's strange...
-
That pcap is on the WAN an those are the pfSense gateway monitoring pings? (the 0.5s interval looks like it is).
You should definitely try disabling checksum off loading as a test. Hard to imagine that being a problem on an i350 but...
That's in Sys > Adv > Networking.Steve
-
Turned off checksum offloading, still the same issue
18:24:33.524284 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 57871, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 40946, seq 883, length 9
18:24:33.524538 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 31165, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 40946, seq 883, length 9 (wrong icmp cksum ffff (->5c9a)!)
18:24:34.026282 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 57893, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 40946, seq 884, length 9
18:24:34.026550 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 31166, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 40946, seq 884, length 9 (wrong icmp cksum ffff (->5c99)!)
18:24:34.527551 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 41793, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 40946, seq 885, length 9
18:24:34.527796 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 31167, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 40946, seq 885, length 9 (wrong icmp cksum ffff (->5c98)!)
18:24:35.029281 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 5582, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 40946, seq 886, length 9
18:24:35.029547 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 31168, offset 0, flags [none], proto ICMP (1), length 29)I can provide the whole cap file if you wish. I just don't want to spam the forums with the pcap output
-
Is it actually disabled? What does
ifconfig -vvvma
show for the WAN? -
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: Internet
options=8100b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER>
capabilities=f53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6>
ether a0:36:9f:05:1e:a2
inet6 fe80::a236:9fff:fe05:1ea2%igb0 prefixlen 64 scopeid 0x1
inet 192.168.100.2 netmask 0xffffff00 broadcast 192.168.100.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
supported media:
media autoselect
media 1000baseT
media 1000baseT mediaopt full-duplex
media 100baseTX mediaopt full-duplex
media 100baseTX
media 10baseT/UTP mediaopt full-duplex
media 10baseT/UTP
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>Here is the output of the command.
(Removed igb1 from the post, since you only asked for wan.)
-
Hmm, yeah that all looks fine.
If you ping the gateway from something else behind pfSense and capture those packets do they show a bad checksum?
Hard to explain what you're seeing there...
Steve
-
Seems like it doesn't
19:32:46.407862 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 60933, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 64834, seq 1, length 64
19:32:46.408197 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 39305, offset 0, flags [none], proto ICMP (1), length 84)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 64834, seq 1, length 64
19:32:47.421991 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 61047, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 64834, seq 2, length 64
19:32:47.422265 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 39306, offset 0, flags [none], proto ICMP (1), length 84)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 64834, seq 2, length 64
19:32:48.445945 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 61302, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 64834, seq 3, length 64
19:32:48.446194 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 39307, offset 0, flags [none], proto ICMP (1), length 84)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 64834, seq 3, length 64 -
Hmm, well there is always the possibility that it is actually a bad checksum, though I've never seen that before. Except that the values it's showing imply it's not able to see a checksum at all:
wrong icmp cksum ffff
You tried swapping WAN to a different port?
-
I am currently away from my machine, but can try this again when I am there. I think that the last time I tried this it did not work but I will swap them just to make sure
-
By the way, is there any way I can fix a bad checksum on a card (if my card has a bad checksum)?
-
You can (somehow) end up with a bad firmware checksum on the card but that's not the same thing as being unable to read incoming packet checksums.
Hard to see what could cause that. -
This post is deleted! -
I changed the WAN port and i still have the same issue. The WAN port is now the onboard intel lan that my motherboard has.
11:10:52.483720 70:85:c2:88:89:5f > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 37908, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 42553, seq 654, length 9
11:10:52.484110 0c:b9:12:05:6b:80 > 70:85:c2:88:89:5f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 2509, offset 0, flags [none], proto ICMP (1), length 29) -
Well it's not showing a checksum error there now. But the firewall still doesn't show ping replies?
Assuming that second packet is a reply, I think you missed the last line. Which might still show the error!
-
Seems like I missed a line...
18:39:02.151563 70:85:c2:88:89:5f > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 38915, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 42553, seq 54235, length 9
18:39:02.151878 0c:b9:12:05:6b:80 > 70:85:c2:88:89:5f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 56090, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 42553, seq 54235, length 9 (wrong icmp cksum ffff (->85ea)!)
18:39:02.652615 70:85:c2:88:89:5f > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 12414, offset 0, flags [none], proto ICMP (1), length 29)Sorry about that
-
Hmm, Ok so that's a completely different NIC, not on the expansion card?
And I assume ifconfig still shows checksum off-loading is disabled?
And you cannot ping out to anywhere from the firewall?
I'd probably re-install clean at that point just to be sure. A default install with an Intel NIC is close to guaranteed to work. It's hard to see what could be causing that.
Steve
-
Correct, that NIC is the onboard one, not a port from my i350
I tried a clean install before but it did not help with my issue..
I can ping from my computer but i cannot ping from PfSense itself...
Edit: Here is the config for em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: Internet
options=810098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
capabilities=953d9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP>
ether 70:85:c2:88:89:5f
inet6 fe80::7285:c2ff:fe88:895f%em0 prefixlen 64 scopeid 0x3
inet 192.168.100.2 netmask 0xffffff00 broadcast 192.168.100.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
supported media:
media autoselect
media 1000baseT
media 1000baseT mediaopt full-duplex
media 100baseTX mediaopt full-duplex
media 100baseTX
media 10baseT/UTP mediaopt full-duplex
media 10baseT/UTP
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>