Weird Problem
-
Hello,
First I just wanna say PfSense has served me well for nearly 5 years in my work enterprise !
But right now, I'm facing this weird problem, it never happened to me before !
This begun when we hooked a modem ADSL to PfSense !
The network topology is straightforward:Internet –-> ADSL model ---> PfSense ---> Switch ---> Clients
The best part is the result: I can ping and access everything that is located in my country, that's right, every company, business and universities websites, which are hosted in my country
Anything else … not reachable, for instance, pinging 8.8.8.8 would just fail !I should note that when I replace it with IPCop, everything works just fine !
I've tried everything, none worked out, if anyone can point me the right direction to solve this problem !
Thanks !
-
That sounds like an ISP/carrier issue. If you can reach every (did you really reach every single one? ;)) web site in your country, it's clear pfSense is doing it's job and sending traffic out to the Internet.
-
Yes, it does sound like an ISP issue, but replacing pfSense with IPCop solves the problem, that just doesn't seem right :/
I just wanna know if pfSense has some compatibility issues with some hardware if any ? -
you running pfblock and blocking countries? Pfsense just sends traffic to your gateway (isp) if you can not get somewhere then that is on isp.. Simple sniff on pfsense wan will show you if its sending for example traffic to 8.8.8.8 to your isp.
-
Nope, just a basic fresh setup, no pfblock or any other custom rule in place !
And, yes, pfSense does send the request out to the modem, which is really weird ! -
Well then you need to call your isp.. They may have you locked down.. Via the pfsense mac being different then when you run it with ipcop… Did you power cycle the modem when you connected the new device
-
Well then you need to call your isp.. They may have you locked down.. Via the pfsense mac being different then when you run it with ipcop… Did you power cycle the modem when you connected the new device
That can't be, because pfSense is connected to one of the LAN ports of the modem (modem is doing pppoe, not pfSense) !
And to confuse you more, I've tried this setup:Internet –-> Modem ---> IPCop ---> pfSense ---> Clients
It resulted in the same problem, being modem and IPCop can't reach 8.8.8.8 but can perfectly reach within country hosted servers !
-
There is nothing in pfSense that will do that unless you install pfBlockerNG and filter by country, etc.
Is it just 8.8.8.8 giving you a problem or is it everything? Can you ping 9.9.9.9 for instance?
You might have 8.8.8.8 defined as a DNS server with a gateway set or something which creates a host route out that specific interface for that destination out that specific interface. Setting it as a monitor IP address on a gateway does the same.
Packet capture on your WAN for host 8.8.8.8 and ping it. Stop the capture and look. If you see echo requests and no reply, pfSense is sending it and not receiving a reply. Look upstream.
If you don't see the echo requests on that interface, you have configured them to be sent someplace else and you will need to figure that out.
-
There is nothing in pfSense that will do that unless you install pfBlockerNG and filter by country, etc.
Is it just 8.8.8.8 giving you a problem or is it everything? Can you ping 9.9.9.9 for instance?
You might have 8.8.8.8 defined as a DNS server with a gateway set or something which creates a host route out that specific interface for that destination out that specific interface. Setting it as a monitor IP address on a gateway does the same.
Packet capture on your WAN for host 8.8.8.8 and ping it. Stop the capture and look. If you see echo requests and no reply, pfSense is sending it and not receiving a reply. Look upstream.
If you don't see the echo requests on that interface, you have configured them to be sent someplace else and you will need to figure that out.
Here are some of the details:
-
The modem is configured with 8.8.8.8 as it's main DNS server
-
Can't reach anything on the Internet (not just 8.8.8.8 )
-
Local websites (within my country) works perfectly fine !
-
When I hook up pfSense, the disconnection problem appears, not just pfSense and clients, but even the modem loses Internet, there is a Diagnostic section in the modem which I can ping hosts, and pinging 8.8.8.8 yields nothing from the modem itself !
-
I remove pfSense from the network and replace it with IPCop, and everything goes back to normal !
Can it be a routing loop ?
I am not at work right now, so I don't have the chance to take packet capture, but will do that !
-
-
There is nothing in pfSense that will do that unless you install pfBlockerNG and filter by country, etc.
Is it just 8.8.8.8 giving you a problem or is it everything? Can you ping 9.9.9.9 for instance?
You might have 8.8.8.8 defined as a DNS server with a gateway set or something which creates a host route out that specific interface for that destination out that specific interface. Setting it as a monitor IP address on a gateway does the same.
Packet capture on your WAN for host 8.8.8.8 and ping it. Stop the capture and look. If you see echo requests and no reply, pfSense is sending it and not receiving a reply. Look upstream.
If you don't see the echo requests on that interface, you have configured them to be sent someplace else and you will need to figure that out.
can you please elaborate on this, as my guts are telling me the issue is coming from that
-
can you please elaborate on this, as my guts are telling me the issue is coming from that
If that was the problem it would only affect the specific addresses you have /32 routes for, not "everything outside your country" as you assert.
Post the output from Diagnostics > Command Prompt. Execute this: netstat -rn
-
can you please elaborate on this, as my guts are telling me the issue is coming from that
If that was the problem it would only affect the specific addresses you have /32 routes for, not "everything outside your country" as you assert.
Post the output from Diagnostics > Command Prompt. Execute this: netstat -rn
Ok, will do tomorrow at work, thanks !
-
Hello, per your request, here is the result of netstat -rn
[code]Routing tables Internet: Destination Gateway Flags Netif Expire default 192.168.1.1 UGS re0 127.0.0.1 link#3 UH lo0 172.17.10.0/24 link#2 U rl0 172.17.10.1 link#2 UHS lo0 192.168.1.0/24 link#1 U re0 192.168.1.50 link#1 UHS lo0[/code] [i]172.17.10.0/24[/i] is the LAN's side and [i]192.168.1.0/24[/i] is the WAN's side hooked to the modem's LAN port ! (no IPv6 in place) Thanks ! -
Nothing interesting there.
