Main PFS box works, WAN doesn't work on aux PFS box w/ same config

RunLikeHeck

I have a couple of older HP PCs that I use for pfSense; a main and an auxiliary. Both have an onboard NIC for WAN and both have a PCI-bus quad NIC for LAN.

Both machines have community pfSense 2.6.0. Ordinarily the main box is in service and its WAN NIC is connected straight to a Comcast Business cable modem. The WAN NIC is configured to hold my assigned static IP. Using the web configurator, I downloaded a config backup file from the main box and wrote it to an SD card as described in the manual. I of course have to change the names of the NIC in the config.xml file. I inserted the SD card into the auxiliary box, let it boot, and everything comes up like it should - the onboard WAN NIC shows as up - but the box can't see Internet. Its IP address and mask are correct (the settings came from the main box which worked). I even stuffed another single-port NIC in it to use as the WAN NIC and no difference. And yet I was able to install pfSense up on a third machine and boot using the SD card, and it worked once its two interfaces were set up. Third box in question is a Dell tower server that is way, way overkill so I'd really like to use the auxiliary box I'd intended to use if at all possible. Any ideas about what I could look at?

stephenw10

How did you test the connectivity?

What NIC types are used in either of those boxes? What drivers?

It's possible you're not actually connecting the WAN to the NIC you expect. Since you're using a static IP it would not be obvious.
Try disconnecting the WAN and make sure the interface status reflects that.

Steve

RunLikeHeck

@stephenw10 Perfectly reasonable questions because I know how easy it is to get this wrong. :)

The machine's onboard NIC shows up to lspci as an nVidia MCP51, rev a1 and it registers to pfSense as nfe0. The single-port card I installed as a test is an Intel 82557/8/9/0/1 (Pro 100). The quad-port Intel card (no problems here) is an 82557 Gig-E and those ports register as em0 through em3. The 1. option on the console clearly showed the expected connected ports were in state "up" and I confirmed by eyeball that the cable from the WAN interface was connected straight to the cable modem. I also have an RTL8169 10/100/1000 PCI card that I can test with.

stephenw10

So both systems use nfe0 as WAN, the same on-board NIC?

And both have a 4 port Intel expansion card, both using em0-3?

If that's the case I would not expect to have to reassign the NICs in the config before importing it.

Do you see the gateway appear in the ARP table on the backup box when it's connected?

RunLikeHeck

@RunLikeHeck Update: the RTL8169 card didn't show up in pfSense at all.

stephenw10

Like not shown as a PCI device in pciconf -lv? Or just no driver attaches? That's a pretty old card I would expect re(4) to support it.

bingo600

@RunLikeHeck

I had that issue with my "Backup box" too , no or strange internet connection on WAN.
I have a "static wan ip" , and apparently it is locked to the MAC address of my Box ... "Primary box"
Solution for me was in "Primary box" to enter the Mac address of the WAN Interface , in the Mac address field on the WAN interface definitions.

Pict just for showing where to enter mac , this is a "work box".

This seems kind of redundant to do , but it ensures that my "Primary Box - WAN MAC" is used on whatever box i restore the config.
And now - Any box i use as a substitute, sees normal Internet with my ISP assigned static IP.

Edit: Only do this on a "Cold spare setup" , not some HA/CARP stuff

/Bingo

RunLikeHeck

It looks like the problem wound up being one of name resolution. Once I gave pfSense the DNS IP addresses that Comcast gave me, things started working. The weird thing was, it wasn't set on the main pfSense box either and it was working. Now, one thing that changed in the middle of all this was that the Comcast cable modem was replaced; there was a lightning strike nearby that apparently fried the one of four functionally identical Ethernet ports on the back of the modem (with cable plugged in, pfSense reported "down" for that jack but "up" for any of the others) and screwed it up in other ways so that even plugged into a working jack in the modem pfSense wasn't getting out. So I'm good for now (am continuing to run on the aux box) and have a process for moving configs from one box to the other. Now I need to build out the config more so that I've got externally-reachable boxes on one of the other quad NIC ports.