Pfsense has connection, connected machines don't



  • Running pfsense 2.0RC3, using the basic settings provided by default (with the exception of the DHCP range).

    I have followed the setup instructions provided in the Pfsense Guide book and computers connected obtain a DHCP license and know the gateway to use….but have no usable internet connection. When attempting a ping out the IP will be found but all the attempts to ping will time out. The router install itself has full access (I tested pinging as well as package installation to verify).

    Any help appreciated, I am new to pfsense so if there is a particular log I should be including, please let me know what to post



  • You probably shouldn't have a gateway on your LAN interface and even if you think you should, the gateway IP address shouldn't be the IP address of the LAN interface.



  • So what should the gateway be? This was the default when clicking in to create a gateway and seemed to be what is indicated in the guide. What IP should be in use here?



  • Use none, pfsense will send the correct one
    and don't send your public IPs to others to view



  • I set it to blank (dynamic) and it's sending the same gateway as I had chosen - 192.168.0.1

    So am I missing something here? I have the same problem as before, with pfsense having net and nobody else having access. Are there any other areas I should look at?



  • Is your pfSense machine connected between the ISP and the other computers? Is it the only DHCP server on your LAN? Do you have different IP subnets for the LAN and WAN interfaces?



  • Yes, my modem is connected to the pfsense machine (the pfsense machine has full ability to get on the net, I can download packages and ping quite happily from it). There is no other DHCP server on the network and when testing my computer gets its DHCP license from the pfsense install.

    As for the IP subnets, the LAN connection has a subnet mask of 255.255.255.0 (IP range is 192.168.0.X) and the WAN connection has a mask of 255.255.255.224.



  • When it gets the lease I assume the default gateway is the LAN IP of the pfSense host? What are your LAN interface rules (screenshot please)?



  • @Cry:

    When it gets the lease I assume the default gateway is the LAN IP of the pfSense host? What are your LAN interface rules (screenshot please)?

    Correct.

    Here are the rules (just what comes default with pfSense)



  • Can you provide the output of the following commands, run on a client, please:

    netstat -nr
    ipconfig/all (Windows)
    ifconfig (Linux)



  • Linux machine is my roommate's (he's asleep) so here are the other two for now:

    Of course, pfsense now seems to be failing at having an internet connection (can't fetch packages anymore) so I'm really not sure what to do with that…I'm really on the verge of just entirely giving up on this, it seems like pfsense is just way too fraught with difficulties to be a reliable and workable solution.

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : Haven
      Primary Dns Suffix  . . . . . . . :
      Node Type . . . . . . . . . . . . : Hybrid
      IP Routing Enabled. . . . . . . . : No
      WINS Proxy Enabled. . . . . . . . : No
      DNS Suffix Search List. . . . . . : localdomain

    Ethernet adapter Hamachi:

    Connection-specific DNS Suffix  . :
      Description . . . . . . . . . . . : Hamachi Network Interface
      Physical Address. . . . . . . . . : 7A-79-05-AD-26-C8
      DHCP Enabled. . . . . . . . . . . : Yes
      Autoconfiguration Enabled . . . . : Yes
      IPv6 Address. . . . . . . . . . . : 2620:9b::5ad:26c8(Preferred)
      Link-local IPv6 Address . . . . . : fe80::dc58:7679:2740:c607%17(Preferred)
      IPv4 Address. . . . . . . . . . . : 5.173.38.200(Preferred)
      Subnet Mask . . . . . . . . . . . : 255.0.0.0
      Lease Obtained. . . . . . . . . . : Sunday, August 21, 2011 11:05:28 PM
      Lease Expires . . . . . . . . . . : Tuesday, August 28, 2012 12:00:37 PM
      Default Gateway . . . . . . . . . : 5.0.0.1
      DHCP Server . . . . . . . . . . . : 5.0.0.1
      DHCPv6 IAID . . . . . . . . . . . : 461011280
      DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-1E-AA-09-00-E0-4D-30-6E-C5
      DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                          fec0:0:0:ffff::2%1
                                          fec0:0:0:ffff::3%1
      NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter LAN:

    Connection-specific DNS Suffix  . :
      Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.20) #2
      Physical Address. . . . . . . . . : 00-22-68-52-60-30
      DHCP Enabled. . . . . . . . . . . : Yes
      Autoconfiguration Enabled . . . . : Yes
      Link-local IPv6 Address . . . . . : fe80::8d5b:aa78:b99b:a5d8%14(Preferred)
      Autoconfiguration IPv4 Address. . : 169.254.165.216(Preferred)
      Subnet Mask . . . . . . . . . . . : 255.255.0.0
      Default Gateway . . . . . . . . . :
      DHCPv6 IAID . . . . . . . . . . . : 369107560
      DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-1E-AA-09-00-E0-4D-30-6E-C5
      DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                          fec0:0:0:ffff::2%1
                                          fec0:0:0:ffff::3%1
      NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter Main LAN:

    Connection-specific DNS Suffix  . : localdomain
      Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
      Physical Address. . . . . . . . . : 00-22-68-52-60-31
      DHCP Enabled. . . . . . . . . . . : Yes
      Autoconfiguration Enabled . . . . : Yes
      Link-local IPv6 Address . . . . . : fe80::49b5:87db:9135:c98c%12(Preferred)
      IPv4 Address. . . . . . . . . . . : 192.168.0.12(Preferred)
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Lease Obtained. . . . . . . . . . : Sunday, September 11, 2011 5:03:02 PM
      Lease Expires . . . . . . . . . . : Sunday, September 11, 2011 7:03:02 PM
      Default Gateway . . . . . . . . . : 192.168.0.1
      DHCP Server . . . . . . . . . . . : 192.168.0.1
      DHCPv6 IAID . . . . . . . . . . . : 301998696
      DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-1E-AA-09-00-E0-4D-30-6E-C5
      DNS Servers . . . . . . . . . . . : 192.168.0.1
      NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{081DC9D6-E9E6-4B17-9CF9-B34A2A44C4E1}:

    Media State . . . . . . . . . . . : Media disconnected
      Connection-specific DNS Suffix  . :
      Description . . . . . . . . . . . : Microsoft ISATAP Adapter
      Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
      DHCP Enabled. . . . . . . . . . . : No
      Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.{8B40E108-B359-4CA9-8759-DC29D76BD9BE}:

    Media State . . . . . . . . . . . : Media disconnected
      Connection-specific DNS Suffix  . :
      Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
      Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
      DHCP Enabled. . . . . . . . . . . : No
      Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.localdomain:

    Media State . . . . . . . . . . . : Media disconnected
      Connection-specific DNS Suffix  . : localdomain
      Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
      Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
      DHCP Enabled. . . . . . . . . . . : No
      Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 9:

    Connection-specific DNS Suffix  . :
      Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
      Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
      DHCP Enabled. . . . . . . . . . . : No
      Autoconfiguration Enabled . . . . : Yes
      IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:1054:3e6c:3f57:fff3(Preferred)
      Link-local IPv6 Address . . . . . : fe80::1054:3e6c:3f57:fff3%16(Preferred)
      Default Gateway . . . . . . . . . :
      NetBIOS over Tcpip. . . . . . . . : Disabled

    And netstat:

    ===========================================================================
    Interface List
    17...7a 79 05 ad 26 c8 ......Hamachi Network Interface
    12...00 22 68 52 60 31 ......Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
      1...........................Software Loopback Interface 1
    11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
    13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
    16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface

    IPv4 Route Table

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0          5.0.0.1    5.173.38.200  9256
              0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.12    10
              5.0.0.0        255.0.0.0        On-link      5.173.38.200  9256
        5.173.38.200  255.255.255.255        On-link      5.173.38.200  9256
        5.255.255.255  255.255.255.255        On-link      5.173.38.200  9256
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
          192.168.0.0    255.255.255.0        On-link      192.168.0.12    266
        192.168.0.12  255.255.255.255        On-link      192.168.0.12    266
        192.168.0.255  255.255.255.255        On-link      192.168.0.12    266
            224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
            224.0.0.0        240.0.0.0        On-link      192.168.0.12    266
            224.0.0.0        240.0.0.0        On-link      5.173.38.200  9256
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
      255.255.255.255  255.255.255.255        On-link      192.168.0.12    266
      255.255.255.255  255.255.255.255        On-link      5.173.38.200  9256

    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0          5.0.0.1  Default

    IPv6 Route Table

    Active Routes:
    If Metric Network Destination      Gateway
      1    306 ::1/128                  On-link
    16    58 2001::/32                On-link
    16    306 2001:0:4137:9e76:870:c3d:3f57:fff3/128
                                        On-link
    17    276 2620:9b::/96            On-link
    17    276 2620:9b::5ad:26c8/128    On-link
    12    266 fe80::/64                On-link
    17    276 fe80::/64                On-link
    16    306 fe80::/64                On-link
    16    306 fe80::870:c3d:3f57:fff3/128
                                        On-link
    12    266 fe80::49b5:87db:9135:c98c/128
                                        On-link
    17    276 fe80::dc58:7679:2740:c607/128
                                        On-link
      1    306 ff00::/8                On-link
    16    306 ff00::/8                On-link
    12    266 ff00::/8                On-link
    17    276 ff00::/8                On-link

    Persistent Routes:
    If Metric Network Destination      Gateway
      0 4294967295 2620:9b::/96            On-link



  • You've got 2 default gateways there - your LAN and Hamachi. Try disabling Hamachi and try again.



  • @No1451:

    Of course, pfsense now seems to be failing at having an internet connection (can't fetch packages anymore) so I'm really not sure what to do with that…I'm really on the verge of just entirely giving up on this,

    Please provide more details of the package fetch failure: what package? What was reported? etc There has been some discussion in the forums in the last few weeks about problems downloading packages.

    Lots of people have found pfSense a very effective firewall. If you want to use it effectively you need to make some investment in learning to use it, especially when you connect equipment with "non standard" configurations.



  • @wallabybob:

    @No1451:

    Of course, pfsense now seems to be failing at having an internet connection (can't fetch packages anymore) so I'm really not sure what to do with that…I'm really on the verge of just entirely giving up on this,

    Please provide more details of the package fetch failure: what package? What was reported? etc There has been some discussion in the forums in the last few weeks about problems downloading packages.

    Lots of people have found pfSense a very effective firewall. If you want to use it effectively you need to make some investment in learning to use it, especially when you connect equipment with "non standard" configurations.

    I've attempted to learn it, I have done everything to the letter of the pfsense book….and yet it doesn't work. There is nothing non-standard about my self, I have a few machines connected and trying to hit the internet through pfsense, that seems like a fairly basic setup. My aim was to do the bare minimum with it before trying to add extra flash on top.

    I've removed the Hamachi connection, my machine can still do DNS lookups but can't ping or load webpages.



  • Please, again, provide the output of netstat -rn



  • ===========================================================================
    Interface List
    12...00 22 68 52 60 31 ......Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
      1...........................Software Loopback Interface 1
    11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
    16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface

    IPv4 Route Table

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.10    10
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
          192.168.0.0    255.255.255.0        On-link      192.168.0.10    266
        192.168.0.10  255.255.255.255        On-link      192.168.0.10    266
        192.168.0.255  255.255.255.255        On-link      192.168.0.10    266
            224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
            224.0.0.0        240.0.0.0        On-link      192.168.0.10    266
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
      255.255.255.255  255.255.255.255        On-link      192.168.0.10    266

    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0          5.0.0.1  Default

    IPv6 Route Table

    Active Routes:
    If Metric Network Destination      Gateway
    16    58 ::/0                    On-link
      1    306 ::1/128                  On-link
    16    58 2001::/32                On-link
    16    306 2001:0:4137:9e76:2043:34f1:3f57:fff5/128
                                        On-link
    12    266 fe80::/64                On-link
    16    306 fe80::/64                On-link
    16    306 fe80::2043:34f1:3f57:fff5/128
                                        On-link
    12    266 fe80::49b5:87db:9135:c98c/128
                                        On-link
      1    306 ff00::/8                On-link
    16    306 ff00::/8                On-link
    12    266 ff00::/8                On-link

    Persistent Routes:
    If Metric Network Destination      Gateway
      0 4294967295 2620:9b::/96            On-link



  • You still have a persistent route left that you need to remove. As Administrator you need to run:

    route delete 0.0.0.0 mask 0.0.0.0 5.0.0.1
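
The two things the helpers read off the posted `netstat -nr` output by eye (more than one IPv4 default route, and a persistent default route whose adapter is gone) can be checked with a short script. This is an added example, not part of any post in the thread; the function names are hypothetical and the sample input is abridged from the first output posted above.

```python
import ipaddress
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Active rows: destination, netmask, gateway (or On-link), interface, metric.
ACTIVE_RE = re.compile(rf"^\s*({IP})\s+({IP})\s+({IP}|On-link)\s+({IP})\s+(\d+)\s*$")
# Persistent rows have no interface column and may show the metric as "Default".
PERSISTENT_RE = re.compile(rf"^\s*({IP})\s+({IP})\s+({IP})\s+(?:\d+|Default)\s*$")

# Abridged from the first `netstat -nr` output posted in the thread.
SAMPLE_WITH_HAMACHI = """\
IPv4 Route Table
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0          5.0.0.1    5.173.38.200   9256
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.12     10
          5.0.0.0        255.0.0.0          On-link    5.173.38.200   9256
      192.168.0.0    255.255.255.0          On-link    192.168.0.12    266
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0          5.0.0.1  Default
IPv6 Route Table
"""


def parse_ipv4_routes(text):
    """Return (active, persistent) route lists from the IPv4 part of the output."""
    active, persistent, section = [], [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("IPv6 Route Table"):
            break  # the IPv6 tables follow; this example audits IPv4 only
        if stripped.startswith("Active Routes"):
            section = "active"
        elif stripped.startswith("Persistent Routes"):
            section = "persistent"
        elif section == "active" and (m := ACTIVE_RE.match(line)):
            dest, mask, gateway, _iface, metric = m.groups()
            active.append({"net": ipaddress.ip_network(f"{dest}/{mask}"),
                           "gateway": gateway, "metric": int(metric)})
        elif section == "persistent" and (m := PERSISTENT_RE.match(line)):
            dest, mask, gateway = m.groups()
            persistent.append({"net": ipaddress.ip_network(f"{dest}/{mask}"),
                               "gateway": gateway})
    return active, persistent


def audit_default_routes(text):
    """Summarise IPv4 default routes and flag persistent ones that cannot be reached."""
    active, persistent = parse_ipv4_routes(text)
    defaults = sorted((r for r in active if r["net"].prefixlen == 0),
                      key=lambda r: r["metric"])
    on_link = [r["net"] for r in active if r["gateway"] == "On-link"]
    persistent_defaults = [p["gateway"] for p in persistent if p["net"].prefixlen == 0]
    # A persistent default route is stale when no directly connected network
    # contains its gateway, e.g. after the adapter that owned it was removed.
    stale = [gw for gw in persistent_defaults
             if not any(ipaddress.ip_address(gw) in net for net in on_link)]
    return {
        "default_gateways": [r["gateway"] for r in defaults],  # lowest metric first
        "competing_defaults": len(defaults) > 1,
        "persistent_defaults": persistent_defaults,
        "stale_persistent_defaults": stale,
    }


if __name__ == "__main__":
    print(audit_default_routes(SAMPLE_WITH_HAMACHI))
```
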



  • Worked, no dice



  • netstat -rn again please



  • ===========================================================================
    Interface List
    12...00 22 68 52 60 31 ......Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
      1...........................Software Loopback Interface 1
    11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
    16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface

    IPv4 Route Table

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.10    10
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
          192.168.0.0    255.255.255.0        On-link      192.168.0.10    266
        192.168.0.10  255.255.255.255        On-link      192.168.0.10    266
        192.168.0.255  255.255.255.255        On-link      192.168.0.10    266
            224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
            224.0.0.0        240.0.0.0        On-link      192.168.0.10    266
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
      255.255.255.255  255.255.255.255        On-link      192.168.0.10    266

    Persistent Routes:
      None

    IPv6 Route Table

    Active Routes:
    If Metric Network Destination      Gateway
    16    58 ::/0                    On-link
      1    306 ::1/128                  On-link
    16    58 2001::/32                On-link
    16    306 2001:0:4137:9e76:3813:1f87:3f57:fff5/128
                                        On-link
    12    266 fe80::/64                On-link
    16    306 fe80::/64                On-link
    16    306 fe80::3813:1f87:3f57:fff5/128
                                        On-link
    12    266 fe80::49b5:87db:9135:c98c/128
                                        On-link
      1    306 ff00::/8                On-link
    16    306 ff00::/8                On-link
    12    266 ff00::/8                On-link

    Persistent Routes:
    If Metric Network Destination      Gateway
      0 4294967295 2620:9b::/96            On-link



  • From a computer inside the network please post the output of:

    tracert -d 8.8.8.8 (Windows)
    traceroute -n 8.8.8.8 (Linux)

    Please also post a screenshot of the LAN rules.



  • Tracing route to 8.8.8.8 over a maximum of 30 hops

    1    <1 ms    <1 ms    <1 ms  192.168.0.1
      2    *        *        *    Request timed out.
      3    *        *        *    Request timed out.
      4    *        *        *    Request timed out.
      5    *        *        *    Request timed out.
      6    *        *        *    Request timed out.
      7    *        *        *    Request timed out.
      8    *        *        *    Request timed out.
      9    *        *        *    Request timed out.
    10    *        *        *    Request timed out.
    11    *        *        *    Request timed out.
    12    *        *        *    Request timed out.
    13    *        *        *    Request timed out.
    14    *        *        *    Request timed out.
    15    *        *        *    Request timed out.
    16    *        *        *    Request timed out.
    17    *        *        *    Request timed out.
    18    *        *        *    Request timed out.
    19    *        *        *    Request timed out.
    20    *        *        *    Request timed out.
    21    *        *        *    Request timed out.
    22    *        *        *    Request timed out.
    23    *        *        *    Request timed out.
    24    *        *        *    Request timed out.
    25    *        *        *    Request timed out.
    26    *        *        *    Request timed out.
    27    *        *        *    Request timed out.
    28    *        *        *    Request timed out.
    29    *        *        *    Request timed out.
    30    *        *        *    Request timed out.

    Trace complete.



  • The most likely thing is that you have something on the Windows clients that is interfering (a software firewall or some other package).

    Can you try booting into a Linux live CD (such as Ubuntu) and see if you get the same result?



  • Just tested using my laptop (OS X) and the result was the same. Roommate's laptop (Joli OS) has same result.



  • @No1451:

    Just tested using my laptop (OS X) and the result was the same. Roommate's laptop (Joli OS) has same result.

    I presume you mean that on both machines a traceroute 8.8.8.8 displayed @No1451:

    Tracing route to 8.8.8.8 over a maximum of 30 hops

    1    <1 ms    <1 ms    <1 ms  192.168.0.1
     2     *        *        *     Request timed out.
     3     *        *        *     Request timed out.
    . . .

    I would check the traceroute (or ping 8.8.8.8 ) is really arriving on the pfSense LAN interface. (Perhaps you have another system on your LAN with IP address 192.168.0.1)



  • @wallabybob:

    (Perhaps you have another system on your LAN with IP address 192.168.0.1)

    That's one thing that came to mind. Another, maybe LAN and WAN are on the same subnet, which of course won't work.

    Attaching the full config backup would at least show us whether your config is sane.



  • @wallabybob:

    @No1451:

    Just tested using my laptop (OS X) and the result was the same. Roommate's laptop (Joli OS) has same result.

    I presume you mean that on both machines a traceroute 8.8.8.8 displayed @No1451:

    Tracing route to 8.8.8.8 over a maximum of 30 hops

    1    <1 ms    <1 ms    <1 ms  192.168.0.1
     2     *        *        *     Request timed out.
     3     *        *        *     Request timed out.
    . . .

    I would check the traceroute (or ping 8.8.8.8 ) is really arriving on the pfSense LAN interface. (Perhaps you have another system on your LAN with IP address 192.168.0.1)

    That is what I meant, yes. I have nothing else on the network with the same IP (and I have tried alternative IPs as well to rule that out as a possibility). When running a ping/traceroute there wasn't any reported activity in the log (I was watching firewall).

    I'm fairly certain that WAN and LAN are on separate subnets, LAN is on /24 and WAN is entirely handled by DHCP.

    My config file: http://dl.dropbox.com/u/9118076/config-pfSense.localdomain-20111010144530.xml



  • Your laptops apparently are using 192.168.0.1 as their gateway. The pfSense LAN interface IP address in the configuration file is 192.168.0.2.

    What has IP address 192.168.0.1 and why are your clients routing through it?

    @No1451:

    I'm fairly certain that WAN and LAN are on separate subnets, LAN is on /24 and WAN is entirely handled by DHCP.

    ?
    WAN having its IP address assigned by DHCP is not sufficient to guarantee it will get an IP address in a different subnet from the subnet you have assigned to LAN.

    I don't recall you mentioning what you have upstream of the WAN interface.  Lots of small routers/modems use 192.168.0.0/24 as their LAN so one of them would assign your WAN interface an IP address on 192.168.0.0/24 which is the same subnet as your LAN. I suggest you check your WAN IP address (Status -> Interfaces) and report it here. If there is a conflict with your LAN subnet I suggest you move your LAN subnet to 192.168.251.0/24 (or something else well away from 192.168.0.0/24) and adjust the DHCP range on the LAN interface accordingly, restart pfSense, connect a client, cold start (fresh start, not 'resume from suspend' or the like) the client (to ensure you completely refresh its network configuration) and then test.
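
The addressing questions raised in the post above (does the WAN lease land in the LAN subnet, does the DHCP range still fit after the LAN is renumbered, and is the gateway clients use really the firewall's LAN address) can be checked together. This is an added example, not part of the thread; `check_addressing` and its finding labels are hypothetical, and the WAN addresses and DHCP ranges used with it are constructed.

```python
import ipaddress


def check_addressing(lan_if, wan_if, dhcp_range, client_gateway):
    """Sanity-check a two-interface firewall's addressing plan.

    lan_if, wan_if  -- 'address/mask' of the firewall's LAN and WAN interfaces
    dhcp_range      -- (first, last) address handed out on the LAN
    client_gateway  -- default gateway a LAN client reports (ipconfig /all)
    Returns a list of finding labels; an empty list means nothing was flagged.
    """
    lan = ipaddress.ip_interface(lan_if)
    wan = ipaddress.ip_interface(wan_if)
    first, last = (ipaddress.ip_address(a) for a in dhcp_range)
    gateway = ipaddress.ip_address(client_gateway)
    findings = []

    # Same subnet on both sides: the firewall cannot tell which interface
    # a destination lives behind, so forwarding breaks.
    if lan.network.overlaps(wan.network):
        findings.append("lan-wan-overlap")

    # After renumbering the LAN, the DHCP pool has to move with it.
    if first not in lan.network or last not in lan.network:
        findings.append("dhcp-range-outside-lan")
    elif first <= lan.ip <= last:
        findings.append("dhcp-range-contains-firewall")

    # Clients must be told to route through the firewall's own LAN address.
    if gateway not in lan.network:
        findings.append("gateway-outside-lan")
    elif gateway != lan.ip:
        findings.append("gateway-is-not-firewall")

    return findings


if __name__ == "__main__":
    # LAN address and client gateway as reported in the thread; the WAN address
    # and DHCP range are constructed (only the WAN mask appears in the thread).
    print(check_addressing("192.168.0.2/255.255.255.0",
                           "203.0.113.10/255.255.255.224",
                           ("192.168.0.10", "192.168.0.100"),
                           "192.168.0.1"))
```
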



  • It being on 192.168.0.2 was due to a test (to see if there may be something that wasn't showing up on 192.168.0.1 that was conflicting).

    24.52.224.193 is the gateway listed under Status -> Interfaces for WAN.

    Should it normally be this hard to get pfsense set up to do something as basic as normal router functionality?



  • @No1451:

    Should it normally be this hard to get pfsense set up to do something as basic as normal router functionality?

    Are you referring to the length of time from your first post to now and that you still don't have it working? I'm sure it didn't take me anything like that long to get my first pfSense configuration working.

    Some things haven't helped. Sometimes there have been long intervals between someone asking for information and you replying. There are probably good reasons for that. I'm just saying those intervals haven't helped.

    I asked for the WAN IP address but instead you gave me the IP address of the WAN gateway. Please provide the IP address of the pfSense WAN interface.

    I noticed your configuration file still has a gateway on the LAN. This appears unnecessary. The configuration file of my production pfSense has two gateways on the LAN but these correspond to actual gateways for "downstream" networks. The configuration file for my test pfSense has no gateways on LAN and it works fine.  I don't know if removing your unnecessary gateway definition will help but in the interests of making the configuration as simple as possible please delete the LANGW gateway through the web GUI, confirm it has gone from the configuration file, reboot pfSense to ensure the running firewall has no hint of the LANGW and retest.



  • Well damn, that was a ridiculously simple fix. Thanks



  • What was the ridiculously simple fix? There were a number of configuration problems.



  • May I make an assumption? DHCP was serving the .1 address as gateway and pfsense was .2?

