Help please: pfSense stops access to internet from LAN
-
Hi everybody,
I have a pfSense setup working fine most of the time; however, sometimes pfSense gets into a state where access to internet from LAN is impossible. Some details:
- I have an ALIX 2d13 with pfSense 2.1.3 installed.
- WAN interface is PPPoE. I have a modem connected to pfSense.
- When the problem occurs, pfSense itself has access to the internet. Ping to 8.8.8.8, for example, is possible from the pfSense box but not from LAN workstations. The console looks just fine.
- There is no clue in the firewall logs why access to the internet from LAN workstations would not be possible. Esp. there are no block entries.
- Restarting my pfSense box resolves the problem.
I would be glad if anyone could tell me where to start looking.
-
-
Hello!
There is no clue in the firewall logs why access to the internet from LAN workstations would not be possible. Esp. there are no block entries.
Do you also log traffic blocked by default deny rule?
Do you have packages installed?
Something in system log?
-
So you're saying you cannot ping a public IP address, or are you saying your browser stops loading your fav web site?
Seems when users say internet is broken, quite often it's just a DNS related problem. And not actually related to connectivity.
Are you using proxy (squid package)? From your client that loses access, can you ping say 4.2.2.2 or 8.8.8.8, can you ping your isp gateway? What does a traceroute look like from a client?
examples - see attached.. If ping works you have connectivity.. Look to dns/browser related problem. If ping does not work, what does tracert show.. Do you get to your isp gateway? Where does connectivity stop?
-
…in addition: does it help to obtain a new IP from your provider instead of rebooting the box?
-
Seems I missed to give a lot of details. Thanks for asking!
First of all: I restarted my pfSense box to get internet working again. So all the information I give here is from memory. I hope it is possible to get a clue about what could have been the problem.
If this should happen again either:
- I can do a fix or at least
- I know where to look into more detail.
About packages:
I have the pfblocker package installed; however, this is not activated. (Remainder from playing around with this package.) Is it possible even remotely that this could cause a problem?
Also I have installed FreeRADIUS 2. This is also not being used at the moment.
The problem is not DNS related. I can tell the difference: I had a problem weeks ago when the DNS stopped working. I could then resolve this by restarting the DNS on pfSense. DNS was the first thing to check after I was informed about the problem this time - no luck.
Regarding DNS, ping, traceroute:
I tried to ping 8.8.8.8. I could ping this address from the pfSense box. I could not ping or traceroute this address from a LAN workstation. Traceroute showed just *s.
While trying ping and traceroute there were no entries in the firewall log or in the system log. From looking into pfSense it was just as if there was no traffic at all from the LAN. On the other hand I could access the pfSense box just fine.
I cannot ping my provider's gateway even under normal circumstances. My provider is Deutsche Telekom (in Germany). It seems that my provider's default gateway drops ICMP. I use 8.8.8.8 for monitoring the gateway for that reason.
When I had the problem the gateway seemed to be up (which is no surprise when a ping from the pfSense box to 8.8.8.8 was possible).
Because the problem is not occurring right now I cannot repeat pings and traceroutes with the same results now.
I will record output of traceroute and ping in detail next time.
Regarding firewall logging:
I do log actions by the default deny rules. There are no blocks visible in the firewall log. The problem seems not to be related to changes in the firewall rules: I haven't made any changes recently. After reboot of the pfSense box everything worked again also without changes to the firewall.
Regarding new IP:
I didn't check this. How would I do this btw? (I never needed that until now …).
This is all really weird. Thanks again for helping!
-
-
New IP: Status -> Interfaces and then "Disconnect" for the WAN interface.
Gateway not responding to pings is a common disease for Telekom/Congstar ;D
-
Thank you chemlud,
next time this problem occurs I can check whether I can get around it this way.
Telekom-gateway not responding to ping is not such a severe problem. As long as I have a reliable substitute for monitoring this is fine. It would be a problem however if a problem with connectivity is not on my side but in the Telekom network between the default Gateway and other hosts in the internet. Fortunately this seems to be quite reliable …