New ISP issues

Seamus

I've run pfSense CE as a router and firewall behind an ISP router for a few years in my home in Ireland. Recently after changing ISP, pfSense is not working with the new IPS router. I've ended up taking out pfSense and connecting my switch directly to the new ISP router. I’m not happy with this setup but at least my devices have access to the Internet.
I've tried a few fixes and contacted my ISP but they were zero help. My guess is I'm overlooking something obvious. Here’s the short version of what I’ve tried so far.
The ISP router is a Vodafone Gigabox VOX30R1. I’ve turned off “Firewall”, “Denial-of-Services”. The router’s LAN is connected to pfsense WAN. I’ve reset pfSense to default and assigned LAN, WAN interfaces and IP addresses. I’ve created a PASS “any-to-any” firewall rule on WAN.
From a PC on pfSense LAN the webconfigurator shows that pfSense can successfully update and install packages. However, the same PC has no Internet access. Finally, my question is how can I troubleshoot what exactly is blocking this traffic? Any advice would be great.
Seamus

SteveITS

@seamus said in New ISP issues:

PASS “any-to-any” firewall rule on WAN

That would allow the Internet to get to devices on your LAN, probably not what you want? (IPv4 would be "protected" via NAT, but not IPv6)

What does a traceroute show from the PC on LAN?

Can you ping an IP like 8.8.4.4? (i.e., is it a DNS problem)

Seamus

@steveits Hi Steveits, I appreciate the help.
Agreed, the Pass any-to-any rule on WAN is not what I want - I will remove it.

Traceroute from my PC on LAN completed with no problems - 9 hops to reach 8.8.4.4 and no times over 6ms. Pinging 8.8.4.4 also report no lost packets.

viragomann

@seamus
So presumably your PC is not able to access the DNS server in its network configuration, but pfSense can.

Doesn't the PC use DHCP?
If not you have to configure DNS servers manually. So point it to pfSense LAN IP if you want to use the Resolver of pfSense.

Seamus

@viragomann
Hi viragomann,
Thanks for your help. The PC gets an IP from pfSense by DHCP and I've just confirmed that it's pointing at pfSense for DNS using "ipconfig". I temporarily changed the PC IP and DNS to static addresses to see if that made any difference, but it didn't. I have not changed any DNS Resolver settings on pfSense from the default. A pfSense "DNS lookup" reports "host could not be resolved" when I test the ISP router internal IP. As I mentioned, pinging this IP reports no loss of packets.

viragomann

@seamus said in New ISP issues:

A pfSense "DNS lookup" reports "host could not be resolved"

Which host name?
Try a lookup for dns.google or something common on pfSense.

Seamus

@viragomann
Sorry, my last reply was mistaken. Thanks again for your time.

pfSense LAN segment is 192.169.1.0/24. WAN is 10.3.3.0/24.

On the PC (192.168.1.100) "nslookup" successfully shows 192.168.1.1 (pfSense LAN IP and DNS).
On pfSense, DNS Lookup can't resolve 10.3.3.3, the ISP router internal IP.
A pfSense DNS Lookup of dns.google.com gives
Results:
8.8.8.8 A
8.8.4.4 A
Timings:
127.0.0.1 31ms
10.3.3.3 5ms
8.8.8.8 0ms

Seamus

@seamus said in New ISP issues:

pfSense LAN segment is 192.169.1.0/24. WAN is 10.3.3.0/24.

TYPO!
192.168.1.0/24

Seamus

@viragomann
Host 10.3.3.3

Seamus

@viragomann said in New ISP issues:

Which host name?

pfSense.home.arpa

stephenw10

@seamus said in New ISP issues:

On pfSense, DNS Lookup can't resolve 10.3.3.3

Um... what are you expecting that to 'resolve' to? It's a private IP address. Or do you mean resolve from?

Looks like it is responding in the lookup results for dns.google.com.

What error does the client report if you try to ping google.com?

Steve

Seamus

@stephenw10 said in New ISP issues:

What error does the client report if you try to ping google.com?

From the PC (connected to pfSense LAN) I can ping only the pfSense LAN IP. No packets are returned when pinging google.com, 8.8.4.4 or the ISP router (10.3.3.3).

From the pfSense diagnostic menu, I can successfully ping google.com, 8.8.4.4, the ISP router (10.3.3.3). However pinging the LAN PC (192.168.1.100) returns no packets.

I can't claim to understand what the DNS lookup results mean! Or why the LAN PC has no Internet access.

viragomann

You wrote this in your second post:
@seamus said in New ISP issues:

Traceroute from my PC on LAN completed with no problems - 9 hops to reach 8.8.4.4 and no times over 6ms. Pinging 8.8.4.4 also report no lost packets.

And this in your last:
@seamus said in New ISP issues:

However pinging the LAN PC (192.168.1.100) returns no packets.

Now what??
Can you ping the IP? If so can you ping dns.google.com?

It's hard to analyze a problem, when you provide contradictory information.

stephenw10

Yes, that statement is what made it look like a DNS issue initially but if that's no longer the case then look at the firewall rules on LAN and the outbound NAT rules.

Steve

Seamus

@viragomann said in New ISP issues:

It's hard to analyze a problem, when you provide contradictory information.

You may have a point viragomann, I don’t understand it myself. So I have just run through the setup wizard again on pfSense and I’ve done some more testing. This is what I’m getting.

Ping from PC (192.168.1.100) to pfSense LAN (192.168.1.1) is successful – 0% loss
Pinging PC (192.168.1.100) from pfSense fails – 100% loss
Is this abnormal?
I’ve also done a Traceroute from PC and I’ll add the results presently. I can’t say I understand what the results mean!

Seamus

@seamus said in New ISP issues:

Traceroute

Tracing route to 8.8.4.4 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms pfSense [192.168.1.1]
2 1 ms <1 ms <1 ms 10.3.3.3
3 5 ms 4 ms 4 ms 10.8.14.1
4 5 ms 4 ms 4 ms 89.19.64.10
5 * * * Request timed out.
6 5 ms 5 ms 5 ms 194.88.240.55
7 6 ms 5 ms 5 ms 74.125.244.1
8 5 ms 4 ms 5 ms 74.125.244.7
9 6 ms 5 ms 6 ms 142.250.232.81
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 5 ms 4 ms 4 ms 8.8.4.4
Traceroute complete.

netblues

@seamus said in New ISP issues:

@viragomann said in New ISP issues:

It's hard to analyze a problem, when you provide contradictory information.

You may have a point viragomann, I don’t understand it myself. So I have just run through the setup wizard again on pfSense and I’ve done some more testing. This is what I’m getting.

Ping from PC (192.168.1.100) to pfSense LAN (192.168.1.1) is successful – 0% loss
Pinging PC (192.168.1.100) from pfSense fails – 100% loss
Is this abnormal?
I’ve also done a Traceroute from PC and I’ll add the results presently. I can’t say I understand what the results mean!

Turn off firewall /allow icmp echo replies to your pc.
trace says connectivity to the Internet is ok
No issues in both statements.

stephenw10

Yeah seems OK so that starts to look like a DNS issue again. I assume DNS is failing on the client still?