Can ping from firewall and can't ping from Green

Hi
Problem
My problem is that I can ping 8.8.8.8 from the new ipFire firewall cli. I can’t ping from a laptop on green.

Background
I am a long time user of ipCop so ipFire is already familiar to me.
I have a dedicated 4xLAN fanless PC as the firewall.
I am comfortable working with Linux from the CLI.
ipFire is configured as Red, Green, Orange, Blue.
At present, I only have Red and Green connected.

Red is a pppoe on VLAN 10 connection that is working.
Green is only connected to a win10 laptop running the GUI. Green has DHCP enabled.

What I have tried
I can ping 8.8.8.8 from the ipFire firewall CLI and get a response. I know I have a connection out to the internet.

Attempts to ping 8.8.8.8 from the laptop on Green fail.

I have checked the config and all appears to be OK but I suspect my config is not right somewhere.
Green is enabled.
Where should I look next?
What should I check?

Hi
I am not sure if this is relevant but the connection to the isp is reported as “idle” on the Main Page, when it is actually “connected”.
When the connection is reporting idle (even after F5 refresh), I can still ping google.com from the ipFire CLI which means:

  • the connection is “connected”
  • I have access to the internet from the ipFire CLI (not from Green)
  • DNS is working.

on the win10 laptop, do cmd > ipconfig /all
do you get what is configured as your green network?

example:
(pppoe) red – ipfire – green 192.168.5.1 ---------- (range .100 - .200)
you access wui with https://192.168.5.1:444

laptop (win10) gets 192.168.5.100 with gateway, dns, and dhcp server 192.168.5.1

Hi
When I run ipconfig from the laptop, I see exactly what I expect to see.
When I run ip addr show dev green0 from the firewall, I see the expected.

When I run ip addr show dev red0 from the firewall, it looks like a LAN with no connection. There is no IP and no pppoe.
I took some screen shots to show a connection cycle.

Not connected. OK

When I click Connect I get ip addresses from the ISP.
When I run ip addr show dev red0 from the firewall, it still looks like a LAN with no connection.
No mention of pppoe.

When it displays that I am connected the IPs are no longer displayed.
When I run ip addr show dev red0 from the firewall, it still looks like a LAN with no connection.
No mention of pppoe.

This is my zone config. The laptop is only connected on green. Blue and Orange are not connected, but they look OK.

I have checked the vlan settings and they look OK.

The problem seems to be with the pppoe on Red. I am not seeing any issue on Green or others.

The ISP settings are here: Spark UFB Setup

Somehow ipfire is seeing short lived ip addresses that are invisible to the # ip command.
I am stuck.

I don’t understand why you mask the private ip’s on green, orange, and blue …

anyway, can you post a screen of Network > Domain Name System and Network > DHCP Server ?

Hi
OK things have changed, but I haven’t knowingly changed anything.

I had a look at the BIOS settings and it would appear that I may have changed the boot priority.
When I booted up this morning, the bootup stopped at the EFI shell.
OK so I changed the boot priority order to ipfire (PO: SSD) and that fixed the problem.

I can see on boot the pppoe connection starting up.
DHCP failed to start on boot.

The laptop has a static address.
running arp -a on both the firewall and the laptop showed entries both ways so not a cable failure.
I could not ping the laptop or ipfire either way. I could no longer log on to the WUI. Something I was doing yesterday.

Looking at the ipfire CLI, I could see that pppoe was connected to the isp, I could see the IP addresses.
The symptoms have changed since yesterday.

I need to look at the logs in detail.

1 Like

Hi
The problem with the changing BIOS settings was due to a failing SSD card. I changed that, and did a brand new install. This recreated the same symptoms as the original post.

Initially I could not connect the laptop to the WUI. I suspect the new install didn’t have the right credentials but I didn’t get an error message. Just no connection.

The DHCP screen contents look fine.

I did get a connection from the laptop to the Internet, but the Home dashboard page was not correctly reporting idle/connecting/connected states. That was not helpful. I could not get my Wifi access point to connect with the internet so still some work to do. Something is still not right.

I have had a number of computer issues today that have prevented me from looking at the ipFire install too closely. I have a busy week ahead so may not respond quickly to any advice.

1 Like

Hi
OK I have been able to look at this issue today.

I can reliably make a connection between the laptop (static ip) and the ipfirewall.

I can now reliably make/break a connection with the ISP via the VLAN10 pppoe.

I found in the WUI update the tick box for “update index.cgi”
Now that this is ticked, I have found that the “Connected / Not Connected” status is not updating. I have a monitor connected directly to the ipfirewall running a terminal. I can see when ipfire makes/breaks a connection.

I can ping 8.8.8.8 from the ipfirewall.
I cannot ping 8.8.8.8 from the laptop.

When I run $>ip addr show everything looks normal.
Here is the DHCP setup page. It looks OK noting that the laptop has a static IP of xxx.yyy.21.88 outside of the DHCP ip range.

At present, there is nothing connected on the blue interface.

Although I have 4x ports and the Orange DMZ selected, I don’t see anywhere to set up the Orange zone. There is nothing connected to the Orange network, so not a problem at present.

So I have made some progress, but I still can’t connect to the internet from the laptop.
Any help or suggestions would be appreciated.

Hi
I have checked the routing and it all looks OK to me.

The fully exposed ip addresses are DHCP ISP. They change randomly.

I am thinking that the connected/not-connected not updating may possibly be a clue.
I have internet connection from the ipfirewall. The blockage appears to be in the Green network. I still can’t ping from the laptop to the internet via ipfirewall.

Also, ipFire was able to complete an update. No issues. An update did not solve the problem.

Hi,

skimming through this thread, I struggle to understand which issues you are currently facing, which ones are already resolved and which ones are unrelated.

Um, if this (i. e. Core Update 167) went successfully and you rebooted your IPFire afterwards, the “firewall hits” graph should be displayed properly again. Are you sure the update went fine?

For the general situation, would it be possible to change your setup so it does not involve VLANs? I figure it might be better to get a simple, vanilla-like IPFire setup working for you, and if it does that, we can add functionality step by step.

Also, please post a screenshot of your DNS configuration here, and double-check whether the PC in question is using IPFire’s DNS resolver or not.

Hope to have helped for a start.

Thanks, and best regards,
Peter Müller

2 Likes

You mentioned your pc has a static ip xxx.yyy.21.88 outside the dhcp range. Can you configure that pc to get dhcp instead of static? If not, what is the DNS on that pc? It should be the DNS of ipfire xxx.yyyy.21.1 (I don’t understand why you mask private address … you’re using 172.30.21.*)

Your network is:

222.152.25.36  - ipfire - green  172.30.21.1    range 100-200
                        - blue   172.30.22.1    range 100-200
                        - orange unused
2 Likes

Hi Paul
Yes, I can configure the laptop to use dhcp, but I chose not to during troubleshooting because making it static eliminates a possible source of error.

My blue network is not connected to anything. It will be connected to a separate Wifi AP that will run DHCP for wifi connected devices. So although I have filled out the boxes for Blue DHCP, they will remain unused and DHCP will not be enabled on ipFire.

DNS for the xxx.yyy.21.zzz subnet is set to xxx.yyy.21.1
I don’t think DNS is the problem because I can ping 8.8.8.8 from ipFire, but I can’t ping 8.8.8.8 from the laptop.

The VLAN is not optional for me. It is specified by the ISP. The connection is fibre optic, pppoe with VLAN 10. The speed is throttled to 100Mbps. I was running on this connection for years with ipCop without issue.

So the one problem I now have is that I can’t reach the internet from the laptop. I can’t ping 8.8.8.8 (excludes DNS as a problem). If I launch a browser, I can’t load Google website.

Thanks for your suggestions

Hi Peter

The update reported that it was completed OK. No errors. I left the update run unattended, so I don’t know if it rebooted on completion.

The VLAN is not optional for me. It is specified by the ISP. The connection is fibre, pppoe with VLAN 10. The speed is throttled to 100Mbps. I was running on this connection for years with ipCop without issue.

I have had a number of issues that I have found and cleared. The one problem I now have is that I can’t reach the internet from the laptop. I can’t ping 8.8.8.8 (excludes DNS as a problem) from the laptop. If I launch a browser, I can’t load Google website.

One thing I have noticed is that the routing table doesn’t mention VLAN10. I don’t know if it should. If the pppoe is running through the VLAN, then it shouldn’t care or matter about the VLAN. If that was a problem, I don’t think I would be able to ping 8.8.8.8 from ipFire.

I am going to work on it again today. I think there will be one small thing that is blocking access.

Thanks for your suggestions

if the laptop has 172.30.21.88 then you need to give mask 255.255.255.0 and gateway 172.30.21.1
Is the laptop win10 or linux?

1 Like

Hi Paul
Yes, done exactly as you say.
The laptop is win10.

Is there a firewall on win10 blocking things? windows is not my thing.
Start cmd prompt, paste the output of ipconfig /all

the laptop is connected via an rj45 cable to the green network.

A static address on green0 requires complete and correct network settings on the client. Your inability to ping from a client on green0 indicates that those settings are not correct.

It would be more reliable to start with a DHCP setting on client. DHCP for green0 has been reliable on the stable version of core 167

1 Like
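The check the replies above ask for (paste `ipconfig /all`, then compare it with mask 255.255.255.0 and gateway/DNS 172.30.21.1) can be done mechanically. The following is an added example, not part of the thread and not IPFire code; the function names are hypothetical, the sample output is constructed, and it assumes English-locale `ipconfig` field names.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not taken from the thread).
# It deliberately carries a wrong mask and an empty default gateway.
SAMPLE = """\
Ethernet adapter Ethernet:

   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 172.30.21.88(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 172.30.21.1
"""

def parse_ipconfig(text):
    """Return {field: value}, keeping the first occurrence of each field."""
    fields = {}
    for line in text.splitlines():
        # Indented "Name . . . . : value" lines; adapter headers are not indented.
        m = re.match(r"\s+([A-Za-z0-9 ]+?)[ .]*:\s*(.*)$", line)
        if m:
            value = re.sub(r"\(.*\)$", "", m.group(2)).strip()  # drop "(Preferred)"
            fields.setdefault(m.group(1).strip(), value)
    return fields

def check_static(fields, fw_ip="172.30.21.1", prefix=24):
    """List mismatches between the client's settings and the green network."""
    green = ipaddress.ip_network(f"{fw_ip}/{prefix}", strict=False)
    problems = []
    addr = fields.get("IPv4 Address", "")
    if not addr or ipaddress.ip_address(addr) not in green:
        problems.append(f"address {addr or '(none)'} is not in {green}")
    if fields.get("Subnet Mask") != str(green.netmask):
        problems.append(f"mask should be {green.netmask}")
    # Without a default gateway the client can reach green but nothing beyond it.
    if fields.get("Default Gateway") != fw_ip:
        problems.append(f"gateway should be {fw_ip}")
    if fields.get("DNS Servers") != fw_ip:
        problems.append(f"DNS should be {fw_ip}")
    return problems

if __name__ == "__main__":
    for problem in check_static(parse_ipconfig(SAMPLE)):
        print(problem)
```
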

@dazz In Network > Edit Hosts add your laptop with 172.30.21.88 then test.

For my test, I changed the network adapter tcp settings on my win10 desktop.
My net is 10.0.0.0/24 but .88 is outside of my dhcp range. I’m able to access the Internet.

1 Like

Hi
I have made some progress, but something is still not right.

When I select “Obtain an IP address automatically”
I leave the DNS server address manually set to xxx.yyy.21.1
I get full internet access.

Automatically obtaining or manually setting the DNS server address has no effect.

So the remaining problem now is that:
If I manually set a static IP address on the laptop, I lose internet access from the laptop. I have never had this problem before on the laptop or any other device when I was running ipCop.

This is a major issue for me because I run a number of Raspberry Pi’s and other devices on my network, and they need to have static addresses. Some need internet access.

I know I could allocate DHCP leases based on their MAC but that does not help when I am identifying R.Pi’s based on the SD card (software version) rather than the device.

Can you show the result of the route print command when you have a static IP address and when you have a dynamic one?

edit
Have you tried resetting the network settings on your laptop?

1 Like