No internet from LAN after 1 hour: NAT weird(?)



  • G'evening  ;D

    Having been inspired by the great Chris/CMB to install the 2.2 RC, I just did today. This is what I did:

    • Installed the memstick from the mirror onto my second machine, the Dell R200 (btw, the problem that you need to disable all kinds of bios settings first in order to install, specific for the Dell, that was there in 2.0 and 2.1, is gone  :) );

    • Updated to the latest snapshot twice (one was there right after I installed, when I was finished installing packages the dasboard said there was a new one dated Jan. 7, so I installed that too. Note: the problem I am writing about in this thread was already there before the second snapshot, so today's snapshot).

    • Setup interfaces (dual WAN, failover group, only one WAN (VDSL) connected as WIFE was busy on the other machine (cable) and needed internet too).

    • Rebooted.

    • Restored firewall rules, aliases, DHCP static assignments, traffic shaper, from a cfgbackup (these settings I have manually created a couple of days ago, when I was completely reinstalling my first box to get rid of some other errors. So they are considered to be fresh).

    • Setup /boot/loader.conf.local network card tweaks for igb and bge (wiki).

    • Rebooted.

    • Installed packages: nut, mailreport, vnstat, FreeRadius (Enterprise).

    • Installed OpenVPN client PrivateInternetAccess.

    • Went on to test. All worked fine, except for firewall rule descriptions not showing.

    • After 1 hour: internet from LAN (my Debian box) suddenly gone. No website loaded anymore.

    • Ping pfSense from LAN: it resolved the IP, but the ping timed out (tried that with other sites too, taking sites I hadn't visited for months (like abc.com), to make sure it was not some locally cached IP).

    • ping www.google.com through SSH from pfSense: worked.

    • Removed the setting from step .6. and rebooted. Didn't solve anything.

    • Disabled all firewall rules everywhere, and activated the default 'allow LAN out any any'. Nothing.

    • Double-checked DNS Forwarder servicing LAN, it did. Restarted the service.

    • Double checked: there are four external DNS-servers in System/general, all pingable from the pfSense box.

    • Got lost  :-[ [/li]

    • Got downstairs, kissed WIFE told her I love her and she has the best box currently (because she still has internets albeit no failover between WAN and WAN2), and got beer ( ;D )

    • Tried to get upstairs again to my office: jumped to hide away from my Rottweilers who tried to jump on me to play with Daddy ( ;D ).

    • Started snooping around double checking: and then I saw something weird in NAT.

    • Obviously, the GUI has changed in 2.2, as now in NAT it doesn't show 'WAN address' as a description only, but the actual WAN address itself.

    • I noticed that the actual WAN address shown in NAT is not the actual WAN address I was currently having. Not even after the reboots.

    • Could this have anything to do with it? I am lost  ???

    • I've attached 3 screenshots.



  • The old IP being in there is a bug where it's hard coding the specific IP it has at the time rather than leaving it to the interface IP when you switch from auto to manual outbound, working on fixing that now.

    You probably want hybrid mode in 2.2 rather than manual anyway, just easier to deal with in your circumstance I think. You can manually add specific outbound NAT rules that apply before the auto-generated ones. I'd switch it to hybrid, and delete all the outbound NAT rules with the exception of the ones for your VPNs.



  • @cmb:

    The old IP being in there is a bug where it's hard coding the specific IP it has at the time rather than leaving it to the interface IP when you switch from auto to manual outbound, working on fixing that now.

    That's fixed now, though only for newly-generated manual outbound NAT rulesets after the switch from auto to manual. Your existing rules there will need to be deleted. Though you don't need them anyway I don't think, see previous post re: hybrid mode.



  • Great CMB, thank you; I switched to hybrid, deleted the existing rules, and hoppa, it's working again  ;D

    Thank you for this ultra-fast help  :)


Log in to reply