Weird Problem



  • Hello,

    First I just want to say pfSense has served me well for nearly 5 years in my work enterprise!
    But right now I'm facing this weird problem; it never happened to me before!
    This began when we hooked an ADSL modem to pfSense!
    The network topology is straightforward:

    Internet ---> ADSL modem ---> pfSense ---> Switch ---> Clients

    The best part is the result: I can ping and access everything that is located in my country. That's right, every company, business and university website hosted in my country.
    Anything else … not reachable; for instance, pinging 8.8.8.8 just fails!

    I should note that when I replace it with IPCop, everything works just fine!

    I've tried everything, and none of it worked out. If anyone can point me in the right direction to solve this problem!

    Thanks!



  • That sounds like an ISP/carrier issue.  If you can reach every (did you really reach every single one?  ;)) web site in your country, it's clear pfSense is doing its job and sending traffic out to the Internet.



  • Yes, it does sound like an ISP issue, but replacing pfSense with IPCop solves the problem, and that just doesn't seem right :/
    I just want to know if pfSense has compatibility issues with some hardware, if any?


  • Rebel Alliance Global Moderator

    Are you running pfBlocker and blocking countries?  pfSense just sends traffic to your gateway (ISP); if you can not get somewhere then that is on the ISP.. A simple sniff on the pfSense WAN will show you if it's sending, for example, traffic to 8.8.8.8 to your ISP.



  • Nope, just a basic fresh setup, no pfBlocker or any other custom rule in place!
    And yes, pfSense does send the request out to the modem, which is really weird!


  • Rebel Alliance Global Moderator

    Well then you need to call your ISP.. They may have you locked down.. Via the pfSense MAC being different than when you run it with IPCop… Did you power cycle the modem when you connected the new device?



  • @johnpoz:

    Well then you need to call your ISP.. They may have you locked down.. Via the pfSense MAC being different than when you run it with IPCop… Did you power cycle the modem when you connected the new device?

    That can't be, because pfSense is connected to one of the LAN ports of the modem (the modem is doing PPPoE, not pfSense)!
    And to confuse you more, I've tried this setup:

    Internet ---> Modem ---> IPCop ---> pfSense ---> Clients

    It resulted in the same problem, meaning the modem and IPCop can't reach 8.8.8.8 but can perfectly reach servers hosted within the country!


  • Netgate

    There is nothing in pfSense that will do that unless you install pfBlockerNG and filter by country, etc.

    Is it just 8.8.8.8 giving you a problem or is it everything? Can you ping 9.9.9.9 for instance?

    You might have 8.8.8.8 defined as a DNS server with a gateway set or something, which creates a host route for that destination out that specific interface. Setting it as a monitor IP address on a gateway does the same.

    Packet capture on your WAN for host 8.8.8.8 and ping it. Stop the capture and look. If you see echo requests and no reply, pfSense is sending it and not receiving a reply. Look upstream.

    If you don't see the echo requests on that interface, you have configured them to be sent someplace else and you will need to figure that out.
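    The capture check described in this post, as an added example that is not part of the thread: given tcpdump-style text (the format pfSense's Diagnostics > Packet Capture shows), count echo requests to and echo replies from the target and sort the result into the two cases above, plus the healthy one. The capture lines are constructed sample data, not a real capture.

```python
import re

# Constructed sample of a WAN capture taken while pinging 8.8.8.8 (no reply)
# and 9.9.9.9 (reply seen) from the firewall. Not real capture data.
SAMPLE_CAPTURE = """\
14:02:10.101 IP 192.168.1.50 > 8.8.8.8: ICMP echo request, id 4711, seq 1, length 64
14:02:11.102 IP 192.168.1.50 > 8.8.8.8: ICMP echo request, id 4711, seq 2, length 64
14:02:12.103 IP 192.168.1.50 > 8.8.8.8: ICMP echo request, id 4711, seq 3, length 64
14:02:12.150 IP 192.168.1.50 > 9.9.9.9: ICMP echo request, id 4712, seq 1, length 64
14:02:12.175 IP 9.9.9.9 > 192.168.1.50: ICMP echo reply, id 4712, seq 1, length 64
"""

# Matches the ICMP echo summary tcpdump prints for IPv4 packets.
ICMP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply)"
)

def count_echo(capture: str, target: str) -> tuple[int, int]:
    """Return (echo requests sent to target, echo replies received from target)."""
    requests = replies = 0
    for line in capture.splitlines():
        m = ICMP_RE.search(line)
        if m is None:
            continue
        if m["kind"] == "request" and m["dst"] == target:
            requests += 1
        elif m["kind"] == "reply" and m["src"] == target:
            replies += 1
    return requests, replies

def diagnose(capture: str, target: str) -> str:
    """Classify the capture the way the post describes reading it."""
    requests, replies = count_echo(capture, target)
    if requests == 0:
        return "not-on-wan"   # requests never left this interface: check routes/gateway settings
    if replies == 0:
        return "upstream"     # pfSense sent them and got nothing back: look at modem/ISP
    return "ok"
```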



  • @Derelict:

    There is nothing in pfSense that will do that unless you install pfBlockerNG and filter by country, etc.

    Is it just 8.8.8.8 giving you a problem or is it everything? Can you ping 9.9.9.9 for instance?

    You might have 8.8.8.8 defined as a DNS server with a gateway set or something, which creates a host route for that destination out that specific interface. Setting it as a monitor IP address on a gateway does the same.

    Packet capture on your WAN for host 8.8.8.8 and ping it. Stop the capture and look. If you see echo requests and no reply, pfSense is sending it and not receiving a reply. Look upstream.

    If you don't see the echo requests on that interface, you have configured them to be sent someplace else and you will need to figure that out.

    Here are some of the details:

    • The modem is configured with 8.8.8.8 as its main DNS server

    • Can't reach anything on the Internet (not just 8.8.8.8 )

    • Local websites (within my country) work perfectly fine!

    • When I hook up pfSense, the disconnection problem appears, and not just for pfSense and the clients: even the modem loses Internet. There is a Diagnostic section in the modem from which I can ping hosts, and pinging 8.8.8.8 from the modem itself yields nothing!

    • When I remove pfSense from the network and replace it with IPCop, everything goes back to normal!

    Can it be a routing loop?

    I am not at work right now, so I don't have the chance to take a packet capture, but I will do that!



  • @Derelict:

    There is nothing in pfSense that will do that unless you install pfBlockerNG and filter by country, etc.

    Is it just 8.8.8.8 giving you a problem or is it everything? Can you ping 9.9.9.9 for instance?

    You might have 8.8.8.8 defined as a DNS server with a gateway set or something, which creates a host route for that destination out that specific interface. Setting it as a monitor IP address on a gateway does the same.

    Packet capture on your WAN for host 8.8.8.8 and ping it. Stop the capture and look. If you see echo requests and no reply, pfSense is sending it and not receiving a reply. Look upstream.

    If you don't see the echo requests on that interface, you have configured them to be sent someplace else and you will need to figure that out.

    Can you please elaborate on this, as my gut is telling me the issue is coming from that?


  • Netgate

    Can you please elaborate on this, as my gut is telling me the issue is coming from that?

    If that was the problem it would only affect the specific addresses you have /32 routes for, not "everything outside your country" as you assert.

    Post the output from Diagnostics > Command Prompt. Execute this: netstat -rn



  • @Derelict:

    Can you please elaborate on this, as my gut is telling me the issue is coming from that?

    If that was the problem it would only affect the specific addresses you have /32 routes for, not "everything outside your country" as you assert.

    Post the output from Diagnostics > Command Prompt. Execute this: netstat -rn

    Ok, will do tomorrow at work, thanks!



  • Hello, per your request, here is the result of netstat -rn:

    Routing tables

    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            192.168.1.1        UGS         re0
    127.0.0.1          link#3             UH          lo0
    172.17.10.0/24     link#2             U           rl0
    172.17.10.1        link#2             UHS         lo0
    192.168.1.0/24     link#1             U           re0
    192.168.1.50       link#1             UHS         lo0

    172.17.10.0/24 is the LAN side and 192.168.1.0/24 is the WAN side, hooked to the modem's LAN port!

    (no IPv6 in place)

    Thanks!
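    As an added example (not code from the thread), here is the check Derelict's earlier reply implies: parse the netstat -rn table posted above, find the route the kernel would pick for a destination by longest-prefix match, and list any /32 host routes that leave the box. It goes a step beyond the thread by also running against a constructed variant of the table with such a host route added, to show that it pins only that one destination.

```python
import ipaddress
from typing import NamedTuple

# The table posted above (pfSense "netstat -rn", IPv4 only), used as sample input.
NETSTAT_OUTPUT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         re0
127.0.0.1          link#3             UH          lo0
172.17.10.0/24     link#2             U           rl0
172.17.10.1        link#2             UHS         lo0
192.168.1.0/24     link#1             U           re0
192.168.1.50       link#1             UHS         lo0
"""
# Constructed variant: same table plus the /32 host route that a DNS server or
# gateway monitor IP bound to a specific gateway would create (not from the post).
WITH_HOST_ROUTE = NETSTAT_OUTPUT + "8.8.8.8            192.168.1.1        UGHS        re0\n"

class Route(NamedTuple):
    net: ipaddress.IPv4Network
    gateway: str
    flags: str
    netif: str

def parse_routes(text: str) -> list[Route]:
    """Parse the IPv4 rows of FreeBSD netstat -rn output (IPv6 rows are skipped)."""
    routes, in_table = [], False
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "Destination":   # the column header opens the table
            in_table = True
            continue
        if not in_table or len(parts) < 4:
            continue
        dest, gateway, flags, netif = parts[:4]
        try:   # "default" is 0.0.0.0/0; a bare address with no prefix is a /32 host route
            net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest, strict=False)
        except ValueError:              # e.g. scoped IPv6 like fe80::%re0/64
            continue
        routes.append(Route(net, gateway, flags, netif))
    return routes

def lookup(routes: list[Route], addr: str) -> Route:
    """Longest-prefix match: the route the kernel would use for addr."""
    ip = ipaddress.ip_address(addr)
    return max((r for r in routes if ip in r.net), key=lambda r: r.net.prefixlen)

def host_routes(routes: list[Route]) -> list[Route]:
    """/32 entries leaving the box (not lo0): only these destinations are pinned to one path."""
    return [r for r in routes if r.net.prefixlen == 32 and r.netif != "lo0"]
```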
    

  • Netgate

    Nothing interesting there.