Netgate Discussion Forum
    Strange WAN connectivity issue

    General pfSense Questions, 3 posts, 2 posters, 731 views
    dweimer:

      I have a weird issue on a pfSense 2.6.0 CE installation. The pfSense system cannot talk to its WAN but does accept connections. As in, I can ping the pfSense from the gateway, but it can't ping the gateway. I can even connect to HTTPS and log in to management from a remote location, but the pfSense can't talk to that remote location. To make it even weirder: if I SSH to pfSense and start a ping to the gateway, which returns no result, leave the ping running and then disable the WAN interface, the ping starts returning "sendto: No route to host", which makes sense. Then enable the interface, at which point the ping process starts returning replies from the gateway, and it will continue as long as you leave that ping process running. However, if you go to the web interface and ping the same gateway, it will fail to get a response. If you use CTRL+C on the ping process and then restart it, there is no response.
      This was a working setup; the pfSense is running as backup for another one, and I don't know when it started failing. After noticing this issue I rebuilt on new hardware and the problem still exists. I didn't restore the configuration; I re-entered all the interface definitions from screenshots and allowed the remaining configuration to sync from the primary HA node.
      I have tried disabling CARP and turned off pfsync so states are not syncing, but the problem still persists. I even rebooted the switch. I have 4 defined interfaces on a two-port LAGG using VLANs; all the others, which have CARP defined, are working correctly.

      stephenw10 (Netgate Administrator):

        Sounds like what you might see if you have outbound NAT overmatching. If you have just configured it to NAT everything outbound to the CARP VIP, then that will also include traffic from the firewall itself, and that will fail when the VIP is running as backup.
        OBN rules on an HA pair should only match traffic from subnets behind the firewall, so that traffic from the firewall itself still uses the real WAN IP directly.

        Steve

        dweimer (replying to @stephenw10):
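To make the overmatching mechanism in the reply above concrete, here is an added example (written for this thread, not pfSense's or Netgate's own code). It models pf-style first-match outbound NAT on a two-node HA pair and shows why a rule whose source is "any" breaks the backup node's own traffic: the firewall's packet leaves with the CARP VIP as its source, so the reply is delivered to whichever node is master, and the backup never sees it. All addresses (RFC 5737 documentation ranges), interface names and rule descriptions are constructed for the example; the rule matching is a simplification of pf and ignores ports, protocols and pool options.

```python
"""Model pf-style outbound NAT matching on a pfSense HA pair.

Example code written for this thread (not pfSense's or Netgate's own code).
Addresses below are constructed RFC 5737 documentation values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass
class OutboundNatRule:
    """One outbound NAT rule, modelled on pf's
    'nat on <interface> from <source> to any -> <target>'."""
    interface: str
    source: str        # "any" or a CIDR such as "192.168.1.0/24"
    target: str        # translation address: real WAN IP or a CARP VIP
    descr: str = ""


# Constructed HA pair: shared CARP WAN VIP plus each node's real WAN address.
WAN_VIP = "203.0.113.10"
PRIMARY_WAN_IP = "203.0.113.11"
BACKUP_WAN_IP = "203.0.113.12"
LAN_NET = "192.168.1.0/24"

# Overmatching rule set: everything leaving WAN is translated to the VIP,
# including packets whose source is the firewall's own WAN address.
OVERMATCHING_RULES = [
    OutboundNatRule("wan", "any", WAN_VIP, "NAT everything to CARP VIP"),
]

# Corrected rule set: only the subnet behind the firewall is translated;
# firewall-originated traffic keeps its real WAN IP.
CORRECTED_RULES = [
    OutboundNatRule("wan", LAN_NET, WAN_VIP, "LAN hosts out via CARP VIP"),
]


def translate(rules: List[OutboundNatRule], interface: str, src_ip: str) -> Optional[str]:
    """Return the address src_ip is rewritten to when leaving `interface`,
    or None when no rule matches (the packet keeps its source address).
    Outbound NAT is first-match, as in pf."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.interface != interface:
            continue
        if rule.source == "any" or ip in ipaddress.ip_network(rule.source, strict=False):
            return rule.target
    return None


def self_traffic_reply_returns(rules: List[OutboundNatRule], interface: str,
                               node_wan_ip: str, node_owned_addrs: Set[str]) -> bool:
    """Would a reply to firewall-originated traffic reach this node?

    The reply is addressed to the translated source. If that is a CARP VIP the
    node does not currently hold (backup state), the master receives the reply
    and the backup's ping gets no answer."""
    translated = translate(rules, interface, node_wan_ip) or node_wan_ip
    return translated in node_owned_addrs


def overmatching_rules(rules: List[OutboundNatRule], node_wan_ips: Iterable[str],
                       carp_vips: Set[str]) -> List[OutboundNatRule]:
    """Flag rules that would translate a node's own WAN address to a CARP VIP."""
    flagged = []
    for rule in rules:
        if rule.target not in carp_vips:
            continue
        for wan_ip in node_wan_ips:
            if translate([rule], rule.interface, wan_ip) == rule.target:
                flagged.append(rule)
                break
    return flagged


if __name__ == "__main__":
    backup_owns = {BACKUP_WAN_IP}                 # backup node holds only its real IP
    primary_owns = {PRIMARY_WAN_IP, WAN_VIP}      # master holds the VIP too
    for name, rules in (("overmatching", OVERMATCHING_RULES), ("corrected", CORRECTED_RULES)):
        print(f"{name}: backup self-ping replies arrive ->",
              self_traffic_reply_returns(rules, "wan", BACKUP_WAN_IP, backup_owns))
        print(f"{name}: primary self-ping replies arrive ->",
              self_traffic_reply_returns(rules, "wan", PRIMARY_WAN_IP, primary_owns))
        for bad in overmatching_rules(rules, [PRIMARY_WAN_IP, BACKUP_WAN_IP], {WAN_VIP}):
            print(f"{name}: overmatching rule: {bad.descr!r} (source {bad.source})")
```

Run it as-is and the overmatching set reports the backup's self-originated traffic as unanswered while the primary looks healthy, which matches the symptom in the thread: the same rule set works on the master and fails only on the node in backup state. The `overmatching_rules` check is the review a practitioner can apply to a synced outbound NAT table: any rule targeting a VIP whose source also covers a node's real WAN address needs its source narrowed to the internal subnets.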

          @stephenw10
          I think you hit the nail on the head. I had recently made NAT changes on the primary side as part of a setup for testing WireGuard, went from automatic to hybrid, and broke it by creating a NAT to the CARP address that synced to the backup. Thanks for pointing me in the right direction.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.