Can't get Thinkpad to connect
-
I have a pretty stock pfSense installation and I cannot get one device to connect. Only tweaks are I installed pfBlockerNG and changed the DNS Resolver to use DNS-over-TLS. I haven't added any firewall rules or anything like that yet. I disabled both pfBlockerNG and the DNS-over-TLS to see if it was the issue, and it is not.
My network is ethernet from Fiber ONT -> pfSense (Qotom box) -> ASUS RT-AC86U in Access Point mode. Attached to the switch on the ASUS are some other devices and a MoCA adapter to bridge to another room.
My household is mostly Macs and iPad (which all work fine) but a new Thinkpad appeared. It runs Windows 10 and I cannot connect to the network either over wireless or by plugging into a switch through ethernet. The output of 'ipconfig' on the Thinkpad looks normal to me (would love to copy and paste but that's not in the cards without a network).
On the Thinkpad, I can ping the gateway and anything on the internal network but nothing outside (although I got one ping of 9.9.9.9, once, probably a fluke).
While trying to ping out of the network, this is what I am receiving in pfTop, if that is helpful:
pfTop: Up State 1-7/7 (441), View: default, Order: bytes
PR  DIR SRC                  DEST                   STATE              AGE      EXP      PKTS BYTES
udp In  192.168.50.32:137    192.168.50.255:137     NO_TRAFFIC:SINGLE  00:00:50 00:00:00 129  10278
udp In  192.168.50.32:5353   224.0.0.251:5353       NO_TRAFFIC:SINGLE  00:00:49 00:00:00 85   4967
udp In  192.168.50.32:57409  239.255.255.250:1900   NO_TRAFFIC:SINGLE  00:00:50 00:00:22 23   3603
udp In  192.168.50.32:17500  255.255.255.255:17500  NO_TRAFFIC:SINGLE  00:00:53 00:00:07 10   1730
udp In  192.168.50.32:17500  192.168.50.255:17500   NO_TRAFFIC:SINGLE  00:00:53 00:00:07 2    346
udp In  192.168.50.32:57399  239.255.255.250:1900   NO_TRAFFIC:SINGLE  00:00:53 00:00:07 1    202
udp In  192.168.50.32:63639  192.168.50.1:53        SINGLE:MULTIPLE    00:00:08 00:00:22 2    140
-
So the Thinkpad pulls a dhcp lease correctly? You see in Status > DHCP leases in pfSense?
And it has a valid IP, 192.168.50.32 there?
And it can ping the pfSense LAN interface, 192.168.50.1?
Can it open the pfSense webgui?
You want to check the state table in Diag > States and filter by the Thinkpad IP while trying to ping something external.
You should see the ping state on LAN and NAT'd on WAN.
If you don't see either then the Thinkpad is probably using some other default route.
Steve
-
@stephenw10 said in Can't get Thinkpad to connect:
So the Thinkpad pulls a dhcp lease correctly? You see in Status > DHCP leases in pfSense?
Yes, I've tried with both static DHCP mappings and not.
(Relevant parts from the ipconfig results)
Connection-specific DNS Suffix . : <my domain here>
Link-local IPv6 Address . . . . . : fe80::31d1:ca81:6370:f0e4%14
IPv4 Address. . . . . . . . . . . : 192.168.50.32
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::1:1%14
                                    192.168.50.1
(Output of route print)
IPv4 Route Table
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.50.1  192.168.50.32      35
        127.0.0.0        255.0.0.0         On-link      127.0.0.1     331
        127.0.0.1  255.255.255.255         On-link      127.0.0.1     331
  127.255.255.255  255.255.255.255         On-link      127.0.0.1     331
     192.168.50.0    255.255.255.0         On-link  192.168.50.32     291
    192.168.50.32  255.255.255.255         On-link  192.168.50.32     291
   192.168.50.255  255.255.255.255         On-link  192.168.50.32     291
        224.0.0.0        240.0.0.0         On-link      127.0.0.1     331
        224.0.0.0        240.0.0.0         On-link  192.168.50.32     291
  255.255.255.255  255.255.255.255         On-link      127.0.0.1     331
  255.255.255.255  255.255.255.255         On-link  192.168.50.32     291
Persistent Routes:
  None

IPv6 Route Table
Active Routes:
 If Metric Network Destination           Gateway
  1    331 ::1/128                       On-link
 14    291 fe80::/64                     On-link
 14    291 fe80::31d1:ca81:6370:f0e4/128 On-link
  1    331 ff00::/8                      On-link
 14    291 ff00::/8                      On-link
Persistent Routes:
  None
And it has a valid IP, 192.168.50.32 there?
Yes
And it can ping the pfSense LAN interface, 192.168.50.1?
Yes
Can it open the pfSense webgui?
No... and I'm not sure why. I can pull up a non-SSL internal website, but not pfSense's webgui.
You want to check the state table in Diag > States and filter by the Thinkpad IP while trying to ping something external.
You should see the ping state on LAN and NAT'd on WAN.
If you don't see either then the Thinkpad is probably using some other default route.
This is what I see:
States
Interface Protocol Source (Original Source) -> Destination (Original Destination) State Packets Bytes
LAN udp 192.168.50.32:137 -> 192.168.50.255:137 NO_TRAFFIC:SINGLE 6 / 0 468 B / 0 B
LAN udp 192.168.50.32:51859 -> 224.0.0.252:5355 NO_TRAFFIC:SINGLE 2 / 0 100 B / 0 B
LAN udp 192.168.50.32:17500 -> 255.255.255.255:17500 NO_TRAFFIC:SINGLE 140 / 0 24 KiB / 0 B
LAN udp 192.168.50.32:17500 -> 192.168.50.255:17500 NO_TRAFFIC:SINGLE 28 / 0 5 KiB / 0 B
LAN udp 192.168.50.32:50145 -> 239.255.255.250:1900 NO_TRAFFIC:SINGLE 4 / 0 808 B / 0 B
LAN udp 192.168.50.32:5353 -> 224.0.0.251:5353 NO_TRAFFIC:SINGLE 4 / 0 230 B / 0 B
LAN udp 192.168.50.32:61604 -> 224.0.0.252:5355 NO_TRAFFIC:SINGLE 2 / 0 106 B / 0 B
Thanks for helping me figure this out.
-
Are you seeing the Thinkpad in the pfSense dhcp leases? It may be pulling a lease from some rogue dhcp server. That is not uncommon.
What were you pinging when you checked the state table there?
There are no ICMP states so either it's not sending that traffic to pfSense at all or blocked in the firewall. Check the firewall logs.
Is that actually the LAN interface? If not check the firewall rules you have added are passing all protocols and not just UDP.
Steve
If you are pinging, say, 8.8.8.8 does the client show the pings as leaving but no response?
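The check Steve describes (an ICMP state on LAN for the client, plus the NAT'd copy on WAN) can be applied to a pasted Diag > States table. The script below is an added example, not code from this thread or from pfSense; it assumes the row layout seen in the paste above and, for NAT'd WAN rows, that the pre-NAT source appears in parentheses after the translated source. The UDP-only rows are copied from the thread; the ICMP rows and the WAN address 203.0.113.7 are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One row of the pfSense Diag > States table, in the layout pasted in this thread:
#   LAN udp 192.168.50.32:137 -> 192.168.50.255:137 NO_TRAFFIC:SINGLE 6 / 0 468 B / 0 B
# For a NAT'd WAN row the pre-NAT source is assumed to follow the translated
# source in parentheses (see the constructed HEALTHY_STATES rows).
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?:\s+\((?P<osrc>[\d.]+):\d+\))?"
    r"\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\s+\((?P<odst>[\d.]+):\d+\))?"
    r"\s+(?P<state>\S+)"
)


@dataclass
class State:
    iface: str
    proto: str
    src: str
    orig_src: Optional[str]  # pre-NAT source, only present on NAT'd rows
    dst: str
    state: str


def parse_states(text: str) -> List[State]:
    """Parse pasted state-table text; header and non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            rows.append(State(m["iface"], m["proto"].lower(), m["src"],
                              m["osrc"], m["dst"], m["state"]))
    return rows


def diagnose_ping(text: str, client_ip: str, target_ip: str) -> dict:
    """A ping from client_ip to target_ip should show an icmp state on LAN
    and a NAT'd icmp state on WAN; report which of the two are present."""
    rows = parse_states(text)
    lan = [s for s in rows
           if s.iface == "LAN" and s.proto == "icmp"
           and s.src == client_ip and s.dst == target_ip]
    wan = [s for s in rows
           if s.iface == "WAN" and s.proto == "icmp"
           and s.orig_src == client_ip and s.dst == target_ip]
    if lan and wan:
        verdict = "ok"          # echo request entered on LAN and was NAT'd out WAN
    elif lan:
        verdict = "no-nat"      # reached pfSense but no outbound NAT state was built
    else:
        # nothing on LAN at all: client is not sending it here, or a rule blocked it
        verdict = "not-reaching-firewall-or-blocked"
    return {"lan_icmp": len(lan), "wan_icmp": len(wan), "verdict": verdict}


# Rows copied from the Diag > States paste in this thread: UDP only, no icmp.
PAGE_STATES = """
LAN udp 192.168.50.32:137 -> 192.168.50.255:137 NO_TRAFFIC:SINGLE 6 / 0 468 B / 0 B
LAN udp 192.168.50.32:51859 -> 224.0.0.252:5355 NO_TRAFFIC:SINGLE 2 / 0 100 B / 0 B
LAN udp 192.168.50.32:5353 -> 224.0.0.251:5353 NO_TRAFFIC:SINGLE 4 / 0 230 B / 0 B
"""

# Constructed rows showing what a working ping to 9.9.9.9 looks like
# (203.0.113.7 is a documentation-range placeholder for the WAN address).
HEALTHY_STATES = """
LAN icmp 192.168.50.32:1 -> 9.9.9.9:1 0:0 5 / 5 420 B / 420 B
WAN icmp 203.0.113.7:48191 (192.168.50.32:1) -> 9.9.9.9:48191 0:0 5 / 5 420 B / 420 B
"""

# Constructed rows for broken outbound NAT: LAN state exists, WAN state does not.
NAT_BROKEN_STATES = """
LAN icmp 192.168.50.32:1 -> 9.9.9.9:1 0:0 5 / 0 420 B / 0 B
"""

if __name__ == "__main__":
    for name, text in [("page", PAGE_STATES), ("healthy", HEALTHY_STATES),
                       ("nat-broken", NAT_BROKEN_STATES)]:
        print(name, diagnose_ping(text, "192.168.50.32", "9.9.9.9"))
```

Run against the rows pasted in this thread the verdict is "not-reaching-firewall-or-blocked", which is exactly the branch that sends you to the firewall log and a packet capture on LAN rather than to the NAT configuration.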
-
@stephenw10 said in Can't get Thinkpad to connect:
Are you seeing the Thinkpad in the pfSense dhcp leases? It may be pulling a lease from some rogue dhcp server. That is not uncommon.
Yes, it shows online in the DHCP leases, and also I can see it in the DHCP logs.
What were you pinging when you checked the state table there?
9.9.9.9. I let it run for maybe 500 counts, and 499 failed and 1 got through.
There are no ICMP states so either it's not sending that traffic to pfSense at all or blocked in the firewall. Check the firewall logs.
The only things I see blocked for this client's IP are:
Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:60943 [ff02::c]:3702 UDP
Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:64844 [fec0:0:0:ffff::1]:53 TCP:S
Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:56567 [fec0:0:0:ffff::1]:53 UDP
Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:59977 [ff02::c]:3702 UDP
Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:56567 [fec0:0:0:ffff::2]:53 UDP
Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:56567 [fec0:0:0:ffff::3]:53 UDP
My provider does not give me an IPv6 address, so I'm not sure what is happening here.
Is that actually the LAN interface? If not check the firewall rules you have added are passing all protocols and not just UDP.
These are my firewall rules:
If you are pinging, say, 8.8.8.8 does the client show the pings as leaving but no response?
Yes. Except one got a response out of 500. I don't know why.
Thanks for the help.
-
Ok, so the default rule there should allow all traffic from the client.
Even if outbound NAT was broken you should see the ICMP state on LAN for the client IP to 8.8.8.8 or 9.9.9.9.
I would run a pcap on LAN filtered by host: 192.168.50.32 and protocol icmp. Run some pings. Make sure they are even arriving.
Steve
-
@stephenw10 Ok, I will try that over the next few days. I’m really stumped on this. I’m pretty networking savvy but new to pfSense. Glad to hear I didn’t bork anything with my config.
I have another Windows client in a VM. I fired that up and it works fine. So it is something specific to this laptop. I assumed a firewall or antivirus, but even with both apparently disabled there was no improvement.
-
@sdh9 said in Can't get Thinkpad to connect:
The only things I see blocked for this client's IP are:
Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:60943 [ff02::c]:3702 UDP
Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:64844 [fec0:0:0:ffff::1]:53 TCP:S
Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:56567 [fec0:0:0:ffff::1]:53 UDP
Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:59977 [ff02::c]:3702 UDP
Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:56567 [fec0:0:0:ffff::2]:53 UDP
Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:56567 [fec0:0:0:ffff::3]:53 UDP
My provider does not give me an IPv6 address, so I'm not sure what is happening here.
The fe80 addresses are link local. Every IPv6 capable device has one of those. The fec0 addresses are the deprecated site local addresses. I have no idea where they are coming from. Perhaps the MAC addresses will tell you.
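To make the scope classification in this last post mechanical, here is an added example (not code from this thread or from pfSense) that parses the blocked-log lines quoted above and buckets each flow by the scope of its source and destination address using Python's ipaddress module. It assumes the single-line log layout as pasted in the thread; the six log lines are the ones quoted above, and the port-name table only covers the two ports that appear in them.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

# Layout of one pfSense firewall-log line as pasted in this thread:
#   Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::...]:60943 [ff02::c]:3702 UDP
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<iface>\S+)\s+(?P<rule>.+?)\s+\((?P<ruleid>\d+)\)\s+"
    r"\[(?P<src>[0-9a-fA-F:]+)\]:(?P<sport>\d+)\s+"
    r"\[(?P<dst>[0-9a-fA-F:]+)\]:(?P<dport>\d+)\s+(?P<proto>\S+)$"
)

# Service names for the destination ports that occur in the quoted log only.
PORT_NAMES = {53: "dns", 3702: "ws-discovery"}


def scope(addr_text: str) -> str:
    """Classify an IPv6 address: multicast, link-local (fe80::/10),
    the deprecated site-local range (fec0::/10, RFC 3879), global, or other."""
    a = ipaddress.IPv6Address(addr_text)
    if a.is_multicast:       # ff00::/8; ff02::c is the link-scope SSDP/WS-Discovery group
        return "multicast"
    if a.is_link_local:      # every IPv6-capable interface has one of these
        return "link-local"
    if a.is_site_local:      # deprecated, never routed across the internet
        return "site-local"
    if a.is_global:
        return "global"
    return "other"


def parse_log(text: str) -> List[dict]:
    """Return one dict per log line that matches the layout; others are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            rows.append(d)
    return rows


def summarize(text: str) -> Dict[Tuple[str, str, int, str], int]:
    """Count blocked flows by (source scope, destination scope, dport, service)."""
    counts: Counter = Counter()
    for r in parse_log(text):
        key = (scope(r["src"]), scope(r["dst"]), r["dport"],
               PORT_NAMES.get(r["dport"], "?"))
        counts[key] += 1
    return dict(counts)


# The six blocked lines quoted in this thread, used as sample input.
PAGE_LOG = """
Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:60943 [ff02::c]:3702 UDP
Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:64844 [fec0:0:0:ffff::1]:53 TCP:S
Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:56567 [fec0:0:0:ffff::1]:53 UDP
Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:59977 [ff02::c]:3702 UDP
Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:56567 [fec0:0:0:ffff::2]:53 UDP
Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:56567 [fec0:0:0:ffff::3]:53 UDP
"""

if __name__ == "__main__":
    for key, n in sorted(summarize(PAGE_LOG).items()):
        print(n, key)
```

The summary for the quoted lines is two link-local to multicast flows on 3702 and four link-local to site-local flows on 53: all of it is local IPv6 noise that the default deny rule is right to drop, and none of it involves the IPv4 path the ping test exercises. For background on the fec0 entries, Windows falls back to the well-known site-local resolver addresses fec0:0:0:ffff::1 through ::3 when it has IPv6 enabled but no IPv6 DNS server configured.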