pfSense is driving me nuts: ICMP, DHCP, DNS work. Cannot download web pages


MiniKnight

Well-Known Member
Mar 30, 2012
3,073
974
113
NYC
I'm going nuts.

Fresh installation using the standard configurator

Public IP set on WAN. LAN set to: 10.10.10.1/24

pfSense can ping and curl web pages via the shell. So the WAN is working.

I have a client Ubuntu 18.04 VM:
  • It gets a DHCP address 10.10.10.10
  • It gets DNS servers
  • It can resolve hostnames and I'm using Wikipedia here
  • I can ping Wikipedia and other sites
  • Firefox won't connect to Wikipedia
  • curl won't get Wikipedia
Has anyone tried this? ICMP flows fine. I used the default firewall rules, and then added a pfSense "pass any LAN to any" rule and pass any WAN rule.

What can this be?
 

RTM

Well-Known Member
Jan 26, 2014
956
359
63
If it is a virtual pfSense, you could be hitting an issue due to use of paravirtual (or whatever they are called) NICs.

You may need to disable hardware checksum offload as described on this page: Virtualization — VirtIO Driver Support | pfSense Documentation

You can also use a virtual NIC model like Intel e1000, that might do the trick as well.
But the other option is the generally recommended solution AFAIK.
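
Added example, not part of the original thread: a small Python check of the TCP checksum, the field that hardware checksum offload leaves for the NIC to fill in, for use on a segment captured on the receiving side of the virtual NIC. The addresses, ports and the SYN segment below are constructed sample values, and the function names are this example's own.

```python
import ipaddress
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = (ipaddress.IPv4Address(src).packed
              + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(segment)))   # zero, proto=TCP, length
    return ~ones_complement_sum(pseudo + segment) & 0xFFFF

def checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """Summing a segment with its checksum field included must yield 0."""
    return tcp_checksum(src, dst, segment) == 0

def build_syn(src: str, dst: str, fill_checksum: bool) -> bytes:
    """Constructed 20-byte SYN; fill_checksum=False mimics a segment whose
    checksum was left for the NIC and never completed."""
    hdr = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | 0x002,
                      64240, 0, 0)
    if fill_checksum:
        csum = tcp_checksum(src, dst, hdr)   # computed with field = 0
        hdr = hdr[:16] + struct.pack("!H", csum) + hdr[18:]
    return hdr

if __name__ == "__main__":
    SRC, DST = "10.10.10.10", "198.51.100.7"   # constructed addresses
    for label, filled in (("checksum filled in", True),
                          ("checksum left unfilled", False)):
        seg = build_syn(SRC, DST, filled)
        verdict = "valid" if checksum_ok(SRC, DST, seg) else "INVALID, receiver drops it"
        print(f"{label}: {verdict}")
```

A capture taken on the sending host itself will show unfilled checksums whenever transmit offload is on, so run the check on bytes captured after they have left the virtual NIC.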
 

MiniKnight

@RTM know that on this day, you are a god.

E1000 worked for me and I didn't have to disable checksum offload. That's insane and why I've been going nuts. I knew the configuration was OK in pfSense.

Thank you.
 

RTM

I am glad it solved your problem :)

I have managed to forget it so many times now that I just make it a point to always use e1000 for pfSense VMs; it is just absurd how it appears to work but not quite anyway.

I don't really like to disable the checksum offload functionality either, as that would disable it on NICs that have been passed through via VT-d as well. But then e1000 is (probably?) limited to 1 Gbps, whereas VirtIO/VMXNET3 is not, so there are pros/cons with everything.

I wonder what the performance/CPU impact of disabling it is in non-virtual (or VT-d) environments.
 

zer0sum

Well-Known Member
Mar 8, 2013
849
474
63
Weird... because I use pfSense 2.4.4 on VMware ESXi 6.7 and use exclusively VMXNET3 interfaces without any problems at all.

I have IPsec and OpenVPN tunnels running, with WAN/LAN/DMZ/etc. and use NAT/DHCP/DNS, port forwarding, etc.

Did you mess with Outbound NAT at all?

 

RTM

To be fair, I am the one who included VMXNET3; it is quite possible ESXi is not affected at all.
I couldn't remember if I had this issue on ESXi, so I included it when I listed paravirtual NICs. I guess it all depends on how you read it, but I can see why including it could cause confusion - sorry.