Netgate Discussion Forum

Strange connectivity problem with 1.2.3-RC2 embedded

1.2.3-PRERELEASE-TESTING snapshots - RETIRED
22 Posts 5 Posters 7.4k Views
    Sostris
    last edited by Jul 30, 2009, 7:02 PM Jul 30, 2009, 6:59 PM

    I'm running the above version on a miniwall. It works fine except for one thing: I can't access the Google cache servers through the router. I can load the Google search page in a browser, but if I run a query and then click on a link to a cached page, the connection attempt just times out. I can't ping or traceroute the servers, either. This has been going on since I installed the router about a week ago. The firewall log shows nothing to or from Google being blocked. If I bypass the router and connect directly to my cable modem, with the same external IP address, there's no problem. It's definitely the router. My old router was a ZyWall, and it didn't have this behavior.

    I have no problem with any other website; just the nameless Google cache servers. I have no idea how to go about solving this. Thanks for any suggestions.

      tommyboy180
      last edited by Jul 30, 2009, 7:01 PM

      Are all the PCs behind pfsense having the same issue?
      Are you running any addons?

      -Tom Schaefer
      SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

      Please support pfBlocker | File Browser | Strikeback

        Sostris
        last edited by Jul 30, 2009, 7:04 PM

        @tommyboy180:

        Are all the PCs behind pfsense having the same issue?
        Are you running any addons?

        Yes, and no.

          tommyboy180
          last edited by Jul 30, 2009, 7:13 PM

          http://74.125.95.132/search?q=cache:S9XHtkEncW8J:www.test.com/+test&cd=1&hl=en&ct=clnk&gl=us
          http://74.125.95.133/search?q=cache:S9XHtkEncW8J:www.test.com/+test&cd=1&hl=en&ct=clnk&gl=us

          Can you get to any of those links?

            Sostris
            last edited by Jul 30, 2009, 7:25 PM

            @tommyboy180:

            Can you get to any of those links?

            No, neither.

              tommyboy180
              last edited by Jul 30, 2009, 7:28 PM

              I'm really curious,
              Can you get to http://74.125.95.133/?

                Sostris
                last edited by Jul 30, 2009, 7:32 PM

                @tommyboy180:

                I'm really curious,
                Can you get to http://74.125.95.133/?

                Times out.

                  tommyboy180
                  last edited by Jul 30, 2009, 7:34 PM Jul 30, 2009, 7:33 PM

                  Can you get to any address without DNS?
                  such as http://209.85.225.147/

                    Sostris
                    last edited by Jul 30, 2009, 7:37 PM

                    Yes, e.g. http://209.131.36.158/ == yahoo.com. Yours too.

                      tommyboy180
                      last edited by Jul 30, 2009, 7:42 PM

                      It's almost like your pfSense box just doesn't like the Google cache server address.

                      What do you have for firewall rules? Can we rule those out? I am at a loss of what it can be.

                        Sostris
                        last edited by Jul 30, 2009, 7:51 PM Jul 30, 2009, 7:50 PM

                        @tommyboy180:

                        What do you have for firewall rules? Can we rule those out? I am at a loss of what it can be.

                        Besides the default rule, I block only incoming multicast IGMP which comes from my ISP. I hesitated to post this problem here because it makes no sense, but it is real. I assumed Google itself was blocking me for some reason, but it isn't.

                          tommyboy180
                          last edited by Jul 30, 2009, 7:53 PM

                          Yeah. We can rule out Google and we can rule out your ISP. I have no clue, I am waiting to see if a Hero member can shed some light.

                          You're right, it doesn't make sense.

                            ktims
                            last edited by Jul 30, 2009, 8:43 PM

                            Maybe do a tcpdump on your wan side and see if any of the packets are making it out or back. Comparing with what you see on the lan side tcpdump may shed more light.

                              Sostris
                              last edited by Jul 30, 2009, 9:23 PM

                              On the WAN, nothing. On the LAN, a lot of this:

                              arp who-has px-in-f132.google.com tell 10.0.9.1
                              IP myhost.64801 > px-in-f132.google.com.http: S 2290598658:2290598658(0) win 65535 
                              

                              This is interesting because 10.0.9.1 is not my LAN. I'm on 192.168.1.0/24. 10.0.9.0/24 is the address pool of one of my two OpenVPN tunnels, which are bridged to the LAN using instructions I found around here somewhere. So the ARP packets are being directed to the wrong place. That seems to be a bug either in pfSense or in the BSD subsystem, but I still don't understand why it only happens with Google cache servers.

                                ktims
                                last edited by Jul 30, 2009, 9:31 PM

                                That is indeed very strange, since ARP requests should only be generated on subnets you're connected to at layer 2, and that's obviously not the case here. I wonder if the way you've got the OpenVPN tunnel set up has pfSense thinking that subnet is connected to the VPN.

                                What's ifconfig -a look like?

                                  Sostris
                                  last edited by Jul 30, 2009, 10:23 PM

                                  @ktims:

                                  What's ifconfig -a look like?

                                  #  ifconfig -a
                                  vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                  	options=280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC>
                                  	ether 00:0d:b9:17:67:88
                                  	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
                                  	inet6 fe80::20d:b9ff:fe17:6788%vr0 prefixlen 64 scopeid 0x1
                                  	media: Ethernet autoselect (100baseTX <full-duplex>)
                                  	status: active
                                  vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                  	options=280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC>
                                  	ether 00:0d:b9:17:67:89
                                  	inet6 fe80::20d:b9ff:fe17:6789%vr1 prefixlen 64 scopeid 0x2
                                  	inet 76.174.118.225 netmask 0xfffff800 broadcast 255.255.255.255
                                  	media: Ethernet autoselect (100baseTX <full-duplex>)
                                  	status: active
                                  vr2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                  	options=280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC>
                                  	ether 00:0d:b9:17:67:8a
                                  	inet6 fe80::20d:b9ff:fe17:678a%vr2 prefixlen 64 scopeid 0x3
                                  	media: Ethernet autoselect (100baseTX <full-duplex>)
                                  	status: active
                                  enc0: flags=0<> metric 0 mtu 1536
                                  lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
                                  	inet 127.0.0.1 netmask 0xff000000
                                  	inet6 ::1 prefixlen 128
                                  	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
                                  pflog0: flags=100<PROMISC> metric 0 mtu 33204
                                  pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
                                  	pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
                                  bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                  	ether ce:c8:e6:f7:f4:35
                                  	id 00:0d:b9:17:67:88 priority 32768 hellotime 2 fwddelay 15
                                  	maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
                                  	root id 00:0d:b9:17:67:88 priority 32768 ifcost 0 port 0
                                  	member: tap1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                                  	        ifmaxaddr 0 port 10 priority 128 path cost 2000000
                                  	member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                                  	        ifmaxaddr 0 port 9 priority 128 path cost 2000000
                                  	member: vr0 flags=1e7<LEARNING,DISCOVER,STP,EDGE,AUTOEDGE,PTP,AUTOPTP>
                                  	        ifmaxaddr 0 port 1 priority 128 path cost 200000 proto rstp
                                  	        role designated state forwarding
                                  	member: vr2 flags=1e7<LEARNING,DISCOVER,STP,EDGE,AUTOEDGE,PTP,AUTOPTP>
                                  	        ifmaxaddr 0 port 3 priority 128 path cost 200000 proto rstp
                                  	        role designated state forwarding
                                  tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                  	ether 00:bd:49:0c:00:00
                                  	inet6 fe80::2bd:49ff:fe0c:0%tap0 prefixlen 64 scopeid 0x9
                                  	inet 10.0.8.1 netmask 0xa000802 broadcast 255.255.255.253
                                  	Opened by PID 494
                                  tap1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                  	ether 00:bd:cb:0d:00:01
                                  	inet6 fe80::2bd:cbff:fe0d:1%tap1 prefixlen 64 scopeid 0xa
                                  	inet 10.0.9.1 netmask 0xa000902 broadcast 255.255.255.253
                                  	Opened by PID 522
                                  

                                  vr0 is the LAN interface, vr1 is the WAN, and vr2 is the third Ethernet port, bridged to vr0.

                                    ktims
                                    last edited by Jul 30, 2009, 11:43 PM Jul 30, 2009, 11:41 PM

                                    Aha:

                                    inet 10.0.8.1 netmask 0xa000802 broadcast 255.255.255.253
                                    inet 10.0.9.1 netmask 0xa000902 broadcast 255.255.255.253

                                    This means the subnet masks in use on the VPN interfaces are 160.0.9.2 and 160.0.8.2, which is... wrong and will match a huge swath of Internet address space (and at a glance the Google address mentioned is included in this set). It should probably be 0xffffff00 or something similar; at the very least it should be all 1s followed by all 0s and no lower than 0xff000000, not a random binary number. I don't use OpenVPN myself though, so I'm not sure how you might fix this.

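A worked version of the mask check ktims describes above, added here as an example (it is not code from the thread or from pfSense). It parses the `inet` lines of BSD `ifconfig` output, decodes the hex netmask to dotted form, flags any mask that is not a run of 1-bits followed by 0-bits, recomputes the broadcast address the kernel derives from address and mask, and applies the on-link comparison (assumed here to be the usual `target & mask == address & mask` test) to the addresses mentioned in the thread. `SAMPLE_IFCONFIG` is a constructed, abridged copy of the output Sostris posted; `PROBES` are the Google cache address that timed out and the two addresses that worked.

```python
import ipaddress
import re

# Constructed sample: an abridged copy of the ifconfig output quoted earlier in
# this thread (the LAN interface and the two OpenVPN tap interfaces).
SAMPLE_IFCONFIG = """\
vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.8.1 netmask 0xa000802 broadcast 255.255.255.253
tap1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.9.1 netmask 0xa000902 broadcast 255.255.255.253
"""

# Addresses mentioned in the thread: the Google cache server that timed out,
# and two addresses that were reachable through the router.
PROBES = ["74.125.95.132", "209.85.225.147", "209.131.36.158"]

IFACE_RE = re.compile(r"^(\S+): flags=")
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+) netmask (0x[0-9a-fA-F]+)")


def parse_ifconfig(text):
    """Return a list of (ifname, ipv4 address, mask as int) for every inet line."""
    ifname = None
    out = []
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            ifname = m.group(1)
            continue
        m = INET_RE.match(line)
        if m and ifname is not None:
            out.append((ifname, m.group(1), int(m.group(2), 16)))
    return out


def mask_is_contiguous(mask):
    """A valid IPv4 netmask is all 1-bits followed by all 0-bits, so the
    inverted mask must be of the form 2^n - 1 (no bit set above a clear bit)."""
    inverted = (~mask) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def dotted(value):
    """Render an integer (address or mask) in dotted-quad form."""
    return str(ipaddress.IPv4Address(value))


def broadcast_of(ifaddr, mask):
    """Broadcast address as the kernel derives it: address OR'ed with the inverted mask."""
    a = int(ipaddress.IPv4Address(ifaddr))
    return dotted(a | ((~mask) & 0xFFFFFFFF))


def on_link(ifaddr, mask, target):
    """On-link test, assumed here to be the usual 'target & mask == address & mask'."""
    a = int(ipaddress.IPv4Address(ifaddr))
    t = int(ipaddress.IPv4Address(target))
    return (t & mask) == (a & mask)


def audit(text, probes):
    """Per interface: decoded mask, whether it is a sane CIDR mask, the derived
    broadcast, and which probe addresses it would claim as directly reachable."""
    report = {}
    for ifname, addr, mask in parse_ifconfig(text):
        report[ifname] = {
            "mask": dotted(mask),
            "contiguous": mask_is_contiguous(mask),
            "broadcast": broadcast_of(addr, mask),
            "claims_on_link": [p for p in probes if on_link(addr, mask, p)],
        }
    return report


if __name__ == "__main__":
    for name, info in audit(SAMPLE_IFCONFIG, PROBES).items():
        verdict = "ok" if info["contiguous"] else "NON-CONTIGUOUS MASK"
        print(f"{name}: mask {info['mask']} ({verdict}) broadcast {info['broadcast']} "
              f"claims on-link: {info['claims_on_link'] or 'none'}")
```

Run against the sample, vr0 comes out clean, while both tap interfaces are reported with a non-contiguous mask, reproduce the odd 255.255.255.253 broadcast seen in the ifconfig output, and claim 74.125.95.132 as directly reachable, which is why the box sends an ARP request for the Google cache server with "tell 10.0.9.1" instead of routing it out the WAN; 209.85.225.147 and 209.131.36.158 do not match and are routed normally.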
                                      Sostris
                                      last edited by Jul 31, 2009, 3:06 AM Jul 31, 2009, 12:41 AM

                                      OK, I fixed this by changing the address pools of the VPN tunnels to a subnet closer to the LAN.

                                        cmb
                                        last edited by Aug 8, 2009, 2:36 AM

                                        Indeed, this is a consequence of the bridging hack howto that someone posted to the doc site. The instructions leave you with a crazy mask on your tap interface that consumes a chunk of the Internet. There isn't any way around it right now, it's something I'm looking at accommodating in some fashion before 1.2.3-release.

                                          Sostris
                                          last edited by Aug 9, 2009, 11:14 PM

                                          Thanks, that will be a big improvement.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.