Netgate Discussion Forum

Able to ping, nslookup and curl in pfSense box but curl failed in clients

  • M
    mltobing
    last edited by Oct 9, 2022, 7:50 AM

    Hi,

    I just installed pfSense 2.6.0 on my Intel Atom computer. On the pfSense box I can ping, nslookup and curl google.com.
    But on clients I can ping and nslookup but cannot curl google.com. Because of this I cannot browse the internet from clients.
    Any idea how to fix this please?

    Pfsense.png

    • S stephenw10 moved this topic from Problems Installing or Upgrading pfSense Software on Oct 9, 2022, 3:04 PM
    • V
      viragomann @mltobing
      last edited by Oct 9, 2022, 6:44 PM

      @mltobing
      How did you set up the network?
      Has pfSense a separate WAN and LAN network with outbound NAT on WAN and the client connected to the LAN?

      • R
        rcoleman-netgate Netgate @mltobing
        last edited by Oct 9, 2022, 6:56 PM

        @mltobing
        Is the 31.x network on a new adapter on your install? Do you have 443/TCP blessed on the firewall interface rules?

        You can always call to the firewall, but you need rules on the interface to pass data through -- outside of the initial LAN interface pfSense blocks all traffic (in and out) on an interface.

        Ryan
        Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
        Requesting firmware for your Netgate device? https://go.netgate.com
        Switching: Mikrotik, Netgear, Extreme
        Wireless: Aruba, Ubiquiti

        • M
          mltobing
          last edited by mltobing Oct 9, 2022, 8:45 PM Oct 9, 2022, 8:37 PM

          @viragomann @rcoleman-netgate
          This is the initial setup. After the installation completed and rebooted, I just set up 2 interfaces, for LAN (192.168.1.1) and WAN (DHCP from ISP modem 192.168.10.x). No VLAN setup.

          For WAN I am using the internal NIC and for LAN I am using a USB Gigabit NIC.

          If I'm not mistaken, around 6-7 years ago I installed pfSense and it worked right after I set the configuration like above. I have MikroTik and OpenWRT devices which worked out of the box before any custom rules setup.

          Two days ago I decided to try pfSense again. After the initial setup the clients were unable to ping google.com but ping to an IP was OK. This issue was fixed after I disabled DNSSEC support.

          The remaining issue is that client devices cannot access the internet. Ping and nslookup to google.com work on both the pfSense box and the clients. But these commands work on the pfSense box only:

          • curl https://google.com
          • telnet google.com 80
          • telnet mypersonalvps.com 22

          I also think I need to add rule(s) to allow the traffic but I don't know which rule and what kind of NAT configuration I need for this. Any idea what rules and NAT configuration I need for this?

          • V
            viragomann @mltobing
            last edited by Oct 9, 2022, 8:47 PM

            @mltobing said in Able to ping, nslookup and curl in pfSense box but curl failed in clients:

            I just set up 2 interfaces, for LAN (192.168.1.1) and WAN (DHCP from ISP modem 192.168.10.x).

            So as @rcoleman-netgate already requested above, I'm also wondering which device is 192.168.31.1, which is responding to DNS requests.
            Obviously there is an additional subnet.

            • M
              mltobing
              last edited by Oct 9, 2022, 9:33 PM

              @viragomann My current setup is like the picture below

              6272ecd7-b4ea-4bc3-b7ec-1f38d9576ad4-image.png

              • R
                rcoleman-netgate Netgate @mltobing
                last edited by Oct 9, 2022, 9:47 PM

                @mltobing So... remove OpenWRT and plug the Laptop into the LAN port. Does the issue resolve? Then it's OpenWRT, not pfSense.
                e8287eb0-b241-4d49-be9a-a095681e165a-image.png

                Ryan
                • M
                  mltobing
                  last edited by mltobing Oct 9, 2022, 10:44 PM Oct 9, 2022, 10:12 PM

                  @rcoleman-netgate I tried that already. Same result

                  This is the trace route from my laptop connected directly to pfSense LAN NIC.
                  I cannot see 192.168.10.x (This should be pfSense not OpenWRT)

                  eab6541d-2e96-4b82-b564-83461707fa8f-image.png

                  • R
                    rcoleman-netgate Netgate @mltobing
                    last edited by Oct 9, 2022, 11:40 PM

                    @mltobing What do the firewall logs say, then? All blocked traffic is logged by default unless you explicitly make a rule to deny that (which you haven't done).

                    Status->System Logs .... Firewall tab. Look for, or filter by, your system's IP.

                    Ryan
                    • R
                      rcoleman-netgate Netgate @mltobing
                      last edited by Oct 9, 2022, 11:42 PM

                      @mltobing said in Able to ping, nslookup and curl in pfSense box but curl failed in clients:

                      I also think I need to add rule(s) to allow the traffic but I don't know which rule and what kind of NAT configuration I need for this. Any idea what rules and NAT configuration I need for this?

                      On the LAN interface all traffic is passed by default unless you remove that rule or block the traffic.

                      b9fafa39-9500-4ece-a83f-a2dd2b281366-image.png
                      AHA!

                      The default rule says LAN NET for the source... I suspect 31.0/24 is being blocked because it is not 1.0/24

                      Change that to Any source (did you change this?) and it should be good to go.

                      Ryan
                      • M
                        mltobing
                        last edited by Oct 10, 2022, 1:20 AM

                        @rcoleman-netgate When you mentioned something was wrong with OpenWRT, I removed OpenWRT and connected my laptop directly to the pfSense LAN NIC, so my laptop is using 192.168.1.x.

                        I followed your instruction to update LAN Net to any. But it is still the same.

                        In the firewall logs I found only ICMPv6 blocked (because I just disabled IPv6), and the first record is there because I ran a traceroute from WAN to the LAN IP address. There is no other traffic blocked. Please check this picture.

                        c6d53632-6d4b-4517-881a-e24deab99810-image.png

                        • R
                          rcoleman-netgate Netgate @mltobing
                          last edited by Oct 10, 2022, 1:39 AM

                          @mltobing Telnet over 443? Hmm.

                          Run a packet capture on the WAN interface with 443 as the port and the IP address you are checking as the host.

                          Does it see the traffic?

                          Ryan
                          • M
                            mltobing
                            last edited by Oct 10, 2022, 2:17 AM

                            @rcoleman-netgate This is the result of the packet capture (the time on the pfSense box is slightly different from my laptop)

                            1e283deb-5549-43af-b017-2ee4a25bf814-image.png

                            • R
                              rcoleman-netgate Netgate @mltobing
                              last edited by Oct 10, 2022, 2:21 AM

                              @mltobing What's between your pfSense and the world?
                              This suggests the issue does not lie in your pfSense but on the next step out - it goes in the pfSense and out the WAN port but nothing is coming back.

                              Ryan

                              1 Reply Last reply Reply Quote 1
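The check described in the post above (traffic goes out the WAN port but nothing comes back), as an added example that is not part of the original thread. It assumes `tcpdump -n` text output captured on the WAN interface; the function name `analyze_wan_capture`, the WAN address and all sample lines are constructed for illustration. It also flags SYNs that leave the WAN with a source other than the WAN address, which relates to the outbound NAT question asked earlier.

```python
import re

# One tcpdump -n text line: time, "IP", src.port > dst.port:, Flags [...]
LINE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def analyze_wan_capture(lines, wan_ip):
    """Classify outbound TCP handshakes seen on the WAN interface.

    Returns (unanswered, not_natted):
      unanswered - flows whose SYN left the WAN and never got a SYN-ACK
      not_natted - flows whose SYN left the WAN with a source other than wan_ip
    """
    syn_sent, answered, not_natted = [], set(), []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        if m["flags"] == "S":            # SYN only: a new connection attempt
            flow = (src, sport, dst, dport)
            if flow not in syn_sent:     # count retransmitted SYNs once
                syn_sent.append(flow)
                if src != wan_ip:
                    not_natted.append(flow)
        elif m["flags"] == "S.":         # SYN-ACK: key it by the original flow
            answered.add((dst, dport, src, sport))
    return [f for f in syn_sent if f not in answered], not_natted

# Constructed sample capture; 192.168.10.5 stands in for the pfSense WAN address.
SAMPLE = """\
20:55:40.101 IP 192.168.10.5.40112 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
20:55:41.102 IP 192.168.10.5.40112 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
20:55:48.200 IP 192.168.10.5.51877 > 203.0.113.10.443: Flags [S], seq 9, win 65228, length 0
20:55:48.231 IP 203.0.113.10.443 > 192.168.10.5.51877: Flags [S.], seq 5, ack 10, win 65535, length 0
20:55:48.232 IP 192.168.10.5.51877 > 203.0.113.10.443: Flags [.], ack 6, win 513, length 0
20:55:50.300 IP 192.168.1.100.40200 > 203.0.113.10.80: Flags [S], seq 3, win 64240, length 0
""".splitlines()

if __name__ == "__main__":
    unanswered, not_natted = analyze_wan_capture(SAMPLE, "192.168.10.5")
    print("SYN sent, no SYN-ACK:", unanswered)
    print("left WAN without NAT:", not_natted)
```

An unanswered flow whose source is the WAN address points upstream of the firewall, while an entry in the second list means the packet left with its LAN address and the upstream device has no route back.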
                              • M
                                mltobing
                                last edited by mltobing Oct 10, 2022, 2:29 AM Oct 10, 2022, 2:27 AM

                                @rcoleman-netgate That's really strange. There is an ISP modem after the pfSense box. When I removed the pfSense box and replaced it with the OpenWRT AP, everything worked fine.

                                If you think so, now I am not sure if this issue is related to the Intel Atom box or the NICs.

                                • R
                                  rcoleman-netgate Netgate @mltobing
                                  last edited by Oct 10, 2022, 2:41 AM

                                  @mltobing Are you running any type of VPN?

                                  Ryan
                                  • M
                                    mltobing
                                    last edited by mltobing Oct 10, 2022, 2:58 AM Oct 10, 2022, 2:52 AM

                                    @rcoleman-netgate I am not running any type of VPN

                                    I forgot if we cannot curl, because of that we didn't get any reply. But we have no issue with ping, so I tried to capture and we got reply.

                                    Strange. Why does the pfSense box allow ICMP and nslookup but block other traffic? On my laptop the network status shows "internet access" but I cannot browse the internet.

                                    Thanks for your fast response. I will go out and reply to you later.

                                    d5a23b7d-24f5-43af-9b3f-3520501eb7b3-image.png

                                    • M
                                      mltobing
                                      last edited by mltobing Oct 10, 2022, 2:56 PM Oct 10, 2022, 2:19 PM

                                      @rcoleman-netgate I tried this scenario to get packets from OpenWRT. I ran curl on my laptop first, then on the pfSense box.

                                      pfSense WAN captured packets from both of them but didn't forward requests from my laptop to OpenWRT. We can see OpenWRT captured packets after 20:55:48 only. Do you know why pfSense WAN didn't forward packets from my laptop?

                                      5a1ec76e-70dd-470b-a863-bf3b00472339-image.png

                                      • S
                                        stephenw10 Netgate Administrator
                                        last edited by Oct 10, 2022, 3:44 PM

                                        It's not that pfSense is not forwarding the responses, it's that it never gets any responses to forward. For some reason.

                                        There must be some difference between the packets from the client and those from pfSense. The TTL would be different, for example.

                                        The pcap on OpenWRT doesn't show any of the traffic from the laptop behind pfSense. Was it started after that had failed?

                                        Steve

                                        • S
                                          stephenw10 Netgate Administrator
                                          last edited by Oct 10, 2022, 3:50 PM

                                          My number one suspect here would be the USB NIC you're using except you have that as LAN and it appears to be passing inbound there.
                                          What is the WAN NIC in that device? What hardware off-loading do you have enabled?

                                          Steve
