If Internet Down, Can't Get to pfSense Box?

areckethennu

I'm wondering if I've got a misconfiguration someplace or if this is normal, expected behavior. I just finished a two hour battle with the internet. It looked like I lost my internet connection. But, my cable box was happy and showing me all AOK lights. I tried navigating to my pfSense box at https://192.168.1.1, but couldn't reach it. Ditto for reaching my cable modem at 192.168.100.1. Finally, after multiple reboots of everything, replacing and putting back the cable modem, and direct connections to the internet, everything came back miraculously. My question, though, is why couldn't I access my pfSense box or cable modem even though they both have local IP addresses? I don't think those need to hit the internet for any kind of resolution.

If this isn't expected behavior, is there some configuration area I should examine for a misconfiguration?

SteveITS

@areckethennu Next time, check the pfSense console for information/errors. Is there anything useful in the system log at that time?

It's expected to have LAN or other interface access regardless of WAN status.

Gertjan

@areckethennu said in If Internet Down, Can't Get to pfSense Box?:

My question, though, is why couldn't I access my pfSense box or cable modem even though they both have local IP addresses? I don't think those need to hit the internet for any kind of resolution.

Think again.
This information isn't available locally :

Neither the state of the packages in this list (if they are upgrade-able, or not) :

According to the source of my NTP, this one :

is also not local.

This one :

is also checked before actually showing up.

Test for yourself :
When logging into pfSense, use a link like this :
http//192.168.1.1/status_interfaces.php
For this page to be generated, no external sources are needed, the page will show up right away after log in.

From that page you could should go to
http://192.168.1.1/status_logs.php
where you can see what going well / what's going bad.

The main index or dashboard page is nice .... when everything goes well ;)

@areckethennu said in If Internet Down, Can't Get to pfSense Box?:

the cable modem

These kind of devices work best when you power them up first.
Have them boot up, and give them largely the time to get a working connection.
Only after things have settled out, then power up pfSense.

And, yes, as @SteveITS mentioned : activate the SSH access, or use the console, look at it.
There is only important information there.

areckethennu

@gertjan Thanks for the info and the urls to try. It never occurred to me that the content of the pages being "live" would stop me from getting to the device, itself. I'll test those out.

Also, after fighting with the issue for a bit, my next step was to access the console. But, it all came back at that point.

EDIT: Unless it takes some time for the lack of an internet connection to propagate through the system, it looks like that's not the answer. I pulled the WAN cable out of the pfSense box and tried accessing it via the network. No problem. I got to the log-in page (which is what I couldn't even get to before), logged in and up popped the standard Dashboard showing the downed interface.

Browsing through my logs, the only thing out of the ordinary that leaps out at me (besides the entries saying, basically, the WAN was down) is this:

Mar 1 19:37:19 radvd 72652 our AdvManagedFlag on igb1 doesn't agree with fe80::d6ad:71ff:fe0c:3019

But, it's greek to me.

stephenw10

Yes, you should be able to access the webgui at the LAN IP if the WAN is disconnected.

Likely there was some sort of subnet conflict. Or possibly a interface assignment misconfig.

Yes, the console is where to check that if you can't access the webgui or ssh.

Steve

areckethennu

@stephenw10 We crossed paths. I just edited my previous post saying I could get to the pfSense box without trouble with the WAN cable disconnected. As you say, something must have been wrong on the pfSense box, itself. But, why multiple hard shutdowns (pull the power cord out of the back) didn't fix it, I don't know. I guess, next time, I'll have to START with the console instead of putting it off because I have to remember how to do it and hook things up (and that way, I could shut it down gracefully instead of dropping a bomb on it).

Gertjan

This :

@areckethennu said in If Internet Down, Can't Get to pfSense Box?:

But, why multiple hard shutdowns (pull the power cord out of the back) didn't fix it

is one of the best ways to kill a box.
Next best will be physical : sledgehammer etc.

IMHO : don't do this. Even when Netgate gives you a written statement that the ZFS file system (if you that) will never crash.
Because it will.

To power down a device : do like your PC : click with the mouse on the GUI button called 'shutdown'.

@areckethennu said in If Internet Down, Can't Get to pfSense Box?:

It never occurred to me that the content of the pages being "live" would stop me from getting to the device, itself.

The dashboard, as that is the page where you go after login, want to show info that it has to collect first.
If that doesn't work out, eventually - 30 seconds or so, the dashboard GUI will show up.

The console access also has an option to shut the system down.

areckethennu

@gertjan Well, the problem was that I couldn't even get to the login page, let alone actually log in or see the dashboard. But, if I had used the console, I could have avoided that.

That "our AdvManagedFlag on igb1 doesn't agree with fe80::d6ad:71ff:fe0c:3019" error seems like a promising indicator of the issue. It looks like it's a problem on the LAN interface, but I don't know if it's a symptom of the inability to connect or the cause of it.

stephenw10

If you could connect with the WAN disconnected I'd still be looking for a subnet conflict.

Perhaps when the WAN fails the modem creates an IP in the LAN subnet.

Steve

Gertjan

@stephenw10 said in If Internet Down, Can't Get to pfSense Box?:

Perhaps when the WAN fails the modem creates an IP in the LAN subnet.

His cable modem uses 192.168.100.1, and the pfSense LAN is the default 192.168.1.1, so that can't (shouldn't) be the issue.
If pfSense obtained an 192.168.100.x from the cable modem as a pfSense WAN IP, this would break 'internet' access. But this shouldn't stop indefinitely the access to the pfSense GUI. There will be a delay, though.

Also, when WAN connects, "all hell breaks loose".
I mean : when you use the console access, option 8 (command line) and we tail every log file on the system, like :

tail -f /var/etc/system.log /var/log/resolver.log /var/log/dhsp.log etc etc etc etc

me you everybody will know what I mean. Thousands of log lines will show up an this is 'normal'.

Even the GUI web server is restarted, as it wants to listens to WAN.
If there is a stupid modem upfront that takes it time, or the upstream ISP DHCP server is somewhat slow, the creation of a working WAN connection can be slow.
During all this time, pfSense tries also to update some data that it want to get from sources on the Internet, like the package info and the current time (etc), then a delay is easily explained.

But again, eventually, it should show up.

That's why I proposed to go directly (enter it in the URL line of your browser) to the - not dashboard page - but another page like
http://192.168.1.1/system_usermanager.php as that page only needs local resources to get build.