Netgate Discussion Forum
    TTL exceeded

Amarth

pfsense 2.0

lan---pfsense---modem---net
          |
         wifi (rosewill card in pfsense)

      Default NAT rules.
      Default LAN rules.
WLAN rules: added an ANY rule like the default one from LAN (neither internal nor external DNS queries worked until this was added, makes sense).
      RFC1918 blocking turned off on LAN and WLAN.
      Tried with BOGONS off though it should not matter.
      Tested a lower MTU on WAN interface as modem wants 1400.

      From LAN client:
      -DNS queries work, pfsense gui works, ssh to pfsense works, pings to pfsense work, etc.
-DNS to external dns servers seems to work (ie: dig @externaldns)
      -Everything else fails.

      *Pings return a time to live exceeded error.
      *telnet to port 80

      
18:17:32.001648 IP 192.168.7.177.44936 > 72.14.204.105.http: Flags [S], seq 1869472157, win 5840, options [mss 1460,sackOK,TS val 28314908 ecr 0,nop,wscale 6], length 0
      18:17:32.004295 IP 192.168.7.254 > 192.168.7.177: ICMP time exceeded in-transit, length 68
      
      From WLAN client:
      -Same as above.
      
      From a shell locally on firewall:
      -Same as above.
      
      I can not for the life of me figure out what is going on here. Anyone seen this sort of scenario and/or can clue my clueless self in?
      
Thanks!
      
Amarth

        Traceroute client:

        [foo@bar]> traceroute www.google.com
        traceroute to www.google.com (72.14.204.147), 30 hops max, 60 byte packets
        1  ares.local (192.168.7.254)  0.359 ms  0.544 ms  0.445 ms
        2  ares.local (192.168.7.254)  0.687 ms  2.134 ms  2.180 ms
        3  ares.local (192.168.7.254)  2.537 ms  2.810 ms  2.715 ms
        4  ares.local (192.168.7.254)  2.957 ms  3.194 ms  3.099 ms
        …
        28  ares.local (192.168.7.254)  6.358 ms  6.561 ms  6.408 ms
        29  ares.local (192.168.7.254)  6.244 ms  6.409 ms  6.608 ms
        30  ares.local (192.168.7.254)  6.454 ms  6.659 ms  6.504 ms

        Traceroute pfsense locally:
        Same as above but out to 64 and "localhost" vs "ares.local". IP and ms changed of course.

Cry Havok

          You've somehow created a routing loop. Did you create any static routing rules?

Amarth

That's actually what it looks like to me, but no. I created no routes manually whatsoever. The setup is effectively default. That is, other than those simple firewall rules I added to the wifi interface, everything is set up based off what pfsense automatically generates.

            Bit more info:

            vr0 = lan
            vr1 = wan

192.168.7.x -> 192.168.7.254 (pfsense) 192.168.15.3 -> 192.168.15.1 (modem) NET

            
            [2.0-RELEASE][root@ares.local]/root(2): ping www.google.com
            PING www.l.google.com (72.14.204.104): 56 data bytes
            36 bytes from localhost (127.0.0.1): Time to live exceeded
            Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
             4  5  00 5400 0983   0 0000  01  01 d309 192.168.7.254  72.14.204.104 
            
            Internet:
            Destination        Gateway            Flags    Refs      Use  Netif Expire
            default            192.168.7.254      UGS         0    31623    vr0
            63.251.62.33       192.168.15.1       UGHS        0       15    vr1
            127.0.0.1          link#4             UH          0      870    lo0
            192.168.7.0/24     link#1             U           0    11361    vr0
            192.168.7.254      link#1             UHS         0    57819    lo0
            192.168.15.0/24    link#2             U           0      307    vr1
            192.168.15.3       link#2             UHS         0        0    lo0
            192.168.241.192/26 link#8             U           0        0 ral0_w
            192.168.241.254    link#8             UHS         0    57376    lo0
            204.74.97.104      192.168.15.1       UGHS        0       15    vr1
            
            
Amarth

Ugh! :-[ I found the problem. Apparently some time ago, when I first attempted the wireless setup, I created a "Gateway" under Routing. I'm not entirely sure why this impacted everything, but in the GUI it was shown as:

              name wlan1  192.168.7.254 192.168.7.254

I'd have thought that would only impact the wlan1 interface. Regardless, a typical case of PEBCAK. Upon removal of that gateway all my problems vanished.

              Sorry for the run around, sincerely.

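The gateway entry found above, the firewall's own LAN address, shows up in the routing table posted earlier as a default route whose next hop is one of the box's local addresses (the UHS host routes on lo0). As an added example that is not from the thread or from pfSense, this script parses netstat -rn style output, derives the box's own addresses from those lo0 host routes, and flags any gateway route pointing at one of them; the tables are constructed from the thread's output, and the "fixed" variant assumes the modem at 192.168.15.1 is the intended default gateway.

```python
# Routing table from the thread (FreeBSD/pfSense "netstat -rn"), constructed sample input.
BROKEN_TABLE = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.7.254      UGS         0    31623    vr0
63.251.62.33       192.168.15.1       UGHS        0       15    vr1
127.0.0.1          link#4             UH          0      870    lo0
192.168.7.0/24     link#1             U           0    11361    vr0
192.168.7.254      link#1             UHS         0    57819    lo0
192.168.15.0/24    link#2             U           0      307    vr1
192.168.15.3       link#2             UHS         0        0    lo0
192.168.241.192/26 link#8             U           0        0 ral0_w
192.168.241.254    link#8             UHS         0    57376    lo0
204.74.97.104      192.168.15.1       UGHS        0       15    vr1
"""

# Same table with the default route pointed at the modem (assumed correct next hop).
FIXED_TABLE = "\n".join(
    "default            192.168.15.1       UGS         0        0    vr1"
    if line.startswith("default") else line
    for line in BROKEN_TABLE.splitlines())

def parse_routes(text):
    """Return (destination, gateway, flags, netif) tuples, skipping the header."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Destination":
            continue
        routes.append((parts[0], parts[1], parts[2], parts[5]))
    return routes

def local_addresses(routes):
    """Host routes (flag H) via lo0 are the box's own interface addresses."""
    return {dst for dst, _gw, flags, netif in routes
            if "H" in flags and netif == "lo0"}

def self_gateway_routes(text):
    """Gateway routes (flag G) whose next hop is one of the box's own addresses:
    the kernel keeps handing the packet back to itself until TTL reaches zero,
    which is the 'Time to live exceeded' from 192.168.7.254 / localhost seen above."""
    routes = parse_routes(text)
    local = local_addresses(routes)
    return [(dst, gw, netif) for dst, gw, flags, netif in routes
            if "G" in flags and gw in local]
```

Running `self_gateway_routes(BROKEN_TABLE)` reports the default route via 192.168.7.254 on vr0 as the loop, and the fixed table reports nothing.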
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.