Can't ping from GUI, unstable game server connection, gateway monitoring does not work

stephenw10

That error is because of hardware checksum offloading in the NIC and is normal.

Just to be clear you are able to ping the gateway from a client behind pfSense in the LAN?

AlexanderOF

I can ping the gateway from a client on the LAN side, that's correct. Should i disable hardware checksum offloading?

AlexanderOF

As of this day, I can't find a solution to the ping problems I have:

As of the unstable game server connection, i managed to fix this by disconnecting a PC with a problematic NIC that was causing some problems.

Here is the Packet Capture results for anybody that knows and can help:

--------------------------------
Packet Capture On WAN
--------------------------------

11:15:34.921725 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 20094, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 1650, seq 5427, length 9
11:15:34.922009 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 45511, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 1650, seq 5427, length 9 (wrong icmp cksum ffff (->e45a)!)
11:15:35.424477 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 52722, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 1650, seq 5428, length 9
11:15:35.424801 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 45512, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 1650, seq 5428, length 9 (wrong icmp cksum ffff (->e459)!)
11:15:35.925787 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 48387, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 1650, seq 5429, length 9
11:15:35.926037 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 45513, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 1650, seq 5429, length 9 (wrong icmp cksum ffff (->e458)!)
11:15:36.426986 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 3152, offset 0, flags [none], proto ICMP (1), length 29)

----------------------------
Some more information
----------------------------

LAN --> PfSense --> Modem / Router (with DMZ for PfSense)

I send the ping from WAN and get no responce... Seems wierd. If i ping from LAN, still the same... If I Try to ping my Gateway (Modem/Router) from a computer on LAN, i get a responce... That's strange...

stephenw10

That pcap is on the WAN an those are the pfSense gateway monitoring pings? (the 0.5s interval looks like it is).
You should definitely try disabling checksum off loading as a test. Hard to imagine that being a problem on an i350 but...
That's in Sys > Adv > Networking.

Steve

AlexanderOF

Turned off checksum offloading, still the same issue

18:24:33.524284 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 57871, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 40946, seq 883, length 9
18:24:33.524538 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 31165, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 40946, seq 883, length 9 (wrong icmp cksum ffff (->5c9a)!)
18:24:34.026282 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 57893, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 40946, seq 884, length 9
18:24:34.026550 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 31166, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 40946, seq 884, length 9 (wrong icmp cksum ffff (->5c99)!)
18:24:34.527551 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 41793, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 40946, seq 885, length 9
18:24:34.527796 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 31167, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 40946, seq 885, length 9 (wrong icmp cksum ffff (->5c98)!)
18:24:35.029281 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 5582, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 40946, seq 886, length 9
18:24:35.029547 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 31168, offset 0, flags [none], proto ICMP (1), length 29)

I can provide the whole cap file if you wish. I just don't want to spam the forums with the pcap output

stephenw10

Is it actually disabled? What does ifconfig -vvvma show for the WAN?

AlexanderOF

igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: Internet
options=8100b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER>
capabilities=f53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6>
ether a0:36:9f:05:1e:a2
inet6 fe80::a236:9fff:fe05:1ea2%igb0 prefixlen 64 scopeid 0x1
inet 192.168.100.2 netmask 0xffffff00 broadcast 192.168.100.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
supported media:
media autoselect
media 1000baseT
media 1000baseT mediaopt full-duplex
media 100baseTX mediaopt full-duplex
media 100baseTX
media 10baseT/UTP mediaopt full-duplex
media 10baseT/UTP
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Here is the output of the command.

(Removed igb1 from the post, since you only asked for wan.)

stephenw10

Hmm, yeah that all looks fine.

If you ping the gateway from something else behind pfSense and capture those packets do they show a bad checksum?

Hard to explain what you're seeing there...

Steve

AlexanderOF

Seems like it doesn't

19:32:46.407862 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 60933, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 64834, seq 1, length 64
19:32:46.408197 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 39305, offset 0, flags [none], proto ICMP (1), length 84)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 64834, seq 1, length 64
19:32:47.421991 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 61047, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 64834, seq 2, length 64
19:32:47.422265 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 39306, offset 0, flags [none], proto ICMP (1), length 84)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 64834, seq 2, length 64
19:32:48.445945 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 61302, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 64834, seq 3, length 64
19:32:48.446194 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 39307, offset 0, flags [none], proto ICMP (1), length 84)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 64834, seq 3, length 64

stephenw10

Hmm, well there is always the possibility that it is actually a bad checksum, though I've never seen that before. Except that the values it's showing imply it's not able to see a checksum at all:
wrong icmp cksum ffff

You tried swapping WAN to a different port?

AlexanderOF

I am currently away from my machine, but can try this again when I am there. I think that the last time I tried this it did not work but I will swap them just to make sure

AlexanderOF

By the way, is there any way I can fix a bad checksum on a card (if my card has a bad checksum)?

stephenw10

You can (somehow) end up with a bad firmware checksum on the card but that's not the same thing as being unable to read incoming packet checksums.
Hard to see what could cause that.

AlexanderOF

This post is deleted!

AlexanderOF

I changed the WAN port and i still have the same issue. The WAN port is now the onboard intel lan that my motherboard has.

11:10:52.483720 70:85:c2:88:89:5f > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 37908, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 42553, seq 654, length 9
11:10:52.484110 0c:b9:12:05:6b:80 > 70:85:c2:88:89:5f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 2509, offset 0, flags [none], proto ICMP (1), length 29)

stephenw10

Well it's not showing a checksum error there now. But the firewall still doesn't show ping replies?

Assuming that second packet is a reply, I think you missed the last line. Which might still show the error!

AlexanderOF

Seems like I missed a line...

18:39:02.151563 70:85:c2:88:89:5f > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 38915, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.2 > 192.168.100.1: ICMP echo request, id 42553, seq 54235, length 9
18:39:02.151878 0c:b9:12:05:6b:80 > 70:85:c2:88:89:5f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 56090, offset 0, flags [none], proto ICMP (1), length 29)
192.168.100.1 > 192.168.100.2: ICMP echo reply, id 42553, seq 54235, length 9 (wrong icmp cksum ffff (->85ea)!)
18:39:02.652615 70:85:c2:88:89:5f > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 12414, offset 0, flags [none], proto ICMP (1), length 29)

Sorry about that

stephenw10

Hmm, Ok so that's a completely different NIC, not on the expansion card?

And I assume ifconfig still shows checksum off-loading is disabled?

And you cannot ping out to anywhere from the firewall?

I'd probably re-install clean at that point just to be sure. A default install with an Intel NIC is close to guaranteed to work. It's hard to see what could be causing that.

Steve

AlexanderOF

Correct, that NIC is the onboard one, not a port from my i350

I tried a clean install before but it did not help with my issue..

I can ping from my computer but i cannot ping from PfSense itself...

Edit: Here is the config for em0

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: Internet
options=810098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
capabilities=953d9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP>
ether 70:85:c2:88:89:5f
inet6 fe80::7285:c2ff:fe88:895f%em0 prefixlen 64 scopeid 0x3
inet 192.168.100.2 netmask 0xffffff00 broadcast 192.168.100.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
supported media:
media autoselect
media 1000baseT
media 1000baseT mediaopt full-duplex
media 100baseTX mediaopt full-duplex
media 100baseTX
media 10baseT/UTP mediaopt full-duplex
media 10baseT/UTP
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

stephenw10

I mean really we can only conclude that the checksum really is bad and whatever is sending it is for some reason breaking it's own replies but only to the next hop.

Try testing pfSense behind something else perhaps?

Steve