Netgate Discussion Forum

    Can't get Thinkpad to connect

    General pfSense Questions
      sdh9

      I have a pretty stock pfSense installation and I cannot get one device to connect. Only tweaks are I installed pfBlockerNG and changed the DNS Resolver to use DNS-over-TLS. I haven't added any firewall rules or anything like that yet. I disabled both pfBlockerNG and the DNS-over-TLS to see if it was the issue, and it is not.

      My network is ethernet from Fiber ONT -> pfSense (Qotom box) -> ASUS RT-AC86U in Access Point mode. Attached to the switch on the ASUS are some other devices and a MoCA adapter to bridge to another room.

      My household is mostly Macs and iPad (which all work fine) but a new Thinkpad appeared. It runs Windows 10 and I cannot connect to the network either over wireless or by plugging into a switch through ethernet. The output of 'ipconfig' on the Thinkpad looks normal to me (would love to copy and paste but that's not in the cards without a network).

      On the Thinkpad, I can ping the gateway and anything on the internal network but nothing outside (although I got one ping of 9.9.9.9, once, probably a fluke).

      While trying to ping out of the network, this is what I am receiving in pfTop, if that is helpful:

      pfTop: Up State 1-7/7 (441), View: default, Order: bytes
      PR        DIR SRC                           DEST                                   STATE                AGE       EXP     PKTS    BYTES
      udp       In  192.168.50.32:137             192.168.50.255:137             NO_TRAFFIC:SINGLE       00:00:50  00:00:00      129    10278
      udp       In  192.168.50.32:5353            224.0.0.251:5353               NO_TRAFFIC:SINGLE       00:00:49  00:00:00       85     4967
      udp       In  192.168.50.32:57409           239.255.255.250:1900           NO_TRAFFIC:SINGLE       00:00:50  00:00:22       23     3603
      udp       In  192.168.50.32:17500           255.255.255.255:17500          NO_TRAFFIC:SINGLE       00:00:53  00:00:07       10     1730
      udp       In  192.168.50.32:17500           192.168.50.255:17500           NO_TRAFFIC:SINGLE       00:00:53  00:00:07        2      346
      udp       In  192.168.50.32:57399           239.255.255.250:1900           NO_TRAFFIC:SINGLE       00:00:53  00:00:07        1      202
      udp       In  192.168.50.32:63639           192.168.50.1:53                    SINGLE:MULTIPLE     00:00:08  00:00:22        2      140
      
        stephenw10 Netgate Administrator

        So the Thinkpad pulls a dhcp lease correctly? You see in Status > DHCP leases in pfSense?

        And it has a valid IP, 192.168.50.32 there?

        And it can ping the pfSense LAN interface, 192.168.50.1?

        Can it open the pfSense webgui?

        You want to check the state table in Diag > States and filter by the Thinkpad IP while trying to ping something external.
        You should see the ping state on LAN and NAT'd on WAN.
        If you don't see either, then the Thinkpad is probably using some other default route.

        Steve

          sdh9

          @stephenw10 said in Can't get Thinkpad to connect:

          So the Thinkpad pulls a dhcp lease correctly? You see in Status > DHCP leases in pfSense?

          Yes, I've tried with both static DHCP mappings and not.

          (Relevant parts from the ipconfig results)

          Connection-specific DNS Suffix  . : <my domain here>
          Link-local IPv6 Address . . . . . : fe80::31d1:ca81:6370:f0e4%14
          IPv4 Address. . . . . . . . . . . : 192.168.50.32
          Subnet Mask . . . . . . . . . . . : 255.255.255.0
          Default Gateway . . . . . . . . . : fe80::1:1%14
                                              192.168.50.1
          

          (Output of route print)

          IPv4 Route Table

          Active Routes:
          Network Destination  Netmask          Gateway       Interface      Metric
          0.0.0.0              0.0.0.0          192.168.50.1  192.168.50.32      35
          127.0.0.0            255.0.0.0        On-link       127.0.0.1         331
          127.0.0.1            255.255.255.255  On-link       127.0.0.1         331
          127.255.255.255      255.255.255.255  On-link       127.0.0.1         331
          192.168.50.0         255.255.255.0    On-link       192.168.50.32     291
          192.168.50.32        255.255.255.255  On-link       192.168.50.32     291
          192.168.50.255       255.255.255.255  On-link       192.168.50.32     291
          224.0.0.0            240.0.0.0        On-link       127.0.0.1         331
          224.0.0.0            240.0.0.0        On-link       192.168.50.32     291
          255.255.255.255      255.255.255.255  On-link       127.0.0.1         331
          255.255.255.255      255.255.255.255  On-link       192.168.50.32     291

          Persistent Routes:
          None

          IPv6 Route Table

          Active Routes:
          If  Metric  Network Destination            Gateway
           1     331  ::1/128                        On-link
          14     291  fe80::/64                      On-link
          14     291  fe80::31d1:ca81:6370:f0e4/128  On-link
           1     331  ff00::/8                       On-link
          14     291  ff00::/8                       On-link

          Persistent Routes:
          None

          

          And it has a valid IP, 192.168.50.32 there?

          Yes

          And it can ping the pfSense LAN interface, 192.168.50.1?

          Yes

          Can it open the pfSense webgui?

          No... and I'm not sure why. I can pull up a non-SSL internal website, but not pfSense's webgui.

          You want to check the state table in Diag > States and filter by the Thinkpad IP while trying to ping something external.
          You should see the ping state on LAN and NAT'd on WAN.
          If you don't see either, then the Thinkpad is probably using some other default route.

          This is what I see:

          States
          Interface	Protocol	Source (Original Source) -> Destination (Original Destination)	State	Packets	Bytes	
          LAN	udp	192.168.50.32:137 -> 192.168.50.255:137	NO_TRAFFIC:SINGLE	6 / 0	468 B / 0 B	
          LAN	udp	192.168.50.32:51859 -> 224.0.0.252:5355	NO_TRAFFIC:SINGLE	2 / 0	100 B / 0 B	
          LAN	udp	192.168.50.32:17500 -> 255.255.255.255:17500	NO_TRAFFIC:SINGLE	140 / 0	24 KiB / 0 B	
          LAN	udp	192.168.50.32:17500 -> 192.168.50.255:17500	NO_TRAFFIC:SINGLE	28 / 0	5 KiB / 0 B	
          LAN	udp	192.168.50.32:50145 -> 239.255.255.250:1900	NO_TRAFFIC:SINGLE	4 / 0	808 B / 0 B	
          LAN	udp	192.168.50.32:5353 -> 224.0.0.251:5353	NO_TRAFFIC:SINGLE	4 / 0	230 B / 0 B	
          LAN	udp	192.168.50.32:61604 -> 224.0.0.252:5355	NO_TRAFFIC:SINGLE	2 / 0	106 B / 0 B	
          
          

          Thanks for helping me figure this out.

            stephenw10 Netgate Administrator

            Are you seeing the Thinkpad in the pfSense dhcp leases? It may be pulling a lease from some rogue dhcp server. That is not uncommon.

            What were you pinging when you checked the state table there?
            There are no ICMP states, so either it's not sending that traffic to pfSense at all or it's being blocked in the firewall. Check the firewall logs.

            Is that actually the LAN interface? If not, check that the firewall rules you have added are passing all protocols and not just UDP.

            Steve

            If you are pinging, say, 8.8.8.8 does the client show the pings as leaving but no response?

              sdh9 @stephenw10

              @stephenw10 said in Can't get Thinkpad to connect:

              Are you seeing the Thinkpad in the pfSense dhcp leases? It may be pulling a lease from some rogue dhcp server. That is not uncommon.

              Yes, it shows online in the DHCP leases, and also I can see it in the DHCP logs.

              What were you pinging when you checked the state table there?

              9.9.9.9. I let it run for maybe 500 counts, and 499 failed and 1 got through.

              There are no ICMP states so either it's not sending that traffic to pfSense at all or blocked in the firewall. Check the firewall logs.

              The only things I see blocked for this client's IP are:

              Nov 14 14:48:30	LAN	Default deny rule IPv6 (1000000105)	  [fe80::31d1:ca81:6370:f0e4]:60943	  [ff02::c]:3702	UDP
              Nov 14 14:48:30	LAN	Default deny rule IPv6 (1000000105)	  [fe80::31d1:ca81:6370:f0e4]:64844	  [fec0:0:0:ffff::1]:53	TCP:S
              Nov 14 14:48:30	LAN	Default deny rule IPv6 (1000000105)	  [fe80::31d1:ca81:6370:f0e4]:56567	  [fec0:0:0:ffff::1]:53	UDP
              Nov 14 14:48:30	LAN	Default deny rule IPv6 (1000000105)	  [fe80::31d1:ca81:6370:f0e4]:59977	  [ff02::c]:3702	UDP
              Nov 14 14:48:30	LAN	Default deny rule IPv6 (1000000105)	  [fe80::31d1:ca81:6370:f0e4]:56567	  [fec0:0:0:ffff::2]:53	UDP
              Nov 14 14:48:30	LAN	Default deny rule IPv6 (1000000105)	  [fe80::31d1:ca81:6370:f0e4]:56567	  [fec0:0:0:ffff::3]:53	UDP
              

              My provider does not give me an IPv6 address, so I'm not sure what is happening here.

              Is that actually the LAN interface? If not, check that the firewall rules you have added are passing all protocols and not just UDP.
              These are my firewall rules:

              [Three screenshots of the firewall rules (Screen Shot 2020-11-14 at 2.37.00 PM.png, 2.36.53 PM.png, 2.36.41 PM.png); images not available in this copy]

              If you are pinging, say, 8.8.8.8 does the client show the pings as leaving but no response?

              Yes. Except one got a response out of 500. I don't know why.

              Thanks for the help.

                stephenw10 Netgate Administrator

                Ok, so the default rule there should allow all traffic from the client.

                Even if outbound NAT was broken you should see the ICMP state on LAN for the client IP to 8.8.8.8 or 9.9.9.9.

                I would run a pcap on LAN filtered by host: 192.168.50.32 and protocol icmp. Run some pings. Make sure they are even arriving.

                Steve
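One way to do the state-table check Steve describes, as an added example that is not part of the thread: it parses the tab-separated Diag > States layout pasted above for one client IP and tells you whether any ICMP state was ever created and whether replies came back. The 192.168.50.34 row is an invented healthy client used for contrast.

```python
import ipaddress
import re

# Constructed sample in the tab-separated layout of the Diag > States listing
# quoted in the thread: two rows shaped like the Thinkpad's, plus an invented
# row for a hypothetical healthy client (192.168.50.34) whose pings get answers.
SAMPLE_STATES = (
    "LAN\tudp\t192.168.50.32:137 -> 192.168.50.255:137\tNO_TRAFFIC:SINGLE\t6 / 0\t468 B / 0 B\n"
    "LAN\tudp\t192.168.50.32:5353 -> 224.0.0.251:5353\tNO_TRAFFIC:SINGLE\t4 / 0\t230 B / 0 B\n"
    "LAN\ticmp\t192.168.50.34:7 -> 9.9.9.9:7\t0:0\t5 / 5\t420 B / 420 B\n"
)
# iface, proto, src -> dst, state, "packets out / packets in" (bytes ignored)
ROW_RE = re.compile(r"^(\S+)\t(\S+)\t(\S+) -> (\S+)\t(\S+)\t(\d+) / (\d+)")

def endpoint_ip(endpoint):
    """Drop the port from '192.168.50.32:137' or '[fe80::1]:53'."""
    host, _sep, _port = endpoint.rpartition(":")
    return host.strip("[]")

def parse_states(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header line or blank
        iface, proto, src, dst, state, pk_out, pk_in = m.groups()
        rows.append({"iface": iface, "proto": proto, "state": state,
                     "src": endpoint_ip(src), "dst": endpoint_ip(dst),
                     "pk_out": int(pk_out), "pk_in": int(pk_in)})
    return rows

def is_offnet(ip):
    """True for a destination that has to leave the LAN (not private/multicast/etc.)."""
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_multicast or a.is_reserved
                or a.is_link_local or a.is_loopback)

def triage(text, client_ip):
    rows = [r for r in parse_states(text) if r["src"] == client_ip]
    icmp = [r for r in rows if r["proto"].startswith("icmp")]
    return {"states": len(rows),
            "offnet_states": sum(is_offnet(r["dst"]) for r in rows),
            "icmp_states": len(icmp),
            "icmp_answered": sum(r["pk_in"] > 0 for r in icmp)}

def verdict(summary):
    if summary["icmp_states"] == 0:
        return "no ICMP state: the pings never reach pfSense (check client route, pcap on LAN)"
    if summary["icmp_answered"] == 0:
        return "ICMP states exist but nothing comes back: check outbound NAT and WAN"
    return "ICMP round trips are working"
```

For the Thinkpad rows the result is zero ICMP states and zero off-net states, which is the "not even arriving" case that the LAN packet capture is meant to confirm.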

                  sdh9 @stephenw10

                  @stephenw10 Ok, I will try that over the next few days. I’m really stumped on this. I’m pretty networking savvy but new to pfSense. Glad to hear I didn’t bork anything with my config.

                  I have another Windows client in a VM. I fired that up and it works fine. So it is something specific to this laptop. I assumed a firewall or antivirus, but even with both apparently disabled there was no improvement.

                    JKnott @sdh9

                    @sdh9 said in Can't get Thinkpad to connect:

                    The only things I see blocked for this client's IP are:
                    Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:60943 [ff02::c]:3702 UDP
                    Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:64844 [fec0:0:0:ffff::1]:53 TCP:S
                    Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:56567 [fec0:0:0:ffff::1]:53 UDP
                    Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:59977 [ff02::c]:3702 UDP
                    Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:56567 [fec0:0:0:ffff::2]:53 UDP
                    Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:56567 [fec0:0:0:ffff::3]:53 UDP

                    My provider does not give me an IPv6 address, so I'm not sure what is happening here.

                    The fe80 addresses are link local. Every IPv6 capable device has one of those. The fec0 addresses are the deprecated site local addresses. I have no idea where they are coming from. Perhaps the MAC addresses will tell you.

                    PfSense running on Qotom mini PC
                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                    UniFi AC-Lite access point

                    I haven't lost my mind. It's around here...somewhere...
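To put JKnott's point about the fe80/fec0 addresses into something you can run over the firewall log, here is an added example (not from the thread) that parses the "Default deny rule IPv6" lines quoted above and groups the blocked flows by destination scope, port and protocol. The sample lines are copied from the thread; the layout assumed is the tab-separated Status > System Logs > Firewall view.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: four of the "Default deny rule IPv6" lines quoted in the
# thread, in pfSense's tab-separated firewall log layout.
SAMPLE_LOG = (
    "Nov 14 14:48:30\tLAN\tDefault deny rule IPv6 (1000000105)\t[fe80::31d1:ca81:6370:f0e4]:60943\t[ff02::c]:3702\tUDP\n"
    "Nov 14 14:48:30\tLAN\tDefault deny rule IPv6 (1000000105)\t[fe80::31d1:ca81:6370:f0e4]:64844\t[fec0:0:0:ffff::1]:53\tTCP:S\n"
    "Nov 14 14:48:30\tLAN\tDefault deny rule IPv6 (1000000105)\t[fe80::31d1:ca81:6370:f0e4]:56567\t[fec0:0:0:ffff::1]:53\tUDP\n"
    "Nov 14 14:48:30\tLAN\tDefault deny rule IPv6 (1000000105)\t[fe80::31d1:ca81:6370:f0e4]:56567\t[fec0:0:0:ffff::2]:53\tUDP\n"
)

LINE_RE = re.compile(
    r"^(?P<when>\w{3} \d+ [\d:]+)\t(?P<iface>\S+)\t(?P<rule>[^\t]+)\t\s*"
    r"\[(?P<src>[0-9A-Fa-f:.]+)\]:(?P<sport>\d+)\t\s*"
    r"\[(?P<dst>[0-9A-Fa-f:.]+)\]:(?P<dport>\d+)\t(?P<proto>\S+)$"
)

def classify(addr):
    """Name the address scope the way you reason about it when reading the log."""
    a = ipaddress.ip_address(addr)
    if a.is_multicast:          # ff02::c:3702 is WS-Discovery on the local link
        return "multicast"
    if a.is_link_local:         # fe80::/10, every IPv6 host has one
        return "link-local"
    if a.is_site_local:         # fec0::/10, deprecated by RFC 3879
        return "site-local (deprecated)"
    return "global"

def summarize_blocks(text, src_ip):
    """Count blocked flows from src_ip keyed by (dst scope, dst port, protocol)."""
    wanted = ipaddress.ip_address(src_ip)
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or ipaddress.ip_address(m["src"]) != wanted:
            continue
        proto = m["proto"].split(":")[0]     # "TCP:S" -> "TCP" (flags dropped)
        counts[(classify(m["dst"]), int(m["dport"]), proto)] += 1
    return counts

def only_local_scope(counts):
    """True when no blocked destination is a global IPv6 address."""
    return all(scope != "global" for scope, _port, _proto in counts)
```

Every destination in these lines is multicast or site-local scope, so on a LAN with no IPv6 uplink they are the default deny doing its job and sit entirely outside the IPv4 ping path being debugged.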

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.