Netgate Discussion Forum

Weird Problem

Firewalling
14 Posts 4 Posters 1.5k Views
zoro_2009

      Hello,

First I just wanna say pfSense has served me well for nearly 5 years in my work enterprise!
But right now, I'm facing this weird problem, it never happened to me before!
This began when we hooked an ADSL modem to pfSense!
The network topology is straightforward:

Internet ---> ADSL modem ---> pfSense ---> Switch ---> Clients

The best part is the result: I can ping and access everything that is located in my country, that's right, every company, business and university website which is hosted in my country.
Anything else ... not reachable; for instance, pinging 8.8.8.8 would just fail!

I should note that when I replace it with IPCop, everything works just fine!

I've tried everything, none worked out; if anyone can point me in the right direction to solve this problem!

      Thanks !

JKnott

That sounds like an ISP/carrier issue. If you can reach every (did you really reach every single one? ;)) web site in your country, it's clear pfSense is doing its job and sending traffic out to the Internet.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

zoro_2009

Yes, it does sound like an ISP issue, but replacing pfSense with IPCop solves the problem, and that just doesn't seem right :/
I just wanna know if pfSense has some compatibility issues with some hardware, if any?

johnpoz (LAYER 8 Global Moderator)

You running pfblock and blocking countries? pfSense just sends traffic to your gateway (ISP); if you cannot get somewhere then that is on the ISP.. A simple sniff on the pfSense WAN will show you if it's sending, for example, traffic to 8.8.8.8 to your ISP.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

zoro_2009

Nope, just a basic fresh setup, no pfblock or any other custom rule in place!
And, yes, pfSense does send the request out to the modem, which is really weird!

johnpoz (LAYER 8 Global Moderator)

Well then you need to call your ISP.. They may have you locked down.. via the pfSense MAC being different than when you run it with IPCop... Did you power cycle the modem when you connected the new device?

zoro_2009

                  @johnpoz:

Well then you need to call your ISP.. They may have you locked down.. via the pfSense MAC being different than when you run it with IPCop... Did you power cycle the modem when you connected the new device?

That can't be, because pfSense is connected to one of the LAN ports of the modem (the modem is doing PPPoE, not pfSense)!
And to confuse you more, I've tried this setup:

Internet ---> Modem ---> IPCop ---> pfSense ---> Clients

It resulted in the same problem, meaning the modem and IPCop can't reach 8.8.8.8 but can perfectly reach servers hosted within the country!

Derelict (LAYER 8 Netgate)

                    There is nothing in pfSense that will do that unless you install pfBlockerNG and filter by country, etc.

                    Is it just 8.8.8.8 giving you a problem or is it everything? Can you ping 9.9.9.9 for instance?

You might have 8.8.8.8 defined as a DNS server with a gateway set or something, which creates a host route for that destination out that specific interface. Setting it as a monitor IP address on a gateway does the same.

                    Packet capture on your WAN for host 8.8.8.8 and ping it. Stop the capture and look. If you see echo requests and no reply, pfSense is sending it and not receiving a reply. Look upstream.

                    If you don't see the echo requests on that interface, you have configured them to be sent someplace else and you will need to figure that out.

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

zoro_2009
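The capture check described above can be turned into a repeatable test. The following is an added example, not code from Derelict's post or from pfSense: it reads tcpdump one-line summaries of the kind produced by a capture on the WAN interface (the sample lines here are constructed, not a real capture from this thread) and applies the same decision rule: echo requests with no replies means look upstream, no echo requests at all means the pings are leaving via some other interface or route.

```python
import re

# Constructed sample in the style of `tcpdump -ni re0 icmp and host 8.8.8.8`
# output (three unanswered echo requests); not a capture from the thread.
SAMPLE_CAPTURE = """\
10:01:02.000001 IP 192.168.1.50 > 8.8.8.8: ICMP echo request, id 1, seq 0, length 64
10:01:03.000001 IP 192.168.1.50 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
10:01:04.000001 IP 192.168.1.50 > 8.8.8.8: ICMP echo request, id 1, seq 2, length 64
"""

# Matches the source, destination and echo type in a tcpdump ICMP summary line.
LINE_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply)")


def count_echo(capture_text, host):
    """Return (requests sent to host, replies received from host)."""
    requests = replies = 0
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # non-ICMP-echo lines (ARP, other protocols) are ignored
        src, dst, kind = m.groups()
        if kind == "request" and dst == host:
            requests += 1
        elif kind == "reply" and src == host:
            replies += 1
    return requests, replies


def diagnose(capture_text, host):
    """Apply the rule from the thread to a capture taken on the WAN interface."""
    requests, replies = count_echo(capture_text, host)
    if requests == 0:
        # Pings never appeared on this interface: check routes, gateway and
        # DNS/monitor settings that could send them elsewhere.
        return "not_on_wan"
    if replies == 0:
        # pfSense is sending; nothing comes back: the modem/ISP side is at fault.
        return "upstream"
    return "ok"


if __name__ == "__main__":
    print(count_echo(SAMPLE_CAPTURE, "8.8.8.8"))
    print(diagnose(SAMPLE_CAPTURE, "8.8.8.8"))
```

On pfSense the capture itself comes from Diagnostics > Packet Capture (or tcpdump from the shell); paste its text output into `diagnose` with the WAN interface name and target host substituted for the constructed values.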

                      @Derelict:

                      There is nothing in pfSense that will do that unless you install pfBlockerNG and filter by country, etc.

                      Is it just 8.8.8.8 giving you a problem or is it everything? Can you ping 9.9.9.9 for instance?

You might have 8.8.8.8 defined as a DNS server with a gateway set or something, which creates a host route for that destination out that specific interface. Setting it as a monitor IP address on a gateway does the same.

                      Packet capture on your WAN for host 8.8.8.8 and ping it. Stop the capture and look. If you see echo requests and no reply, pfSense is sending it and not receiving a reply. Look upstream.

                      If you don't see the echo requests on that interface, you have configured them to be sent someplace else and you will need to figure that out.

                      Here are some of the details:

• The modem is configured with 8.8.8.8 as its main DNS server

• Can't reach anything on the Internet (not just 8.8.8.8)

• Local websites (within my country) work perfectly fine!

• When I hook up pfSense, the disconnection problem appears, not just for pfSense and the clients, but even the modem loses Internet; there is a Diagnostic section in the modem from which I can ping hosts, and pinging 8.8.8.8 yields nothing from the modem itself!

• I remove pfSense from the network and replace it with IPCop, and everything goes back to normal!

Can it be a routing loop?

I am not at work right now, so I don't have the chance to take a packet capture, but will do that!

zoro_2009

                        @Derelict:

                        There is nothing in pfSense that will do that unless you install pfBlockerNG and filter by country, etc.

                        Is it just 8.8.8.8 giving you a problem or is it everything? Can you ping 9.9.9.9 for instance?

You might have 8.8.8.8 defined as a DNS server with a gateway set or something, which creates a host route for that destination out that specific interface. Setting it as a monitor IP address on a gateway does the same.

                        Packet capture on your WAN for host 8.8.8.8 and ping it. Stop the capture and look. If you see echo requests and no reply, pfSense is sending it and not receiving a reply. Look upstream.

                        If you don't see the echo requests on that interface, you have configured them to be sent someplace else and you will need to figure that out.

Can you please elaborate on this, as my gut is telling me the issue is coming from that.

Derelict (LAYER 8 Netgate)

Can you please elaborate on this, as my gut is telling me the issue is coming from that.

                          If that was the problem it would only affect the specific addresses you have /32 routes for, not "everything outside your country" as you assert.

                          Post the output from Diagnostics > Command Prompt. Execute this: netstat -rn

zoro_2009

                            @Derelict:

Can you please elaborate on this, as my gut is telling me the issue is coming from that.

                            If that was the problem it would only affect the specific addresses you have /32 routes for, not "everything outside your country" as you assert.

                            Post the output from Diagnostics > Command Prompt. Execute this: netstat -rn

Ok, will do tomorrow at work, thanks!

zoro_2009

Hello, per your request, here is the result of netstat -rn

    Routing tables

    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            192.168.1.1        UGS         re0
    127.0.0.1          link#3             UH          lo0
    172.17.10.0/24     link#2             U           rl0
    172.17.10.1        link#2             UHS         lo0
    192.168.1.0/24     link#1             U           re0
    192.168.1.50       link#1             UHS         lo0

172.17.10.0/24 is the LAN side and 192.168.1.0/24 is the WAN side hooked to the modem's LAN port!

(no IPv6 in place)

Thanks!
                              
Derelict (LAYER 8 Netgate)
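To see why the table above is "nothing interesting", and to check for the /32 host routes Derelict mentioned (a DNS server or gateway monitor address with a gateway set), here is an added example that parses the posted `netstat -rn` output and does a longest-prefix-match lookup with the standard library. It is not code from the thread or from pfSense; the second table, with an extra `UGHS` route for 8.8.8.8, is constructed to show what such a host route looks like.

```python
import ipaddress

# The FreeBSD `netstat -rn` output posted in the thread (IPv4 section only).
NETSTAT_OUTPUT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         re0
127.0.0.1          link#3             UH          lo0
172.17.10.0/24     link#2             U           rl0
172.17.10.1        link#2             UHS         lo0
192.168.1.0/24     link#1             U           re0
192.168.1.50       link#1             UHS         lo0
"""

# Constructed variant: the same table plus the kind of gateway host route that
# a DNS server or gateway monitor IP with a gateway set would create.
HOST_ROUTE_OUTPUT = NETSTAT_OUTPUT + \
    "8.8.8.8            192.168.1.1        UGHS        re0\n"


def parse_routes(text):
    """Parse the 'Internet:' section of netstat -rn into a list of route dicts."""
    routes = []
    in_inet = False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_inet = True
            continue
        if line.startswith("Internet6:"):
            break  # IPv6 section not handled here
        if not in_inet or not line.strip() or line.startswith("Destination"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        dest, gateway, flags, netif = fields[:4]
        if dest == "default":
            network = ipaddress.ip_network("0.0.0.0/0")
        else:
            # A bare address is a host route (/32); strict=False tolerates host bits.
            network = ipaddress.ip_network(dest, strict=False)
        routes.append({"dest": dest, "network": network, "gateway": gateway,
                       "flags": flags, "netif": netif})
    return routes


def lookup(routes, address):
    """Longest-prefix match: the route the kernel would use for `address`."""
    addr = ipaddress.ip_address(address)
    best = None
    for route in routes:
        if addr in route["network"]:
            if best is None or route["network"].prefixlen > best["network"].prefixlen:
                best = route
    return best


def gateway_host_routes(routes):
    """Host routes (H) that point at a gateway (G): the /32 entries Derelict means."""
    return [r for r in routes if "H" in r["flags"] and "G" in r["flags"]]


def describe(routes, address):
    route = lookup(routes, address)
    if route is None:
        return f"{address}: no route"
    return f"{address}: via {route['dest']} -> {route['gateway']} on {route['netif']}"


if __name__ == "__main__":
    routes = parse_routes(NETSTAT_OUTPUT)
    print(describe(routes, "8.8.8.8"))        # default route via 192.168.1.1 on re0
    print(gateway_host_routes(routes))        # [] : no per-host detours in the posted table
    print(gateway_host_routes(parse_routes(HOST_ROUTE_OUTPUT)))
```

In the posted table 8.8.8.8 matches only the default route, so pfSense hands it to the modem at 192.168.1.1 on re0 like any other non-local destination; a `UGHS` entry for a specific address would show up in `gateway_host_routes` and would affect only that address.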

                                Nothing interesting there.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.