TTL exceeded

  • pfsense 2.0

             wifi(rosewill card in pfsense)

    Default NAT rules.
    Default LAN rules.
    WLAN rules: added an ANY rule like the default one from LAN (neither internal nor external DNS queries worked until this was added, which makes sense).
    RFC1918 blocking turned off on LAN and WLAN.
    Tried with BOGONS off though it should not matter.
    Tested a lower MTU on WAN interface as modem wants 1400.

    From LAN client:
    -DNS queries work, pfsense gui works, ssh to pfsense works, pings to pfsense work, etc.
    -DNS to external dns servers seems to work (ie: dig @externaldns)
    -Everything else fails.

    *Pings return a time to live exceeded error.
    *telnet to port 80

    18:17:32.001648 IP > Flags [s], seq 1869472157, win 5840, options [mss 1460,sackOK,TS val 28314908 ecr 0,nop,wscale 6], length 0
    18:17:32.004295 IP > ICMP time exceeded in-transit, length 68
    From WLAN client:
    -Same as above.
    From a shell locally on firewall:
    -Same as above.
    I cannot for the life of me figure out what is going on here. Anyone seen this sort of scenario and/or can clue my clueless self in?

  • Traceroute client:

    [foo@bar]> traceroute
    traceroute to (, 30 hops max, 60 byte packets
    1  ares.local (  0.359 ms  0.544 ms  0.445 ms
    2  ares.local (  0.687 ms  2.134 ms  2.180 ms
    3  ares.local (  2.537 ms  2.810 ms  2.715 ms
    4  ares.local (  2.957 ms  3.194 ms  3.099 ms

    28  ares.local (  6.358 ms  6.561 ms  6.408 ms
    29  ares.local (  6.244 ms  6.409 ms  6.608 ms
    30  ares.local (  6.454 ms  6.659 ms  6.504 ms

    Traceroute pfsense locally:
    Same as above but out to 64 and "localhost" vs "ares.local". IP and ms changed of course.
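The traceroute above shows the classic signature of a routing loop: the same box answers at every TTL, and the trace never reaches its destination. The following script is an added example for this thread (not code from the original posts or from pfSense) that parses Linux-style traceroute output and flags that pattern automatically; the hostnames and addresses in its sample traces are constructed from the RFC 5737 documentation ranges.

```python
"""Detect a routing loop from traceroute output.

Added example for this thread; not code from the original posts or from
pfSense. It assumes Linux-style traceroute output such as

    traceroute to host (203.0.113.10), 30 hops max, 60 byte packets
     1  ares.local (192.0.2.1)  0.359 ms  0.544 ms  0.445 ms

The sample traces below are constructed; all addresses are from the
RFC 5737 documentation ranges.
"""
import re

# Header line: capture the destination address in parentheses.
HEADER_RE = re.compile(r"^traceroute to \S+ \(([^)]+)\)")
# Hop line: hop number, responding hostname, address in parentheses.
# Lines of the form " 5  * * *" (no reply) do not match and are skipped.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)")


def parse_destination(output):
    """Return the destination address from the header line, or None."""
    for line in output.splitlines():
        m = HEADER_RE.match(line)
        if m:
            return m.group(1)
    return None


def parse_hops(output):
    """Return a list of (hop_number, address) for every hop that replied."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(3)))
    return hops


def reached_destination(output):
    """True if the last replying hop is the destination named in the header."""
    dest = parse_destination(output)
    hops = parse_hops(output)
    return bool(dest and hops and hops[-1][1] == dest)


def detect_loop(output, min_repeats=3):
    """Return (True, address) if one router answers for `min_repeats` or more
    consecutive hops without the trace reaching its destination; otherwise
    (False, None).

    One address repeating at every TTL is the signature of a routing loop:
    the same box keeps forwarding the packet back toward itself and sends
    ICMP time exceeded each time the TTL runs out.
    """
    if reached_destination(output):
        return (False, None)
    run_addr, run_len = None, 0
    for _, addr in parse_hops(output):
        if addr == run_addr:
            run_len += 1
        else:
            run_addr, run_len = addr, 1
        if run_len >= min_repeats:
            return (True, addr)
    return (False, None)


# Constructed sample: the shape of the trace in the post above, where the
# firewall itself answers at every hop.
LOOPING_TRACE = """traceroute to example.test (203.0.113.10), 30 hops max, 60 byte packets
 1  ares.local (192.0.2.1)  0.359 ms  0.544 ms  0.445 ms
 2  ares.local (192.0.2.1)  0.687 ms  2.134 ms  2.180 ms
 3  ares.local (192.0.2.1)  2.537 ms  2.810 ms  2.715 ms
 4  ares.local (192.0.2.1)  2.957 ms  3.194 ms  3.099 ms
"""

# Constructed sample: a healthy trace that reaches its destination.
HEALTHY_TRACE = """traceroute to example.test (203.0.113.10), 30 hops max, 60 byte packets
 1  ares.local (192.0.2.1)  0.359 ms  0.544 ms  0.445 ms
 2  isp-gw.test (198.51.100.1)  5.102 ms  5.310 ms  5.044 ms
 3  * * *
 4  example.test (203.0.113.10)  9.811 ms  9.702 ms  9.903 ms
"""

if __name__ == "__main__":
    for name, trace in (("looping", LOOPING_TRACE), ("healthy", HEALTHY_TRACE)):
        loop, addr = detect_loop(trace)
        print(f"{name}: loop={loop} repeated_hop={addr} "
              f"reached={reached_destination(trace)}")
```

When the repeating hop is the first one, as in this thread, the loop lives on the firewall itself, which points at its default route or gateway configuration rather than at anything upstream.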

  • You've somehow created a routing loop. Did you create any static routing rules?

  • That's actually what it looks like to me, but no. I created no routes manually whatsoever. The setup is effectively default. That is, other than those simple firewall rules I added to the wifi interface, everything is set up based on what pfsense automatically generates.

    Bit more info:

    vr0 = lan
    vr1 = wan

    192.168.7.x -> ->

    [2.0-RELEASE][root@ares.local]/root(2): ping
    PING ( 56 data bytes
    36 bytes from localhost ( Time to live exceeded
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  00 5400 0983   0 0000  01  01 d309 
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default                               UGS         0    31623    vr0
                                          UGHS        0       15    vr1
                       link#4             UH          0      870    lo0
                       link#1             U           0    11361    vr0
                       link#1             UHS         0    57819    lo0
                       link#2             U           0      307    vr1
                       link#2             UHS         0        0    lo0
                       link#8             U           0        0 ral0_w
                       link#8             UHS         0    57376    lo0
                                          UGHS        0       15    vr1

  • UG!  :-[  I found the problem. Apparently, some time ago when I first attempted the wireless setup, I created a "Gateway" under Routing. I'm not entirely sure why this impacted everything, but in the GUI it was shown as:

    name wlan1

    I'd have thought that would only impact the wlan1 interface. Regardless, a typical case of PEBCAK. Upon removal of that gateway all my problems vanished.

    Sorry for the run around, sincerely.
