Pfsense + Thomson ST510
-
Hi everyone,
I'm having a little trouble with why I can't get an internet connection.
My setup is as follows… Thomson ST510 > Assign public IP to a device = my pfsense.
Pfsense gets my external IP on its WAN interface and gets my ISP's gateway through DHCP - gateways can be seen in gateways under routing.
Pfsense is also getting ISP DNS server addresses via DHCP.However I lose all connection to the internet - pfsense cannot ping anything internet facing on WAN. - Not even ISP gateways.
What have I configured wrongly ??
Thanks in advance!
-
A common setup error is to put a gateway on LAN.
If you have an incomplete but present IPv6 implementation coming from your ISP or router then pfSense may attempt to us that first. https://doc.pfsense.org/index.php/Controlling_IPv6_or_IPv4_PreferencePlease give more details.
Steve
-
Hi,
Nope my ISP isn't doling out any IPV6 and never will.
Should I disable IPv6 anyway ?
thanks for the reply, what would I use as the gateway on LAN ? When I use DHCP on the WAN side im not sure what to use as gateway - pfsense has my ISP's gateway and my WAN Has my static IP provided by my ISP
Do I use my static IP as the gateway ?
Thanks!
Chris.
-
You shouldn't have a gateway on the LAN interface. Putting one in is the common mistake. ;)
If you try to ping, say, google.com and 8.8.8.8 from the pfSense console what is the error given?Steve
-
ok if I set it up how I did it before with just a GW on the WAN from my ISP, if I ping google I get failed pings.
Ping output:
PING 8.8.8.8 (8.8.8.8) from 77.86.33.157: 56 data bytes–- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
-
At present the only interface that has a GW is WAN, to get internet access I have to set the WAN IP to '192.168.1.253' with a GW of '192.168.1.254' then I get internet access… but I'd rather have pfsense do all of the routing and only have the Thomson as a Modem.
When my Static External address is set via DHCP still no internet access.
Puzzled :S :o
-
Wait your WAN IP is 192.168.1.x? Then you need to uncheck the box on the WAN interface that says, "Block private networks" AND use a different subnet (e.g. 192.168.2.x) on the LAN interface.
-
^^^^ done both of those… using 192.168.2.0/24 on my lan and have unchecked the box ... it works its only when I use DHCP on the WAN and get my EXTERNAL IP when it doesnt.
-
Is it a static address or is it DHCP? If it is static you need to assign a gateway. If it's DHCP verify that it gets a gateway and DNS servers (Status -> Interfaces - Gateway IPv4 and ISP DNS servers).
-
-
Hi,
If I ping - It fails. I posted the output in a previous post.
I'm using DHCP when it doesnt work.. My IP (External Static from ISP) gets assigned to WAN interface, My ISP's gateways also appear in Gateways and I also receive the DNS Server IP's.
IF I set a manual address of '192.168.1.253' on my WAN and a GW of '192.168.1.254' I get Internet access.
As setup in the images - my Internet works - As soon as I set my WAN to DHCP I no longer get internet access and no idea why.
Thanks in advance for all of your help - I appreciate it.
-
Hi all,
I have done some screenshots of DHCP on WAN side.
-
For some reason when DHCP is set on WAN, i get IP on interface and receive gateway from ISP but that gateway cannot be reached.
-
Any help most appreciated guys!!
Thanks!!
-
The reason I asked you to ping google.com as well as 8.8.8.8 was to determine if DNS was working. At this point it's probably not relevent since pinging by IP didn't work but the first thing that you see when pinging by URL is:
[2.1.3-RELEASE][root@pfsense.fire.box]/root(1): ping google.com PING google.com (173.194.34.174): 56 data bytes 64 bytes from 173.194.34.174: icmp_seq=0 ttl=56 time=13.773 msYou can see that it has resolved the url to an IP.
I notice that the IP you're given when set to DHCP on WAN is still a private address in the 10.0.0.0/8 range. Is that the same type of address that the Thompsom router gets if it's connecting without pfSense?
Steve
-
If your ISP really is handing out 10/8 IPs, if it's doing CGN for example, then you may have to disable the firewall in the ST510. You probably want to do that anyway.
http://www.petenetlive.com/KB/Article/0000210.htm
If having selected to assign the public IP to a device in the router you can still access the internet by using the routers lan side subnet details manually then I would suggest it has not correctly assigned the public IP.
Steve
-
Yes, My ISP's gateway is in the 10. range. (Private range) my thomson router has a 10.0.0.138 IP but this cannot be reached at all when I set my WAN to DHCP.
-
What subnet is your ISP handing the WAN?
Some ISPs are now handing out /32 subnets via DHCP which is not a standards compliant configuration. Other OSes allow this configuration (Windows, some Linux distros) but FreeBSD does not. There is a workaround.Steve
-
I believe it's a /30.
Not entirely sure - you've got to realize that the ISP we are dealing with here isn;t your usual ISP, they do things very differently.
I'm within this range.
https://apps.db.ripe.net/search/query.html?searchtext=77.86.33.157&searchSubmit=search#resultsAnchor
I'll be honest I think it's a slash /30 but it COULD be A /32
Anyway I can find out ??
-
Ah, the broadband principality of Hull! ;)
The address in that link is not handed to you then?
Go to Status: Interfaces: in the webgui. All the details handed to you should be there.
Steve
-
Screenies:
-
Any Ideas ?
And thanks by the way I appreciate the help - I'd love to get this working… If I can!!!
I'm lost, I cant think of anything else to try!!
-
Would the following work.
I assign an IP on my WAN for example 77.86.33.156….
And my Gateway set that to... the actual IP that I get from DHCP from my ISP ?
Would/Should that work ?
-
Ah, I just re-read the thread and now it makes more sense. I had assumed that because the gateway being given to you is 10.X.X.X then the IP would similarly be 10.x.x.x. But no.
Ok well the gateway address you are being sent, 10.55.200.44, is outside the subnet of your WAN address which is a real public IP. The subnet mask you're being sent is a /8 which is really weird. Like you say Kcom are not a 'normal' ISP! ::)
The workaround should still apply here but the details you have are very odd. If you connect the router in the normal way, without pfSense, does it too receive these same (or similar) details?
Anyway the workaround for this is to add a route to the gateway address. See:
https://redmine.pfsense.org/issues/972
Specifically at the console enter these two commands:# route add -net 10.55.200.44/32 -iface rl0 # route add default 10.55.200.44If that works then you can add the commands to Shellcmd so they run at each boot.
We might need some input from a higher source on this though because it looks….wrong! ???
Steve
-
Thanks yes it is an odd setup and yes even usjng the thomson on its own I get alk of the same IP settingd same subnet n everything.
Ok thanks for those commands ill try them when I get chance to get back on my machine.
what exactly will those commands do ???
-
This is a very old post but may still be relevant:
http://karooforums.net/index.php/topic,483.msg4677.html
I expect to see something similar to that posters gateway settings. The issue you may have is the gateway address you're given changes if you reconnect the modem for whatever reason.Are you active on the Karoo forum? Maybe time to join if not. There's sure to be some people trying to do something similar there.
Those commands add a route to the gateway IP via your WAN interface, because otherwise pfSense has no idea how to reach it, and then sets the gateway IP as the default route for all traffic.
Steve
-
Ok when I do dhcp on the WAN that 10. Adress does appear in gateways… is that not the same thing ?? Its gets this from dhcp.
-
The same thing as what? What the commands do? Yes except that it cannot be set as default route because without those commands pfSense cannot get to the gateway address, it's outside the subnet of the WAN.
Steve
-
Im going to try the commands tonight - will keep you posted!!
Thanks
-
-
Thanks for all your help!!!
-
Ok. :)
Those routes will only stay in place until your re-boot the pfSense box so to make them run each time the box is booted install the shellcmd package and them add them to it.
The other thing is that this depends entirely on Karoo always giving you the same IP details, or at least the same gateway. They may or may not do that. Their setup seems so odd it's impossible to even speculate! If they don't then what is needed is a script to enter the routes based on whatever gateway is given. There were several comment to that effect in the bug report but nothing I've actually seen.
It would be great to get a second oppinion on just what's going on here. Anyone?
Also I would definitely suggest a post on the Karoo forum. You fellow subscribers will have faced this before any will probably have more info.
Steve
-
Hi, Ive added package ShellCMd and have added those commands - and it works!!
I do have one little problem though and if I could solve it everything would be perfect!!
For some reason I'm getting dropouts when browsing the internet…. under Interfaces - I have errors 0/12.
Any Ideas ?
-
Which interface is that?
If it's the wifi interface then it's to be expected. For example my own home ath interface:Status up MAC address 00:11:f5:**:**:** - Askey Computer IPv4 address 192.168.10.1 Subnet mask IPv4 255.255.255.0 IPv6 Link Local fe80::211:f5**:****:****%ath0_wlan0 Media autoselect mode 11g <hostap>Channel 8 SSID ******** BSSID 10:bf:48**:**:** Rate 48M RSSI 16.5 In/out packets 288630/321309 (32.64 MB/327.74 MB) In/out packets (pass) 288630/321309 (32.64 MB/327.74 MB) In/out packets (block) 950/0 (184 KB/0 bytes) In/out errors 3/119 Collisions 0</hostap>What do you mean by drop outs?
Steve
-
No, errors are on the WAN interface… by drop outs I mean that at certain times the is no response from the internet or takes an age to load a web page. Ive changed to static NAT instead of Automatic and seems to be a bit better.
Thanks
-
Nothing in the logs when that happens?
Chaning the NAT to static shouldn't make any difference. It only takes any action when you add or remove interfaces anyway.
Something occurs to me. The fact that you have such an enormous subnet on the WAN could be causing a problem here. If you're trying to access some resource that happens to be at address 77.x.x.x then pfSense will try to access it directly without going via the gateway. It may be waiting for something to timeout before then sending traffic via the gateway.
Normally you could avoid that happening by specifying the gateway in the firewall rules on your LAN interfaces and disabling the 'negate rules' in System: Advanced: Firewall and NAT: However with your default gateway setup I'm not sure what would happen. :-\See if you can spot a link between the delay and what site you're trying to access.
Steve
-
Hi Stevenw10
Nothing in the logs as far as I can see, I've left NAT on Manaul and I've also noticed that the 'dropout' was pages hanging on "Resolving host" so I suspect a DNS issue, As a test I've pointed one of my hosts to '192.168.1.254' which is the Thomson and also '8.8.8.8' As A Secondary, and so far I've seem to have no drop outs. Presently my clients were using the LAN address of PFSense for DNS.
I've not been on that machine today but will be later on so will let you know my findings…..
IF it is DNS, I wonder what can be done to fix it, dynamically I get DNS servers from my ISP ?
Thanks - All of your help is GREATLY appreciated
Chris.
-
You can add DNS servers to pfSense that it then uses for the DNS forwarder. Go to System: General Setup: in the webgui. By default the 'Allow DNS server list to be overridden by DHCP' box is checked but you can uncheck that and enter any public DNS servers if Karoo's are a bit flaky. I use 8.8.8.8 and 8.8.4.4, Google already knows everything about me anyway! ::)
Steve
-
OK I'll let you know my findings!!
Thanks
-
Looks like it was a DNS issue, I've set 8.8.8.8 in general setup and set KC's gateway as the gateway for that DNS server and so far all is well!!
No dropouts!!
:)
