Can't install the packages and can't ping IP address from Pfsense



  • Hi everyone,

    I have 2 Pfsenses. The primary is connected and working on 2.4.3_1 and the secondary one is the spare (it is not connected). I have two ISPs, both set up as a failover group.
    I wanted to apply some changes to the firewall to test them and if they work I will apply them to the primary one.
    So I did the following steps:

    • I backed up the configuration of the primary Pfsense and restored it to the spare one.
    • The spare one was not connected to the internet since I thought that the packages would be loaded from the config file.
    • I received the error "package reinstall process was aborted due to lack of internet connectivity".
    • Connected the secondary ISP to the spare Pfsense.
    • I was able to access the internet from a computer that is connected to it, however, I was not able to ping google from Pfsense.
    • I restarted the Pfsense and restored the configuration while it was connected to the internet connection from the second ISP.
    • It kept showing the same thing.
    • I removed the IP address of the domain controller from System > General setup and kept the 8.8.8.8, 8.8.4.4.
    • Disabled the DNS resolver and enabled the DNS forwarder with the option "Query DNS servers sequentially".
    • I was able to resolve google from the Pfsense Diagnostics menu, but I am still not able to ping it.
    • I tried to reboot it, but it is still the same, however, I can access the internet from the computer that is connected to it.

    My goal is to clone the settings so I can do the changes, update the firmware and test it; in case it didn't work I can unplug the cables and move it back to the primary Pfsense, but now I am not able to install the packages or update the system. Please help!



  • Is the secondary firewall an exact duplicate hardware-wise of the primary? Failover situations like that, especially where you want to, say, be able to restore a config and fire up a cold secondary box, require the boxes to be identical, including the same kind and number of NIC cards. Otherwise, when the configuration is restored, what you think is the LAN might now be the WAN and vice-versa if, say, the NICs are different types or even in different slots.



  • They are both identical. I made sure that all interfaces are the same. I can't find a reason why the Pfsense can't ping google, but my computer can. I believe that this is a DNS issue or it might be something that happened in the firmware when I tried to restore the configuration without internet access. Is there a way to troubleshoot that?



  • When you enabled the Forwarder did you make sure to disable the Resolver? Or are you trying to convert the Resolver over to forwarding? If you want to strictly forward, I would just use the Forwarder and disable the Resolver (which is unbound).

    What have you put in the DNS settings of the General Setup tab of pfSense under the SYSTEM menu?

    When you are trying to ping Google, are you actually using the 8.8.8.8 IP address, or are you trying this way?

    ping google.com
    

    Does this command work? (pinging the IP address itself)

    ping 8.8.8.8
    

    If not, then you have a physical connection problem of some type because DNS is completely out of the picture. If pinging by the IP address works, but pinging by domain name does not, then it is likely a DNS issue.



  • The resolver is disabled and the forwarder is enabled. I enabled the forwarder because I thought that the issue is related to the resolver.
    The DNS settings are as shown here:

    (Attached screenshots: DNS settings, DNS lookup, ping output, ping 8.8.8.8, DNS forwarder)

    I would say it is a physical connection problem, but there is one computer (test computer) connected to this firewall and I can access the internet. I am using it now! The issue is only the internet connection inside the Pfsense. Is there a mistake in the DNS settings? I am new to Pfsense.

    The big difference is that the primary Pfsense is in a domain environment and able to connect to all domain controllers, but the spare one is not, and I tried to override the settings by switching it to google public DNS.



  • Not clear about your connection. How is this "second" firewall connected to the Internet? Are you sure that its IP address is not conflicting with another device?

    Could the other PC you're testing from have another pathway to the Internet? Perhaps through wireless or a second network port?

    DNS resolving or not, or forwarding or not, has zero to do with pinging a distinctly specified IP address. Not related at all.



  • The primary firewall has 2 ISPs connected to it. I took the secondary ISP and connected it to the spare firewall to give it internet access. The topology is: ISP cable to the second firewall. My computer is connected to this firewall through a switch.

    The WIFI is disabled. My computer does have access to the internet from the second firewall only without issues. The firewall is not pinging. I do agree that not pinging has nothing to do with the DNS. Is there a way to confirm that there are no issues with the firewall firmware?

    bmeeks, I appreciate your help.



  • Is there nothing else connected to this switch except your computer you are testing from and the firewall? There needs to be just two cables plugged into that switch's ports. One of the cables should go to the LAN port of the firewall and the other cable to your PC. Nothing else should be connected to the switch.

    The point is to be 100% positive that PC has no other way to the Internet. It just makes zero sense that a device connected to pfSense can ping an IP through it, but pfSense itself, from the console, can't ping the same IP.

    Are all the subnet masks set correctly on the pfSense interfaces?



  • I was able to figure it out. You were correct. It is not a DNS issue. It turns out that the primary ISP was set up to be the default gateway. I changed the default gateway to be the secondary ISP (System > Routing > Gateways) and it worked. Does this mean that if the primary ISP goes offline, only the Pfsense won't have internet access while all users will have internet access? I am not sure why the failover group didn't work.

    Please note that I have a failover group where the primary ISP is tier 1 and the secondary is tier 2.
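As an added illustration (not code from pfSense or from anyone in this thread), here is a small Python model of the behaviour behind the fix above: traffic passing through the box is policy-routed by the LAN rule's gateway group, while the firewall's own traffic (Diagnostics ping, package installs, updates) follows the single default gateway set under System > Routing > Gateways. The tier logic and the "Default gateway switching" option (System > Advanced > Miscellaneous) are modelled on pfSense 2.4.x as I understand it; the gateway names and up/down states are constructed.

```python
# Added illustration, not pfSense's own code: a small model of how pfSense 2.4.x
# chooses an egress gateway for traffic *through* the box (policy-routed by the
# LAN rule's gateway group) versus traffic *from* the box (its default route).
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Firewall:
    gateway_up: Dict[str, bool]            # gateway name -> monitored state (constructed)
    group_tiers: Dict[int, List[str]]      # failover group: tier -> members (1 = preferred)
    default_gateway: str                   # System > Routing > Gateways, "Default gateway"
    lan_rule_uses_group: bool = True       # LAN pass rule's Gateway field names the group
    default_gateway_switching: bool = False  # System > Advanced > Misc, off by default

    def group_choice(self) -> Optional[str]:
        """Lowest tier with a live member wins; members of one tier are load-balanced
        in pfSense, here the first live member is taken."""
        for tier in sorted(self.group_tiers):
            alive = [g for g in self.group_tiers[tier] if self.gateway_up[g]]
            if alive:
                return alive[0]
        return None

    def egress_for_firewall_itself(self) -> Optional[str]:
        """Pings from Diagnostics, pkg installs, updates: follow the default route.
        The LAN rule's gateway group never applies to the firewall's own traffic."""
        if self.gateway_up[self.default_gateway]:
            return self.default_gateway
        if not self.default_gateway_switching:
            return None  # default route still points at the dead gateway
        return next((g for g, up in self.gateway_up.items() if up), None)

    def egress_for_lan_client(self) -> Optional[str]:
        """Traffic from a LAN host is policy-routed by the LAN rule if it names the group."""
        if self.lan_rule_uses_group:
            chosen = self.group_choice()
            if chosen is not None:
                return chosen
        return self.egress_for_firewall_itself()


def spare_firewall_as_restored() -> Firewall:
    """The thread's spare box: config restored from the primary (default gateway =
    ISP1), but only the ISP2 cable plugged in, so ISP1's gateway is down."""
    return Firewall(
        gateway_up={"ISP1_GW": False, "ISP2_GW": True},
        group_tiers={1: ["ISP1_GW"], 2: ["ISP2_GW"]},
        default_gateway="ISP1_GW",
    )
```

With the restored config the LAN client gets ISP2 through the group while the firewall itself gets nothing; pointing the default gateway at ISP2 (the fix in this post) is what restores the box's own connectivity.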



  • I don't fancy myself an expert on pfSense failover setups. I have configured them for Nokia firewall appliances and Checkpoint firewalls in the past, but never on pfSense.

    Normally in a cluster setup the firewalls can talk to each other and decide who will be "boss". Your test configuration interrupted that to a degree.

