[SOLVED] DNS & Ping work from LAN, but nothing else does



  • I've installed pfSense 2.3.2-RELEASE-p1 on an HP Mini netbook that I've upgraded with a 128GB SSD and 2GB RAM. The HP Mini has built-in Ethernet and wifi, but I'm not using the wifi. Instead, I added a USB-to-Ethernet adapter. pfSense detected it, and it's working. My test configuration looks like this:

    Internet
        |
        |
        V
    Actiontec DSL Modem (172.16.0.250)
        |
        |  (172.16.0.x/24)
        V
    pfSense (DHCP WAN; 172.207.26.10 LAN)*
        |
        |  (172.207.26.x/24)*
        V
    Windows 7 Client (DHCP, 172.207.26.150)*

    The pfSense is a fresh installation. I configured the network interfaces, and they work. The Windows client can access the pfSense webConfigurator, and I can log in. I updated pfSense, and ran through the webConfigurator Wizard from the Windows client machine, and that's it. I changed the default admin password, set the time zone, and gave the machine a name. Those are the only real customizations I used.

    I'm using DHCP for the WAN connection (pfSense detected the correct gateway). On the Windows client, I get DNS resolution for any domain, and I can ping pingable hosts anywhere. tracert from the client can successfully trace a route to a machine at the end of the Earth, but that's all that it can do.

    What it can't do is connect to the internet using any other ports from the client.

    Communication does not work over any other ports. pfSense is getting time from pool.ntp.org, but the client machine can't, so there's no pass-through for port 123. I can't view web pages over either port 80 or 443 from the client. There are no firewall rules other than the default rules that allow all outgoing traffic from LAN devices. I can't establish any kind of connection to any servers on the WAN other than for DNS and ping. And, most frustrating of all, there are no indications of relevant denials in the logs other than the denials one would hope to see for accesses from the WAN.

    I've gone through the Troubleshooting steps under "Connectivity Troubleshooting" in the wiki at https://doc.pfsense.org/index.php/Category:Troubleshooting. However, since I'm using the default settings, there were no settings that I could change that weren't already set as that article suggested. I'm not using a proxy, either.

    Now, yes, I know that a double NAT is an inefficient configuration, but that's all it is. I should be able to browse the web behind a zillion NATs (Okay, so maybe the latency behind a zillion NAT gateways would cause time outs, but you get my point.)

    I've searched this forum and reddit, but I can't find anything pertinent. I've tried this on two disjoint networks, although my other test went through a Microsoft Forefront TMG gateway, but both networks connect through CenturyLink. The Actiontec DSL modem has its internal firewall turned on, blocking anything coming in and some traffic going out. The TMG gateway has a few more outgoing restrictions, but other machines that are not behind pfSense have no problems accessing the internet.

    I should mention that the client machine has no trouble accessing anything on the internet if it is NOT behind pfSense.

    I have no other ideas. I'm frustrated that I can't get pfSense to work fresh out of the box. This is a simple setup. It should work. I'll be grateful for any ideas.

    -------------------------------------------

    *UPDATE #1: I've renumbered the LAN from the (more than slightly illegal) IP address range I was given to 172.17.4.x/24. The client still uses DHCP. I've restarted both machines after the change, and nothing has changed.



  • First off, 172.207.26.10 is in public IP space. You should probably not be using it as a LAN address.

    172.16.0.1 to 172.31.255.254 is the private space.



  • Yeah, I know, but the dork (who has since been fired) who set up the LAN I've got to get this working on didn't seem to know that, and I really don't want to renumber the entire domain. (He even used a .org domain name owned by someone else for the local Active Directory domain. I swear, if I ever meet him in person…) Is this a pfSense feature? I've tested a couple of other firewalls and didn't have any problems. But just for giggles, I'll renumber the test setup and see what happens.



  • @chpalmer:

    First off, 172.207.26.10 is in public IP space. You should probably not be using it as a LAN address.

    172.16.0.1 to 172.31.255.254 is the private space.

    Okay, I renumbered the test rig and restarted both machines. As before, the pfSense gateway is getting good time, has DNS resolution, and can check for updates without problems. I also re-ran the ping, DNS, and tracert tests on the client from a command line. They all work. But there is still no access from the client over any other ports.



  • LAN interface… any gateway set?

    LAN rules. Post them here.

    DNS Resolver service running?

    Just a few questions..



  • @chpalmer:

    LAN interface… any gateway set?

    No, just the default obtained by DHCP on the WAN interface, which is the DSL modem. Routing works. I can ping Africa from New Mexico.

    LAN rules. Post them here.

    Only the default rules are configured. I've checked them. There are no WAN rules, and only the three default LAN rules allowing everything. I haven't changed or added anything from the setup.

    DNS Resolver service running?

    Yes. As I said, I've got DNS resolution from both the pfSense gateway and the Windows 7 client.



  • Does no one have any ideas?


  • LAYER 8 Global Moderator

    If you're saying you have the default LAN rules of any any.. You sure you're not using a proxy?

    You sure your Actiontec DSL Modem (172.16.0.250) is not blocking..

    Simple test.. sniff on pfSense WAN.. Go to some website from your client behind pfSense.. Do you see the HTTP traffic go out? Do you see an answer? If you do not see it go out, do you see it hit the pfSense LAN interface via packet capture on pfSense?

    Have you messed with the outbound NAT? If you had some public IP space on there before, and have changed it, pfSense outbound NAT should be on auto and be NATting your client's IP to its WAN IP..



  • Thanks for your reply, johnpoz.

    @johnpoz:

    If you're saying you have the default LAN rules of any any.. You sure you're not using a proxy?

    Yes, no proxy. I've tested this installation on two different networks. One is guarded by a Microsoft Forefront TMG firewall/gateway that I specifically configured to allow the pfSense machine to go through unproxied. The other network was a simple DSL connection managed by an Actiontec modem. Those things aren't proxies. I haven't installed a proxy on pfSense. Also, I disabled the firewall on the Actiontec modem and allowed all traffic from the pfSense machine on TMG.

    You sure your Actiontec DSL Modem (172.16.0.250) is not blocking..

    With the firewall disabled in the Actiontec modem, there's nothing. It wasn't configured to block any sites or to use scheduled access, either.

    Simple test.. sniff on pfSense WAN.. Go to some website from your client behind pfSense.. Do you see the HTTP traffic go out? Do you see an answer? If you do not see it go out, do you see it hit the pfSense LAN interface via packet capture on pfSense?

    I used the TMG logs to see if I could learn anything. When the client machine behind pfSense requests access to a web site, TMG sees the traffic from pfSense (which is between the client and TMG), lets it through, and the corresponding replies are sent back to pfSense. I didn't see anything in the pfSense logs indicating that anything was being blocked except for miscellaneous traffic from other machines on the network pfSense is using for the WAN – traffic that one hopes would be blocked.

    I will, however, capture some traffic with Wireshark to see if I've missed something.

    Have you messed with the outbound NAT? If you had some public IP space on there before, and have changed it, pfSense outbound NAT should be on auto and be NATting your client's IP to its WAN IP..

    I haven't changed anything in NAT. It's set to auto everything as it was before I changed the LAN's IP block.

    TBH, I'm thinking of switching careers and becoming a pastry chef. You can tell if a pastry will hurt you as soon as you open the box, and even then you might enjoy it.



  • Go to Advanced Options and disable TCP offloading. This is a common symptom with USB-based Ethernet cards: you can ping and whatnot, but nothing else works.



  • From Interfaces: WAN, look for this checkbox:

    Block private networks

    When set, this option blocks traffic from IP addresses that are reserved for private networks as per RFC 1918 (10/8, 172.16/12, 192.168/16) as well as loopback addresses (127/8). You should generally leave this option turned on, unless your WAN network lies in such a private address space, too.



  • @remlei:

    Go to Advanced Options and disable TCP offloading. This is a common symptom with USB-based Ethernet cards: you can ping and whatnot, but nothing else works.

    DING!DING!DING!DING!DING!

    You win today's cookie!

    The USB-to-Ethernet adapter I'm using is a Rocketfish RF-PCC132.

    I checked under System/Advanced/Networking. By default, both "Disable hardware TCP segmentation offload" and "Disable hardware large receive offload" were checked (enabled), but "Disable hardware checksum offload" was unchecked. As soon as I enabled it, I got web access from the client.

    THANK YOU VERY MUCH! You led me to the right place, and I am very grateful!
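A check worth running on the Wireshark capture mentioned earlier in the thread, as an added example that is not code from this thread or from pfSense: it verifies the IPv4 header checksum and the TCP checksum (pseudo-header included) of raw Ethernet frames and lists the segments that would be silently discarded by the receiver. Silent discard is exactly what a bad checksum produces, which matches the picture above of TCP failing while nothing shows up in any firewall log. The two sample frames, the frame builder, the MAC addresses and the 172.17.4.150 / 203.0.113.5 endpoints are all constructed for the demo.

```python
"""Checksum audit for IPv4/TCP frames from a packet capture.

Added example, not code from the forum thread or from pfSense. It checks
the IPv4 header checksum and the TCP checksum of raw Ethernet II frames,
the kind of check worth running on a WAN-side capture when a host can
ping and resolve names but no TCP session completes. Receivers silently
discard segments with a bad checksum, so nothing appears in any log.
The sample frames below are constructed here; the addresses are from
private / documentation ranges.
"""
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's complement sum.

    Over a header that already contains a correct checksum field the
    result is 0, which is how verify_frame() tests validity.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def verify_frame(frame: bytes) -> dict:
    """Check one Ethernet II frame carrying IPv4/TCP.

    Returns the endpoints plus two booleans, ip_ok and tcp_ok.
    Raises ValueError for anything that is not IPv4/TCP.
    """
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not a TCP segment")
    ip_ok = inet_checksum(ip[:ihl]) == 0
    src, dst = ip[12:16], ip[16:20]
    tcp = ip[ihl:total_len]
    # The TCP checksum covers a pseudo-header (src, dst, zero, protocol,
    # TCP length) followed by the whole segment, header and payload.
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp_ok = inet_checksum(pseudo + tcp) == 0
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "sport": sport, "dport": dport, "ip_ok": ip_ok, "tcp_ok": tcp_ok,
    }


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int,
              complete_tcp_checksum: bool = True) -> bytes:
    """Construct a minimal IPv4/TCP SYN frame for the demo (constructed data).

    With complete_tcp_checksum=False the TCP checksum field is left at 0,
    standing in for a segment the driver handed to the NIC for checksum
    offload that never got completed.
    """
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02,
                      65535, 0, 0)                          # SYN, checksum 0
    if complete_tcp_checksum:
        pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
        tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def audit(frames) -> list:
    """Return the verify result for every IPv4/TCP frame with a bad checksum."""
    bad = []
    for frame in frames:
        try:
            result = verify_frame(frame)
        except ValueError:
            continue                      # ARP, ICMP, UDP etc. are skipped
        if not (result["ip_ok"] and result["tcp_ok"]):
            bad.append(result)
    return bad


if __name__ == "__main__":
    sample = [
        build_syn("172.17.4.150", "203.0.113.5", 50000, 443),
        build_syn("172.17.4.150", "203.0.113.5", 50001, 80,
                  complete_tcp_checksum=False),
    ]
    for r in audit(sample):
        print("bad checksum: %(src)s:%(sport)d -> %(dst)s:%(dport)d "
              "ip_ok=%(ip_ok)s tcp_ok=%(tcp_ok)s" % r)
```

One caveat when reading a real capture: a capture taken on the sending host itself can show wrong checksums that the NIC fills in after the capture point when offload is working, so the capture that settles the question is the one taken on the far side of the link (the modem or upstream gateway side), where what is seen is what actually left the box.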



  • @jahonix:

    From Interfaces: WAN, look for this checkbox:

    Block private networks

    Thank you for trying, Chris. Both bogon and private networks/loopback addresses are allowed by default, and I hadn't changed those settings. The solution turned out to be to disable hardware checksum offloads, which is not disabled by default, in addition to the other two offloads which are disabled by default. Apparently, this is a common problem with USB-to-Ethernet adapters.



  • Hi, I am on KVM virtualisation and your post saved me :-)

