New installation of 2.2.6 (also tried beta 2.3) no internet, but ping works
-
I am gonna lose the rest of my hair…
Have been running pfSense in a small hotel now for a few years and it works very well.
Then I wanted to use it in a school where I am doing some work now and we bought the same SuperMicro computers that is used as the pfSense rackmount appliance with 8 core processor and 8GB RAM. We installed it on an 160 GB SSD.
After installation, I set IGB0 as the WAN and IGB1 as LAN.
I can connect to the firewall and I can get the GUI. WAN is connected to a public IP and if I connect the same computer I use to see the GUI to the public net, I am online immediately.
BUT - I can not get internet through the firewall. I have re-installed it several times. From the diagnostics in the GUI, I can ping servers that are anywhere in the world using URL, not only IP address. But pfSense is not able to check it's own version information/upgrade.
I am scratching my head and wondering what I am doing wrong. It must be something simple. I have been checking many threads in the forum, but can not find anything that matches completely and no solutions that work for me.
-
https://doc.pfsense.org/index.php/Connectivity_Troubleshooting
-
not much to go on here, but i'll give it a go
-
do you get an ip on your WAN interface? If not: reboot the (cable)modem
-
what kind of ip are you getting? if RFC 1918: uncheck "block private networks' on interfaces–>WAN
-
-
heper: Should be a lot to go on :-) - I can ping any server from the firewall - meaning I have correct IP on wan. I also said it was a public IP.
I am on Ethernet, not any modem etc.
The installation is completely new. No firewall rules etc. Nothing has been changed. This means WAN is on DHCP and LAN is using 192.168.1.1.
ptt: Nothing wrong according to that guide.
-
Sounds like you either:
Have no rules on LAN to pass traffic
Have no Outbound NAT rules so traffic is not being translated.
Both of these conditions are all set to go after a default install.
Or a DNS issue.
When you connect a computer to LAN:
Do you get an interface config from DHCP?
Can you ping the IP address DHCP gives you as a gateway?
Can you ping the IP address of the pfSense WAN?
Can you ping 8.8.8.8?
Can you resolve names?
Can you ping www.google.com?
What did you put in System > General Setup for DNS Servers?
Did you check Allow DNS server list to be overridden by DHCP/PPP on WAN ?
Did you check Do not use the DNS Forwarder or Resolver as a DNS server for the firewall?
-
Sorry for not replying immediately. We are not adding this firewall until we know it is ok, and we have a lot of other things to do as well, so I will try to put in some extra hours to get this done…
I am quoting the best answer so far and commenting on the different statements.
Thank you for taking the time to help!!!
Svein
Sounds like you either:
Have no rules on LAN to pass traffic
Have no Outbound NAT rules so traffic is not being translated.
Both of these conditions are all set to go after a default install. <- As I said in my first post, everything is vanilla. All rules that should be on a default install are there.
Or a DNS issue. <- This is what I have concluded so far as well. But exactly what kind of DNS problem is not easy to find out. Remember this: I have done a plain install of 2.2.6 and 2.3 beta and both behave exactly the same.
When you connect a computer to LAN:
Do you get an interface config from DHCP? Yes. There is no problem with the DHCP server on pfSense
Can you ping the IP address DHCP gives you as a gateway? Yes. See above.
Can you ping the IP address of the pfSense WAN? Yes.
Can you ping 8.8.8.8? Yes.
Can you resolve names? No.
Can you ping www.google.com? No.
What did you put in System > General Setup for DNS Servers? At the start, nothing. WAN was set to DHCP and that should work out of the box…
Did you check Allow DNS server list to be overridden by DHCP/PPP on WAN ? Yes
Did you check Do not use the DNS Forwarder or Resolver as a DNS server for the firewall? No.
I finally managed to get things working by adding a full list of DNS servers in the general setup as well as adding the same servers in the pfsense DHCP server.
Is there a good application to analyze a DNS setup from Windows 7? During boot, pfSense is "pausing" for a long time at the two "DNS lines". As we are on the campus network and we have our own DNS here, it should be really fast. This is a university college and we have 10 Gb in here (I only have around 1 Gb in the office where I am testing…).
-
I will install 2.3 RC on one of the boxes (we bought two…) and see if things are the same now.
-
So… Installed 2.3RC and got the same result. It is really confusing as I have been using pfSense for several years and it is the first time I am experiencing this.
One possibility I need to check is if the line I am on has any restrictions. They use access lists here, and I will ask for an IP address that is completely without any restrictions. Just to be sure.
I am also wondering if there could be any problems with their DHCP server. That would also explain any trouble. So I will look for a program I can run on Win7 to test the DHCP server. Any suggestions?
-
Can you resolve names? No.
Out of the box pfsense both 2.2.6 and 2.3 use resolver mode… So does not matter what dns you put in pfsense general setup.. Its going to use unbound to resolve, not forward. So if your network is blocking direct outbound access to 53 udp/tcp and your only allowing access to known public dns, or your own internal dns server your going to have problems.
Try changing pfsense to forwarder mode (dnsmasq)or enable forward mode in unbound. And point to whatever dns server you want pfsense to use..
-
Resolver/Unbound is very early and fast up during (re)boot, that's to say when your WAN is not connected yet (MoDem, PPPoE, etc.) Then you experience no DNS. So you have to restart Resolver/Unbound.
-
Another thing that confuses me is that when I click on save to save a change, most times it takes 1-2 minutes to update a setting.
I did a factory reset now and turned on DNS Query Forwarding. I also enabled "Do not use the DNS Forwarder as a DNS server for the firewall". And now it works.
But is this normal?
-
no its not normal, resolver should work out of the box unless there is something in your connectivity that blocks dns to the public internet. Resolver needs to be able to talk to all the roots and tlds and any and all authoritative name servers for whatever domain your looking for.. If you have something that blocks this then yeah the resolver is going to fail.
In such case you need to fix that connectivity, or use forwarder mode to some dns that your allowed to talk to that can resolve for you. Out of the box pfsense should only talk to itself for name resolution, which will then either use resolver or forwarder mode how you have configured it and be able to resolve records you have setup in pfsense.
To be honest the only dns you should see in pfsense is pointing to 127.0.0.1, this is all that should be required in a normal setup using the resolver (unbound)
-
Exactly. I have used pfSense for years and not seen this before. I have to wait until tomorrow to talk to a colleague about the line here. Will get back.
Probably a result of the same problems - I am gettting "Unable to check for updates" in the dashboard.
-
Yeah I would assume so too if pfsense can not resolve shit, it wouldn't be able to check for updates either ;)
-
Got confirmation today that it is not possible to use any other DNS than the two on campus. External DNS'es are blocked - or rather, the port is blocked. Which should be fine, I guess.
Will this impact pfSense in any way?
Also, have you seen this thread? https://forum.pfsense.org/index.php?topic=109179.0
Looks very similar to what I am experiencing.
-
well if all you can use is your dns on your network, then yeah resolver would not be an option for you… You would have to forward to these dns servers you can get to resolve for you.
-
So, anything in particular I should turn on or off?
Also, how do I get the update to work in an environment like this?
-
Update works fine like that, you just need to point pfsense itself to its own forwarder. I personally would just turn off the resolver and enable the forwarder dnsmasq its forwarding features are better than unbound because it can be set to send to all of them and use the fastest response.
-
The firewall is now fully up and running. Thank you very much johnpoz for your help!
We are using 2.3.1 now on this hardware:
https://www.supermicro.nl/products/system/1U/5018/SYS-5018A-FTN4.cfm
One thing that had me scratching my head for a while was that when I installed pfSense, things were working ok. Then I set up fixed IP and it did not work. My very silly mistake was that for some reason, /32 is standard when setting manual IP. After changing to /24 things were working again.
Also, as mentioned above, we had to use the campus DNS'es.
So far, things are working smooth. I also hope we can get a feed from our broadcast clock that is synced to GPS so our whole network will be completely in sync with the clocks on the walls. But that is a project for another day - as well as setting up a second firewall as redundancy.
-
As to the /32 - well it has to default to something. So it could be either a non viable option like select me I guess, or some other mask. What do you feel should be the default mask? /24 - while that might be common on a lan side interface, normally that wouldn't be correct for a static wan.. I would guess something smaller for a common public IP range.
When setting a static IP it would seem realistic to expect the person setting it to validate they are are indeed setting the correct mask for their use ;)
Glad you got it sorted.. I would assume you can query your campus ntp via unicast as well, and not just rely on broadcast. I don't see a way in the gui to select broadcastclient mode.. Guess it would always be viable to edit the ntp conf directly vs using the gui, but this is normally not a good idea. Such edits don't normally survive service restarts unless you edit the actual pfsense files that start and stop the services - which these do not survive updates to pfsense, etc.
Would seem odd they would only provide broadcast as a means of sync to ntp.
