Pfsense brake completely enable DHCP

mullcom

Hello.

I am wondering how i can bring my Pfsense backup again. I have try so many ways now and can't get the loan Port to start sending package out from its own.

Story

I have fresh install Pfsense and when i enable DHCP it brake down. Can't get Webb UI to respond and when i ping Pfsense IP i don't get any respond back.

When i go to Pfsense with monitor i press 8 and ping My IP and i get respons back but when i ping outside from this network ports "rc1" i get : invikid command as respond. Really strange behavior! I have try to get this fixed as to do.

Get rc1 interface new IP address
Restart (Pfsense, switch, second router)
Shutdown the other DHCP.
Shutdown rc1 port and start it.

But nothing working. The only thing that is are to reinstall the system. But i think this is a bit extream to do. Must be a somting else i cam do to resetting the port so it can start to send package external again?

KOM

What are your LAN configuration details and DHCP server config? Screenshots would be helpful.

mullcom

It's not so much to tell.
I don't find any upload for IMG.

My Lan is static on 192.168.10.1

When i try to enable DHCP i select between 100 - 150 in same network.

After i enable it then i can't reach web UI or ping up from my computer but when i go to CLI Interface to check if system has Frozen i can see it has not and system is up and i can ping 192.168.10.1 but no other ip in network.

mullcom

@KOM said in Pfsense brake completely enable DHCP:

What are your LAN configuration details and DHCP server config? Screenshots would be helpful.

not so many option i have checked

KOM

When you reply, on the far right of the Edit bar is an icon titled Upload Image, right between Emoji and Upload File. Use that to post screenshots here.

Gertjan

@mullcom said in Pfsense brake completely enable DHCP:

@KOM said in Pfsense brake completely enable DHCP:

What are your LAN configuration details and DHCP server config? Screenshots would be helpful.

Probably one to much : image number 4 : Static ARP.

Only the machines listed below will be able to communicate with the firewall on this interface.

Do you understand what this implies ? Did you really add all the MAC's ?

mullcom

@Gertjan said in Pfsense brake completely enable DHCP:

@mullcom said in Pfsense brake completely enable DHCP:

@KOM said in Pfsense brake completely enable DHCP:

What are your LAN configuration details and DHCP server config? Screenshots would be helpful.

Probably one to much : image number 4 : Static ARP.
Only the machines listed below will be able to communicate with the firewall on this interface.
Do you understand what this implies ? Did you really add all the MAC's ?

I should read about this. But this should not make the web UI and nic-port brake totally?

I have done some backup new so I can go back to a working state if it's brake again. So I can test if this setting cursing this behavior.

mullcom

Update.

I have look around in Pfsense and find out that ntp servis is not working as it should! I have try to fix that but I get same issue and clock is not updating. This can be a direct issue with DHCP I think. So I need to solve this first.

Why so many failing points in this system at a clean installation? Screenshot_20190812-191722_Chrome Canary.jpg

KOM

@mullcom said in Pfsense brake completely enable DHCP:

Why so many failing points in this system at a clean installation?

Impossible to answer since we have no idea what you have done or how you have configured anything. I did ask for screenshots of your network details but you never got around to providing them.

Gertjan

@mullcom said in Pfsense brake completely enable DHCP:

@Gertjan said in Pfsense brake completely enable DHCP:
@mullcom said in Pfsense brake completely enable DHCP:

@KOM said in Pfsense brake completely enable DHCP:

What are your LAN configuration details and DHCP server config? Screenshots would be helpful.

Probably one to much : image number 4 : Static ARP.
Only the machines listed below will be able to communicate with the firewall on this interface.
Do you understand what this implies ? Did you really add all the MAC's ?
I should read about this. But this should not make the web UI and nic-port brake totally?

I have done some backup new so I can go back to a working state if it's brake again. So I can test if this setting cursing this behavior.

NTP ?
Here is mine :

Status :

time is set close to a 0.00 001 second.

Your status list : it found a list with IP address, but none is reachable;

You have severe upstream connection problem.

pfSense is as any other router : Out f the box, set up WAN (if it is DHCPclient, nothing to do, because this is default) : it connects and it's ready to go.
Any bad experiencing from this point : tell us your setup, and we tell you what's wrong.

Btw : use a 'normal' device to set it up. Phone-only seems not a good idea to me.

edit : ntp using IPv6 .... oh, well, why not :

mullcom

@Gertjan said in Pfsense brake completely enable DHCP:

@mullcom said in Pfsense brake completely enable DHCP:
@Gertjan said in Pfsense brake completely enable DHCP:
@mullcom said in Pfsense brake completely enable DHCP:

@KOM said in Pfsense brake completely enable DHCP:

What are your LAN configuration details and DHCP server config? Screenshots would be helpful.

Probably one to much : image number 4 : Static ARP.
Only the machines listed below will be able to communicate with the firewall on this interface.
Do you understand what this implies ? Did you really add all the MAC's ?
I should read about this. But this should not make the web UI and nic-port brake totally?

I have done some backup new so I can go back to a working state if it's brake again. So I can test if this setting cursing this behavior.
NTP ?
Here is mine :

Status :

time is set close to a 0.00 001 second.

Your status list : it found a list with IP address, but none is reachable;

You have severe upstream connection problem.

pfSense is as any other router : Out f the box, set up WAN (if it is DHCPclient, nothing to do, because this is default) : it connects and it's ready to go.
Any bad experiencing from this point : tell us your setup, and we tell you what's wrong.

Btw : use a 'normal' device to set it up. Phone-only seems not a good idea to me.

edit : ntp using IPv6 .... oh, well, why not :

Thx. I upload my settings. I have try so many ways now but right now I have this.

Still problem. :(
Screenshot_20190813-134824_Chrome Canary.jpg
Screenshot_20190813-135128_Chrome Canary.jpg Screenshot_20190813-134932_Chrome Canary.jpg Screenshot_20190813-134857_Chrome Canary.jpg Screenshot_20190813-140156_Chrome Canary.jpg

mullcom

Seams I geting better result but it still saying unreachable.
Screenshot_20190813-174636_Chrome Canary.jpg Screenshot_20190813-175004_Chrome Canary.jpg

johnpoz

If you can talk to them then your reach should be 377..

And your offsets are so large not going to adjust anyway.. Set the time on the pfsense box to be somewhere close to start with.

Your connectivity is just broken from those jitter values..

mullcom

@johnpoz Screenshot_20190813-183937_Chrome Canary.jpg

I try to sett time manually. But same problem and offset time is still big.

Gertjan

Is is possible to remove all your firewall and NAT rules - and put in place the default pass all rule on LAN ?

johnpoz

@mullcom said in Pfsense brake completely enable DHCP:

I try to sett time manually. But same problem and offset time is still big

Well your not really talking to them... So the reach will go up as you get back answers.. it tells you how many out of the last 8 queries you got answers for... Normal is 377.. 7 means HORRIBLE!!! You could do the math to match up which ones got an answer..

7 would mean only the last 3 have gotten an answer
00000111

377
11111111
would mean you got answers for the last 8 queries.

What are your reaches now? When they are 377 and stay there you have a stable connection to the ntp servers.

mullcom

This is a bit crazy...

No one in the list.

Screenshot_20190813-192808_Chrome Canary.jpg

mullcom

Finally. I delit pool and only use time.windows.com like all windows OS do.

I get that to pop-up.
Screenshot_20190813-194551_Chrome Canary.jpg

2.4.4-RELEASE][admin@pfSense.localdomain]/root: ntpdate -d time.windows.com
13 Aug 19:42:45 ntpdate[62579]: ntpdate 4.2.8p13@1.3847-o Fri May 10 20:05:40 UTC 2019 (1)
transmit(40.74.70.63)
receive(40.74.70.63)
transmit(40.74.70.63)
receive(40.74.70.63)
transmit(40.74.70.63)
receive(40.74.70.63)
transmit(40.74.70.63)
receive(40.74.70.63)

server 40.74.70.63, port 123
stratum 2, precision -23, leap 00, trust 000
refid [132.163.96.2], root delay 0.192383, root dispersion 0.014725
reference time: e0fd7778.aa4bf9d3 Tue, Aug 13 2019 19:52:56.665
originate timestamp: e0fd7795.26345eac Tue, Aug 13 2019 19:53:25.149
transmit timestamp: e0fd751b.ae457a08 Tue, Aug 13 2019 19:42:51.680
filter delay: 0.09448 0.09479 0.09439 0.09439
---- ---- ---- ----
filter offset: 615.057016 621.197134 627.284268 633.434036
---- ---- ---- ----
delay 0.09439, dispersion 6.89256, offset 627.284268

13 Aug 19:42:51 ntpdate[62579]: step time server 40.74.70.63 offset 627.284268 sec
[2.4.4-RELEASE][admin@pfSense.localdomain]/root:

johnpoz

well if you can not resolve - then no nobody would be in the list..

Not sure why you are worried about ntp.. Does the wan get an IP from your isp - is it public or rfc1918.. What does the quality graph show? Can pfsense ping say 8.8.8.8 from the diag, ping tool?

mullcom

@johnpoz

I am glad you all help me with this.

Pfsense deliver NTP as a funktion so. I think that should work when it come with the box. Time is important. If not correct time with your hardware to getting trubbel in the end with other. Like when you deliver active directory for one example. It seams DHCP is also in need of time. But the thing is that I want it to work and function correctly before I move on. Not like to have failing funktionalitet in the network. Btw I feel some responses loss in web GUI when time is not Correct. Sometime it frozen for a minute.

With that sad.

I call my ISP to get a IP adress that's are derectly to the internet. If I didn't do that I don't get a fake ip that's not directly to internet and gets some limitations.

I did some more testing in ssh when I update time manually.

[2.4.4-RELEASE][admin@pfSense.localdomain]/root: date 1342
date: can't reach time daemon, time set locally
Wed Aug 14 13:42:00 +02 2019
[2.4.4-RELEASE][admin@pfSense.localdomain]/root:

Can't reach time deamon it say

[2.4.4-RELEASE][admin@pfSense.localdomain]/root: time
0.006u 0.018s 29:48.45 0.0%     7908+1780k 4+0io 0pf+0w
[2.4.4-RELEASE][admin@pfSense.localdomain]/root:

Have no idea why it say like this.

I have sett correct location and that is Sweden Stockholm in web GUI. And when I ping 8.8.8.8

[2.4.4-RELEASE][admin@pfSense.localdomain]/root: ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=54 time=4.960 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=54 time=4.950 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=54 time=4.946 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=54 time=4.948 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=54 time=4.947 ms

And i get back all NTP servers in the list now. And that are 377 now. Start Frome 7 and get higher more I waited. But still saying unreachable
Screenshot_20190814-134900_Chrome Canary.jpg

I did remove all NAT rules and open up WAN for everything to see if it working better.

LAN is already open as defoult.
Screenshot_20190814-135449_Chrome Canary.jpg

Screenshot_20190814-135432_Chrome Canary.jpg Screenshot_20190814-135343_Chrome Canary.jpg

mullcom

When I enable Graf. where do i find it?

mullcom

I am trying to finding NTP.conf in she'll. But it seams that it has moved away form defoult location ?

[2.4.4-RELEASE][admin@pfSense.localdomain]/etc: cd ntp
[2.4.4-RELEASE][admin@pfSense.localdomain]/etc/ntp: ls
[2.4.4-RELEASE][admin@pfSense.localdomain]/etc/ntp:

johnpoz

Lets freaking forget ntp for the time being..

You show a block on your lan for dhcp that 0.0.0.0:68 are you not running dhcp server on your lan on pfsense?

If you enable dhcp server on pfsense lan - then there would be hidden rules to allow that traffic - since your seeing blocked, then you don't have it enabled?

There should be ZERO rules on your wan!!! unless you want a specific port forward..

Your ntp seems to be working from you latest screen shot, see the 377 reach. But your offset is still HUGE.. Do you have a timezone issue.. What do you have timezone set in the gui too? Make sure its correct and then reboot pfsense.

simple date cmd will show you time, date and zone

[2.4.4-RELEASE][admin@sg4860.local.lan]/: date
Wed Aug 14 08:15:23 CDT 2019
[2.4.4-RELEASE][admin@sg4860.local.lan]/:

Gertjan

@mullcom said in Pfsense brake completely enable DHCP:

moved away form defoult location

Default to what ? A Linux based system ? A pure FreeBSD install ? Maybe.
This is pfSense, based on the FreeBSD kernel OS.

Check /var/etc/ntpd.conf ^^

This file is build by pfSense (GUI settings) just before pfSense start the time demaon.

/usr/local/sbin/ntpd -g -c /var/etc/ntpd.conf -p /var/run/ntpd.pid

#
# pfSense ntp configuration file
#

tinker panic 0
# Orphan mode stratum
tos orphan 12


# Upstream Servers
pool fr.pool.ntp.org iburst maxpoll 9


statsdir /var/log/ntp
logconfig =syncall +clockall +peerall +sysall
driftfile /var/db/ntpd.drift
restrict default kod limited nomodify nopeer notrap
restrict -6 default kod limited nomodify nopeer notrap
restrict source kod limited nomodify notrap
interface ignore all
interface ignore wildcard
interface listen fxp0
interface listen sis0
interface listen ovpns1

( This is mine - with the interface and settings I use ).

mullcom

Weee. I have solved my issue. It's a kernel tune that needs to be done. I found out this on hardware forum that make this nice bords.

https://r.tapatalk.com/shareLink?url=https%3A%2F%2Fforum%2Eodroid%2Ecom%2Fviewtopic%2Ephp%3Ft%3D33911&share_tid=33911&share_fid=63351&share_type=t

Anyway I want to thx for all your help. It is very grateful.