After updating WAN IP traffic does not route over the WAN interface anymore.

  • So I had my ISP update my external IPs, as an example it changed from to

    After this all WAN traffic has stopped routing.

    They are in a /24 block and the gateway has been configured as per the ISP's instructions.

    In this case it is

    The only traffic I see hitting the firewall is broadcast traffic from my LAN, nothing external to internal and if I go to the status of the gateway it says the gateway is down.

    I have a link light on the physical WAN interface and pfSense shows the interface is up.

    As background originally I had a secondary IP in the 10.0.1.x range while also having a 10.0.0.x IP and was doing some testing to try and get virtual IPs set up.

    During that testing I had a virtual IP set up as trying to sort the whole thing out.

    That has been removed and I downloaded the backup config and confirmed it no longer shows in there.

    If there is any way someone can help me sort this out I would be deeply grateful.

    As part of my troubleshooting I also wiped the firewall to factory defaults but that didn't resolve it; I have since restored it from a backup.

    Edit: Static routes are empty, everything is set to flow out the default gateway.

  • LAYER 8 Netgate

    I think you should verify you have everything correct with your ISP.  They are probably in the best position to help you with this.

  • Sorry, I just noticed I forgot to mention, when these settings are inputted into my laptop they work and I have internet traffic while plugged into the modem directly.

    Only through pfSense I have no internet traffic.

    To add to this, if I change the gateway to any other IP it shows as online temporarily but then goes offline about 10 seconds later.

    Image of the connection

  • LAYER 8 Netgate

    Are those IP addresses accurate?  Do you have block private addresses disabled on WAN?

  • No, those are sanitized representations of my actual IP addresses.

    I suppose I could have used a better example but the IP addresses I am assigned are in public, not private space.

  • LAYER 8 Netgate

    Well, without knowing what you're actually dealing with I don't know how we can help you.

    If you configure the WAN interface correctly, it will work.  Double check everything.  Address, netmask, gateway, etc.

  • Gateway as per my ISP
    WAN interface
    WAN status

    Out of frustration I re-installed pfSense and used the latest version 2.2, same issue with the gateway showing offline and no traffic being routed externally on a barebones setup, nothing changed from the stock image aside from the above pics.

    If I put those exact same settings directly into my laptop it functions as intended.

    Is it possible it isn't translating the /24 to a netmask somehow? I'm just pulling at straws here since I can't think what I am overlooking.

  • LAYER 8 Netgate

    Nope.  This can be confirmed looking at ifconfig in the shell.

    When you test with the laptop are you taking the cable out of pfSense and plugging it into the laptop or plugging it in someplace else?

    You might want to talk to your ISP.  You might be looking at an ARP cache issue or something else on their end.

    This is a pretty simple config.

    Nothing in the firewall logs on WAN? With gateway monitoring you should be seeing an entry per second if there's a firewall problem (which there shouldn't be unless you have some floating rules on WAN direction out).

    I trust you have tried it without block bogons checked?  For now I would uncheck them both just to be sure, even though any hits would be logged, I think.

  • This is the output of ifconfig

    $ ifconfig
    em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=4209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
    	ether 18:03:73:c7:7c:06
    	inet6 fe80::1a03:73ff:fec7:7c06%em0 prefixlen 64 scopeid 0x1
    	inet XXX.XXX.XXX.XXX netmask 0xffffff00 broadcast XXX.XXX.XXX.XXX
    	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    	media: Ethernet autoselect (100baseTX <full-duplex>)
    	status: active
    em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=4209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
    	ether 68:05:ca:27:30:24
    	inet netmask 0xffffff00 broadcast 
    	inet6 fe80::1:1%em1 prefixlen 64 scopeid 0x2
    	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    	media: Ethernet autoselect (1000baseT <full-duplex>)
    	status: active
    pflog0: flags=100<PROMISC> metric 0 mtu 33144
    pfsync0: flags=0<> metric 0 mtu 1500
    	syncpeer: maxupd: 128 defer: on
    	syncok: 1
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    	inet netmask 0xff000000 
    	inet6 ::1 prefixlen 128
    	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
    	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    enc0: flags=0<> metric 0 mtu 1536
    	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

    When I test with my laptop I take it from the pfSense WAN port, plug it into my laptop's only ethernet port, configure the interface with the ISP provided values and I have full access.

    For firewall traffic I see nothing hitting the WAN, all LAN traffic only.

    I tried disabling both bogons and private rules and it didn't make a change.

    I've been at this with my ISP for 2 days and they have wiped their hands clean of this. Do you know of a way I could conclusively prove this isn't something related to my firewall?

    btw, I appreciate you taking the time to go through all of this and help me.

  • LAYER 8 Netgate

    Configure your laptop as the ISP default gateway (.254 instead of .130) and plug it into pfSense WAN.  Make sure the laptop allows inbound pings.  Does the gateway come up then?

  • Okay, so that is doing stuff!

    When I do that I show actual data on the status and I see WAN traffic.

    This should mean that something my ISP is doing is cocking it all up correct?

    I also see firewall traffic targeting the WAN port too.

  • LAYER 8 Netgate

    It means that something between your pfSense WAN port and the ISP is hosed.

    The modem?  The ISP?  The cabling?  Something.  Not pfSense WAN.

    If you have some sort of modem, put pfSense back on it, unplug the modem for a few, and plug it back in.  See if that helps.

    I'm still suspecting ARP in the ISP switch.  Plug in pfSense, call them one more time, and have them tell you what MAC address is associated with .130.  If it is not 18:03:73:c7:7c:06, have them clear it and watch your WAN come up.

    Or you could take the MAC address of your laptop and put it into pfSense WAN.  I'd do that as a last resort and if it works, make your ISP fix it so your hardware MAC works.
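A small diagnostic script, added here and not taken from the thread or from pfSense itself, that automates two of the checks discussed above: it converts the hex netmask that ifconfig prints into a prefix length (confirming a /24 became 0xffffff00) and verifies the ISP gateway lies inside the WAN subnet, then reads an `arp -an` listing to see whether the gateway's MAC was ever learned. The ifconfig and ARP samples are constructed, using addresses from the 203.0.113.0/24 documentation range rather than the poster's real ones.

```python
import ipaddress
import re

# Constructed sample in FreeBSD/pfSense ifconfig format (documentation addresses,
# MAC taken from the thread's own output).
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 18:03:73:c7:7c:06
\tinet 203.0.113.130 netmask 0xffffff00 broadcast 203.0.113.255
\tstatus: active
"""

# Constructed `arp -an` output as FreeBSD prints it. An "(incomplete)" entry means
# the neighbour never answered ARP, which is how a dead gateway looks locally.
SAMPLE_ARP = """\
? (203.0.113.254) at (incomplete) on em0 expired [ethernet]
? (10.0.0.50) at 00:0c:29:aa:bb:cc on em1 expires in 1190 seconds [ethernet]
"""

def parse_ifconfig(text):
    """Return {ifname: {"mac", "inet", "netmask"}} parsed from ifconfig output."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+): flags=", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {})
            continue
        m = re.match(r"^\s+ether (\S+)", line)
        if m and cur is not None:
            cur["mac"] = m.group(1)
        m = re.match(r"^\s+inet (\S+) netmask (0x[0-9a-f]+)", line)
        if m and cur is not None:
            cur["inet"], cur["netmask"] = m.group(1), int(m.group(2), 16)
    return ifaces

def wan_network(iface):
    """Turn the hex netmask ifconfig prints into a network (0xffffff00 -> /24)."""
    prefix = bin(iface["netmask"]).count("1")
    return ipaddress.ip_network(f'{iface["inet"]}/{prefix}', strict=False)

def gateway_in_subnet(iface, gateway):
    """True if the configured gateway lies inside the interface's subnet."""
    return ipaddress.ip_address(gateway) in wan_network(iface)

def arp_entry(arp_text, ip):
    """Return the MAC the ARP table holds for ip, or None if unresolved/absent."""
    m = re.search(rf"\({re.escape(ip)}\) at (\S+)", arp_text)
    if not m or m.group(1) == "(incomplete)":
        return None
    return m.group(1)
```

On a live box, feed it the output of `ifconfig` and `arp -an`; a gateway that is inside the subnet yet stays "(incomplete)" in ARP points upstream of the WAN port, exactly as the thread concludes.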

  • Thank you so effing much!

    Turns out that my modem has a cocked up firmware on it that has issues when bridging it.

    After some work with the ISP I am online.

    If possible I would like to send you something via paypal as an appreciation, if you feel like accepting PM me where I can send it to.

    Thank you again!!!

  • LAYER 8 Netgate

    Please donate whatever you feel is appropriate to the Electronic Frontier Foundation or FreeBSD Foundation.

    Glad to help.

  • Consider it done!
