Netgate Discussion Forum

    No Internet Access from LAN

    General pfSense Questions
    • NollipfSense

      Suddenly, on my production network, I have no Internet access from LAN. When I check LAN, I got this message below and when I check RA, I got the message below that. The thing is IPv6 had never been configured on this network, so why is this suddenly preventing network access? I can ping out from the box but not from LAN despite the laptop being connected directly to the LAN port. How did this happen? Can I disable RA from the console? Then, LAN becomes unresponsive, I cannot access the webgui and only SSH is available.

      Screen Shot 2023-10-25 at 1.53.41 AM.png
      Screen Shot 2023-10-25 at 1.54.12 AM.png

      pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
      pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

      • stephenw10 Netgate Administrator

        You can disable it by editing the config directly. Otherwise enable v6 on the LAN temporarily so you can disable RA in the GUI.

        • NollipfSense @stephenw10

          @stephenw10 said in No Internet Access from LAN:

          You can disable it by editing the config directly. Otherwise enable v6 on the LAN temporarily so you can disable RA in the GUI.

          Which config file exactly, and which command? I don't want to enable v6, not even temporarily, because of my ISP's grossly bad method of implementing v6, which was never intended to be a true implementation, and there is no benefit to a router/firewall behind their modem. Most important is how it somehow just automatically happened.

          • stephenw10 Netgate Administrator

            The main config file /conf/config.xml

            If you do it in the gui it doesn't have to be a real IP. Set the LAN to 2001:db8:1000::1/64 for example. Then disable RA then remove the v6 IP again.

            • NollipfSense @stephenw10

              @stephenw10 said in No Internet Access from LAN:

              The main config file /conf/config.xml

              If you do it in the gui it doesn't have to be a real IP. Set the LAN to 2001:db8:1000::1/64 for example. Then disable RA then remove the v6 IP again.

              Looked there, just never scrolled down enough. Steve, I would never have thought of using a fake IPv6 😁

              So, I edited the file but still no Internet from LAN
              <dhcpdv6>
                <lan>
                  <range>
                    <from>::1000</from>
                    <to>::2000</to>
                  </range>
                  <ramode>disabled</ramode>
                  <rapriority>medium</rapriority>
                  <prefixrange>
                    <from></from>
                    <to></to>
                    <prefixlength>48</prefixlength>
                  </prefixrange>
                  <defaultleasetime></defaultleasetime>
                  <maxleasetime></maxleasetime>
                  <netmask></netmask>
                  <dhcp6c-dns>disabled</dhcp6c-dns>
                  <domain></domain>
                  <domainsearchlist></domainsearchlist>
                  <ddnsdomain></ddnsdomain>
                  <ddnsdomainprimary></ddnsdomainprimary>
                  <ddnsdomainsecondary></ddnsdomainsecondary>
                  <ddnsdomainkeyname></ddnsdomainkeyname>
                  <ddnsdomainkeyalgorithm>hmac-md5</ddnsdomainkeyalgorithm>
                  <ddnsdomainkey></ddnsdomainkey>
                  <ddnsclientupdates>allow</ddnsclientupdates>
                  <tftp></tftp>
                  <ldap></ldap>
                  <bootfile_url></bootfile_url>
                  <dhcpv6leaseinlocaltime></dhcpv6leaseinlocaltime>
                  <numberoptions></numberoptions>
                </lan>

              • stephenw10 Netgate Administrator

                Ok, yeah, having no v6 IP on LAN should not prevent IPv4 working.

                So, how is it failing?

                Can clients ping? Anything?

                Is DNS working?

                • NollipfSense @stephenw10

                  @stephenw10 said in No Internet Access from LAN:

                  So, how is it failing?

                  The thing is it's not failing...it's like it's acting like a firewall. I can ping apple.com from the box itself but not from clients...clients cannot ping the firewall. This happened last night around 9pm. The traffic graphs show normal activity and DNS works on the box itself since I pinged apple.com as well as google.com, but not from the clients.

                  So, I am learning that router advertising is too powerful...I have two separate networks with separate IP addresses and it appeared the router advertising jumped across to the other network and reconfigured it without admin's permission...that's my only explanation...that seems to imply why I have the issue at 1:30 - 3:00am with dpinger sendto error 50...the other thing is I cannot disable the IPv6 LAN firewall rule...as soon as I disable it, it generates another firewall rule.

                  • stephenw10 Netgate Administrator

                    That still wouldn't affect IPv4 on the local subnet.

                    Can you ping client IPv4 addresses on the LAN from pfSense?

                    • NollipfSense @stephenw10

                      @stephenw10 said in No Internet Access from LAN:

                      Can you ping client IPv4 addresses on the LAN from pfSense?

                      No, and I just deleted/removed the IPv6 firewall rule...still no luck...this is a weird issue...luckily I am communicating through the private-cloud box.

                      I had seen several others had similar complaints and from what I have seen there is no solid explanation...

                      • johnpoz LAYER 8 Global Moderator @NollipfSense

                        @NollipfSense said in No Internet Access from LAN:

                        I had seen several others had similar complaints

                        where? I am on here all the time, and don't recall any flood of such complaints..

                        So you have a box on your network.. Doesn't really matter if lan or some opt you created.. Is it a tagged vlan or native?

                        What are the rules on the interface?

                        So what is the IP on pfsense? What is the IP on the client? Did the client get an IP from dhcp?

                        Look at the arp table on the client.. Does it show a mac address for pfsense IP address? What does pfsense arp table show for the client IP.. Are these mac addresses correct?

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        • stephenw10 Netgate Administrator

                          Yeah if you can't ping either way across the LAN this has to be something low level. Check the basics.

                          • NollipfSense @stephenw10

                            @stephenw10 said in No Internet Access from LAN:

                            Yeah if you can't ping either way across the LAN this has to be something low level. Check the basics.

                            Well, it turned out that the reason I could not ping the laptop that was directly connected to LAN was the laptop had firewall on and when disabled, it could ping it. However, the laptop could not surf the Internet.

                            Also, I attached the WIFI directly to LAN and I can ping the WIFI but clients to the WIFI could not ping the firewall.
                            I may have a spare NIC to dig out of storage to try...to look for it...

                            • johnpoz LAYER 8 Global Moderator @NollipfSense

                              @NollipfSense again you need to look at basics.. What are the firewall rules on the pfsense interface? Many users will create a tcp only rule.. This is normally not very workable because ping doesn't work as a simple connectivity test, and dns fails, etc. because dns is almost always just udp..

                              If devices can not ping each other, and you're sure firewall rules allow it, be it pfsense or some host device you're trying to ping from pfsense.. You need to validate they see the mac addresses.. Firewall rules are not going to come into play with seeing the mac address or not..

                              And they are on the same network with the correct mask.. If not seeing mac you got something wrong in your network that is not to do with pfsense or your host.

                              Have seen users setup static arp, and then wonder why it doesn't work when the mac address changed for the IP that is not in line with the static arp setting..

                              • NollipfSense @johnpoz

                                @johnpoz Here, despite these being old, however, I have seen at least three recently and before I posted that comment, I didn't check the date, just the search results...
                                Screenshot 2023-10-25 at 6.52.20 PM.png

                                @johnpoz said in No Internet Access from LAN:

                                native?

                                Yes

                                @johnpoz said in No Internet Access from LAN:

                                So what is the IP on pfsense? What is the IP on the client? Did the client get an IP from dhcp?

                                Pfsense - 192.168.1.1, client, a Mikrotik - 192.168.1.100
                                yes, from Mikrotik...everything was working fine for years and most of the day yesterday until about 9pm last night when suddenly no Internet access.

                                Screen Shot 2023-10-25 at 7.19.40 PM.png
                                Screen Shot 2023-10-25 at 7.13.57 PM.png
                                Screen Shot 2023-10-25 at 7.14.37 PM.png

                                No, they're not on the same network and mask is good...pfSense LAN is Mikrotik WAN.

                                • johnpoz LAYER 8 Global Moderator @NollipfSense

                                  @NollipfSense why would you have bogon on your lan side network.. If pfsense didn't pull out rfc1918 that would prevent everything from working..

                                  https://team-cymru.org/Services/Bogons/fullbogons-ipv4.txt

                                  There is zero reason to ever put that on a lan side interface..

                                  And you have no rule there that would allow pinging pfsense IP on the lan..

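An added example, not part of the original thread and not Netgate code: a read-only Python check over a config.xml-shaped file for the conditions raised in the posts above (bogon blocking on a LAN-side interface, no enabled IPv4 pass rule that could carry ping or DNS, and an RA mode left set on an interface with no IPv6 address, reported for cleanup only). The sample config is constructed; treating every interface except wan as LAN-side and reading flags as "set when the element is present" are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like /conf/config.xml; not the poster's real config.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>igb0</if><ipaddr>dhcp</ipaddr><blockbogons></blockbogons></wan>
    <lan><if>igb1</if><ipaddr>192.168.1.1</ipaddr>
      <subnet>24</subnet><blockbogons></blockbogons></lan>
  </interfaces>
  <dhcpdv6><lan><ramode>assist</ramode></lan></dhcpdv6>
  <filter>
    <rule><type>pass</type><interface>lan</interface>
      <ipprotocol>inet</ipprotocol><protocol>tcp</protocol>
      <source><network>lan</network></source>
      <destination><any></any></destination></rule>
    <rule><type>pass</type><interface>lan</interface>
      <ipprotocol>inet</ipprotocol><protocol>icmp</protocol>
      <disabled></disabled>
      <source><any></any></source><destination><any></any></destination></rule>
  </filter>
</pfsense>"""


def ipv4_pass_protocols(root, iface):
    """Protocols allowed by enabled IPv4 pass rules on one interface."""
    protos = set()
    for rule in root.findall("./filter/rule"):
        if rule.findtext("interface") != iface or rule.findtext("type") != "pass":
            continue
        # Assumption: flags such as <disabled> are set by the element's presence.
        if rule.find("disabled") is not None or rule.findtext("ipprotocol") == "inet6":
            continue
        # A rule without <protocol> matches any protocol; "tcp/udp" covers both.
        protos.update((rule.findtext("protocol") or "any").split("/"))
    return protos


def audit(xml_text):
    """Return (interface, finding) pairs for LAN-side interfaces."""
    root = ET.fromstring(xml_text)
    findings = []
    for iface in root.findall("./interfaces/*"):
        name = iface.tag
        if name == "wan":  # Assumption: every interface except wan is LAN-side.
            continue
        if iface.find("blockbogons") is not None:
            findings.append((name, "bogons-blocked"))
        ramode = root.findtext(f"./dhcpdv6/{name}/ramode")
        has_v6 = bool((iface.findtext("ipaddrv6") or "").strip())
        if ramode not in (None, "", "disabled") and not has_v6:
            findings.append((name, "ra-without-ipv6"))
        protos = ipv4_pass_protocols(root, name)
        # Coarse check: ignores source/destination, only asks whether any
        # enabled rule could pass ping (ICMP) or DNS (UDP) at all.
        if "any" not in protos:
            if "icmp" not in protos:
                findings.append((name, "no-icmp-pass"))
            if "udp" not in protos:
                findings.append((name, "no-udp-pass"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

Run it against a copy of the file rather than the live /conf/config.xml; it only reads and never writes.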
                                  • stephenw10 Netgate Administrator

                                    So it could be a pfBlocker update that pulled in a list with a local IP for example.

                                    What's in the privileged ports alias?

                                    • NollipfSense @stephenw10

                                      @stephenw10 said in No Internet Access from LAN:

                                      What's in the privileged ports alias?

                                      TCP ports 1 - 1024....so, I am not sure why I didn't think of it earlier but I restored my last good, workable backups...all is back as normal.

                                      That implied that somehow my configuration got corrupted with that IPv6 RA, since despite the separation, both networks are connected to the same modem.

                                      • NollipfSense @johnpoz

                                        @johnpoz said in No Internet Access from LAN:

                                        why would you have bogon on your lan side network.. If pfsense didn't pull out rfc1918 that would prevent everything from working..

                                        I had just switched that on before I took that picture trying to diagnose but appreciate the link for knowledge as I was not as well-informed on that.

                                        • stephenw10 Netgate Administrator

                                          Nothing some other RA are sending could change the config in pfSense. Nor would it affect anything for IPv4. It could potentially redirect clients using IPv6 to a different router.

                                          • johnpoz LAYER 8 Global Moderator @NollipfSense

                                            @NollipfSense yeah with Steve - there is nothing your RA could do that would have any effect on IPv4 traffic..

                                            Now a non functioning IPv6 network that the client thinks should be working can cause problems when the client doesn't like to switch over to IPv4, or is delayed in switching..

                                            To be honest, unless you are fully ready for all the changes that IPv6 brings - it really is just easier not to use it.. There are many things that change with IPv6 compared to IPv4, and then the dual stack that is required to actually use the internet brings its own problems..

                                            I have been using IPv6 for prob going on 13 years.. And I feel I am fairly up to speed on its use and even troubleshooting it, etc. But to be honest I have not found an actual valid need for it.. So as anyone should do in running a network - KISS.. Over complicating your network for no or little benefit is never a good choice..

                                            If you want to learn and experiment with IPv6 - great all for it.. But I would limit it to your lab network, or one segment where you play.. Trying to use it for your production/every day use devices - can and will bring its own pain.
