Unable to browse the web



  • I just installed PFSense, but now I cannot browse the web, I just get a white page. I believe the firewall needs a rule to let the traffic get in. Can anyone suggest a solution?
    Thanks

    Also, when I try to do a search on this site, I see the topics coming in while I write in the search field, but when I click on them, nothing happens....


  • Rebel Alliance



  • Read the doc provided above.

    Pfsense comes default ready to go. You should easily be online in most cases.

    No the firewall does not need any rules to allow traffic in. Outbound connections open the return traffic automatically.



  • @ptt
    Thanks for the link, I am following the instructions and I am trying all the tests in the diagnostic part of this document. They have all been successful apart from this one, so I am trying to fix it with the info provided.

    "Test NAT: Try to ping 8.8.8.8 (Diagnostics > Ping) using LAN as the Source Address

        If this fails but the other tests work, then the problem is likely Outbound NAT (See the WAN/LAN gateway checks above)"


  • So far, the problem seems to be with the "Outbound NAT".
    I believe that it might be the default gateway, but I am not able to understand this scheme:

    IPv4 Routes
    Destination      Gateway       Flags  Use    Mtu    Netif  Expire
    default          192.168.1.1   UGS    622    1500   re1
    1.1.1.1          192.168.1.1   UGHS   20     1500   re1
    8.8.8.8          192.168.1.1   UGHS   36     1500   re1
    127.0.0.1        link#4        UH     104    16384  lo0
    172.16.1.0/24    link#1        U      4      1500   re0
    172.16.1.254     link#1        UHS    0      16384  lo0
    192.168.1.0/24   link#2        U      16946  1500   re1
    192.168.1.254    link#2        UHS    0      16384  lo0


  • Rebel Alliance

    Your WAN IP address is ?

    Your LAN IP address is ?

    pfSense's "default" (out of the box) outbound NAT config should/must work



  • @ptt
    WAN 192.168.1.254/24
    LAN 172.16.1.254/24
    Default Gateway 192.168.1.1



  • Go to- Firewall / NAT / Outbound

    Click "save".. see if that makes things work.


  • Galactic Empire

    Have you unticked Block private networks and loopback addresses on your WAN interface.


  • LAYER 8 Global Moderator

    block bogon and rfc1918 would have nothing to do with being behind a double nat. They only come into play when there are devices on your wan (the rfc1918 network) that would be wanting to access any port forwards you have setup.



  • @chpalmer said in Unable to browse the web:

    Go to- Firewall / NAT / Outbound

    Click "save".. see if that makes things work.

    Every time I do that, PFSense stops working (basically I can no longer see the interface and a white page saying the connection is taking too long is displayed), so I click 8 (Shell) directly inside the PC where PFSense is installed, the DOS-looking one, then "pfctl -d" and it starts working again.

    NAT is set on "automatic"

    Automatic Rules:
    Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description
    WAN 127.0.0.0/8 ::1/128 172.16.1.0/24 * * 500 WAN address * Auto created rule for ISAKMP
    WAN 127.0.0.0/8 ::1/128 172.16.1.0/24 * * * WAN address * Auto created rule



  • @NogBadTheBad said in Unable to browse the web:

    Have you unticked Block private networks and loopback addresses on your WAN interface.

    Yes, all unticked as suggested on the "connectivity troubleshooting" guide


  • LAYER 8 Global Moderator

    can pfsense ping its gateway? Can pfsense do dns lookups?



  • @johnpoz
    Yes, I did try all the troubleshooting tests suggested in the guide, they were all successful apart from this:

    Test NAT: Try to ping 8.8.8.8 (Diagnostics > Ping) using LAN as the Source Address

        If this fails but the other tests work, then the problem is likely Outbound NAT (See the WAN/LAN gateway checks above)

  • LAYER 8 Global Moderator

    well if you turned off NAT, then not sure how you think clients are going to be working.. Since your upstream is not going to nat those - unless you set it up to.

    pfctl -d



  • Tom:

    Do a packet capture on your WAN using the diagnostic menu and then repeat the ping attempt from a LAN client.



  • @Tom8888 said in Unable to browse the web:

    NAT is set on "automatic"

    Are you sure your upstream router is 192.168.1.1 ?



  • @chpalmer
    I did try to post the results here, but I get an error message telling me that Akismet flagged my content as spam.

    Yes, the default gateway is definitely 192.168.1.1, but if you look at this, for the LAN the default gateway is set as " link#1 "

    IPv4 Routes
    Destination      Gateway       Flags  Use    Mtu    Netif  Expire
    default          192.168.1.1   UGS    622    1500   re1
    1.1.1.1          192.168.1.1   UGHS   20     1500   re1
    8.8.8.8          192.168.1.1   UGHS   36     1500   re1
    127.0.0.1        link#4        UH     104    16384  lo0
    172.16.1.0/24    link#1        U      4      1500   re0
    172.16.1.254     link#1        UHS    0      16384  lo0
    192.168.1.0/24   link#2        U      16946  1500   re1
    192.168.1.254    link#2        UHS    0      16384  lo0



  • @johnpoz said in Unable to browse the web:

    well if you turned off NAT, then not sure how you think clients are going to be working.. Since your upstream is not going to nat those - unless you set it up to.

    pfctl -d

    What should I do exactly? (sorry, I am not an IT person)


  • LAYER 8 Global Moderator

    you shouldn't be running that cmd, if you want pfsense to actually nat, that disables the firewall and natting.

    That is not the default gateway for the lan, that is the interface in the lan address.. So yeah that is how it talks to that network.. You didn't set a gateway on the lan interface did you?



  • @chpalmer said in Unable to browse the web:

    Tom:

    Do a packet capture on your WAN using the diagnostic menu and then repeat the ping attempt from a LAN client.

    These are just a few lines taken out from the middle of the report, I hope it is going to get posted and not flagged as spam....

    16:04:53.151476 IP 192.168.1.1 > 192.168.1.254: ICMP echo reply, id 18172, seq 16249, length 8
    16:04:53.380004 IP 192.168.1.214.57189 > 192.168.1.254.80: tcp 1
    16:04:53.380038 IP 192.168.1.254.80 > 192.168.1.214.57189: tcp 0
    16:04:53.444004 ARP, Request who-has 192.168.1.254 tell 192.168.1.1, length 46
    16:04:53.444020 ARP, Reply 192.168.1.254 is-at 40:62:31:02:ac:c4, length 28
    16:04:53.682654 IP 192.168.1.254 > 192.168.1.1: ICMP echo request, id 18172, seq 16250, length 8
    16:04:53.683323 IP 192.168.1.1 > 192.168.1.254: ICMP echo reply, id 18172, seq 16250, length 8


  • LAYER 8 Global Moderator

    yeah that's pfsense pinging its gateway.

    Now do that sniff when you try and ping from the lan address to 8.8.8.8



  • @johnpoz
    No, I did not set a default gateway on the LAN, as the guide suggested not to do it as well



  • PING 8.8.8.8 (8.8.8.8) from 172.16.1.254: 56 data bytes

    --- 8.8.8.8 ping statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss



  • Packet Capture from WAN while pinging 8.8.8.8

    16:37:23.724824 IP 192.168.1.254 > 192.168.1.1: ICMP echo request, id 18172, seq 19996, length 8
    16:37:23.725314 IP 192.168.1.1 > 192.168.1.254: ICMP echo reply, id 18172, seq 19996, length 8
    16:37:23.796500 IP 192.168.1.214.59665 > 224.0.0.252.5355: UDP, length 33
    16:37:23.826400 IP 192.168.1.100.138 > 192.168.1.255.138: UDP, length 201
    16:37:24.206639 IP 192.168.1.254.123 > 80.211.82.90.123: UDP, length 48
    16:37:24.206996 IP 192.168.1.214.59665 > 224.0.0.252.5355: UDP, length 33
    16:37:24.231761 IP 192.168.1.254 > 192.168.1.1: ICMP echo request, id 18172, seq 19997, length 8
    16:37:24.232228 IP 192.168.1.1 > 192.168.1.254: ICMP echo reply, id 18172, seq 19997, length 8
    16:37:24.262468 IP 80.211.82.90.123 > 192.168.1.254.123: UDP, length 48
    16:37:24.763824 IP 192.168.1.254 > 192.168.1.1: ICMP echo request, id 18172, seq 19998, length 8

    Doing the same test on LAN, I just get a blank page (????)
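
Added example, not part of any post in this thread: a small Python check that reads WAN capture text in the format posted above and reports whether echo requests to 8.8.8.8 left the WAN translated to the WAN address, left with a private LAN source, or never appeared on the WAN at all. The addresses are the ones posted in the thread; the function name, the verdict strings and the two constructed samples are assumptions made for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Addresses as posted in the thread.
WAN_ADDR = ip_address("192.168.1.254")
LAN_NET = ip_network("172.16.1.0/24")
TARGET = ip_address("8.8.8.8")

# Matches only the ICMP echo lines of the capture text format shown above.
ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply)")

def classify_wan_capture(lines):
    """Classify a WAN-side capture taken during a LAN-sourced ping to TARGET."""
    # Assumption: nothing else pings TARGET from the WAN address meanwhile.
    natted = leaked = replies = 0
    for line in lines:
        m = ICMP_RE.match(line.strip())
        if not m:
            continue  # TCP, UDP, ARP and other lines are ignored
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        if m["kind"] == "request" and dst == TARGET:
            if src == WAN_ADDR:
                natted += 1   # source was translated to the WAN address
            elif src in LAN_NET:
                leaked += 1   # left the WAN with its private LAN source
        elif m["kind"] == "reply" and src == TARGET and dst == WAN_ADDR:
            replies += 1
    if leaked:
        return "nat-missing"
    if natted:
        return "nat-ok" if replies else "nat-ok-no-reply"
    return "not-seen-on-wan"

# Two lines copied from the WAN capture posted above.
THREAD_CAPTURE = [
    "16:37:23.724824 IP 192.168.1.254 > 192.168.1.1: ICMP echo request, id 18172, seq 19996, length 8",
    "16:37:24.206639 IP 192.168.1.254.123 > 80.211.82.90.123: UDP, length 48",
]
# Constructed lines (not from the thread) for the other outcomes.
CONSTRUCTED_NAT_OK = [
    "10:00:00.000001 IP 192.168.1.254 > 8.8.8.8: ICMP echo request, id 1, seq 0, length 64",
    "10:00:00.010001 IP 8.8.8.8 > 192.168.1.254: ICMP echo reply, id 1, seq 0, length 64",
]
CONSTRUCTED_NAT_MISSING = [
    "10:00:00.000001 IP 172.16.1.20 > 8.8.8.8: ICMP echo request, id 1, seq 0, length 64",
]

if __name__ == "__main__":
    print(classify_wan_capture(THREAD_CAPTURE))
```

On the lines posted in the thread the only ICMP traffic is pfSense pinging its gateway, so the check reports that no request to 8.8.8.8 was seen on the WAN.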



  • Here is how my different machines are connected to each other:

    1. I have a main router from where the internet connection is coming from, with 4 LAN ports AND wifi
    2. a laptop is connected by wifi to this main router and I can control PFSense from this browser
    3. a LAN wire connects the main router to an old PC, which is hosting a local site not on the web
    4. a second LAN wire goes to a brand new (powerful) mini PC which has only the last version of PFSense installed
    5. from the PFSense machine, there is a second LAN wire which goes to an access point, broadcasting a second wifi connection not protected by password

    If I try to connect with my laptop to the other wifi coming from the AP of PFSense, I can still control PFSense from it, but NOT browse the web.
    When I enter this command (pfctl -e) into the PFSense Shell (option 8), I can no longer access the control panel of PFSense, but if I insert another command (pfctl -d), then I can again visualize the interface.
    In both cases I cannot browse the web, unless I connect directly to the main router.
    If I eliminate the PFSense box and connect the wire from the AP directly to the main router, then even this wifi connection works perfectly.

    Version 2.4.4-RELEASE-p3 (amd64)
    built on Wed May 15 18:53:44 EDT 2019
    FreeBSD 11.2-RELEASE-p10

    The system is on the latest version.
    Version information updated at Mon Aug 19 17:38:24 UTC 2019
    CPU Type Intel(R) Celeron(R) CPU J3160 @ 1.60GHz
    Current: 1600 MHz, Max: 1601 MHz
    4 CPUs: 1 package(s) x 4 core(s)
    AES-NI CPU Crypto: Yes (inactive)
    Kernel PTI Enabled
    Uptime 00 Hour 43 Minutes 15 Seconds
    Current date/time
    Mon Aug 19 17:39:02 UTC 2019
    DNS server(s)

    127.0.0.1
    1.1.1.1
    8.8.8.8


  • @Tom8888

    For that setup you need a WAN rule from 192.168.1.0/24 to "WAN Address" in order to come in from the WAN side the way you are doing it.



  • The problem has been solved, I will post the details but not now as it is 1am here, thanks all for your support.



  • So, basically, I hired someone on Fiverr.com who, after a month of struggles, has been able to do half the job I hired him for; the resolution of this problem I posted here will likely lead us to the final step, which is redirecting all the clients accessing the free wifi to a locally hosted site.
    The problem was apparently a misconfiguration of the AP, so people could connect to the wifi and get an IP address but were unable to navigate anywhere, as only a white page would display and say the connection was taking too long.


  • LAYER 8 Global Moderator

    So your AP was either running a captive portal, or it wasn't actually in AP mode and was trying to route, etc. which was prob the same network on both sides, etc. Its wan and its lan.. So yeah not going anywhere.

