My Installation Experience



  • My Background:

    approx. 25 years experience onsite technical support/Deployment (Wrkstn/Srv/UPS/Printer) Windows environments
    approx. 20 years experience playing around with Linux starting with RedHat 2.0 - have used Knoppix/Debian/Ubuntu and variations

    My Firewall System: Dell XPS 630i Core 2 Duo 3.0Ghz  4GB ram 1-onboard nvidia chipset nic / one-tplink realtek chipset nic

    OK I installed pfsense and all seemed to go well…no issues whatsoever
    The first thing I noticed was that the wan nic was not able to get an address via DHCP - everything else seemed to be working fine (I would mention that when plugged into my R6300 router the wan link worked flawlessly, I tested pfsense for a week in that configuration before re-installing for the WAN link)

    I was not sure what to do-never had a router NOT be able to grab a WAN interface IP via DHCP before. After a bit of reading I decided to reboot the cable modem and the pfsense box. shut down pfsense. reboot cable modem. Startup pfsense-same issue no wan IP. I tried this more than a few times.

    Contacted my ISP and was told to connect the "router" (PFsense) to the cable modem just before bedtime, and leave the modem and the router powered on and connected. The theory was, the cable modem provided dhcp lease would expire overnight and issue another-at that point the pfsense box should retrieve the WAN IP. Did that (11.5hrs worth of waiting) - didn't work-still nothing on the WAN IP.

    Frustrated, I tried another software based UTM-I actually ended up downloading and installing 5 other software based UTMs. All except one had various issues ranging from no video display to only detecting one of my two nics.

    What finally worked for me is fine, Zentyal - Developer edition, but in one year I will have to either upgrade to a different developer version and all the possible challenges that entails or switch to another UTM - Developer version expires in 2017.

    -out of the box worked I mean. I installed Zentyal, configured it (what little configuration there was) and put it on the WAN interface with no issues whatsoever-it picked up an IP from my ISP immediately. I kinda like the fact it runs on top of Linux-it means all those Linux tools are available to me..I already installed and configured xrdp/ntop/bmon and a few others but I digress.

    Since I am in "get a UTM working mode" now I would like to know if Anyone could suggest ANYTHING that might help me get pfsense working on my current Dell XPS system hardware-so I can avoid having to do this all over again in a year.

    I would be willing to snapshot my current Zentyal and install pfsense and try any suggestions that make sense here...I can always re-image the drive if pfsense continues to give me issues.

    Thanks for whatever help you can provide ahead of time.



  • Just a guess, but this sounds exactly like the issues that I was having - try setting the WAN link speed to 100Mbs - see my post "WAN DHCP fails on reboot"



  • Since you said ANYTHING:

    I had the same if not similar symptoms. After pulling my hair out for a day it turned out to be the Cat6 cable going from the modem to the router. Replaced it with another cable and it instantly worked. I don't know why as that 'bad' cable works fine elsewhere.

    Anyway you asked for 'anything' :)



  • I thank you very much for your replies.

    @edmund…no <expletive> way!!!!! that's too easy and I never thought to try it

    @AR15USR .. I did purchase a brand new cat6 cable for the box but I can't for the life of me remember if I tried it on pfsense or if I purchased it and swapped it out just before the install of the other five UTMs I tried....

    2 good suggestions, thanks. I'll try to give em a go this weekend and report back here...no promises though, I've put in 50hrs already this week and it doesn't look like it's going to end anytime soon...I might not get a chance to image the drive until next weekend.

    Thanks!

    Appreciate your efforts.


  • Rebel Alliance Global Moderator

    "was told to connect the "router" (PFsense) to the cable modem just before bedtime, and leave the modem and the router powered on and connected. "

    So you have 25 years exp, and you followed those nonsense instructions??

    So did you think to sniff on and see what is happening without getting an IP?  Were you seeing dhcp offers come back from your discover?

    If you have an actual "cable" modem then reboot it..  Wait til it gets sync then boot up your pfsense box.  Those nics are not really fav nics with freebsd/pfsense - do you have an intel nic you can use?
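
The check suggested in the post above (does a DHCP offer come back for the discover?), as an added example that is not part of the original thread. It assumes the UDP payloads from a capture of ports 67/68 on the WAN interface have already been extracted; the MAC addresses, the IP address and the `build` helper are constructed for illustration.

```python
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"                     # RFC 2131 magic cookie
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6  # option 53 values, RFC 2132


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the message-type option of one DHCP payload."""
    if len(payload) < 241 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                          # 0 = pad, has no length byte
            i += 1
            continue
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    if len(options.get(53, b"")) != 1:
        raise ValueError("missing DHCP message type (option 53)")
    return {
        "op": op,
        "xid": xid,
        # chaddr is the client's MAC in both requests and replies
        "mac": payload[28:28 + min(hlen, 16)].hex(":"),
        "yiaddr": socket.inet_ntoa(payload[16:20]),
        "type": options[53][0],
    }


def diagnose(payloads) -> dict:
    """Return one verdict per client MAC describing how far the exchange got."""
    seen = {}
    for raw in payloads:
        try:
            msg = parse_dhcp(raw)
        except ValueError:
            continue                                  # not DHCP, ignore
        state = seen.setdefault(msg["mac"], {"types": set(), "ip": None})
        state["types"].add(msg["type"])
        if msg["type"] == ACK:
            state["ip"] = msg["yiaddr"]
    verdicts = {}
    for mac, state in seen.items():
        types = state["types"]
        if ACK in types:
            verdicts[mac] = "LEASED " + state["ip"]
        elif NAK in types:
            verdicts[mac] = "NAK"
        elif OFFER in types and REQUEST not in types:
            verdicts[mac] = "OFFER_NOT_REQUESTED"     # client side never answered
        elif OFFER in types:
            verdicts[mac] = "REQUEST_UNANSWERED"
        elif DISCOVER in types:
            verdicts[mac] = "NO_OFFER"                # nothing answers this MAC
        else:
            verdicts[mac] = "INCOMPLETE"
    return verdicts


def build(op, xid, mac, msg_type, yiaddr="0.0.0.0"):
    """Construct a minimal DHCP payload (sample data only)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)
    hdr += bytes(4) + socket.inet_aton(yiaddr) + bytes(8)
    hdr += mac.ljust(16, b"\0") + bytes(192)          # chaddr, sname, file
    return hdr + DHCP_MAGIC + bytes([53, 1, msg_type]) + b"\xff"


# Constructed capture: the new firewall's MAC gets no answer, the old router's MAC does.
NEW_FW = bytes.fromhex("00005e005301")
OLD_ROUTER = bytes.fromhex("00005e005302")
SAMPLE = [
    build(1, 0x1001, NEW_FW, DISCOVER),
    build(1, 0x1001, NEW_FW, DISCOVER),
    build(1, 0x1001, NEW_FW, DISCOVER),
    build(1, 0x2002, OLD_ROUTER, DISCOVER),
    build(2, 0x2002, OLD_ROUTER, OFFER, "198.51.100.23"),
    build(1, 0x2002, OLD_ROUTER, REQUEST),
    build(2, 0x2002, OLD_ROUTER, ACK, "198.51.100.23"),
    b"\x00" * 20,                                     # non-DHCP noise, skipped
]

if __name__ == "__main__":
    for mac, verdict in diagnose(SAMPLE).items():
        print(mac, verdict)
```

A `NO_OFFER` verdict only says that nothing answered that MAC; whether the cause is on the modem/ISP side or on the link is a separate question.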



  • I would have to agree. When I saw "25 years experience" I said to myself, it all depends on what things you have done, how deep you have gotten and how much learning you do on your own otherwise.

    Back to the subject, I have seen this 'sort of issue' time and time again in the forums.
    People simply cannot think logically when it comes to certain things. Perhaps because they have never done any (embedded) programming, or don't understand 100% how the network stack works at the physical (L2) and the logical levels (L3), plus the slight 'weird' behavior of certain devices.

    Here it is:
    When a cable modem boots, it will talk to the first ethernet (L2) device that it gets a request from.
    After that, it will NOT talk/respond to ANY other device on the same network (WAN). Usually you only have 1 device on the WAN side, so it's OK, BUT…
    The issue comes up when you go and try to connect a DIFFERENT L2 device to the WAN.
    The cable modem remembers the MAC Address of that first device it talked to, and again, will NOT respond to anybody else.
    Why do they do this? Mostly historical reasons (before NAT routers, to only allow people to connect 1 PC/device).

    SOLUTION: REBOOT cable modem every time you change WAN devices!!!

    I get around this in my redundant CARP WAN setup, where both the Master and Backup pfsense use a 'specific' Mac Address on the WAN.
    In the Backup pfsense, I did write/implement a shell script that gets triggered when WAN Carp goes to Master (change WAN MAC to the 'specific' Mac Address) and another script that gets triggered when WAN Carp goes to Backup (change WAN MAC to the built-in Mac Address).

    This allows me to have 2 pfsense (virtual) machines acting as CARP Master/Backup for redundancy on the WAN WITH a Non-Static IP Address (DHCP from ISP).

    @johnpoz:

    "was told to connect the "router" (PFsense) to the cable modem just before bedtime, and leave the modem and the router powered on and connected. "

    So you have 25 years exp, and you followed those nonsense instructions??

    So did you think to sniff on and see what is happening without getting an IP?  Were you seeing dhcp offers come back from your discover?

    If you have an actual "cable" modem then reboot it..  Wait til it gets sync then boot up your pfsense box.  Those nics are not really fav nics with freebsd/pfsense - do you have an intel nic you can use?


  • Rebel Alliance Global Moderator

    ^ agreed..  The cable modem likes to bind to that mac of the device connected to it.  I do a somewhat similar trick when I want to run a different vm of pfsense or another router/firewall distro to test out by just using the same mac on that vm..  Shutdown the old vm, turn on the new vm with the same mac = no reboot of the cable modem.



  • I think that the "how a cable modem works" discussion (while educational and useful) is getting away from the root of the problem here - which is that the auto-negotiate interface speed function is not working well - to put it politely.

    I've seen pfSense, on multiple occasions, over the last week completely fail to auto-negotiate a reliable interface speed and lock me out of the system with "Bad Gateway" errors or simply hang up the system.  Just what is going on to make a 2GHz, 4 core machine become virtually unresponsive is a mystery but it can be fixed by setting the WAN interface to 100baseTX and ignoring the stern "WARNING: MUST be set to autoselect (automatically negotiate speed) unless the port this interface connects to has its speed and duplex forced." on the interface page.



  • @edmund:

    I think that the "how a cable modem works" discussion (while educational and useful) is getting away from the root of the problem here - which is that the auto-negotiate interface speed function is not working well - to put it politely.

    I've seen pfSense, on multiple occasions, over the last week completely fail to auto-negotiate a reliable interface speed and lock me out of the system with "Bad Gateway" errors or simply hang up the system.  Just what is going on to make a 2GHz, 4 core machine become virtually unresponsive is a mystery but it can be fixed by setting the WAN interface to 100baseTX and ignoring the stern "WARNING: MUST be set to autoselect (automatically negotiate speed) unless the port this interface connects to has its speed and duplex forced." on the interface page.

    Since you are using your personal experience as anecdotal evidence, I'll do the same. I have been using monowall first and then pfSense for years on a wide variety of hardware: embedded, run of the mill PCs, expensive servers and all kinds of VMs and I never had to set any ports to anything other than auto-negotiate.



  • @MaxPF:

    Since you are using your personal experience as anecdotal evidence, I'll do the same. I have been using monowall first and then pfSense for years on a wide variety of hardware: embedded, run of the mill PCs, expensive servers and all kinds of VMs and I never had to set any ports to anything other than auto-negotiate.

    That's been my experience too until this month, I've never seen this problem before.  I started with FreeBSD, moved to M0n0wall, and then pfSense about 10 years ago.  To be fair, at that time 100Mb was fast and 1000Mbs was too expensive to worry about and until recently all my firewalls used 10/100 NICs so auto-negotiate was simpler.

    I'm open to the possibility that this could be a hardware issue, that NICs in the current firewall may not actually be real Intel NICs and that it could be a FreeBSD issue.  The thing is that if it's a real bug it's only going to show up when both ends of the cable are connected to 1000Mbs capable NICs and one of them refuses to auto-negotiate a 1000Mbs connection.  Under almost any other circumstances everything will work correctly.



  • @pppfsense:

    Here it is:
    When a cable modem boots, it will talk to the first ethernet (L2) device that it gets a request from.
    After that, it will NOT talk/respond to ANY other device on the same network (WAN). Usually you only have 1 device on the WAN side, so it's OK, BUT…
    The issue comes up when you go and try to connect a DIFFERENT L2 device to the WAN.
    The cable modem remembers the MAC Address of that first device it talked to, and again, will NOT respond to anybody else.
    Why do they do this? Mostly historical reasons (before NAT routers, to only allow people to connect 1 PC/device).

    SOLUTION: REBOOT cable modem every time you change WAN devices!!!

    That's only correct when you get only 1 dynamic IP from your ISP,
    or you have used up all the available public IPs you get from your ISP.

    For example, if you get 4 public IPs, and you have connected 4 devices, and you disconnect 1 of these 4 devices,
    the new device cannot get an IP until the lease for the disconnected device has ended.

    By rebooting the cable modem, you can end the active leases instantly.
    After connecting a new device, it gets a new IP, and the IP lease is provided for the MAC address of the new device.

    This all depends on what type of subscription you have from your ISP (1 IP or multiple IPs).
    Back in the old days (2000), here in Belgium you only got 1 public IP from the ISP, and for more computers/laptops,
    you had to pay extra for a subscription with 4 IPs.

    If today I plug in a switch with, for example, 16 ports right behind my cable modem (modem-only, no wifi), and I connect 16 different devices to this switch,
    all 16 devices instantly get a dynamic public IP from my ISP.
    With my subscription, I even got an unlimited amount of public IPs available from my ISP.

    Grtz
    DeLorean


  • Rebel Alliance Global Moderator

    "I even got an unlimited amount of public IPs available from my ISP."

    IPv6 sure why not… But I find it hard to believe they just give you unlimited public ipv4 addresses..



  • Aren't public IPs, statically assigned (i.e. NON DHCP)??

    In the US, and in Mexico and South America and UK (that I know), people only get 1 IP Address for residential service.

    Even in the US, for Commercial service, you only get 2 IPs and you don't get them with DHCP, they are static, so you set them yourself.

    Again, what you are saying is that in Germany, you can get up to 16 DHCP addresses from your ISP as a residential user?  (Is this Ip V6?)

    @DeLorean:

    @pppfsense:

    Here it is:
    When a cable modem boots, it will talk to the first ethernet (L2) device that it gets a request from.
    After that, it will NOT talk/respond to ANY other device on the same network (WAN). Usually you only have 1 device on the WAN side, so it's OK, BUT…
    The issue comes up when you go and try to connect a DIFFERENT L2 device to the WAN.
    The cable modem remembers the MAC Address of that first device it talked to, and again, will NOT respond to anybody else.
    Why do they do this? Mostly historical reasons (before NAT routers, to only allow people to connect 1 PC/device).

    SOLUTION: REBOOT cable modem every time you change WAN devices!!!

    That's only correct when you get only 1 dynamic IP from your ISP,
    or you have used up all the available public IPs you get from your ISP.

    For example, if you get 4 public IPs, and you have connected 4 devices, and you disconnect 1 of these 4 devices,
    the new device cannot get an IP until the lease for the disconnected device has ended.

    By rebooting the cable modem, you can end the active leases instantly.
    After connecting a new device, it gets a new IP, and the IP lease is provided for the MAC address of the new device.

    This all depends on what type of subscription you have from your ISP (1 IP or multiple IPs).
    Back in the old days (2000), here in Belgium you only got 1 public IP from the ISP, and for more computers/laptops,
    you had to pay extra for a subscription with 4 IPs.

    If today I plug in a switch with, for example, 16 ports right behind my cable modem (modem-only, no wifi), and I connect 16 different devices to this switch,
    all 16 devices instantly get a dynamic public IP from my ISP.
    With my subscription, I even got an unlimited amount of public IPs available from my ISP.

    Grtz
    DeLorean



  • The ONLY 2 times I have seen an issue with auto negotiation, were hardware related, bad cable, bad connector or bad nic/port.

    When you understand that the speed negotiation is very hardware dependent, you go chasing those ghosts somewhere else…

    Here, I would say, try a different cable first, then a different NIC (all/most brands work, but Intel do have better quality and performance).

    @MaxPF:

    @edmund:

    I think that the "how a cable modem works" discussion (while educational and useful) is getting away from the root of the problem here - which is that the auto-negotiate interface speed function is not working well - to put it politely.

    I've seen pfSense, on multiple occasions, over the last week completely fail to auto-negotiate a reliable interface speed and lock me out of the system with "Bad Gateway" errors or simply hang up the system.  Just what is going on to make a 2GHz, 4 core machine become virtually unresponsive is a mystery but it can be fixed by setting the WAN interface to 100baseTX and ignoring the stern "WARNING: MUST be set to autoselect (automatically negotiate speed) unless the port this interface connects to has its speed and duplex forced." on the interface page.

    Since you are using your personal experience as anecdotal evidence, I'll do the same. I have been using monowall first and then pfSense for years on a wide variety of hardware: embedded, run of the mill PCs, expensive servers and all kinds of VMs and I never had to set any ports to anything other than auto-negotiate.



  • I now have to wonder, how/why/when I learned this logical/illogical quirk about cable-modems :-)

    I think I noticed that a reboot was needed when changing WAN devices, while playing with virtual servers (esxi), so then I went on chasing the WHY, and figured out the modem remembered the MAC address of the previous device….and I wanted a way to keep connectivity without the need for a lengthy cable-modem reboot...

    I have been using my virtual pfsense master/backup setup in 2 machines under ESXi, for the last 5 or 6 years and I could not be happier.

    @johnpoz:

    ^ agreed..  The cable modem likes to bind to that mac of the device connected to it.  I do a somewhat similar trick when I want to run a different vm of pfsense or another router/firewall distro to test out by just using the same mac on that vm..  Shutdown the old vm, turn on the new vm with the same mac = no reboot of the cable modem.



    Ethernet autoneg is a function of the hardware, no?  The most the software does is reinit the phy, perhaps put in a configuration, but the hardware is where it actually happens (unless I'm misremembering my Broadcom specs).  Heck a lot of times when "forcing" a configuration the software doesn't disable autoneg, it simply limits the configurations.  Speed and duplex are both functions of autoneg, not just speed (and that's part of the problem if one end is autoneg the other forced.  Duplex often fails to negotiate so what should be a 100/Full winds up at 100/Half on one end).

    And yes, different hardware can have problems talking with other hardware.  Lots of times it comes down to how the mfg interpreted a spec.



  • From the posts above it's clear that auto-negotiation is a somewhat murky subject dependent on many factors.

    What puzzled me with my installation was that pfSense was showing that the auto-negotiated WAN NIC status was up but that there was no data connection or IP address.  Yet  it would reliably detect that there was an upgrade available, download it and install it.  Upon rebooting it reported the NIC was up but pfSense continued to fail to pull an IP address from the cable modem until I manually set the interface to 100Mbs, disabling auto-negotiation.

    I would have thought that if pfSense shows the NIC is up at 1000Mbs then it means that auto-negotiation has detected and set the link speed correctly.  Apparently this is not the case.

    I would have thought that if pfSense shows no IP address for the WAN connection then I don't have a connection - apparently this is wrong too since pfSense detected that an update was available, downloaded it, and upgraded just fine each time even though it was showing that it had not received an IP address from the modem.

    Frankly, I found the symptoms and the diagnostic information confusing - and looking at the other messages posted in this forum, I wonder if auto-negotiation issues might be a lot more common than people think.


  • Rebel Alliance Global Moderator

    "was no data connection or IP address.  Yet  it would reliably detect that there was an upgrade available, download it and install it. "

    Dude what are you on??  That is just not possible now is it…

    Kind of hard to talk on the internet without an IP address..

    Where were you seeing that it had no IP, did it show the gateway up with NO ip?  So your gui showed you what 0.0.0.0??  What did the console menu show that shows you interface IPs, what did ifconfig show??



  • The only relationship that autonegotiation has to an interface getting an IP address is that a link must be physically up for DHCP requests to go out and for responses to come back.

    Edmund, was your pfSense WAN connected directly to your cable modem or was there a switch in between?  Are you sure your cable modem was also set to autoneg?

    Auto neg has 2 parts:  speed and duplex.  If one end is forced the other not, speed will often be correct, but duplex is wrong.  Duplex wrong is one end thinks "full" the other thinks "half"  and you wind up with a lot of errors on the interface.
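
A sketch of how the duplex point above can be checked from the firewall's shell, added here as an example and not taken from the thread: it reads FreeBSD-style `ifconfig` and `netstat -i` text and flags forced media, a half-duplex result and a high error rate. The interface name `re0`, the sample outputs and the 1% threshold are constructed assumptions.

```python
import re

MEDIA_RE = re.compile(
    r"media:\s+Ethernet\s+(\S+)(?:\s+<([^>]*)>)?"     # configured media
    r"(?:\s+\((\S+?)(?:\s+<([^>]*)>)?\))?")           # (negotiated media), if shown
ERROR_RATE_LIMIT = 0.01   # assumption: more than 1% errored frames is worth a look


def parse_media(ifconfig_text):
    """Extract configured/negotiated media and carrier state for one interface."""
    m = MEDIA_RE.search(ifconfig_text)
    if not m:
        raise ValueError("no media line found")
    configured, cfg_opts, active, act_opts = m.groups()
    status = re.search(r"status:\s+(.+)", ifconfig_text)
    opts = (act_opts if active else cfg_opts) or ""
    return {
        "forced": configured != "autoselect",
        "speed": active or configured,
        "full_duplex": "full-duplex" in opts.split(","),
        "carrier": bool(status) and status.group(1).strip() == "active",
    }


def link_counters(netstat_text, iface):
    """Read the <Link#n> row for iface; the last six columns are the counters."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[0] == iface and f[2].startswith("<Link#"):
            ipkts, ierrs, _idrop, opkts, oerrs, coll = map(int, f[-6:])
            return {"pkts": ipkts + opkts, "errs": ierrs + oerrs + coll}
    raise ValueError("no link row for " + iface)


def assess_link(ifconfig_text, netstat_text, iface):
    """Return a list of findings; an empty list means nothing suspicious."""
    media = parse_media(ifconfig_text)
    if not media["carrier"]:
        return ["NO_CARRIER"]
    findings = []
    if media["forced"]:
        findings.append("FORCED_MEDIA")        # peer must be forced to the same setting
    if not media["full_duplex"]:
        findings.append("HALF_DUPLEX")         # typical result when the peer is forced
    c = link_counters(netstat_text, iface)
    rate = c["errs"] / c["pkts"] if c["pkts"] else 0.0
    if rate > ERROR_RATE_LIMIT:
        findings.append("HIGH_ERROR_RATE")
        if media["forced"] or not media["full_duplex"]:
            findings.append("SUSPECT_DUPLEX_MISMATCH")
    return findings


# Constructed sample outputs, modelled on the FreeBSD layout.
HDR = "Name    Mtu Network       Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll\n"
CLEAN_NETSTAT = HDR + "re0    1500 <Link#1>      00:00:5e:00:53:01   500000     0     0   400000     0     0\n"
NOISY_NETSTAT = HDR + "re0    1500 <Link#1>      00:00:5e:00:53:01   120934  4312     0    98011     0  2750\n"


def ifconfig_sample(media, status="active"):
    return ("re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
            "        ether 00:00:5e:00:53:01\n"
            "        media: Ethernet " + media + "\n"
            "        status: " + status + "\n")


AUTO_GIG = ifconfig_sample("autoselect (1000baseT <full-duplex>)")
AUTO_HALF = ifconfig_sample("autoselect (100baseTX <half-duplex>)")
FORCED_100 = ifconfig_sample("100baseTX <full-duplex>")
NO_LINK = ifconfig_sample("autoselect (none)", status="no carrier")

if __name__ == "__main__":
    for name, text, stats in [("auto gig", AUTO_GIG, CLEAN_NETSTAT),
                              ("auto half", AUTO_HALF, NOISY_NETSTAT),
                              ("forced 100", FORCED_100, NOISY_NETSTAT),
                              ("no link", NO_LINK, CLEAN_NETSTAT)]:
        print(name, assess_link(text, stats, "re0"))
```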



  • @johnpoz:

    "was no data connection or IP address.  Yet  it would reliably detect that there was an upgrade available, download it and install it. "

    Dude what are you on??  That is just not possible now is it…

    Kind of hard to talk on the internet without an IP address..

    Where were you seeing that it had no IP, did it show the gateway up with NO ip?  So your gui showed you what 0.0.0.0??  What did the console menu show that shows you interface IPs, what did ifconfig show??

    This was an installation from a USB drive to the system disk so I was working from the default pfSense stats/dashboard "interfaces" display - my feeling is that the dashboard display is not to be 100% trusted since, as you point out, there must have been a connection there for the upgrade to occur.  I don't remember the GUI showing any IP address although I had the green up arrow indicating the cable was plugged in.  Looking at the WAN interface it showed that it was configured as expected but it would not pull an address if I tried manually - the overall performance of pfSense was very slow unless the WAN interface was disabled so clearly something was going on in the background - two of the cores were at 100%



  • @mer:

    The only relationship that autonegotiation has to an interface getting an IP address is that a link must be physically up for DHCP requests to go out and for responses to come back.

    Edmund, was your pfSense WAN connected directly to your cable modem or was there a switch in between?  Are you sure your cable modem was also set to autoneg?

    Auto neg has 2 parts:  speed and duplex.  If one end is forced the other not, speed will often be correct, but duplex is wrong.  Duplex wrong is one end thinks "full" the other thinks "half"  and you wind up with a lot of errors on the interface.

    The modem was directly connected to the WAN interface via a 6 foot length of CAT5 cable, no switch.  In the end I got it to work by replacing the 5 foot CAT5 cable with a 25 foot length of CAT6 cable - with the CAT6 cable it connected at 1000Mbs but refused to make a connection at any speed with the CAT5 cable.

    The cable modem has no user accessible controls that I can find - I'll check on its spec but I'd assumed that pfSense would auto-negotiate regardless - at least that's always been my experience in the past.  I've ordered a bunch of CAT6 cables to try and do a bit more research into this, I have a ton of CAT5 cables in the bin.


  • Rebel Alliance Global Moderator

    cat 5 or 5e?  How old are these cables?



  • UPDATE - working with 2.3.2-DEVELOPMENT (amd64) built on Tue Jul 12 18:12:02 CDT 2016 FreeBSD 10.3-RELEASE-p5

    I replaced the cable between the WAN i/f and the Cable modem (Motorola Surfboard SB6121) yesterday with a new, three foot long, CAT6 cable.  I selected "autoselect" in the WAN interface and initially it showed a 1000Mbs connection - it worked just fine.

    This morning I updated to the current release and rebooted (I believe the problems that followed stem from the reboot) - upon rebooting the system came up and reported that the interface was up but that the IP was 0.0.0.0 - there was no internet connection (Capture1.PNG)

    After about a minute I refreshed the dashboard and it reported that the interface was done - note the CPU load at this point in Capture2.PNG.  The GUI was very slow, I pulled up the WAN interface to reset it to 100baseTX <full-duplex> - this took a couple of minutes - and then clicked Save.  After about 4-5 minutes the system reported 504 Bad Gateway and was completely unresponsive - basically it had hung up.  All the WAN and LAN lights on the firewall were flashing but the LAN interface that I was working on was effectively dead.

    I pulled the plug on the firewall and it rebooted - it came up with the interface set at 100baseTX <full-duplex> (so the save worked) and is now working fine  - Capture3.PNG - the CPU load has returned to normal and traffic is flowing.









  • After you updated, you rebooted, a warm restart, not power cycle, yes?  If so, have you tried setting WAN back to autoneg (not forced to anything) and power cycling?  There could be an issue with incomplete reinitialization of an interface at the driver level that causes issues on a warm restart but on a power cycle everything comes up clean.  Reason for asking is that it was fine yesterday, you updated, warm reboot and it had problems.



  • @johnpoz:

    "I even got an unlimited amount of public IPs available from my ISP."

    IPv6 sure why not… But I find it hard to believe they just give you unlimited public ipv4 addresses..

    @pppfsense:

    Aren't public IPs, statically assigned (i.e. NON DHCP)??

    In the US, and in Mexico and South America and UK (that I know), people only get 1 IP Address for residential service.

    Even in the US, for Commercial service, you only get 2 IPs and you don't get them with DHCP, they are static, so you set them yourself.

    Again, what you are saying is that in Germany, you can get up to 16 DHCP addresses from your ISP as a residential user?  (Is this Ip V6?)

    No not IPv6, unlimited public IPv4 addresses. This is in Belgium.
    I didn't know this till I had a client who had problems with 1 device that lost its IP address daily;
    only a reboot of the cable modem fixed this problem each time.
    This device was connected to a simple 8 port gigabit switch, right behind the cable modem.
    After this problem occurred multiple times during a few weeks, we called the technical department of the ISP
    and asked if there was a possibility that we had run out of available public IP addresses.
    Until that day, I thought that this client only received a maximum of 8 public IP addresses, but the technical department confirmed
    that we are getting practically unlimited IP addresses, and if we consumed too many public IP addresses,
    that they would first give a notice before cutting down the amount of IP addresses.
    Later we got a note that the problem with this 1 device was a problem with the DHCP server on the ISP side.

    A few days later, I personally tested whether it was true that we get unlimited IP addresses.
    At my home, I have the identical cable modem and ISP internet subscription as the client has,
    and this is residential use (Belgium).
    I connected a laptop to the switch right behind the cable modem, and each time I got a public IP,
    I changed the MAC address by 1 letter or 1 number, wrote the used MAC address down on paper,
    and each time automatically got a different public IP address.
    When I changed back to the previously used spoofed MAC addresses, the IP address leases were still active for each public IP address that I
    had received earlier.
    This lease was each time for a period of 1 hour.
    I then released each IP address, by using the list of used MAC addresses, because I didn't need all those different IP addresses,
    and it was for testing purposes.
    That day I tested it with more than 16 different MAC addresses without any problem getting unique, different IP addresses.

    If I have used torrent programs at home, after stopping them the torrent network users keep sniffing at the TCP listen port that was used by the torrent programs.
    This sometimes gives enormous logs full of block actions in pfSense; if I want this to stop, I change the MAC address of my WAN port in pfSense,
    get a different public IP address, and the sniffing on the TCP listen port is gone.
    I can change the MAC address like this as many times as I want.

    Here in Belgium the ISP offers a few different approaches to serving the IP addresses.
    Normally for residential use, they provide a cable modem with a built-in router and wifi.
    This cable modem uses only 1 public IP address, and assigns private IP addresses behind the modem.
    This modem has a passthrough for connecting a Digibox or Digicorder (digital TV), and these boxes get a private 10.x.x.x IP address assigned by the ISP
    for the interactive services.

    Then there is the option of getting a cable modem without router and without built-in wifi, so-called "modem-only", which is preferred for
    office use, and will be installed by an ISP technician for a customer's special needs.
    These modems supply the unlimited dynamic public addresses, assigned by the DHCP server of the ISP.
    And last, there is the same cable modem, but with the option for use with statically assigned IP addresses for business purposes,
    for assigning to servers etc…

    I have option 2 here at home, the "modem-only" in combination with the possibility of unlimited dynamically assigned IP addresses from the ISP's DHCP server,
    because a few years ago I was self-employed in repairing and selling ICT equipment, and didn't want the router and wifi provided by the ISP.
    Also for testing and other purposes I wanted multiple public addresses.

    Grtz
    DeLorean



    LOL–I see this has devolved into a discussion about the poster's understanding of networks and the network stack...typical for holier than thou programmers (I married one.....sigh..and both my kids are also programmers...sigh....) and network specialists--I don't recall saying anything about being a programmer or a network specialist..so why you mentioned it is completely beyond me?

    I understand perfectly how networks work from the level I need to understand them. Did I "sniff" out the packets?..no of course not, I don't have the expertise to do that...nor do I wish to have that expertise or I would have it...did I write F******G scripts or programs to "do it for me" again no--because I simply don't have that expertise nor would I want it or I would have it. Sheesh.

    Ask for a little help and get crammed on. Even though I don't have the aforementioned expertise I DO have enough brains to reboot the goddam modem,,, even let it sit for a bit to clear all electricity from the device...and ffs I waited 12 goddam hours for the "lease" to expire. I didn't have to wait at all for Zentyal it just picked up an IP...

    To the two people who actually gave me constructive steps to try---I did set the wan interface to 100 FD and back to 1000FD. when on 100FD it again was "online" for approx. 2 minutes and I lost the connection again...and when I went back to 1000 FD it was the same symptoms/issue.

    I also have a shitload of brand new cat 5e/6 cables at my disposal and I tried a number of them (4 to be exact). I got fed up with re-installing Zentyal--which works perfectly I might add --and went out and purchased a 120GB SSD...so now in my box I have a mechanical drive (500GB) with Zentyal installed and configured (and working just fine thank you very much-did I say that already?) and a brand new SSD in which I have been trying to install a WORKING PFsense--which hasn't been working out too well tyvm even though the config is exactly the same as Zentyal.

    So, I am assuming that the default install of PFsense is doing something that my ISP is not liking and they are cutting me off (like serving out dhcp address on the wan interface-is this possible for a default , next, next,next reboot install? from what I read it wasn't but doesn't hurt to ask here) OR PFsense is NOT completely compatible with my hardware.

    All I know for sure is I boot up zentyal and it works fine and has since day one install. Shut down and disconnect Zentyal hdd and reconnect pfsense SSD and can't get an IP on the WAN interface and YES I am not just rebooting the cable modem between shutdowns of the firewall; I am shutting down the cable modem completely for 2 minutes at least and then starting it up again, then I reboot the firewall once the cable modem is online and pfsense STILL gets no WAN ip.

    So, I was under the impression that if you followed the default install you would end up with a working firewall when installing pfsense and many have already done this I am sure--but for me and my hardware it is NOT working out. How in the world leaving everything at default and installing the firewall could possibly be construed as "user error" is completely beyond me.

    BUT, since the community here at PFsense seems to be of the  "holier than thou you must be an idiot" crowd I will take myself on over to the Zentyal crowd and just re-install next years developer version. I mean you should see the support people are getting in the community user forums at Zentyal--true open source atmosphere.

    If it helps any, untangle wouldn't work (I forget why) nor did clear OS (wouldn't detect one of my nics), opnsense does the same thing pfsense does (huh imagine that!)...I would assume that the debian based Zentyal is simply "more" compatible with a larger pool of hardware than the freeBSD based pfsense and opnsense although my tiny non-programmer, non-network specialist brain is probably wrong about that too huh?

    Cheers people and thank you once more to the people who offered constructive suggestions instead of belittling my efforts and offering non-constructive criticisms.

    Have a nice life everyone.


  • Rebel Alliance Global Moderator

    "So, I am assuming that the default install of PFsense is doing something that my ISP is not liking"

    And where is the sniff??  Holier than thou?  How are you going to troubleshoot anything with just freaking guesses..

    There was a thread quite some time back where someone could not get a dhcp address..  Well it was because his dhcp server was over 16 hops away, and the dhcp client was setting ttl 16 hop limit..  So we recompiled and there you go he was getting an IP.

    What actual info have you provided here to help you?  Bumpkiss is what…  I connect pfsense and it doesn't get an IP...  Help me..



  • @yodabug:

    LOL–I see this has devolved into a discussion about the posters understanding of networks and the network stack..

    That wasn't a discussion, just an explanation of how the ISP works here in Belgium

    @yodabug:

    BUT, since the community here at PFsense seems to be of the  "holier than thou you must be an idiot" crowd I will take myself on over to the Zentyal crowd and just re-install next years developer version. I mean you should see the support people are getting in the community user forums at Zentyal–true open source atmosphere.

    This is a forum for getting help for free, so you don't have to be rude because you are a little bit frustrated that pfSense
    doesn't work the first time.
    And if you don't like the support here, go ahead and go to Zentyal if you feel better there.
    And last, we do not pretend to be holier, but who started with the first sentence "i have 25 years of experience…." ?
    Not we, but you, so if you like to be a smartass and can't appreciate the help people are giving you, then figure it out for yourself !!!