Can ping to LAN but not Web Configurator

stephenw10 · Sep 11, 2014, 8:47 PM

Some devices do not redirect to https when you try to use http and behave like this.
If you had two devices trying to be 192.168.1.1 would you get ping response in both directions? Especially if one of them was the switch.

Steve

johnpoz · Sep 11, 2014, 10:36 PM

no you could get answer to ping

so from 192.168.1.100 I ping 192.168.1.1 but get mac of say the switch IP.. He answers. When you ping the 100 from pfsense .1 he pings the mac of .100 and .100 send answer to the mac that asked.

stephenw10 · Sep 11, 2014, 11:36 PM

Hmm, yes layer 2/3 difference. The MAC would show though as you've been saying.

Steve

SKT174 · Sep 11, 2014, 11:57 PM

Thanks for all the input guys, really appreciated.

As suggested, I've taken out the switch, now directly connect my notebook to LAN interface (white cable , UE1 on pfsense), WAN (UE0) still the same Red Cable

I followed the instructions as shown to me

I can't confirm the MAC address as the J5 creator doesn't print the MAC on the unit nor the package it came with

I've checked my Proxy setting to make sure

I've installed Wireshark and as soon as I go to the pfsense box (192.168.1.1) I get the RED text on Black shown in Wireshark

SKT174 · Sep 12, 2014, 12:05 AM

Oh I forgot to mentioned . Yes I've connected to another pfsense box to that address in the past.

And .. I've also tried connecting using another Desktop PC, same results.

It is a clean install, it doesn't route internet traffic yet, WAN interface is connected but I can't access internet on my notebook.

stephenw10 · Sep 12, 2014, 12:14 AM

Hmm, weird. Looks like the pfSense box is replying but your laptop is ignoring the replies. Perhaps. :-\

Are you able to browse other external sites? Ping external addresses? In other words is routing working?

I notice your WAN interface has auto-negotiated to 10Mb which is odd but shouldn't be causing this.

Steve

Derelict · Sep 12, 2014, 12:32 AM

I've installed Wireshark and as soon as I go to the pfsense box (192.168.1.1) I get the RED text on Black shown in Wireshark

SYN from you
SYN,ACK from pfSense
ACK from you should be next. It's not there so you aren't getting the webConfigurator.

SKT174 · Sep 12, 2014, 12:37 AM

So .. just to be sure I'm not doing anything stupid…

I've wipe & Re-Install PFsense again.

I selected option 1

I selected option I

And it is still not working for some strange reason.

The routing isn't working either as I can't access external internet.

kejianshi · Sep 12, 2014, 1:22 AM

More USB ethernet…

Trouble shooting these setups is always hard when they are so simple and yet things refuse to work, but I don't like USB ethernet, and I'm sure its working for some people in some installations, but up to this point, its the most likely culprit I've noticed. You don't have even a single built in NIC?

SKT174 · Sep 12, 2014, 1:21 AM

I'm thinking whether it's those USB ethernet adapter is causing it. I'll see if I can try another brand and see if it makes any difference.

stephenw10 · Sep 12, 2014, 1:50 AM

Hard to believe it would work with ICMP but not TCP.
As Derelict said your client is not responding. This appears to be a client side issue. Yet you say you tried a different client? Different browser?

Steve

Derelict · Sep 12, 2014, 1:47 AM

You want to check that "Block private networks" is unchecked on your WAN interface. I don't know if the installer does that by default if it detects a private WAN address.

Is that wireshark capture a few messages back taken from the 192.168.1.100 windows client? If so, you need to figure out why it is not sending an ACK in reply to the SYN,ACK sent by pfSense in the connection process before you waste any more time looking at pfSense.

Or, as has been mentioned, USB ethernet interfaces: not a fan. BUT if they're mucking up the works, it should show in the SYN,ACK captured by wireshark.

Guest · Sep 12, 2014, 7:02 AM

If you look at "Valid interfaces are" the answer is:

Probably not…

Derelict · Sep 12, 2014, 7:11 AM

Yeah. More likely some software firewall or antivirus or ? on the windows pc.

johnpoz · Sep 12, 2014, 10:14 AM

You will notice that the connection just kind of dies.. Not only do you see retrans from pfsense you call see retrans from .100 to .1

It is not answering dns queries either..

Juts for be complete - how you would verify the mac your pinging is to look in your arp table on the .100 box

So

C:>arp -a

Interface: 192.168.1.100 –- 0xc
Internet Address Physical Address Type
169.254.7.80 00-26-24-08-8a-ed dynamic
169.254.82.185 00-1c-c3-09-05-7a dynamic
192.168.1.3 00-0c-29-c8-f2-dc dynamic
192.168.1.7 00-0c-29-dd-02-ba dynamic
192.168.1.8 00-0c-29-55-4f-95 dynamic
192.168.1.40 00-1f-29-54-17-14 dynamic
192.168.1.97 00-26-24-08-8a-ed dynamic
192.168.1.98 00-1c-c3-09-05-7a dynamic
192.168.1.99 00-06-dc-43-ad-78 dynamic
192.168.1.253 00-0c-29-1e-18-ae static
192.168.1.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
239.255.255.250 01-00-5e-7f-ff-fa static

You notice from my workstation that is the mac I saw on my ifconfig..

Your sniff is odd.. You see 3 different connections to 80.. And yes you see the syn-ack back, but you never send ack? And actually start the conversation.. And then you just see a bunch of retrans

You see retrans from pfsense sending his syn-ack because he never got back the ack.. And you see .100 sending back his syn because seems he thinks he never got the syn-ack.

Need to figure out why your client .100 did not send back ACK to the syn-ack he was clearly sent and seen by wireshark for the 3 different connections you tried to create to http (80)

Do you have another client you can try?

Derelict · Sep 12, 2014, 5:00 PM

MACs will also be in your wireshark captures.

johnpoz · Sep 12, 2014, 7:43 PM

yeah in there it looks right

to where he is sending the request for 80

Derelict · Sep 12, 2014, 7:57 PM

Are these captures taken on .1 or .100?

It makes a difference because if from .1 we know the SYN-ACK was sent, but not that it was actually received. If from .100 we know it was sent and received.

johnpoz · Sep 12, 2014, 8:23 PM

Have to assume it is taken on .100

Since he states
"I've installed Wireshark and as soon as I go to the pfsense box (192.168.1.1) I get the RED text on Black shown in Wireshark"

I doubt he installed wireshark on the pfsense box ;)

SKT174 · Sep 15, 2014, 12:38 AM

Hi Guys

I want to isolate the problem, so I grab an old desktop, put an extra NIC in it and install PFSense.

Notebook, Cables, is the same, only difference here is the pfsense box.

Once installation finished

Everything works as it should, I can go to Web Configurator, i can access external internet.

So …

For some strange reason.. pfsense doesn't like those USB to NIC adapters, even though you can ping it.

So disappointed as I really want to use those Intel NUC for pfsense.

Thanks so much for the help, really appreciated. :)