Pfsense on ESXI: Unable to connect to some website.

IT-ER

Hi all,

I've setup my pfsense on my esxi server with 2 NICs. One (acting as WAN) connects to physical adapter with an external static IP and the other NIC (acting as LAN) connects to a virtual switch. All of VMs will connect to this virtual switch in order to be able to access to the internet. So, far my VMs are able to connect to websites such as google.com or youtube.com. But for some reason, my VMs will not be able to connect to cnn.com, or yahoo.com (able to see yahoo website, but without images). Any idea what causes this behavior?

podilarius

Did you install any packages? Like squid or dansguardian, or any others?

IT-ER

Hi podilarius,

Thank you for the reply. I didn't install any other packages or run any updates. I just used the pfsense 2.1 iso and installed pfsense as VM from there. Am I supposed to install these package?

johnpoz

"my VMs will not be able to connect to cnn.com, or yahoo.com (able to see yahoo website, but without images). Any idea what causes this behavior?"

I would look to a dns related problem here if your not using a proxy..  Can your vm resolve cnn.com?

IT-ER

Hi johnpoz,

I'm suspecting there is some issues with DNS as well. My VM couldn't not resolve cnn.com. I pinged cnn and got "request time out". I looked at pfsense dashboard and realized that besides 2 of my primary and alternate DNS, there is also a DNS with an IP of 127.0.0.1. Do you think if this causes the issue?

Thanks

johnpoz

127.0.0.1 is used when you have the dns forwarder enabled.. So you can resolve hosts in your local domain.

"VM couldn't not resolve cnn.com. I pinged cnn and got "request time out""

How would it timeout if it could not resolve - A timeout would be when it resolved to something and that IP did not answer in the time allowed..  If you can not resolve you should get something like this

C:>ping lsjdfs.sldjsdf.com
Ping request could not find host lsjdfs.sldjsdf.com. Please check the name and try again.

So did it come back with an IP, of so what?

IT-ER

Hi Johnpoz,

Sorry for the lack of knowledge, When I pinged www.cnn.com, i got the IP of 157.166.249.10. Please also see the attachment. I also typed this ip directly to the web browser and it would not connect as well. Please let me know if you have anymore question. Thanks

johnpoz

Well name resolution is working, it not answering ping is normal - not all sites answer ping.

Can you do a traceroute -n in linux or tracert -d if on windows to www.cnn.com - what do you get.. Just need to see that you get past your pfsense and router, etc..  don't need to see all the way to cnn

traceroute -n www.cnn.com
traceroute to www.cnn.com (157.166.248.11), 30 hops max, 60 byte packets
1  192.168.1.253  0.249 ms  0.243 ms  0.229 ms
2  24.13.176.1  17.072 ms  18.056 ms  34.917 ms
3  68.85.131.149  17.776 ms  17.742 ms  17.792 ms
4  68.87.229.126  17.711 ms 68.87.232.58  17.550 ms 69.139.235.254  18.777 ms
5  68.86.187.193  17.650 ms 68.87.230.53  17.569 ms 68.85.176.61  18.210 ms
6  68.86.95.237  20.475 ms  19.984 ms  19.926 ms
7  68.86.88.45  21.580 ms  12.971 ms  20.181 ms

What kind of connection you on for your internet - something that has an odd mtu size?  Have you messed with or altered mtu size be it on pfsense, your esxi switch or your vm clients?  Quite often when problems with some websites, mtu is a problem.

podilarius

I use dig or nslookup.

IT-ER

Here is the result from tracert -d www.cnn.com

Tracing route to cnn-56m.gslb.vgtf.ney [157.166.249.11]
over a maximum of 30 hops:
1      <1 ms <1 ms <1 ms 192.168.1.1
2      *          *        *        Request time out
3      *          *        192.168.1.1    reports: Destination host unreachable.
Trace complete.

What do you mean connection i'm on for my internet? I have not messed up with mtu size on pfsense as well as vm clients.

johnpoz

Tracing route to cnn-56m.gslb.vgtf.ney [157.166.249.11]
3      *          *        192.168.1.1    reports: Destination host unreachable.

Well clearly you have something wrong there..  Can you post your route table.. I think you got something messed up there, its amazing anything would work at all - but clearly your not getting to the internet when trying to go to 157.166.249.11  And what is odd is your LAN IP is first hop which is normal - but then also hop 3?  You have some default gateway setup on your lan or have your default gateway set as your own lan IP?

Here is example route table - mine

Weiyentan

One more thing to check.

Is your vswitch (the one that pfsense is hooked into) is that set to promiscuous?

biggsy

@Weiyentan:

One more thing to check.

Is your vswitch (the one that pfsense is hooked into) is that set to promiscuous?

Promiscuous mode is not needed.  Or are you saying it should not be on if it is?

johnpoz

Dude look at your traceroute

Tracing route to cnn-56m.gslb.vgtf.ney [157.166.249.11]
over a maximum of 30 hops:
1      <1 ms <1 ms <1 ms 192.168.1.1
2      *          *        *        Request time out
3      *          *        192.168.1.1    reports: Destination host unreachable.

3      *          *        192.168.1.1    reports: Destination host unreachable.

You must have gateway set to itself on your lan?  Lan interface should NEVER have a gateway set on the interface.  If you have downstream networks that you need to access via your lan interface, then you would create a gateway and route to these networks.. But you would NOT assign the gateway to the lan interface directly on the interface settings.

This makes pfsense think its a WAN sort of interface, and could enable NAT, etc.  All kinds of BAD things happen if you do this and yeah not going to work.

You hit pfsense 192.168.1.1 – but then hop 3 192.168.1.1 says sorry can not talk to that host.  This is clearly not right and points to you having a gateway set on the interface to me.