Netgate Discussion Forum

    Can ping the internet but connections time out

    General pfSense Questions
    • ispsi

      I am not sure where to post this exactly because I am not sure about the exact cause of my problem, so I guess I am looking for general troubleshooting advice. Also, I have asked about my problem on superuser, but since it did not receive any activity I thought I might have better chances here - hope that is ok! The question on superuser has more details, but I will also include here what I assume is essential.

      The end goal is a personal server setup that utilizes HAproxy in pfSense to route incoming HTTPS requests to the proper hosts on a virtual network, based on the requested domain. I have built such a setup successfully before, although in a slightly different environment, but now I am struggling with the basics...

      This is a rough overview of the setup:
      [Image: Schema]

      The problem is that there is some degree of connectivity to the internet from the vHosts attached to vmbr1, because pings reach the internet and come back, traceroute does too, and DNS resolve works but takes forever (1-3 seconds usually), but anything beyond that just times out. So curl, apt-get update, etc. don't work. In OSI model terms, everything up to the network layer (3) seems to work, but the transport layer (4) is not functional.

      To determine that the problem is very likely related to pfSense, I verified that the problem goes away when vHosts are connected to vmbr2 or vmbr0.
      The reason is also not packet filtering, otherwise it would go away when the global [] disable firewall switch is active in advanced settings, right?
      And if pings work then it shouldn't be a NAT problem either (right?)

      I have spent quite some time trying to figure this out and at this point I am probably blinded to what is going on here. If anyone has an idea what could be a cause or explanation for this, or how the problem can be narrowed down better, that would help a lot. Also happy to provide more info if needed.

      • kiokoman

        Did you disable Hardware Checksum Offloading? TSO, LRO?
        Can you share a screenshot of the LAN interface and DHCP config?
        Did you try to lower the MTU?
        ICMP requests are rather small. If there's a connectivity/MTU problem, the ping command likely won't find it.
        "DNS resolve works, but takes forever" -> DNS requests are bigger, and thus you start to see the problem.
        DNS requests start with the UDP protocol, but it changes to TCP if UDP does not work.
        Maybe with a packet capture you will notice a lot of packet retransmissions; you should try that.
        Are the cables all good?

        • ispsi

          did you disable Hardware Checksum Offloading ?

          Wow, just straight to the point. This was it. Thank you so much!! 😊

          Btw, also interesting: "This will take effect after a machine reboot or re-configure of each interface." the GUI says at this option, but it worked immediately when I hit save.

          Anyway, thanks for taking your time, I had already lost hope it would be so easy in the end 😉
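
The packet-capture check suggested in the reply above, as an added example that is not part of the thread: it reads `tcpdump -nn -v` style text and lists TCP flows whose SYN is repeated unanswered while the checksum is reported incorrect. The capture lines and addresses are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the style of `tcpdump -nn -v` output (not from the thread).
SAMPLE = """\
10.0.1.10 > 192.0.2.1: ICMP echo request, id 7, seq 1, length 64
192.0.2.1 > 10.0.1.10: ICMP echo reply, id 7, seq 1, length 64
10.0.1.10.40000 > 192.0.2.80.443: Flags [S], cksum 0x1c2d (incorrect -> 0x9a3f), seq 1000, win 64240, length 0
10.0.1.10.40000 > 192.0.2.80.443: Flags [S], cksum 0x1c2d (incorrect -> 0x9a3f), seq 1000, win 64240, length 0
10.0.1.10.40000 > 192.0.2.80.443: Flags [S], cksum 0x1c2d (incorrect -> 0x9a3f), seq 1000, win 64240, length 0
10.0.1.11.40002 > 192.0.2.80.80: Flags [S], cksum 0x77aa (correct), seq 5000, win 64240, length 0
192.0.2.80.80 > 10.0.1.11.40002: Flags [S.], cksum 0x10b2 (correct), seq 9000, ack 5001, win 65535, length 0
"""

# One TCP line: "SRC > DST: Flags [F], cksum 0x.. (correct|incorrect ...), seq N"
TCP_RE = re.compile(
    r"(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\], "
    r"cksum 0x[0-9a-f]+ \((?P<ck>correct|incorrect)[^)]*\), seq (?P<seq>\d+)"
)

def analyze(capture):
    """Per client flow: SYNs seen, repeats of the same SYN, bad checksums, SYN-ACK seen."""
    flows, seen = {}, Counter()
    for line in capture.splitlines():
        m = TCP_RE.search(line)
        if not m:
            continue  # ICMP and other non-TCP lines are ignored
        src, dst, flags = m["src"], m["dst"], m["flags"]
        if flags == "S":
            f = flows.setdefault((src, dst), {"syn": 0, "retrans": 0,
                                              "bad_cksum": 0, "answered": False})
            f["syn"] += 1
            seen[(src, dst, m["seq"])] += 1
            if seen[(src, dst, m["seq"])] > 1:   # same SYN again = retransmission
                f["retrans"] += 1
            if m["ck"] == "incorrect":
                f["bad_cksum"] += 1
        elif flags == "S." and (dst, src) in flows:
            flows[(dst, src)]["answered"] = True  # handshake got a reply
    return flows

def suspects(capture):
    """Flows that match the checksum-offload symptom: retried, bad checksum, no reply."""
    # Note: on the sending host itself, "incorrect" can be a normal artefact of TX
    # checksum offload; it is meaningful in a capture taken on the receiving side.
    return sorted(k for k, f in analyze(capture).items()
                  if f["retrans"] and f["bad_cksum"] and not f["answered"])

if __name__ == "__main__":
    for src, dst in suspects(SAMPLE):
        print(f"{src} -> {dst}: SYN retransmitted with bad checksum, never answered")
```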

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.