[SOLVED] Cannot connect to low number IP addresses, ARP request fails
-
How's that for a title?
I am attempting to bring our school's firewall over to 2.0 from 1.2.3. I am using 2.0-RC3 amd64. Our WAN interface is an em0, LAN bge0. I've installed the system three times and am stopped by the exact same issue: once a request, ping, anything is sent to an IP address that starts lower than 200, the packets disappear utterly. I can ping Yahoo's 209.191.122.70 IP, but it fails on 69.147.125.65 consistently with a Destination Host Unreachable message. This behavior seems consistent when accessing multiple sites.
I thought this may have been related to the mbufs issue http://forum.pfsense.org/index.php/topic,37754.0.html but netstat -m shows everything well within tolerances and nothing on the "mbufs denied" front. The MBUF counter on the splash page looked high (2267/2947). A dump during a failed connection shows:

21:26:27.088893 ARP, Request who-has 69.160.32.100 tell 66.xxx.xxx.xxx, length 28
21:26:28.090243 ARP, Request who-has 69.160.32.100 tell 66.xxx.xxx.xxx, length 28

and then nothing. This seems to be the main point of failure, but I am unsure as to the remedy.
If I am a fool and have missed something basic, please let me know. The installs are untweaked apart from altering the admin password and the firewall is simply a WAN/LAN config. Please let me know if more info is needed and I will provide.
-
Wrong WAN (or some interface) subnet mask somewhere? Sounds like what you would see if you had a /1 mask on WAN (which would imply half the Internet was locally reachable, which it of course isn't).
-
Further to cmb's reply

21:26:27.088893 ARP, Request who-has 69.160.32.100 tell 66.xxx.xxx.xxx, length 28
21:26:28.090243 ARP, Request who-has 69.160.32.100 tell 66.xxx.xxx.xxx, length 28

suggests something thinks 66.xxx.xxx.xxx and 69.160.32.100 are on the same subnet, which is most unlikely. A network mask most likely doesn't have enough bits.
-
Thank you for the replies. I will double check the settings tonight and report back when I have something.
-
Hand meet head. The WAN default subnet was 32. Switched it to 24, life is pure again. Thanks for the help, will attempt to not overlook the basics in the future. And drink more coffee…
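
The check the replies above apply by eye (an ARP request for an address that should be reached through the gateway), as an added example that is not part of the original thread. It assumes tcpdump ARP lines in the format quoted above; the sender address 66.1.2.3 and the intended prefix /24 on that address are constructed stand-ins for the redacted values.

```python
import ipaddress
import re

# Matches tcpdump ARP request lines in the format quoted in the thread.
ARP_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+?),")


def implied_max_prefix(a, b):
    """Longest prefix length under which two IPv4 addresses share a subnet."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - diff.bit_length()


def audit_arp(lines, iface):
    """Flag ARP requests whose target lies outside the intended network.

    iface is the intended address/prefix of the sending interface.
    Returns (target, sender, implied_max_prefix) for each suspicious request.
    """
    net = ipaddress.ip_interface(iface).network
    findings = []
    for line in lines:
        m = ARP_RE.search(line)
        if not m:
            continue
        target, sender = m.groups()
        try:
            t = ipaddress.IPv4Address(target)
            ipaddress.IPv4Address(sender)
        except ipaddress.AddressValueError:
            continue  # redacted or malformed address, e.g. 66.xxx.xxx.xxx
        if t not in net:
            # The sender ARPed for an off-subnet host instead of its gateway.
            findings.append((target, sender, implied_max_prefix(target, sender)))
    return findings


# Constructed sample: the thread's capture with a made-up sender address,
# plus one legitimate on-link request for comparison.
SAMPLE = [
    "21:26:27.088893 ARP, Request who-has 69.160.32.100 tell 66.1.2.3, length 28",
    "21:26:28.090243 ARP, Request who-has 69.160.32.100 tell 66.1.2.3, length 28",
    "21:26:30.000000 ARP, Request who-has 66.1.2.1 tell 66.1.2.3, length 28",
]

if __name__ == "__main__":
    for target, sender, prefix in audit_arp(SAMPLE, "66.1.2.3/24"):
        print(f"{sender} ARPed for off-subnet {target}: sender treats /{prefix} or shorter as on-link")
```

An implied prefix far shorter than the intended one means the sender considers a much wider range directly reachable than it should, which is the condition both replies describe.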