TTL exceeded



  • pfsense 2.0

    lan–-pfsense---modem---net
              |
             wifi(rosewill card in pfsense)

    Default NAT rules.
    Default LAN rules.
    WLAN rules: added an ANY rule like the default one from LAN (neither internal nor external DNS queries worked until this was added, makes sense).
    RFC1918 blocking turned off on LAN and WLAN.
    Tried with BOGONS off though it should not matter.
    Tested a lower MTU on WAN interface as modem wants 1400.

    From LAN client:
    -DNS queries work, pfsense gui works, ssh to pfsense works, pings to pfsense work, etc.
    -DNS to external dns servers seems to work (ie: dig @externaldns)
    -Everything else fails.

    *Pings return a time to live exceeded error.
    *telnet to port 80

    
    18:17:32.001648 IP 192.168.7.177.44936 > 72.14.204.105.http: Flags [S], seq 1869472157, win 5840, options [mss 1460,sackOK,TS val 28314908 ecr 0,nop,wscale 6], length 0
    18:17:32.004295 IP 192.168.7.254 > 192.168.7.177: ICMP time exceeded in-transit, length 68
    
    From WLAN client:
    -Same as above.
    
    From a shell locally on firewall:
    -Same as above.
    
    I cannot for the life of me figure out what is going on here. Anyone seen this sort of scenario and/or can clue my clueless self in?
    
    Thanks!
    


  • Traceroute client:

    [foo@bar]> traceroute www.google.com
    traceroute to www.google.com (72.14.204.147), 30 hops max, 60 byte packets
    1  ares.local (192.168.7.254)  0.359 ms  0.544 ms  0.445 ms
    2  ares.local (192.168.7.254)  0.687 ms  2.134 ms  2.180 ms
    3  ares.local (192.168.7.254)  2.537 ms  2.810 ms  2.715 ms
    4  ares.local (192.168.7.254)  2.957 ms  3.194 ms  3.099 ms

    28  ares.local (192.168.7.254)  6.358 ms  6.561 ms  6.408 ms
    29  ares.local (192.168.7.254)  6.244 ms  6.409 ms  6.608 ms
    30  ares.local (192.168.7.254)  6.454 ms  6.659 ms  6.504 ms

    Traceroute pfsense locally:
    Same as above but out to 64 and "localhost" vs "ares.local". IP and ms changed of course.



  • You've somehow created a routing loop. Did you create any static routing rules?



  • That's actually what it looks like to me, but no. I created no routes manually whatsoever. The setup is effectively default. That is, other than those simple firewall rules I added to the wifi interface, everything is set up based on what pfsense automatically generates.

    Bit more info:

    vr0 = lan
    vr1 = wan

    192.168.7.x -> 192.168.7.254(pfsense)192.168.15.3 -> 192.168.15.1(modem)NET

    
    [2.0-RELEASE][root@ares.local]/root(2): ping www.google.com
    PING www.l.google.com (72.14.204.104): 56 data bytes
    36 bytes from localhost (127.0.0.1): Time to live exceeded
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  00 5400 0983   0 0000  01  01 d309 192.168.7.254  72.14.204.104 
    
    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            192.168.7.254      UGS         0    31623    vr0
    63.251.62.33       192.168.15.1       UGHS        0       15    vr1
    127.0.0.1          link#4             UH          0      870    lo0
    192.168.7.0/24     link#1             U           0    11361    vr0
    192.168.7.254      link#1             UHS         0    57819    lo0
    192.168.15.0/24    link#2             U           0      307    vr1
    192.168.15.3       link#2             UHS         0        0    lo0
    192.168.241.192/26 link#8             U           0        0 ral0_w
    192.168.241.254    link#8             UHS         0    57376    lo0
    204.74.97.104      192.168.15.1       UGHS        0       15    vr1
    
    


  • UG!  :-[  I found the problem. Apparently some time ago, when I first attempted the wireless setup, I created a "Gateway" under Routing. I'm not entirely sure why this impacted everything, but in the GUI it was shown as:

    name wlan1  192.168.7.254 192.168.7.254

    I'd have thought that would only impact the wlan1 interface. Regardless, a typical case of PEBCAK. Upon removal of that gateway all my problems vanished.

    Sorry for the run around, sincerely.
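    The routing table posted earlier in this thread shows the loop directly: the default route's gateway (192.168.7.254) is one of the firewall's own addresses, on vr0 (LAN) rather than out vr1 (WAN), so every Internet-bound packet is handed back to the local stack until its TTL reaches zero, which is exactly the "time exceeded" from 192.168.7.254 that the client saw. The script below is an added example, not pfsense code or anything from this thread: it parses FreeBSD `netstat -rn` output and flags any default route whose gateway is a local interface address. The broken table is the one posted above; the "fixed" table (default via the modem at 192.168.15.1 on vr1) is an assumption about what the corrected routing looks like.

```python
"""Detect a self-referential default route in FreeBSD/pfSense `netstat -rn` output.
Example added for this thread; not pfsense's own code."""

# Constructed sample: the IPv4 routing table as posted in the thread, with the
# bogus LAN "Gateway" still configured.
NETSTAT_BROKEN = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.7.254      UGS         0    31623    vr0
63.251.62.33       192.168.15.1       UGHS        0       15    vr1
127.0.0.1          link#4             UH          0      870    lo0
192.168.7.0/24     link#1             U           0    11361    vr0
192.168.7.254      link#1             UHS         0    57819    lo0
192.168.15.0/24    link#2             U           0      307    vr1
192.168.15.3       link#2             UHS         0        0    lo0
192.168.241.192/26 link#8             U           0        0 ral0_w
192.168.241.254    link#8             UHS         0    57376    lo0
204.74.97.104      192.168.15.1       UGHS        0       15    vr1
"""

# Assumption (not from the thread): after the gateway is deleted the default
# route should point at the modem on the WAN interface.
NETSTAT_FIXED = NETSTAT_BROKEN.replace(
    "default            192.168.7.254      UGS         0    31623    vr0",
    "default            192.168.15.1       UGS         0    31623    vr1",
)


def parse_routes(text):
    """Turn netstat -rn lines into dicts; header and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Destination":
            continue
        routes.append(
            {"dest": parts[0], "gw": parts[1], "flags": parts[2], "netif": parts[5]}
        )
    return routes


def local_addresses(routes):
    """FreeBSD installs a host route (H flag) via lo0 for every address configured
    on the box, so those entries are the firewall's own interface addresses."""
    return {
        r["dest"]
        for r in routes
        if r["netif"] == "lo0" and "H" in r["flags"] and r["dest"] != "127.0.0.1"
    }


def find_self_routed_defaults(text):
    """Return a description for each default route whose gateway is a local address.
    Such a route sends Internet-bound traffic back into the host's own stack,
    which loops until the TTL expires (ICMP time exceeded from the firewall)."""
    routes = parse_routes(text)
    own = local_addresses(routes)
    problems = []
    for r in routes:
        if r["dest"] == "default" and r["gw"] in own:
            problems.append(
                f"default route via local address {r['gw']} on {r['netif']}: "
                "traffic loops inside the host until TTL reaches 0"
            )
    return problems


if __name__ == "__main__":
    for label, table in (("broken", NETSTAT_BROKEN), ("fixed", NETSTAT_FIXED)):
        print(label, find_self_routed_defaults(table) or ["ok"])
```

    The check only looks at the `default` entry; the same self-gateway test applied to every `G`-flagged route would also catch a static route that was saved with the firewall's own LAN address as its gateway.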

