Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Can't ping from GUI, unstable game server connection, gateway monitoring does not work

    Scheduled Pinned Locked Moved General pfSense Questions
    36 Posts 2 Posters 3.6k Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stephenw10S Offline
      stephenw10 Netgate Administrator
      last edited by

      That pcap is on the WAN an those are the pfSense gateway monitoring pings? (the 0.5s interval looks like it is).
      You should definitely try disabling checksum off loading as a test. Hard to imagine that being a problem on an i350 but...
      That's in Sys > Adv > Networking.

      Steve

      AlexanderOFA 1 Reply Last reply Reply Quote 0
      • AlexanderOFA Offline
        AlexanderOF @stephenw10
        last edited by

        Turned off checksum offloading, still the same issue

        18:24:33.524284 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 57871, offset 0, flags [none], proto ICMP (1), length 29)
        192.168.100.2 > 192.168.100.1: ICMP echo request, id 40946, seq 883, length 9
        18:24:33.524538 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 31165, offset 0, flags [none], proto ICMP (1), length 29)
        192.168.100.1 > 192.168.100.2: ICMP echo reply, id 40946, seq 883, length 9 (wrong icmp cksum ffff (->5c9a)!)
        18:24:34.026282 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 57893, offset 0, flags [none], proto ICMP (1), length 29)
        192.168.100.2 > 192.168.100.1: ICMP echo request, id 40946, seq 884, length 9
        18:24:34.026550 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 31166, offset 0, flags [none], proto ICMP (1), length 29)
        192.168.100.1 > 192.168.100.2: ICMP echo reply, id 40946, seq 884, length 9 (wrong icmp cksum ffff (->5c99)!)
        18:24:34.527551 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 41793, offset 0, flags [none], proto ICMP (1), length 29)
        192.168.100.2 > 192.168.100.1: ICMP echo request, id 40946, seq 885, length 9
        18:24:34.527796 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 31167, offset 0, flags [none], proto ICMP (1), length 29)
        192.168.100.1 > 192.168.100.2: ICMP echo reply, id 40946, seq 885, length 9 (wrong icmp cksum ffff (->5c98)!)
        18:24:35.029281 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 5582, offset 0, flags [none], proto ICMP (1), length 29)
        192.168.100.2 > 192.168.100.1: ICMP echo request, id 40946, seq 886, length 9
        18:24:35.029547 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 31168, offset 0, flags [none], proto ICMP (1), length 29)

        I can provide the whole cap file if you wish. I just don't want to spam the forums with the pcap output

        1 Reply Last reply Reply Quote 0
        • stephenw10S Offline
          stephenw10 Netgate Administrator
          last edited by

          Is it actually disabled? What does ifconfig -vvvma show for the WAN?

          AlexanderOFA 1 Reply Last reply Reply Quote 0
          • AlexanderOFA Offline
            AlexanderOF @stephenw10
            last edited by AlexanderOF

            igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            description: Internet
            options=8100b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER>
            capabilities=f53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6>
            ether a0:36:9f:05:1e:a2
            inet6 fe80::a236:9fff:fe05:1ea2%igb0 prefixlen 64 scopeid 0x1
            inet 192.168.100.2 netmask 0xffffff00 broadcast 192.168.100.255
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
            supported media:
            media autoselect
            media 1000baseT
            media 1000baseT mediaopt full-duplex
            media 100baseTX mediaopt full-duplex
            media 100baseTX
            media 10baseT/UTP mediaopt full-duplex
            media 10baseT/UTP
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

            Here is the output of the command.

            (Removed igb1 from the post, since you only asked for wan.)

            1 Reply Last reply Reply Quote 0
            • stephenw10S Offline
              stephenw10 Netgate Administrator
              last edited by

              Hmm, yeah that all looks fine.

              If you ping the gateway from something else behind pfSense and capture those packets do they show a bad checksum?

              Hard to explain what you're seeing there...

              Steve

              AlexanderOFA 1 Reply Last reply Reply Quote 0
              • AlexanderOFA Offline
                AlexanderOF @stephenw10
                last edited by

                Seems like it doesn't

                19:32:46.407862 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 60933, offset 0, flags [DF], proto ICMP (1), length 84)
                192.168.100.2 > 192.168.100.1: ICMP echo request, id 64834, seq 1, length 64
                19:32:46.408197 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 39305, offset 0, flags [none], proto ICMP (1), length 84)
                192.168.100.1 > 192.168.100.2: ICMP echo reply, id 64834, seq 1, length 64
                19:32:47.421991 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 61047, offset 0, flags [DF], proto ICMP (1), length 84)
                192.168.100.2 > 192.168.100.1: ICMP echo request, id 64834, seq 2, length 64
                19:32:47.422265 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 39306, offset 0, flags [none], proto ICMP (1), length 84)
                192.168.100.1 > 192.168.100.2: ICMP echo reply, id 64834, seq 2, length 64
                19:32:48.445945 a0:36:9f:05:1e:a2 > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 61302, offset 0, flags [DF], proto ICMP (1), length 84)
                192.168.100.2 > 192.168.100.1: ICMP echo request, id 64834, seq 3, length 64
                19:32:48.446194 0c:b9:12:05:6b:80 > a0:36:9f:05:1e:a2, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 39307, offset 0, flags [none], proto ICMP (1), length 84)
                192.168.100.1 > 192.168.100.2: ICMP echo reply, id 64834, seq 3, length 64

                1 Reply Last reply Reply Quote 0
                • stephenw10S Offline
                  stephenw10 Netgate Administrator
                  last edited by

                  Hmm, well there is always the possibility that it is actually a bad checksum, though I've never seen that before. Except that the values it's showing imply it's not able to see a checksum at all:
                  wrong icmp cksum ffff

                  You tried swapping WAN to a different port?

                  AlexanderOFA 1 Reply Last reply Reply Quote 0
                  • AlexanderOFA Offline
                    AlexanderOF @stephenw10
                    last edited by

                    I am currently away from my machine, but can try this again when I am there. I think that the last time I tried this it did not work but I will swap them just to make sure

                    AlexanderOFA 1 Reply Last reply Reply Quote 0
                    • AlexanderOFA Offline
                      AlexanderOF @AlexanderOF
                      last edited by

                      By the way, is there any way I can fix a bad checksum on a card (if my card has a bad checksum)?

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S Offline
                        stephenw10 Netgate Administrator
                        last edited by

                        You can (somehow) end up with a bad firmware checksum on the card but that's not the same thing as being unable to read incoming packet checksums.
                        Hard to see what could cause that.

                        AlexanderOFA 2 Replies Last reply Reply Quote 0
                        • AlexanderOFA Offline
                          AlexanderOF @stephenw10
                          last edited by AlexanderOF

                          This post is deleted!
                          1 Reply Last reply Reply Quote 0
                          • AlexanderOFA Offline
                            AlexanderOF @stephenw10
                            last edited by

                            I changed the WAN port and i still have the same issue. The WAN port is now the onboard intel lan that my motherboard has.

                            11:10:52.483720 70:85:c2:88:89:5f > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 37908, offset 0, flags [none], proto ICMP (1), length 29)
                            192.168.100.2 > 192.168.100.1: ICMP echo request, id 42553, seq 654, length 9
                            11:10:52.484110 0c:b9:12:05:6b:80 > 70:85:c2:88:89:5f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 2509, offset 0, flags [none], proto ICMP (1), length 29)

                            1 Reply Last reply Reply Quote 0
                            • stephenw10S Offline
                              stephenw10 Netgate Administrator
                              last edited by stephenw10

                              Well it's not showing a checksum error there now. But the firewall still doesn't show ping replies?

                              Assuming that second packet is a reply, I think you missed the last line. Which might still show the error!

                              AlexanderOFA 1 Reply Last reply Reply Quote 0
                              • AlexanderOFA Offline
                                AlexanderOF @stephenw10
                                last edited by

                                Seems like I missed a line...

                                18:39:02.151563 70:85:c2:88:89:5f > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 38915, offset 0, flags [none], proto ICMP (1), length 29)
                                192.168.100.2 > 192.168.100.1: ICMP echo request, id 42553, seq 54235, length 9
                                18:39:02.151878 0c:b9:12:05:6b:80 > 70:85:c2:88:89:5f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 56090, offset 0, flags [none], proto ICMP (1), length 29)
                                192.168.100.1 > 192.168.100.2: ICMP echo reply, id 42553, seq 54235, length 9 (wrong icmp cksum ffff (->85ea)!)
                                18:39:02.652615 70:85:c2:88:89:5f > 0c:b9:12:05:6b:80, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 12414, offset 0, flags [none], proto ICMP (1), length 29)

                                Sorry about that

                                1 Reply Last reply Reply Quote 0
                                • stephenw10S Offline
                                  stephenw10 Netgate Administrator
                                  last edited by

                                  Hmm, Ok so that's a completely different NIC, not on the expansion card?

                                  And I assume ifconfig still shows checksum off-loading is disabled?

                                  And you cannot ping out to anywhere from the firewall?

                                  I'd probably re-install clean at that point just to be sure. A default install with an Intel NIC is close to guaranteed to work. It's hard to see what could be causing that.

                                  Steve

                                  AlexanderOFA 1 Reply Last reply Reply Quote 0
                                  • AlexanderOFA Offline
                                    AlexanderOF @stephenw10
                                    last edited by AlexanderOF

                                    Correct, that NIC is the onboard one, not a port from my i350

                                    I tried a clean install before but it did not help with my issue..

                                    I can ping from my computer but i cannot ping from PfSense itself...

                                    Edit: Here is the config for em0

                                    em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                    description: Internet
                                    options=810098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
                                    capabilities=953d9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP>
                                    ether 70:85:c2:88:89:5f
                                    inet6 fe80::7285:c2ff:fe88:895f%em0 prefixlen 64 scopeid 0x3
                                    inet 192.168.100.2 netmask 0xffffff00 broadcast 192.168.100.255
                                    media: Ethernet autoselect (1000baseT <full-duplex>)
                                    status: active
                                    supported media:
                                    media autoselect
                                    media 1000baseT
                                    media 1000baseT mediaopt full-duplex
                                    media 100baseTX mediaopt full-duplex
                                    media 100baseTX
                                    media 10baseT/UTP mediaopt full-duplex
                                    media 10baseT/UTP
                                    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

                                    1 Reply Last reply Reply Quote 0
                                    • stephenw10S Offline
                                      stephenw10 Netgate Administrator
                                      last edited by

                                      I mean really we can only conclude that the checksum really is bad and whatever is sending it is for some reason breaking it's own replies but only to the next hop.

                                      Try testing pfSense behind something else perhaps?

                                      Steve

                                      AlexanderOFA 1 Reply Last reply Reply Quote 0
                                      • AlexanderOFA Offline
                                        AlexanderOF @stephenw10
                                        last edited by

                                        If i am correct, i should try testing PfSense with a different router (Instead of my provider's modem/router) ?

                                        1 Reply Last reply Reply Quote 0
                                        • stephenw10S Offline
                                          stephenw10 Netgate Administrator
                                          last edited by

                                          Yes, if you can. Or better, without the ISP's router at all.

                                          AlexanderOFA 1 Reply Last reply Reply Quote 0
                                          • AlexanderOFA Offline
                                            AlexanderOF @stephenw10
                                            last edited by

                                            So, now I am using a TP-Link Archer D2 as my gateway. Unfortunatelly, my ISP won't let me change modem. I can ping the gateway but cannot ping anything behind it... Oh god....

                                            For example, I cannot ping 1.1.1.1... What a mess....

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.