Netgate Discussion Forum

Cannot Connect to the Internet, Unknown Rule on System Logs

Scheduled Pinned Locked Moved Routing and Multi WAN
18 Posts 4 Posters 1.7k Views
  • R
    Rob893
    last edited by Mar 22, 2023, 4:00 PM

    Hello there,

    First time Pfsense user here. I cannot connect to the internet using Pfsense.

    I do not think it is the ISP router I have the Pfsense router hooked up to because my Unifi switch and access points work perfectly fine if I plug them directly into the ISP router.

    Pfsense version: 2.6.0

    The specifications for the router:
    • Motherboard: Biostar J4125NHU with latest BIOS (February 2023)
    • CPU: Intel Celeron J4125
    • RAM: 2x4gb Corsair DDR4 memory
    • SSD: Team Group 256 Gb M.2 Nvme
    • NIC: Intel I350-T4

    The Topography:
    ISP Fiber router (Fiberhome Model HG6243C set to Bridge Mode) > PFsense router.
    The Unifi switch and access points were supposed to come after the pfSense router, but since I have yet to figure out how to get pfSense to work, I have them plugged into the ISP router.

    I have consulted https://docs.netgate.com/pfsense/en/latest/troubleshooting/connectivity.html and what was strange on my system is that upon checking system logs> firewall, I got two constant messages
    • WAN Default deny rule IPv4 (1000000103)
    • WAN Default deny rule IPv6 (1000000105)

    Problem is, I checked the WAN Firewall Rule, and there were no rules set up yet (it’s a fresh install). No rule for floating, and on LAN, I have Action:Pass and Protocol:Any. So, I have no idea why these two messages keep popping up. And more importantly, why I can’t connect to the internet.

    Any help would be appreciated. Thank you.

    • J
      Jarhead @Rob893
      last edited by Mar 22, 2023, 4:29 PM

      @rob893 Do you get an IP on the WAN?
      Did you try to power cycle the ISP's router after connecting pfSense?
      If it really is a router, are you getting a public IP or private?
      Try to disable blocking rfc1918 on the WAN. Go to interfaces/WAN and scroll to the bottom.

      • S
        SteveITS Galactic Empire @Rob893
        last edited by Mar 22, 2023, 5:09 PM

        @rob893 said in Cannot Connect to the Internet, Unknown Rule on System Logs:

        checked the WAN Firewall Rule, and there were no rules set up yet

        All interfaces have a hidden default deny rule, so traffic is blocked. LAN has an allow any rule for IPv4 and 6.

        Normally I turn off the option to log the default block rules which avoids a lot of unnecessary log entries:
        25e5e683-4f1f-43e1-8b62-d571da165819-image.png

        re: connectivity, can you ping by IP address? (ping 8.8.8.8)

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!
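
Added example, not part of the post above and not pfSense's own code: a small triage script for raw filterlog lines that counts hits on the two default deny trackers quoted in the first post and lists anything blocked on the LAN side. Field positions follow pfSense's raw filter log CSV layout; the sample lines, the pass-rule tracker and the interface names (igb0 as WAN, igb1 as LAN) are constructed assumptions.

```python
import csv
from collections import Counter

# Tracker IDs and labels exactly as quoted in the first post of this thread.
DEFAULT_DENY = {
    "1000000103": "Default deny rule IPv4",
    "1000000105": "Default deny rule IPv6",
}

# Constructed sample lines (addresses, ports and interface names are made up).
SAMPLE = [
    "4,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,"
    "203.0.113.7,198.51.100.9,51234,22,0,S,1,,64240,,mss",
    "4,,,1000000103,igb0,match,block,in,4,0x0,,1,0,0,none,17,udp,328,"
    "192.168.1.1,255.255.255.255,67,68,308",
    "6,,,1000000105,igb0,match,block,in,6,0x00,0x00000,1,udp,17,40,"
    "fe80::1,ff02::1:2,546,547,40",
    "9,,,100000101,igb1,match,pass,in,4,0x0,,64,0,0,DF,1,icmp,84,"
    "192.168.10.20,8.8.8.8,request,1,1",
]

def parse(line):
    """Return the fields needed for triage from one raw filterlog line."""
    f = next(csv.reader([line]))
    rec = {"tracker": f[3], "iface": f[4], "action": f[6],
           "direction": f[7], "ipver": f[8]}
    if rec["ipver"] == "4":      # IPv4: protocol text at 16, addresses at 18/19
        rec.update(proto=f[16], src=f[18], dst=f[19])
    elif rec["ipver"] == "6":    # IPv6: protocol text at 12, addresses at 15/16
        rec.update(proto=f[12], src=f[15], dst=f[16])
    rec["rule"] = DEFAULT_DENY.get(rec["tracker"], "tracker " + rec["tracker"])
    return rec

def default_deny_hits(lines):
    """Count default deny entries per (rule label, interface, direction)."""
    hits = Counter()
    for rec in map(parse, lines):
        if rec["tracker"] in DEFAULT_DENY and rec["action"] == "block":
            hits[(rec["rule"], rec["iface"], rec["direction"])] += 1
    return hits

def blocked_on(lines, iface):
    """Entries blocked on one interface, e.g. the LAN side where clients sit."""
    return [r for r in map(parse, lines)
            if r["iface"] == iface and r["action"] == "block"]

if __name__ == "__main__":
    for key, count in default_deny_hits(SAMPLE).items():
        print(count, *key)
    print("blocked on LAN (igb1):", blocked_on(SAMPLE, "igb1"))
```

If every default deny hit is inbound on the WAN interface and nothing is blocked on the LAN interface, the log entries are unsolicited inbound traffic being dropped, not the cause of clients failing to reach the internet.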

        • R
          Rob893 @Jarhead
          last edited by Mar 22, 2023, 5:18 PM

          @jarhead
          The WAN IP is 192.168.1.1, status is online, other services are running too
          Just tried power cycling the router like you suggested. Still no internet though
          Router is giving me a public IP
          Rfc1918 and Bogon have been disabled during the initial setup

          pf3.png

          • S
            SteveITS Galactic Empire @Rob893
            last edited by Mar 22, 2023, 5:20 PM

            @rob893 said in Cannot Connect to the Internet, Unknown Rule on System Logs:

            Router is giving me a public IP

            192.168.1.1 is a private/RFC1918 IP.

            That shouldn't matter for connectivity out though. Try the ping 8.8.8.8 and if that works try nslookup/dig to see if DNS is working.

            • V
              viragomann @Rob893
              last edited by Mar 22, 2023, 5:23 PM

              @rob893 said in Cannot Connect to the Internet, Unknown Rule on System Logs:

              The WAN IP is 192.168.1.1, status is online, other services are running too

              Which WAN? The pfSense screen shows something different.

              Router is giving me a public IP

              Where? To which device??

              • R
                Rob893 @SteveITS
                last edited by Mar 22, 2023, 5:23 PM

                @steveits Ah thanks for the tip! As for pinging 8.8.8.8, I was able to do it if I connect my laptop to the ISP router. But if I connect it to the Pfsense router, I get request time outs

                • V
                  viragomann @Rob893
                  last edited by Mar 22, 2023, 5:26 PM

                  @rob893 said in Cannot Connect to the Internet, Unknown Rule on System Logs:

                  But if I connect it to the Pfsense router, I get request time outs

                  The question was if you can ping from pfSense itself.
                  Go to Diagnostic > Ping and try, please.

                  • R
                    Rob893 @viragomann
                    last edited by Mar 22, 2023, 5:52 PM

                    @viragomann @SteveITS Ah sorry, my mistake. But no, I was not able to ping 8.8.8.8
                    ping.png

                    • R
                      Rob893 @Jarhead
                      last edited by Mar 22, 2023, 5:54 PM

                      @jarhead I meant to say, these have been unchecked
                      check.png

                      • V
                        viragomann @Rob893
                        last edited by Mar 22, 2023, 5:59 PM

                        @rob893
                        I assume you didn't touch the outbound NAT settings yet and it is still in automatic mode (Firewall > NAT > Outbound)?

                        If so, at least the ping should work though.
                        Possibly your router requires adding new machines to a trusted device list to allow traffic?

                        • R
                          Rob893 @viragomann
                          last edited by Mar 22, 2023, 6:15 PM

                          @viragomann Yes, it is still on automatic. By that, do you mean the ISP router or the pfSense router?

                          • V
                            viragomann @Rob893
                            last edited by Mar 22, 2023, 6:17 PM

                            @rob893
                            The ISP router. Some have a whitelist, where devices must be added to pass traffic.

                            • S
                              SteveITS Galactic Empire @Rob893
                              last edited by Mar 22, 2023, 6:19 PM

                              @rob893 Given the 192.168.1.1 WAN gateway is online that would mean pfSense can ping it. So it would seem your ISP router isn't passing traffic out.

                              If you Diagnostics/Traceroute to 8.8.8.8 does it get any farther than 192.168.1.1?

                              • R
                                Rob893 @SteveITS
                                last edited by Mar 23, 2023, 1:55 AM

                                @steveits trace.png
                                It doesn't seem so. But I did try to run my ISP router normally (not in bridge mode), and it sort of did something.

                                Before, Windows would show a no connection icon.
                                After the change, it shows the connected via ethernet icon.

                                I am, however, still unable to connect to the internet.

                                • S
                                  SteveITS Galactic Empire @Rob893
                                  last edited by Mar 23, 2023, 2:57 AM

                                  @rob893 if your ISP router was in bridge mode I would expect pfSense to get a public IP address…

                                  From the traceroute it seems the ISP router isn’t passing the packets on.

                                  I would go back to your ISP next.

                                  • R
                                    Rob893 @SteveITS
                                    last edited by Mar 23, 2023, 3:25 AM

                                    @steveits Alright, I'll see if I can do something about the ISP router. Thanks for the help!

                                    • R
                                      Rob893
                                      last edited by Mar 27, 2023, 4:27 PM

                                      Well, I finally got it working. From the online manual I found on the internet, my ISP router is an ONT, not an ONR. Someone pointed out that it being an ONT means that bridge mode was unnecessary. So, the first thing I did was plug pfSense in without bridge mode.
                                      But that was not the end of it because I could ping 8.8.8.8 but was still unable to connect to the internet. Diving into the forums led me to this, which resolved the problem.
                                      https://forum.netgate.com/topic/106121/fresh-install-does-not-give-internet-access-resolved?_=1679934258140

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.