Cannot access Router/Internet

franzenobody · Feb 10, 2013, 10:08 AM

Hey,
I managed to set up the DHCP Server so far but I cannot reach the Router, maybe it is a problem with the static route?

The network architecture is as follows:

WWW–--ROUTER----PFSENSE----LAN
The router is a cheap Zyxel but has static route.

IP adresses:
Zyxel Router 192.168.1.1/24
pfs-router 192.168.1.2/24 (WAN) - Gateway 192.168.1.1
pfs-client 192.168.2.1/24 (LAN) - DHCP Server 192.168.2.100 - 192.168.2.200

The static route in the Zyxel looks as follows
Target: 192.168.2.0
SUBNET: 255.255.255.0
Gateway: 192.168.2.1 (PF-Sense)

If I ping from a client (192.168.2.100), I can reach the pfsense 192.168.2.1 and also 192.168.1.2, but not the Zyxel.
When I try to ping the Zyxel the output is as follows:
PING 192.168.1.1 (192.168.1.1): 56 data bytes
36 bytes from pfsense.XXX (192.168.2.1): Destination Host Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 150c 0 0000 40 01 e0e7 192.168.2.100 192.168.1.1

Vice versa, from the router net (192.168.1.100), I even cannot ping the pfs-server which should be in the same subnet (192.168.1.2):
Request timeout for icmp_seq 0

Does anyone have an idea where I could have made a mistake?

thx, a Nobody

wallabybob · Feb 10, 2013, 1:10 PM

The you have NAT enabled (the default if I recall correctly) the static route @franzenobody:

The static route in the Zyxel looks as follows
Target: 192.168.2.0
SUBNET: 255.255.255.0
Gateway: 192.168.2.1 (PF-Sense)

is unnecessary since everything going out the pfSense WAN interface will appear to come from the pfSense WAN IP address.

If you don't have NAT enabled in the pfSense box then the route is wrong: the gateway should be an IP address on the same subnet as the Zyxel LAN interface. In this case it should be the IP address of the pfSense WAN interface.

@franzenobody:

If I ping from a client (192.168.2.100), I can reach the pfsense 192.168.2.1 and also 192.168.1.2, but not the Zyxel.
When I try to ping the Zyxel the output is as follows:
PING 192.168.1.1 (192.168.1.1): 56 data bytes
36 bytes from pfsense.XXX (192.168.2.1): Destination Host Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 150c 0 0000 40 01 e0e7 192.168.2.100 192.168.1.1

Destination host unreachable suggests EITHER pfSense thinks its WAN interface is not "running" OR the pfSense routing table is "messed up" (perhaps you have been changing IP addresses or subnet or firewall rules or some combination; I have found a pfSense reboot is sometimes needed to clear things up after "major changes" in IP subnets.)

@franzenobody:

Does anyone have an idea where I could have made a mistake?

I suggest you reboot, try your pings again and if you don't get a ping response from the Zyxel, post the output of the pfSense shell command```
ifconfig -a; /etc/rc.banner

franzenobody · Feb 10, 2013, 3:11 PM

Thanks for your fast answer, I restarted everything and I still could not ping the Zyxel (I deleted the static route) FROM THE CLIENT-PC (from the WAN Interface I can now, see below).

I ran the command on the serial interface, here is the outcome:

ifconfig -a; /etc/rc.banner
vr0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=8280b <rxcsum,txcsum,vlan_mtu,wol_ucast,wol_magic,linkstate>ether 00:0d:b9:2b:e0:88
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
inet6 fe80::20d:b9ff:fe2b:e088%vr0 prefixlen 64 scopeid 0x1
nd6 options=43 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vr1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=8280b <rxcsum,txcsum,vlan_mtu,wol_ucast,wol_magic,linkstate>ether 00:0d:b9:2b:e0:89
inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::20d:b9ff:fe2b:e089%vr1 prefixlen 64 scopeid 0x2
nd6 options=43 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vr2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=8280b <rxcsum,txcsum,vlan_mtu,wol_ucast,wol_magic,linkstate>ether 00:0d:b9:2b:e0:8a
inet6 fe80::20d:b9ff:fe2b:e08a%vr2 prefixlen 64 scopeid 0x3
nd6 options=43 <performnud,accept_rtadv>media: Ethernet autoselect (none)
status: no carrier
lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
options=3 <rxcsum,txcsum>inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
nd6 options=43 <performnud,accept_rtadv>pfsync0: flags=0<> metric 0 mtu 1460
syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
enc0: flags=0<> metric 0 mtu 1536
pflog0: flags=100 <promisc>metric 0 mtu 33200
*** Welcome to pfSense 2.0.2-RELEASE-nanobsd (i386) on pfsense ***</promisc></performnud,accept_rtadv></rxcsum,txcsum></up,loopback,running,multicast></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,wol_ucast,wol_magic,linkstate></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,wol_ucast,wol_magic,linkstate></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,wol_ucast,wol_magic,linkstate></up,broadcast,running,simplex,multicast>

From the serial interface, I can ping the router and also google.de, when I ping from the terminal (Mac), still the same outcome. [EDIT: Pinging the Internet/Zyxel from the WAN was not possible yesterday. But it still seems that the LAN->WAN routing doesn't work?]

wallabybob · Feb 10, 2013, 3:51 PM

The output from /etc/rc.banner was truncated so I can't see some of the settings it would normally display. Please provide output of pfSense shell command:```
/etc/rc.banner ; netstat -r -n


You should be able to ssh to the pfSense box from your MAC client, capture the command output in the ssh window and paste it into reply. (Please post all the output this time.)

franzenobody · Feb 10, 2013, 4:12 PM

ifconfig -a; /etc/rc.banner; netstat -r -n
vr0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=8280b <rxcsum,txcsum,vlan_mtu,wol_ucast,wol_magic,linkstate>ether 00:0d:b9:2b:e0:88
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
inet6 fe80::20d:b9ff:fe2b:e088%vr0 prefixlen 64 scopeid 0x1
nd6 options=43 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vr1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=8280b <rxcsum,txcsum,vlan_mtu,wol_ucast,wol_magic,linkstate>ether 00:0d:b9:2b:e0:89
inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::20d:b9ff:fe2b:e089%vr1 prefixlen 64 scopeid 0x2
nd6 options=43 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vr2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=8280b <rxcsum,txcsum,vlan_mtu,wol_ucast,wol_magic,linkstate>ether 00:0d:b9:2b:e0:8a
inet6 fe80::20d:b9ff:fe2b:e08a%vr2 prefixlen 64 scopeid 0x3
nd6 options=43 <performnud,accept_rtadv>media: Ethernet autoselect (none)
status: no carrier
lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
options=3 <rxcsum,txcsum>inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
nd6 options=43 <performnud,accept_rtadv>pfsync0: flags=0<> metric 0 mtu 1460
syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
enc0: flags=0<> metric 0 mtu 1536
pflog0: flags=100 <promisc>metric 0 mtu 33200
*** Welcome to pfSense 2.0.2-RELEASE-nanobsd (i386) on pfsense ***

WAN (wan) -> vr1 -> 192.168.1.2
LAN (lan) -> vr0 -> 192.168.2.1
OPT1 (opt1) -> vr2 -> NONE Routing tables

Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.1.1 UGS 0 1548 vr1
127.0.0.1 link#4 UH 0 58 lo0
192.168.1.0/24 link#2 U 0 257 vr1
192.168.1.2 link#2 UHS 0 216 lo0
192.168.2.0/24 link#1 U 0 449 vr0
192.168.2.1 link#1 UHS 0 216 lo0

Internet6:
Destination Gateway Flags Netif Expire
::1 ::1 UH lo0
fe80::%vr0/64 link#1 U vr0
fe80::20d:b9ff:fe2b:e088%vr0 link#1 UHS lo0
fe80::%vr1/64 link#2 U vr1
fe80::20d:b9ff:fe2b:e089%vr1 link#2 UHS lo0
fe80::%vr2/64 link#3 U vr2
fe80::20d:b9ff:fe2b:e08a%vr2 link#3 UHS lo0
fe80::%lo0/64 link#4 U lo0
fe80::1%lo0 link#4 UHS lo0
ff01:1::/32 fe80::20d:b9ff:fe2b:e088%vr0 U vr0
ff01:2::/32 fe80::20d:b9ff:fe2b:e089%vr1 U vr1
ff01:3::/32 fe80::20d:b9ff:fe2b:e08a%vr2 U vr2
ff01:4::/32 ::1 U lo0
ff02::%vr0/32 fe80::20d:b9ff:fe2b:e088%vr0 U vr0
ff02::%vr1/32 fe80::20d:b9ff:fe2b:e089%vr1 U vr1
ff02::%vr2/32 fe80::20d:b9ff:fe2b:e08a%vr2 U vr2
ff02::%lo0/32 ::1 U lo0</promisc></performnud,accept_rtadv></rxcsum,txcsum></up,loopback,running,multicast></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,wol_ucast,wol_magic,linkstate></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,wol_ucast,wol_magic,linkstate></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,wol_ucast,wol_magic,linkstate></up,broadcast,running,simplex,multicast>

Sorry, I hope these are the data you need!

franzenobody · Feb 12, 2013, 7:27 PM

Ok, many thanks, it works now!
I don't know why, but as soon as I set up the static route again, it worked. Even the Zyxel does NAT, the route was obviously necessary!