PfSense 2.2 not passing traffic, but ping does get through
-
Hi,
I have a fresh 2.2 install on a KVM guest. The host has two physical network interfaces (bridges), one LAN, one connected to my ISP router (LAN side of the router, so pfSense WAN side is a private network). pfSense has two virtio interfaces. I understand this setup causes double NAT, but I have no choice, my ISP does not allow other equipment or config changes to their router.
The following fails:
- Clients cannot reach the internet, no traffic gets passed. Ping DOES work however, see below!
- pfSense console: telnet <isp router="" lan="" ip="">80 > no connection, seems pfSense itself cannot do anything but ping hosts
- pfSense console: telnet <any webserver="">80 > no connection
The following all works:
- I can reach the webconfig via the LAN
- LAN clients can ping everything, using pfSense as their gateway, all the way to 8.8.8.8 (!)
- pfSense can ping everything, all the way to 8.8.8.8 and everything on the LAN
- Clients connected directly to the ISP router can access the internet just fine
The following config checks look OK to me:
- Firewall rules are clean, default (allow LAN to access everything. automatic NAT)
- Private networks are not blocked, bogon networks are not blocked on the WAN interface
- Gateway (ISP router LAN side) is the default and only gateway and is UP
- Double-checked IP addresses, subnet masks, gateways address.
Version: 2.2-RELEASE, built on Thu Jan 22 14:04:25 CST 2015</any></isp>
-
Are you able to ping by hostname or only by IP?
(from both client machines and pfsense)
-
Both. pfSense is able to resolve host names using 8.8.8.8. DNS lookup via the web configurator works.
If I configure a LAN client to use pfSense as a local DNS server, lookups work too. So clients can ping google.com and they get replies.This is a copy/paste from diagnostics / DNS lookup:
Resolve DNS hostname or IP
Hostname or IP
= 216.58.219.174Resolution time per server
Server Query time
127.0.0.1 5 msec
8.8.8.8 107 msec
8.8.4.4 87 msec
More Information: Ping
Traceroute
NOTE: The following links are to external services, so their reliability cannot be guaranteed.IP WHOIS @ DNS Stuff
IP Info @ DNS Stuff
-
And this is a copy/paste from Diagnostics / Ping:
PING google.com (216.58.219.78): 56 data bytes
64 bytes from 216.58.219.78: icmp_seq=0 ttl=55 time=55.964 ms
64 bytes from 216.58.219.78: icmp_seq=1 ttl=55 time=55.682 ms
64 bytes from 216.58.219.78: icmp_seq=2 ttl=55 time=56.017 ms–- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 55.682/55.888/56.017/0.147 ms
-
So you can ping things by both IP and hostname -> everything is working? What is the actual issue here?
-
If I set pfSense as my default gateway, I can ping, but I cannot access anything else. No ssh, no http. I was hoping pfSense would allow me to do more than just ping ;-)
Edit: I just realized, ssh and http are TCP. Is it possible pfSense is passing UDP (DNS) and ICMP (ping) but not TCP?
-
Assuming you have the default "Default allow LAN to any rule" on LAN then it should pass everything through from LAN -> WAN. Check the firewall log and do a packet capture to see whats going on.
-
Instead of letting people guess, why don't you just check/post firewall logs/rules here?
-
These (see attachment) are the LAN firewall rules. The WAN tab is empty.
Text version:ID Proto Source Port Destination Port Gateway Queue Schedule Description
* * * LAN Address 80 * * Anti-Lockout Rule
IPv4* LAN net * * * * none Default allow LAN to any rule
IPv6* LAN net * * * * none Default allow LAN IPv6 to any rule
-
As for the firewall log, it's empty. It did contain IP6 related entries. I disabled IP6 on the client, cleared the log and tried connecting to the internet via pfSense again. Nothing appeared in the log.
The system dashboard shows:
2.2-RELEASE (i386)
built on Thu Jan 22 14:04:25 CST 2015
FreeBSD 10.1-RELEASE-p4
Unable to check for updates.pfSense is unable to check for updates, although it can ping the world, resolve host names and it's connected to a router that allows full internet access - clients connected directly to the ISP router can connect to anything on the internet.
I think: no TCP routing is happening here. Or it is happening, but no NAT is happening. The ISP router would not know what to do with non-NATted packets from the pfSense LAN side.
-
This is wat the NAT outbound rules look like. It's a fresh install, no changes.
-
Packet captures below. I can't see what's wrong from this, at least not yet.
Packet capture, LAN side.
Client 192.168.0.196 is trying to access Google (216.58.219.78:80)
pfSense LAN side is 192.168.0.25219:06:53.285513 IP 192.168.0.252.53 > 192.168.0.196.60003: UDP, length 76 19:06:54.714668 IP 192.168.0.196.51332 > 216.58.219.78.80: tcp 0 19:06:54.841045 IP 192.168.0.196.56142 > 192.168.0.252.53: UDP, length 37 19:06:54.845216 IP 192.168.0.252.53 > 192.168.0.196.56142: UDP, length 77 19:06:54.846406 IP 192.168.0.196.51338 > 216.58.219.78.443: tcp 0 19:06:54.951584 IP 192.168.0.196.51333 > 216.58.219.78.80: tcp 0 19:06:55.291665 IP 192.168.0.196.51336 > 216.58.219.78.443: tcp 0 19:06:55.455828 IP 192.168.0.196.51337 > 216.58.219.78.443: tcp 0 19:06:56.671783 IP 192.168.0.196.51334 > 62.69.175.109.80: tcp 0 19:06:56.809020 IP 192.168.0.196.52478 > 192.168.0.252.53: UDP, length 28 19:06:56.810237 IP 192.168.0.252.53 > 192.168.0.196.52478: UDP, length 44 19:06:56.811612 IP 192.168.0.196.51339 > 216.58.219.78.80: tcp 0 19:06:57.062611 IP 192.168.0.196.51340 > 216.58.219.78.80: tcp 0Same scenario, now WAN side. pfSense WAN is 192.168.7.252, ISP router is 192.168.7.254
19:07:51.898694 IP 192.168.7.252.27180 > 205.251.192.57.53: UDP, length 44 19:07:52.198428 IP 205.251.192.57.53 > 192.168.7.252.27180: UDP, length 196 19:07:52.204635 IP 192.168.7.252.56383 > 108.160.165.189.443: tcp 0 19:07:52.210622 IP 192.168.7.252 > 192.168.7.254: ICMP echo request, id 14886, seq 35773, length 44 19:07:52.211711 IP 192.168.7.254 > 192.168.7.252: ICMP echo reply, id 14886, seq 35773, length 44 19:07:53.220143 IP 192.168.7.252 > 192.168.7.254: ICMP echo request, id 14886, seq 36029, length 44 19:07:53.220916 IP 192.168.7.254 > 192.168.7.252: ICMP echo reply, id 14886, seq 36029, length 44 19:07:53.748700 IP 192.168.7.252.9196 > 216.58.219.78.443: tcp 0 19:07:54.008374 IP 192.168.7.252.38630 > 216.58.219.78.443: tcp 0 19:07:54.228310 IP 192.168.7.252 > 192.168.7.254: ICMP echo request, id 14886, seq 36285, length 44 19:07:54.229275 IP 192.168.7.254 > 192.168.7.252: ICMP echo reply, id 14886, seq 36285, length 44 19:07:55.201675 IP 192.168.7.252.56383 > 108.160.165.189.443: tcp 0 19:07:55.267333 IP 192.168.7.252 > 192.168.7.254: ICMP echo request, id 14886, seq 36541, length 44 19:07:55.268015 IP 192.168.7.254 > 192.168.7.252: ICMP echo reply, id 14886, seq 36541, length 44 19:07:56.307582 IP 192.168.7.252 > 192.168.7.254: ICMP echo request, id 14886, seq 36797, length 44 19:07:56.308639 IP 192.168.7.254 > 192.168.7.252: ICMP echo reply, id 14886, seq 36797, length 44 19:07:56.712085 IP 192.168.7.252.24188 > 108.160.169.188.80: tcp 0 19:07:57.039836 IP 192.168.7.252.25088 > 62.69.166.210.80: tcp 0 19:07:57.303517 IP 192.168.7.252.27234 > 216.239.32.10.53: UDP, length 39 19:07:57.307442 IP 192.168.7.252 > 192.168.7.254: ICMP echo request, id 14886, seq 37053, length 44 19:07:57.308079 IP 192.168.7.254 > 192.168.7.252: ICMP echo reply, id 14886, seq 37053, length 44 19:07:57.388742 IP 216.239.32.10.53 > 192.168.7.252.27234: UDP, length 44 19:07:57.394470 IP 192.168.7.252.8493 > 216.58.219.78.80: tcp 0 19:07:57.646223 IP 192.168.7.252.49477 > 216.58.219.78.80: tcp 0 19:07:58.320115 IP 192.168.7.252 > 192.168.7.254: ICMP echo request, id 14886, seq 37309, length 44 19:07:58.320916 IP 192.168.7.254 > 192.168.7.252: ICMP echo reply, id 14886, seq 37309, length 44 19:07:59.330378 IP 192.168.7.252 > 192.168.7.254: ICMP echo request, id 14886, seq 37565, length 44 19:07:59.331114 IP 192.168.7.254 > 192.168.7.252: ICMP echo reply, id 14886, seq 37565, length 44 19:07:59.743873 IP 192.168.7.252.9196 > 216.58.219.78.443: tcp 0 19:08:00.003967 IP 192.168.7.252.38630 > 216.58.219.78.443: tcp 0 19:08:00.339999 IP 192.168.7.252 > 192.168.7.254: ICMP echo request, id 14886, seq 37821, length 44 19:08:00.340785 IP 192.168.7.254 > 192.168.7.252: ICMP echo reply, id 14886, seq 37821, length 44 19:08:00.393862 IP 192.168.7.252.8493 > 216.58.219.78.80: tcp 0 19:08:00.640923 IP 192.168.7.252.49477 > 216.58.219.78.80: tcp 0 19:08:00.647629 IP 192.168.7.252.33846 > 216.239.34.10.53: UDP, length 48
-
Guessing some kind of checksum offloading problem. Which type of NICs are you using in KVM? Try disabling hardware checksum offloading under System>Advanced, Misc. Reboot afterwards to be on the safe side.
-
I found the setting under System > Advanced > Networking.
Disable hardware checksum offload
Checking this option will disable hardware checksum offloading. Checksum offloading is broken in some hardware, particularly some Realtek cards. Rarely, drivers may have problems with checksum offloading and some specific NICs.I selected the checkbox and rebooted. No change. The pfSense VM can ping external hosts, but ssh from the pfSense console to an external ssh server does not work, clients cannot access the internet via pfSense.
These are my KVM NIC settings (virtio). br0 is LAN on the host, br1 is WAN.<interface type="bridge"><mac address="54:52:00:44:13:69"><source bridge="br0"> <target dev="vnet4"><model type="virtio"><address type="pci" domain="0x0000" bus="0x00" slot="0x03" function="0x0"> <interface type="bridge"><mac address="54:52:00:1d:48:7e"><source bridge="br1"> <target dev="vnet5"><model type="virtio"><address type="pci" domain="0x0000" bus="0x00" slot="0x04" function="0x0"> </address></model></target></mac></interface> </address></model></target></mac></interface>
-
I had this same problem with ProxmoVE. pfSense installed as KVM with "VirtIO" emulator which is default for KVM. WAN bride with eth0 and go out. Local bridge for LAN side of pfSense.
Installed Windows & Ubuntu with VirtIO Driver. When Windows VM was set to go through pfSense I could ping but no internet no TCP/UDP connections at all. Same scenario. After bashing my head on the wall for whole sleepless night trying to resolve this. Finally I decided to setup XenServer instead of Proxmox which runs Xen hypervisor.
Implemented the same setup in XenServer with all default settings. Windows was installed with default Realtek NIC driver. Alverything worked perfectly fine.
When I installed xe-tools which turned Realtek NIC to "Xen Paravirtualized driver" it stopped work with same results as above. When I uninstalled xe-tools it worked again.
Conclusion
From this what I can see is Paravirtualzied drives are causing this issue in both setup. VirtIO in KVM & PV in Xen. With other NIC emulators like e1000 or Realtek it works fine.I haven't found a solution to get this working with para drivers which will improve the performance.
-
I just ran into this issue too. I have been beating my brain to figure out what the issue was. Once I switched the vNICs to e1000 everything worked.
-
how to change vNICs to e1000 in xenserver 6.5
-
Hello,
I am running in the same problem just, it is not a Virtual Machine, just a normal HP server with 4 Intel NICs…I already disabled the Hardware checksum offload, and disabled "fast IP forwarding", but on one of my server (the primary) after a reboot this happens... :S
Thanks,
Michele
-
facing a similar issue since few days, have read almost every thread on this topic but couldn't make it work yet..!
My network setup is as follows
ISP modem to rl0 ie wan on pfsense , lan re0 to my switch box .
everything was fine until last two days suddenly pfsense stopped giving access to the internet,, tried almost everything known but no success,, finally reconfigured the pfsense NO SUCCESS still.
mine is a static IP connection ,
I am able to ping anything and everything from the pfsense ping host using ip address aswell as the host-names, However i am not able to ping through the client using HOST-NAMES only IP address works and thats what i think is the problem,,ANY HELP would be heartily appreciated.. ! thanks in advance..
-
i am not able to ping through the client using HOST-NAMES only IP address works
Sounds like a DNS issue. Check your client DNS settings and work up from there. What is DNS for your network? pfSense?
-
Thanks for the reply KOM.
my dns addresses are as follows : pref dns; 103.29.249.245
alt dns :8.8.8.8Also if i configure the same settings in my DLINK DIR 600 ROUTER ie if i bypass the pfsense everything seems to work perfect. , my clients systems are on DHCP and refer to the pfsense LAN ip ie 192.168.0.1 as the gateway and the DNS server,
-
I had the same problem as described in op with Xen and pfSense. The first sticky post in this forum describes the problem and a workaround. In the end, I had to turn off just the checksum offload on my private network using ethtool.
IMPORTANT: Xen/KVM networking will not work on 2.2 using default hypervisor settings!
https://forum.pfsense.org/index.php?topic=88467.0
-
I had this same problem with ProxmoVE. pfSense installed as KVM with "VirtIO" emulator which is default for KVM. WAN bride with eth0 and go out. Local bridge for LAN side of pfSense.
Installed Windows & Ubuntu with VirtIO Driver. When Windows VM was set to go through pfSense I could ping but no internet no TCP/UDP connections at all. Same scenario. After bashing my head on the wall for whole sleepless night trying to resolve this. Finally I decided to setup XenServer instead of Proxmox which runs Xen hypervisor.
Implemented the same setup in XenServer with all default settings. Windows was installed with default Realtek NIC driver. Alverything worked perfectly fine.
When I installed xe-tools which turned Realtek NIC to "Xen Paravirtualized driver" it stopped work with same results as above. When I uninstalled xe-tools it worked again.
Conclusion
From this what I can see is Paravirtualzied drives are causing this issue in both setup. VirtIO in KVM & PV in Xen. With other NIC emulators like e1000 or Realtek it works fine.I haven't found a solution to get this working with para drivers which will improve the performance.
I wanted to post here to first say a deep and heartfelt THANK YOU for posting this as I spent days trying to work out why all my Linux boxes didn't have internet but my Mac's and Windows machines did. After trying loads of tests and variations I found your thread which was the final clue :)
For the record (and to help people searching with similar issues) I am running pfsense on a Virtualised installation on a QNAP server, it worked great apart from Linux VM's not having internet and the QNAP itself (if sharing a virtualised switch) also lacking internet. If you route the QNAP via a none virtualised ethernet socket then you aren't affected.
Ping worked just fine. When I swapped to the Realtek ethernet emulator everything started working again.
-
@Bullz3y3 Your advice on switching to e1000 is as good on the latest version of Proxmox and the latest version of pfsense as it was in 2015, this was driving me insane, thank you!
-
@bullz3y3 I can definitely confirm your suggestion to change the network adapter to e1000 for proxmox. Thanks!
-
I am having no problems putting traffic through modern pfSense installs on a modern proxmox VE installation using the virtio drivers.
I, too, suffered from the issue with XenServer but there were fixes (using HV drivers or disabling the checksums in the VM).
-
@derelict could you please run iperf from pfsense to the host and copy&paste the output here? And maybe from a linux vm to the host?
Many thx
-
Full speed, but I only have 350/30 here.
The problems on XenServer resulted in almost no throughput when using TCP, like single-digit kilobits-per-second. If you are seeing just lower-than-expected throughput then it's a completely separate issue and you should start a different thread.
Don't performance-test by running iperf on the firewall. Test through the firewall.
-
@derelict thx for your replay, i already stared a thread "https://forum.netgate.com/topic/138988/pfsense-on-kvm-slow-network-speed" but nobody replayed, that's why i asked here. ^^
i am more interested in throughput between two local subnets through the firewall than between local net and internet.
-
1.6 Gbit/sec between two VMs in each direction. Single-stream TCP.
iperf3 hosts are on 1302 and 1201.
-
Sorry for adding to an old post but just wanted to add another +1 to this in case someone else is struggling.
Anything ICMP related seemed to work fine (ping, trace route etc) but no web, ssh, telnet, etc.
under System / Advanced / Networking; disabled Hardware Checksum Offloading, saved the setting and everything seems to have sprung into life again.
pfsense: 2.4.4-RELEASE-p3
vm host: ubuntu 16.04.6
using KVM and virtio NICs
-
@Bullz3y3 Hello..
here same situation... really frustrating..I have tried any kind of network card in proxmox.. can't reach internet from the virtual lan.
If start all lan virtual machines and I reboot the pfsense.. all works.. if i restart a lan VM with pfesense running, no internet connection...
ooh s***!!!
-
My entire lab is in proxmox. Works absolutely fine.
It is key to disable the checksum offloads or you won't be able to pass traffic reliable becasue the checksums will fail due to the way the networking stack in proxmox/kvm works. This is not an uncommon requirement in other hypervisors either.
-
But it is the first setting that i have made on pfsense after installation..
I have tried to change the network type..and nothing.. and the fact is that this error replicate in any other proxmox host installation....
-
I do not have such problems. Those settings should only be needed on guests that actually pass traffic through them.
I have never needed to do anything special on guests that simply transmit and receive traffic on one interface (Linux, Windows, FreeBSD, etc).
-
-
No idea about e1000. I always use virtio.
I do know that these checksum issues were completely absent in XenServer when you disabled PV NICs but you had to tweak the VM interfaces to not use checksums if you used PV NICs so what you have might behave completely different from what I am doing.
-
e1000 is only one of the test changing ethernet card type.
I was using virtio first.. same problem
-
if I apply the reboot with re-run startup sequences all works newly in the lan...
really strange
-
@Derelict installed now windows 10, and don't have the network problem that affect linux vps...
