Problems to access Internet
-
Hello to everybody,
could you advise on the following LAN office configuration due to INTERNET connection issue:The modem is directly (via cable) connected to pfsense with the following parameters:
modem:192.168.0.1/24 (nat able)
pfsense:192.168.0.2/24LAN internal pfsense has an other networking card
192.168.1.1/24
clients' ip address are setup manually
-192.168.1.2/24
-192.168.1.3/24- etc…
clients gateway is 192.168.1.1
Problem is that they very often losing internet connection.
Is this problem from the internet provider ?
or
pfsense set up is not property configured?
Thank you for sharing your ideas with me
cheers Roberto -
Well for starters why are you double natting? Sure can not be helping matters ;)
I would remove the nat on the "modem" – (gateway modem/router combo if its natting) so that you get public IP on the pfsense wan. Now you can see if pfsense is loosing connectivity to its gateway (internet).
But in general your double nat setup should be working, but no ideal if you ask me. Are you sure its just not a dns problem for the clients. losing internet connection is not a lot of details to work with, and could mean a slew of different things. What exactly is not working? Can the clients ping their gateway? Can pfsense talk to your "modem" -- is the modem online?
Is it ALL users at the same time, or just a couple/one?
-
Thanks Johnpoz,
i have just nat in modem, means i havent setup nat on pfsense.
Do u think will be better to remove nat from modem and get public ip on pfsense wan?
But in this case i need to setup on pfsense nat right?
Pfsense I setup dns on google.I will be able answer if clients can ping gateway after 22 sep 12, when i am back from business trip.
Problem appeares since 3 days ago which i am trying to solve remotely, responding your question "what is not working properly" - internet connection is working up and down / they have connectivity and losing connectivity.
for instance if they switch off / switch on modem connection get back to normal.Can pfsense talk to your "modem" – is the modem online - YES
is ALL users at the same time, or just a couple/one? - ALL USERSBeing away from the office, temporary solution i found is: i removed pfsense :( from modem and connected directly modem to switch.
thanks for sharing your experiences with me roberto
-
If your doing just nat on the "modem" and not pfsense - did you setup routing on the "modem" How does modem know how to get to 192.168.1.0/24 the network your clients are on? What "modem" are you using? Were you running some routing protocol - RIP for example? I don't see how your setup would of worked at all unless you put in a specific route on your "modem"
Yes I would think it better to use pfsense as your gateway/firewall and it should have a public IP on its WAN.
-
I setup on pfsense just gateway 192.168.0.1 that is my modem/router.
wan pfsense=192.168.0.2
Modem/router 192.168.0.1/24 no dhcp,nat, thats all. -
Why that won't work.
So your on a box say 192.168.1.14 for example and your trying to go to pfsense.org. so box at 1.14 says hey pfsense.org is on 69.64.6.21, that is not on any network connected to me - so it sends it to its gateway pfsense lan 192.168.1.1, it "routes" the traffic for 69.64.6.21 which is not on any of its interfaces so sends to its gateway - your modem "192.168.0.1" this is all fine.
So your "modem" now says hey your trying to get to 69.64.6.21, I will send that to my gateway (your isp) and NAT the traffic so it looks like it came from your "modems" public IP – lets call it 1.2.3.4.. So it sends it on its way to your isp with dst 69.64.6.21, and source ip 1.2.3.4 and stores the NAT of hey if your coming back from 69.64.6.21 to my IP of 1.2.3.4 I need to send you to 192.168.1.14.
Problem is how does your modem know how to get to 192.168.1.0/24??? it has no interfaces on that network. It only has interfaces on 192.168.0.0/24 and your public IP 1.2.3.4. It needs to know how to get to the 192.168.1.0 network by sending it to pfsense wan interface on 192.168.0.2
Without a route back to 192.168.1.0/24 your modem has no idea what to do with that traffic -- it needs a route!! Which you make no mention of. So what you were trying to setup would NEVER WORK. It would not be intermittent, it wouldn't work.
So unless your leaving off some details about running a routing protocol on pfsense and your "modem" so pfsense can share with your "modem" that to get to the 192.168.1.0/24 talk to my 192.168.0.2 interface your modem would not be able to send the return traffic from pfsense.org back to the client on 192.168.1.14
edit: if you were NATTING on pfsense, then it would NAT all the traffic from 192.168.1.0/24 network to its 192.168.0.2 IP, but you clearly stated your NOT natting on pfsense. If that is the case then you have to have a route on your "modem" on how to get to the 192.168.1.0/24 since pfsense did not NAT it to the network connected to your modem. Your modem has no idea how to get there - so it would send traffic to its default gateway -- your isp. How does it know to send to 192.168.0.2 to get to 192.168.1.14??
-
but you clearly stated your NOT natting on pfsense.
but robertog said
@robertog:i have just nat in modem, means i havent setup nat on pfsense.
which could mean that because he hasn't done anything to setup NAT in pfSense he assumes pfSense is not NATing. But my recollection is that NAT is on by default in pfSense between LAN and WAN.
-
Yup I agree nat is on by default normally. but way I read it was he turned nat off.
Why would he mention that he was not running it?? Unless he knew for sure it was on or off?
@robertog can you verify for us if you turned NAT off?
here
http://doc.pfsense.org/index.php/Outbound_NATTo completely disable NAT and all firewall function from all interfaces, do the following. Note that you will skip the previous section ("Disable NAT") when taking this approach.
Go to the System: Advanced page and click the Firewall / NAT tab.
Check the box to "Disable Firewall / Disable all packet filtering."
Save changes.To completely disable NAT to have a routing-only firewall, do the following.
Go to the Firewall -> NAT page, and click the Outbound tab.
Select the option "Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))" and click Save.
Remove all automatically generated NAT rules at the bottom of the screen.
Apply changes
–-Did you do either of those on your pfsense box? If not then NAT would be on, and would explain why it works atleast some times - because if you had turned NAT off I don't see how it would work at all.
So again I would suggest you remove the "modems" nat and allow pfsense to handle your nat/firewall/etc
-
Hello!
thanks for your reply but at moment I cant verify if Nat off..Im in business trip sorry, I repeat you I havent setup nat on pfsense so if this means defaults pfsense has nat i didnt know….
But do u think that can create problems and sometimes internet connection is up and down?
thanks roberto -
As the others said by default pfSense will NAT between WAN and LAN. You almost certainly have this enabled. This means you are double NATing but that doesn't usually cause a problem. I have run double NAT setups for testing purposes for months before and never once experienced any issue. However you should be aware that under specific circumstances it can be a problem.
You need to determine where the failure is occurring and you will probably need to be doing that locally. We could speculate what might be happening but without testing it will only be speculation. ;)
The first thing I would look at is the pfSense logs. Look for WAN disconnects. Look at the RRD graphs of connection quality. Are there periods of packet loss or high latency?
How is your WAN address assigned? Static IP?
Steve
-
hello,
thanks for reply when i come back in office i will do of course.
I have wan ip static.bye
roberto -
"Look at the RRD graphs of connection quality. Are there periods of packet loss or high latency?"
But that is really not testing his internet connection in the current setup because pfsense gateway is his modem. His ISP could be offline and pfsense would still think internet is happy with a <1ms response time because he is just talking to the lan of his modem.
Which is why I suggest he puts pfsense on the border so that yes now he can see what the internet connection is doing.
-
But that is really not testing his internet connection in the current setup because pfsense gateway is his modem.
That's true. However if it does show something that will be a big clue. ;)
The fact that the connection is solid when the pfSense box is removed suggests a problem on the local side of the modem.
Having a static WAN means that it's unlikely to show anything in the system logs except perhaps if it's a faulty cable.Having a public IP on the pfSense WAN and a single NAT config is a better setup but that should not stop it working as it is.
Steve
-
I agree it can work with double nat, as stated before it is not ideal sort of setup. But it should work - but he mentions
"Can pfsense talk to your "modem" – is the modem online - YES"
Well that tells me its his ISP or pfsense. I would look to ISP first, but since his pfsense is not directly connected and behind a nat. It is impossible to tell if pfsense can not talk to the gateway. Which he would see instantly if pfsense was on public IP.
-
he mentions
"Can pfsense talk to your "modem" – is the modem online - YES"
Good point. Though that doesn't mean it's continuously online. However that should show up in the logs.
Much as I'm enjoying this speculating I think I'll wait for more information. ;)
Steve
-
hi,
thanks guys for sharing your ideas and suggestions. I can't wait when i am physically back in the office (cc. 24.9) in order to try suggested options & share back with you all results. Roberto
