Unable to Browse Internet
-
Network Configuration = ISP (ATT) --- pfSense ---- Unifi Switch ---- Clients via Ethernet or Wifi APs
I am not able to browse the internet via a browser or use Amazon Fire for Netflix, Amazon Prime or get to XBOX live.
Something happened on Tuesday night where all of a sudden, I was no longer able to connect to the internet. Prior to that date, pfSense has never had an issue running gaming consoles, a couple of servers, IoT for Home Automation, etc for over a year.
Since then I have tried restoring from the backup configs I have taken over time after each update was made to the config (e.g. updated the config to get plex to work, updates for getting XBOX live to work, etc). I have tried reinstalling pfSense and using a default setup. I have purchased a new switch thinking a power surge messed up the switch (Cisco SG1 10-16HP was the original switch). I went back through the bridge mode setup to validate maybe ATT pushed out a software/firmware update that messed up the setup. None of these helped me to hit an external site such as google.com on a browser.
Configuration information:
WAN rules are default with blocking private networks and block bogon networks
LAN has the anti-lockout rule, default allow LAN to any rule, and Default allow LAN IPv6 to any rule
DNS Resolver is enabled while DNS forwarder is notIn addition, below is some additional information that I found when testing:
- I can reach internal servers on the network
- On my phone with mobile service turned off I am able to get to LinkedIn, Netflix, and YouTube.
- I'm not able to access these same sites on my laptop either through WiFi or Ethernet.
- I'm able to ping 8.8.8.8 and google.com from my laptop
- I'm able to download packages via pfSense such as ntop
- Amazon Fire Cube isn't able to connect to Netflix or Amazon Prime
- I have reinstalled pfSense twice, reset to the factory settings a few times, and reloaded from a good backup config file that worked for a year.
Extremely frustrating that I have not to figure this out either reviewing the different posts with similar problems or just by following the instructions I created for the entire install / configuration process.
Some additional information:
Ping for linuxmint.com
Ping for xkcd.com
I don't believe I have a gateway on the LAN side setup as this was a common issue when searching posts
Below is a screen shot from System โ Routing โ Gateways in case I messed something up
Below is the current status by going to Status โ Gateways
I have automatic outbound NAT enabled/selected
While I mentioned the firewall rules I have set on the WAN and LAN, I thought I better show them in case my noobness screwed something up
Floating โ N/A
WAN
LAN
I would be extremely appreciative for any help as we are going into day 4 with this weird connectivity issue (kids and wife are not happy and I'm not happy because I can't figure it out).
Thanks in advance all!
-
@wiinc1 said in Unable to Browse Internet:
Amazon Fire Cube isn't able to connect to Netflix or Amazon Prime
Not sure why you think pfsense would do anything different for your firecube than your other devices resolving an pinging stuff.. Your stuff seems pretty default out of the box..
So you need to figure out what is different with your firecube.. Can it get to other stuff? Does it have a internet test menu item or anything.
so you say your laptop can not get to them either - so does it resolve the name.. What error do you get in the browser?
Your laptop is pointing to pfsense for dns right? so what happens when you trying to go to netflix.com, what does your laptop top show for pinging netflix.com? Or nslookup or dig..
$ dig netflix.com ; <<>> DiG 9.14.4 <<>> netflix.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58182 ;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;netflix.com. IN A ;; ANSWER SECTION: netflix.com. 3583 IN A 107.23.104.215 netflix.com. 3583 IN A 54.87.188.169 netflix.com. 3583 IN A 34.233.159.233 netflix.com. 3583 IN A 52.3.169.18 netflix.com. 3583 IN A 35.169.45.33 netflix.com. 3583 IN A 54.208.168.102 netflix.com. 3583 IN A 54.208.233.73 netflix.com. 3583 IN A 35.153.58.124 ;; Query time: 2 msec ;; SERVER: 192.168.3.10#53(192.168.3.10) ;; WHEN: Sun Aug 11 08:05:23 Central Daylight Time 2019 ;; MSG SIZE rcvd: 168Your laptop can go to other sites right?
-
@johnpoz said in Unable to Browse Internet:
Not sure why you think pfsense would do anything different for your firecube than your other devices resolving an pinging stuff.. Your stuff seems pretty default out of the box..
This was just one of several examples listed to give an idea that it is occurring in other areas beyond the browser on a computer.
No, I'm not able to get to any of the different services via Firecube.
The error message received via the browser when attempting to go to netflix.com or getfedora.org is:
No, I'm not able to get to any internet sites.
Thanks in advance for the help
-
But they actually resolve.. See my dig, you could use nslookup as well. But you want something other than ping, which could be just using your local hosts cache.
Are you using proxy on pfsense, any other packages? IPS for example?
-
Really appreciate the responses @johnpoz
Below are the dig results:
Are you using proxy on pfsense, any other packages? IPS for example?
The only package I have installed is ntopng.
-
@wiinc1 have you looked at the pfSense logs? The easy way is to go to a screen in config that applies, then click the logs icon at the top right of that screen.
Try to test with ip addresses first, and hostnames after ips are ok.
If you changed nothing, has your isp? You can always call them, as you are a paying customer
Just some thoughts.
-
Well seems to be resolving just fine.. ntop should not be causing any issues..
You sure its not an ISP related problem..
do a simple traceroute.. do you get past pfsense?
$ tracert -d netflix.com Tracing route to netflix.com [107.23.104.215] over a maximum of 30 hops: 1 <1 ms <1 ms <1 ms 192.168.9.253 2 10 ms 19 ms 10 ms 50.4.132.1 3 18 ms 10 ms 9 ms 76.73.191.106 4 9 ms 12 ms 11 ms 76.73.164.121So clearly getting past pfsense there with the 2nd hop.. So do a sniff on pfsense wan when try and open the website.. Your browser says the connection was closed
What does pfsense show for the quality of your connection - is it having a lot of packet loss, etc. Your shot of your gateway sure doesn't show any.. and freaking screaming great connect.. under 1 ms to your isp device.. That is pretty freaking good..
-
@johnpoz - below is the results of the traceroute. Doesn't look good , but I know very little about networking.
How do I do a sniff in pfSense?
@johnpoz @BogusException
I went back through the instructions I created to get pfSense to work originally around putting my PACE modem into bridge mode so I didn't think it was the ISP. Any time I have called ATT (or even comcast) in the past, I have been asked if I can get to the internet while connected via Ethernet... if I can get to the internet they offer little to no help (which I can get to the internet plugging in the laptop to the modem via Ethernet). I don't want to yell at ATT, but I'm getting beyond frustrated (more because I can't figure this out).Appreciate your help and patience with this noob (me).
-
@johnpoz said in Unable to Browse Internet:
under 1 ms to your isp device.. That is pretty freaking good..
Suspiciously so. It's monitoring something very close which will not show packet loss upstream of that.
You might want to change the monitoring target to some other public IP that responds to ping. 8.8.8.8 is a common choice.Steve
-
@stephenw10 said in Unable to Browse Internet:
You might want to change the monitoring target to some other public IP that responds to ping. 8.8.8.8 is a common choice.
Where you I change the monitoring target?
Now one of the gateways shows "pending" - not sure if this is indicative of an issue or not.
-
You can set a custom target by editing the gateway in System > Routing.
The v6 gateway was monitoring the link local address so that was not showing anything upstream. It should still be doing so though unless you disabled IPv6 somewhere.
Steve
-
See all those hops with 10.x.x.x those are odd as shit... That is rfc1918 space, and doesn't route on the internet - the only way you would see such address that many hops in if you were on a really bad carrier grade nat, etc.
And why is your first hop 192.168.43??? Thought pfsense was 192.168.100.1 ?
-
@stephenw10
IPv6 Gateway Setup - To me it looks like it is the default. Let me know if you see something that doesn't look right.
The change after inputing 8.8.8.8 for the gateways:
@johnpoz - The only thing I can think of is that the ATT Fiber modem (PACE) is the older version. I have never came close to the 1GB speeds, not even half that since I have been on the service.
I have no idea why the first hop is to any other IP besides 192.168.100.1. since this is the setup at this moment. I'd trust your opinion over mine though.
-
I appreciate the help and suggestions.
I'll be honest, the pfSense logs don't to alot for me as I'm not sure what I am looking for.
I'm not able to make heads or tails of the following logs:
I probably will call ATT, but trying to make sure I don't yell at a customer service / technical support rep as they didn't create the problem :)
-
Dude if your first hop is not 192.168.100.1, then your NOT talking to pfsense. You sure your not connected to someone else.
You show us your pfsense IP of 192.168.100.1, then a trace showing your hitting 192.168.43. - and then a bunch of 10.x address... Not sure what that has to do with pfsense...
-
Yeah, you have something weird there. You might not necessarily see 192.168.100.1 in the traceroute but if you do it will be the first hop.
Unless maybe you are behind another router? Maybe acting as an access point but still NATing?
That still wouldn't explain the string if private IPs in the output.
Seems more likely you are connecting over a VPN or maybe a 3G/4G device somehow.How does that compare with the sane traceroute run from the pfSense CLI?
Steve
-
@johnpoz & @stephenw10 - Based on your comments and feedback, I went back and did the following:
-
Walked through the steps / video to put the PACE 5268AC modem into bridge mode.
-
After that, I ran the tracert -d netflix.com again.
Below are the results (the first hop was to what you expect - 192.169.100.1)
Even with something that you would expect, I'm not able to pull up sites like youtube.com, linuxmint.com, or getfedora.org via the browser on a laptop connected to the switch via Ethernet.
Does this traceroute look better?
-
-
You could of turned the modem off, that would have zero to do with clients talking to pfsense... What is on your wan has ZERO to do with what pfsense lan IP, and its dhcp clients.
How exactly do you have all this stuff connected together?
That is not a modem, that is a gateway, and runs wireless.. Are you clients connecting to it for wireless?
So see 2nd hop, your past pfsense - stuff not working once that has happened has zero to do with pfsense.. Call your isp.
-
Netflix is not a great target for traceroute though. It times out for me too.
At least you're seeing what looks like the correct route. It seems highly suspicious that you were seeing a different gateway device previously. I'd suggest you have a rogue DHCP server or some unknown connection somewhere.
Steve
-
Doesn't matter about the rest of the traceroute.. What matters is showing past pfsense.. Its rare these days to be able to get a clean trace all the way to the dest without some timeouts, freaking idiots not answering them along the way.
If he having issues getting somewhere and pfsense passes on the traffic - and stuff isn't working he needs to call his isp..
A sniff on pfsense might give you more insight.. With his client saying connection was "closed" maybe RST are being sent back from the ISP.. No idea - but if he routes past pfsense to his isp, and stuff not working its not pfsense issue... Which makes sense since he says he didn't change anything with pfsense..
