Windows shows "No Internet Access", but internet is working fine ?!

Herman

Hi Folks,

Since I have installed the last update of pfSense2.4.5-RELEASE and pfBlockerNG-devel 2.2.5_32 all my Windows machines are showing “No Internet Access” at the network connection icon in the taskbar. Despite this notification, internet on all Windows machines is working just fine…

Does anyone also experience this strange behavior?

Please let me know your thoughts about this…

Kind regards,
Herman F.

NollipfSense

@Herman It sounds as if you're running pfSense in a virtual environment ... are you?

Herman

@NollipfSense, thank you for your fast reply.

Yes that is correct. Running pfSense on a Windows Server 2019 Hyper-V host.
The VM is hosting 3 virtual switches. 2 LAN connections and 1 WAN connection.

Hope this helps...

Regards Herman F.

NollipfSense

@Herman You might need the set the virtual machine in bridge mode.

Herman

@NollipfSense can you explain this to me in detail? What is changed that this suddenly occurs? Never had problems with the 2.4.4 version.

Kind regards,
Herman

NollipfSense

@Herman Well, I don't know what to say especially since you had the way you wanted under v2.4.4. So, I'll link Steve with hope he might be to offer an explanation @stephenw10

RonpfS

Do you have DNSBL enabled? Inspect the Reports/Alerts tab, maybe you have some microsoft.com site being blocked.

NollipfSense

@RonpfS He said "all my Windows machines are showing “No Internet Access” at the network connection icon in the taskbar." So, his Windows OS is not showing connection and not that he was say downloading update or that his machines were calling home. Or, are you saying when the machines cannot call home, he'll get no Internet connections! Everything was working under v2.4.4; so, it seems he had pfBlockerNG installed. I hardly use Windows.

RonpfS

Well my Window 7 calls home every time it boots. When it doesn't reach it's server, it display the “No Internet Access” warning.
I don't remember which domain was used at the time but logging.windows.microsoft.com and watson.microsoft.com are in my DNSBL whitelist.

Herman can disable DNSBL, reboot a Window machine and see if the issue is still present. If the issue is still present, disabling pfblockerng and reboot a Windows to rule out and IP being blocked.

Maybe things were running fine under 2.4.4, but on a new installation, file are created from scratch and what if some whitelisting gone missing.

Herman

@NollipfSense, @RonpfS Thanks to both of you. Appreciate all your effort helping me.

When disable DNSBL and reboot the machine(s) the problem does not occur. So there must be something blocked I assume. By the way I didn’t know that Microsoft checks online if the machine has internet connection yes or no?

Thanks to both of you. Appreciate all your effort helping me.
When disabling DNSBL and reboot the machine the problem does not occur. So there must be something blocked I assume. By the way I didn’t know that MS checks online if the machine has internet connection yes or no?

Hope this helps,
Herman

Gertjan

@Herman said in Windows shows "No Internet Access", but internet is working fine ?!:

By the way I didn’t know that Microsoft checks online if the machine has internet connection

Like a phone, you have to pick it up, and hear a dail tone. That somewhat gives a proof that the local network, from the phone to the operators trunk, is operational. Not the entire world wide phone network.
To really make sure "it" actually work, you have to compose some (random) number and see if they answer.
Seems logic, right ?!

Spearfoot

Sounds like you're blocking Microsoft's NCIS (Network Connectivity Status Indicator) subsystem. Windows systems -- or at least some of them -- query website www (dot) msftncsi (dot) com to verify connectivity. Details here:

https://blog.superuser.com/2011/05/16/windows-7-network-awareness/

riften

On my Windows 10 machines, they are probing for www.msftconnecttest.com
and ipv6.msftconnecttest.com. And at least one of my DNSBL lists was blocking them so I put them in the white list. Problem solved. Don't need some family member complaining "there's no internet!".

DaddyGo

I don't think the status of the icon is a big problem, as opposed to MicroSoft collecting possible data with ping responses from www.msftncsi.com

this telemetry is not in vain on the ban list.....!
Create a batch file (ping.bat) that will ping from your Windows-based machine after boot to a few known DNS providers, such as 8.8.8.8, 1.1.1.1.
The icon changes state after a short time - to internet status is ON :-)

Like:

riften

I'm sure there are so many back doors that an obvious 'front door' like these MS 'internet test' sites just aren't a big deal to me. How many of us have a you-know-where made cellphone on our person, sending telemetry to you-know-who country. They know more about us than we know. I don't worry much about MS knowing where I am. I am sure that they don't need this 'connection test' to tell them.

DaddyGo

I actually agree with you, but if I think about it better, then not.
In case, if we always let them to observe us and let's say it still fits, it will only be catastrophic this situacion.
The people you're talking about on flower language, we gave them all the technology to make them for us afterwards.
They’re just smoothly seizing the opportunity and have grown bigger ever since.
Maybe it’s basically our fault for getting here.
So I destroy down telemetry as much as possible.