Some IPs not reachable



  • Hello everybody,

    sorry if this is a beginner question, I set up pfsense yesterday for the first time but I cannot find a solution for the following problem. Some external IPs are not reachable from my Client.
    I have a Modem (Pirelli, 10.0.0.138), pfsense on fit-PC2 (WAN: 10.0.0.10, LAN: 10.0.1.10) and my Client (10.0.1.103). Making a tracert on my client for www.derstandard.at gives back 10.0.1.10, then 10.0.0.138 and after some more IPs the IP for www.derstandard.at. Doing the same for www.google.at gives back 10.0.1.10 and then nothing but that the host is not reachable.

    At first I thought it is a DNS problem, but I tried also some IP addresses directly in the browser that didn't work.

    Can you just give me a hint where I should start searching for the error? DNS? Firewall? ….

    regards
    Michael



  • Please post the network mask for both the LAN and WAN pfsense interfaces. The interfaces need to be in distinct subnets and you haven't provided enough information to verify the interfaces have been correctly configured.



  • Hello,

    I made some screenshots, I hope they help to narrow the problem.

    The Output of Tracert:
    C:\Users\mhaerb>tracert www.derstandard.at

    Routenverfolgung zu www.derstandard.at [194.116.243.20] über maximal 30 Abschnitte:

      1    <1 ms    <1 ms    <1 ms  pfsense.haerb [10.0.1.10]
      2    <1 ms    <1 ms    <1 ms  Discus.home [10.0.0.138]
      3     *        *        *     Zeitüberschreitung der Anforderung.
      4    30 ms    29 ms    29 ms  195.3.73.1
      5     *       40 ms    33 ms  195.3.118.241
      6    36 ms    85 ms    34 ms  IIX10-AUX11.highway.telekom.at [195.3.70.126]
      7    34 ms    35 ms    34 ms  te3-1-vix-uni-c1.vivi.sil.at [193.203.0.109]
      8    35 ms    35 ms    35 ms  86.59.80.11
      9    35 ms    35 ms    34 ms  www.derstandard.at [194.116.243.20]

    Ablaufverfolgung beendet.

    C:\Users\mhaerb>tracert forum.pfsense.org

    Routenverfolgung zu forum.pfsense.org [69.64.6.7] über maximal 30 Abschnitte:

      1    <1 ms    <1 ms    <1 ms  pfsense.haerb [10.0.1.10]
      2     *        *        *     Zeitüberschreitung der Anforderung.
      3     *     pfsense.haerb [10.0.1.10]  meldet: Zielhost nicht erreichbar.

    Ablaufverfolgung beendet.

    Under General Setup I have DNS Server 10.0.0.138, no gateway, allow DNS Server list yes, Do not use the DNS Forwarder as a DNS server for the firewall yes

    Putting the IP 69.64.6.7 in the browser also brings an error that the connection to the server was reset. The IP should be the IP of forum.pfsense.org


  • Netgate Administrator

    Two things:
    1. You have your WAN subnet as /1. It should probably be /24 but it may not make any difference since it can still see the modem. This does imply though that any address on the internet can be reached directly from the WAN interface, which is clearly wrong!

    2. You can't use pfsense.org for any testing as it doesn't respond to pings.

    Steve

    Edit: Also your WAN is in a private network (behind your modem/router) so you need to uncheck 'block private networks'.



  • Dear Steve,

    1. Thanks a lot, changing the WAN subnet to /24 solved the issue; I can now connect to every site (I just do not totally understand why :-))

    2. Changing block private networks made no difference, it is possible to leave it on.

    "This does imply though that any address on the internet can be reached directly from the WAN interface, which is clearly wrong!"
    Do I have a security issue here?

    Thanks a lot for your help,
    regards

    Michael


  • Netgate Administrator

    You don't have a security issue.

    A /24 subnet (common on a small or home network) is equivalent to a subnet mask of 255.255.255.0. This implies addresses between x.x.x.0 and x.x.x.255. A computer using that subnet can send packets directly, not via a router or gateway, to any other computer in that subnet.
    A /1 subnet would be the entire internet! Your computer thinks it can reach any address without going through a router or gateway, clearly wrong.
    It's hard to say exactly what was happening that allowed some traffic to be routed correctly.

    Steve

    Edit: You could use a subnet of /32 on your WAN instead. This would imply that all traffic from it has to go via the gateway. However if /24 is working for you it's not a problem.
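The on-link reasoning Steve describes can be checked directly. The following script is an added example, not code from the thread or from pfSense: it takes the WAN address, gateway and the two destination IPs from the tracert output above and shows which destinations a host with a /1, /24 or /32 mask would try to reach directly on the WAN segment (where ARP for an internet address can never succeed) and which it would hand to the modem. With the /1 mask every address in 0.0.0.0 to 127.255.255.255 looks on-link, so 69.64.6.7 is never sent to the gateway while 194.116.243.20 is, which matches the behaviour Michael observed.

```python
import ipaddress

# Values taken from the thread: pfSense WAN interface, the modem acting as
# gateway, and the two traced destinations.
WAN_ADDRESS = "10.0.0.10"
WAN_GATEWAY = "10.0.0.138"   # the Pirelli modem
DESTINATIONS = {
    "www.derstandard.at": "194.116.243.20",  # reachable with the /1 mask
    "forum.pfsense.org": "69.64.6.7",        # "Zielhost nicht erreichbar" with /1
}


def on_link_range(address: str, prefix_len: int) -> ipaddress.IPv4Network:
    """Network the host believes is directly attached (no gateway needed)."""
    return ipaddress.ip_interface(f"{address}/{prefix_len}").network


def next_hop(address: str, prefix_len: int, gateway: str, destination: str) -> str:
    """Where a host with address/prefix_len would forward a packet to destination.

    Returns "direct" when the destination falls inside the interface's own
    network, so the host ARPs for it on the local segment instead of using
    the router; otherwise returns the gateway address.
    """
    if ipaddress.ip_address(destination) in on_link_range(address, prefix_len):
        return "direct"
    return gateway


def forwarding_table(prefix_len: int) -> dict:
    """Next hop for each destination in the thread under one WAN prefix length."""
    return {
        name: next_hop(WAN_ADDRESS, prefix_len, WAN_GATEWAY, ip)
        for name, ip in DESTINATIONS.items()
    }


if __name__ == "__main__":
    # /1 is the misconfiguration, /24 the fix, /32 Steve's alternative where
    # nothing is treated as on-link and everything goes via the gateway.
    for prefix_len in (1, 24, 32):
        print(f"WAN {WAN_ADDRESS}/{prefix_len}: on-link {on_link_range(WAN_ADDRESS, prefix_len)}")
        for name, hop in forwarding_table(prefix_len).items():
            print(f"  {name:20s} -> {hop}")
```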

