Troubleshooting Network Connectivity

The following list covers most causes of outbound connectivity failure in common usage scenarios.

Each test assumes the items above it have been checked. This document assumes a single WAN but most of the advice is relevant to multiple WANs.

WAN Interface

• Check the WAN IP address (Interfaces > WAN)

◦ This is only relevant to static WANs, dynamic WANs handle addresses automatically

◦ Using the wrong address could prevent the ISP from delivering traffic to/from the firewall, among other issues

• Check that the WAN IP address has the correct subnet mask (Interfaces > WAN)

◦ This is only relevant to static WANs, dynamic WANs handle subnet masks automatically

◦ An improper subnet mask such as /1 could cause connectivity issues to large portions of the Internet, using /32 for a mask could prevent the firewall from contacting its gateway

• Check that WAN has a gateway and that the gateway IP address is correct (Interfaces > WAN)

◦ This is only relevant to static WANs, dynamic WANs handle gateways automatically

◦ A missing or incorrect WAN gateway interferes with automatic outbound NAT and route-to / reply-to

• Check the default gateway configuration (System > Routing)

◦ Without a default gateway traffic has no exit path

◦ If it is set to Automatic, the automatic selection process may have chosen a non-viable gateway

Troubleshooting — Troubleshooting Network Connectivity | pfSense D... https://docs.netgate.com/pfsense/en/latest/troubleshooting/connectivity.html

1 of 4 10/19/21, 6:57 AM

• Check that the default gateway shows Online (Status > Gateways)

◦ If it is not, verify the WAN settings and gateway settings, or use an alternate monitor IP address

• Check the default gateway in the routing table (Diagnostics > Routes)

◦ Another source such as a VPN may have changed the default gateway

LAN Interface

• Check the LAN IP address (Interfaces > LAN)

◦ Using an invalid IP address (e.g. .0 or .255 in a /24) will cause problems reaching addresses locally.

• Check the LAN subnet mask (Interfaces > LAN)

◦ Using an incorrect subnet mask, such as /32, will prevent other hosts in the LAN subnet from finding the firewall LAN address to use as a gateway and vice versa

• Check that LAN does NOT have a gateway set (Interfaces > LAN)

◦ This will interfere with automatic outbound NAT

• Check that LAN does NOT have Block Private Networks set (Interfaces > LAN)

◦ If the LAN subnet is using a private network, this will block local traffic.

• Check that LAN does NOT have Block Bogon Networks set (Interfaces > LAN)

◦ If the LAN subnet is using a private network, this will block local traffic.
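
The address, mask and gateway checks in the WAN Interface and LAN Interface lists above can be expressed as a small validator. This is an added example, not part of the pfSense documentation or code; the function name, the "WAN"/"LAN" labels, the `< /8` threshold and the sample addresses are assumptions, and the .0/.255 case is generalized to the network and broadcast address of any prefix.

```python
import ipaddress

def check_interface(name, addr_cidr, gateway=None):
    """Return findings for one static interface; name is "WAN" or "LAN"."""
    findings = []
    iface = ipaddress.ip_interface(addr_cidr)
    net = iface.network
    if net.prefixlen == 32:
        findings.append("mask /32: no other host (gateway or client) is on-link")
    elif net.prefixlen < 8:  # threshold is an assumption; the page's example is /1
        findings.append(f"mask /{net.prefixlen}: much of the Internet is treated as local")
    # .0 / .255 in a /24, generalized: network and broadcast addresses are unusable
    if net.prefixlen <= 30 and iface.ip in (net.network_address, net.broadcast_address):
        findings.append(f"{iface.ip} is the network or broadcast address of {net}")
    if name == "WAN":
        if gateway is None:
            findings.append("WAN has no gateway set")
        elif ipaddress.ip_address(gateway) not in net:
            findings.append(f"gateway {gateway} is outside {net}")
        elif ipaddress.ip_address(gateway) == iface.ip:
            findings.append("gateway equals the interface's own address")
    elif gateway is not None:
        findings.append("LAN has a gateway set: interferes with automatic outbound NAT")
    return findings

# Constructed sample configurations (documentation and private address ranges)
SAMPLES = [
    ("WAN", "198.51.100.10/24", "198.51.100.1"),   # healthy
    ("WAN", "198.51.100.10/32", "198.51.100.1"),   # gateway unreachable
    ("WAN", "198.51.100.10/1", "198.51.100.1"),    # mask far too wide
    ("LAN", "192.168.1.255/24", None),             # broadcast address
    ("LAN", "192.168.1.1/24", "192.168.1.254"),    # gateway on LAN
]

if __name__ == "__main__":
    for name, addr, gw in SAMPLES:
        result = check_interface(name, addr, gw) or ["ok"]
        print(f"{name} {addr} gw={gw}: " + "; ".join(result))
```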

Firewall/Rules

• Check the firewall log for blocked connections from hosts on LAN (Status > System Logs, Firewall tab)

◦ If the log contains entries showing blocked connections, check the rule that triggered the block and adjust rules accordingly (Firewall > Rules, LAN tab)

• Check that the LAN rule allows all protocols, or at least TCP and UDP ports for reaching DNS and HTTP/HTTPS, and allows ICMP for testing. (Firewall > Rules, LAN tab)

◦ Not allowing UDP would make DNS fail, among other things.

◦ Similarly, on a DNS rule, using UDP only and not TCP/UDP will cause larger queries to fail.

◦ Not allowing ICMP would cause ping to fail, but other protocols may work

◦ Not allowing TCP would cause HTTP, HTTPS, and other protocols to fail.

• Check that the LAN rules allow to a destination of any (Firewall > Rules, LAN tab)

◦ Using the wrong destination would not allow traffic to reach the Internet. For example, WAN net is only the subnet of the WAN interface, NOT the Internet, so typically the correct setting is any.

• Check that the LAN rule does not have an improper gateway set (Firewall > Rules, LAN tab)

◦ If it is set to leave by another (possibly broken) non-WAN gateway it would cause the connections to fail

Outbound NAT

• Check Outbound NAT, ensure it is set for Automatic or Hybrid outbound NAT (Firewall > NAT, Outbound tab)

◦ If the firewall requires manual outbound NAT, skip to the next test

◦ Incorrect NAT settings will prevent traffic from reaching WAN

• Check manual outbound NAT rules, if in use, to ensure that they match local traffic sources

◦ Incorrect NAT settings will prevent traffic from reaching WAN

Diagnostic Tests

• Check connectivity from the firewall itself: Try to ping 8.8.8.8 (Diagnostics > Ping)

◦ If this does not work, ensure proper WAN settings, gateway, etc.

• Check DNS: Try to look up pfsense.org (Diagnostics > DNS Lookup)

◦ If this does not work, fix/change the DNS configuration (Troubleshooting DNS Resolution Issues)

• Test NAT: Try to ping 8.8.8.8 using LAN as the Source Address (Diagnostics > Ping)

◦ If this fails but the other tests work, then the problem is likely outbound NAT (See the WAN/LAN gateway checks above)

Client Tests

• Test if the client can ping the LAN IP address of the firewall

◦ If this fails, check the LAN rules, client IP address/subnet mask, LAN IP address/subnet mask, etc.

• Test if the client can ping the WAN IP address of the firewall

◦ If this fails, check the client subnet mask and gateway

• Test if the client can ping the WAN Gateway IP address of the firewall

◦ If this fails, check the client subnet mask and gateway, and double check outbound NAT on the firewall

• Test if the client can ping an Internet host by IP address (e.g. 8.8.8.8)

◦ If this fails, check the client subnet mask and gateway, and triple check outbound NAT on the firewall

• Test if the client can ping an Internet host by Host name (e.g. www.google.com)

◦ If this fails, check the client DNS settings, and/or the DNS Resolver or Forwarder on the firewall (Services > DNS Resolver, Services > DNS Forwarder, Diagnostics > DNS Lookup)

Miscellaneous Additional Areas

• If Captive Portal is enabled, disable it temporarily (Services > Captive Portal).

◦ See Captive Portal Troubleshooting.

• Check for packages such as pfBlockerNG, Snort, Suricata, or Squid that might interfere with connectivity and disable them if necessary

◦ Improperly configured packages could allow certain traffic such as ICMP ping to work but might prevent access to HTTP and/or HTTPS sites.
