Strange behaviour for ICMP (ping) rule on WAN interface
-
@viragomann @stephenw10 you can find in the attachment a sketch describing the scenario I'm trying to create.
From the top to the bottom, you can see:
- the ISP, that is connected to our router with a point-to-point link;
- our router, that has 2 IP addresses (one IP address for the point-to-point link and the first (#1) public IP of the public subnet that the ISP provided us)
- the pfSense router that acts as firewall (the second (#2) public IP has been assigned to the WAN interface of pfSense)
- the existing LANs
- the new LAN ("LAN with public IP behind the pfsense") that I created in order to group every host with a public IP.
I created the "LAN with public IP behind the pfsense" without doing anything else. So, I don't know if the LAN is a "routed" LAN; when is a LAN defined as "routed"? (sorry for my stupid question, but I'm a newbie...).
My ultimate goal is to protect hosts with IP addresses using the existing firewall.
-
@stephenw10 this is definitely the answer I was looking for. The bridge and related limitations impact only the bridge itself.
So, the existing NAT rules, involving WAN and other LAN interfaces, are not involved.
Many thanks,
Mauro
-
@mauro-tridici
A routed subnet means that the ISP routes the subnet to your primary WAN IP.
This is applicable to your WAN network y.y.y.0/25 for instance. This is routed to the WAN-side router's IP.
If the "public LAN" was routed to your WAN IP it would be routed to the outer router IP as well. Additionally it would need a route on the ISP router to point it to the pfSense WAN IP.
Is the "public LAN" a separate subnet or are the IPs part of y.y.y.0/25?
In the latter case you can go with bridge WAN <> public LAN and you should be able to access the IPs inside from the internet without issues. Proper firewall rule on WAN presumed.
Otherwise it needs to be routed to your WAN IP by the ISP to use it behind pfSense. The configuration is well described in the docs: Routing Public IP Addresses.
-
Yeah, it looks like you do have a routed subnet there, the /25 is routed to you over the /30.
But you can't use it as a routed subnet in pfSense because you have some other router upstream and the /25 is on the pfSense WAN directly.
In that situation you would have to bridge it to use the public IP on servers directly.
A much better setup though would be to remove the upstream router so pfSense uses the /30 on its WAN. Then you can use the /25 directly on an internal interface as a routed subnet.
That may not be possible/practical.
Steve
-
@viragomann thank you very much for the detailed explanation. The "public LAN" is not a separate subnet and related IPs are part of y.y.y.0/25.
So, I can proceed with the bridge WAN <> public LAN.
Thanks again for everything you have taught me, I really appreciate it.
In any case, I will also study the content of the link you provided.
Tomorrow morning I will apply the new configuration to the pfSense instance.
Kind regards,
Mauro
-
@stephenw10 thank you for sharing with me your know-how.
I will save this discussion to a PDF file because it is very interesting from the educational point of view.
You and @viragomann have helped me a lot!
Thanks,
Mauro
-
@mauro-tridici said in Strange behaviour for ICMP (ping) rule on WAN interface:
In any case, I will study also the content of the link you provided.
That's not applicable for you since you say
The "public LAN" is not a separate subnet and related IPs are part of y.y.y.0/25.
In this case you can only go with a bridge or as Steve suggested kick out the ISP router if possible.
-
Dear @viragomann and @stephenw10 ,
following your suggestions, during the last hour I created the bridge between the WAN and "public LAN (VLAN with VLAN ID 90)".
No IP has been added to the "public LAN".
After that, I created a virtual machine on my hypervisor and I connected it to a physical switch port (this port is configured in access mode on VLAN 90).
The uplink port of the same switch is connected to the pfSense "public LAN" interface (the switch port is in trunk mode).
I added a test rule (ICMP any to any) both to the "public LAN" interface and to the "WAN".
You can find below a sketch of the current scenario.
I just started some tests, but, unfortunately, I'm not able to ping, from the VM, the y.y.y.1/25 and y.y.y.2/25 IP addresses.
Could you please help me to detect what I'm doing wrong and solve this last issue?
Many thanks for your patience.
Mauro
-
Do you see any traffic blocked in the firewall logs?
What error is shown when you try to ping?
-
@mauro-tridici
Are you sure that your VLAN works properly?
For testing purposes you can assign an IP to the VLAN90 interface directly and try to ping it from the VM. Also try to ping from the switch if it is capable of doing that.
-
@stephenw10 at this moment, I don't see any error in the firewall logs related to the WAN and "public LAN" interfaces. No error during the ping execution. The ping command is running without producing any output.
I started tcpdump on the pfSense "public LAN" interface (IP y.y.y.2/25) and I ran some pings from the VM (y.y.y.5/25). The output of "tcpdump|grep -v ARP" is the following one:
14:32:11.231082 IP y.y.y.5 > y.y.y.2: ICMP echo request, id 18558, seq 982, length 64
14:32:12.231062 IP y.y.y.5 > y.y.y.2: ICMP echo request, id 18558, seq 983, length 64
It seems that pfSense receives the request, but it is not able to reply to the VM.
Please note that, on the VM, I set y.y.y.2 as gateway (please refer to the sketch above).
-
@viragomann Should I remove the bridge before adding the IP to VLAN90?
Anyway, if you can, please take a look at my last reply to the stephenw10 message.
Thanks.
Mauro
-
If it can help, I would like to say that, after enabling the bridge, I was not able to ping the WAN interface with public IP y.y.y.2 although a rule allows it.
-
The fact it is trying to ping implies it must have an ARP entry there. Why did you exclude ARP lines? What does it show with ARP?
Do you see anything different trying to ping the gateway?
What firewall rules do you have on the 'public LAN' interface?
Remember that without an IP on it the system alias 'public LAN net' is not valid so you cannot use it as the source IP. You would see those pings blocked in the firewall log though.
Steve
-
@stephenw10 you can find below my answers, thanks.
The fact it is trying to ping implies it must have an ARP entry there. Why did you exclude ARP lines? What does it show with ARP?
This is the output (without excluding ARP lines) of tcpdump running on pfsense (involving "public LAN" interface). I can see a lot of similar ARP lines...
15:24:35.444044 IP y.y.y.5 > y.y.y.2: ICMP echo request, id 3512, seq 32, length 64
15:24:35.444062 ARP, Request who-has y.y.y.5 tell y.y.y.2, length 28
15:24:35.465454 ARP, Request who-has y.y.y.19 tell y.y.y.1, length 46
15:24:35.497470 ARP, Request who-has y.y.y.16 tell y.y.y.1, length 46
15:24:35.503224 ARP, Request who-has y.y.y.95 tell y.y.y.1, length 46
15:24:35.561627 ARP, Request who-has y.y.y.28 tell y.y.y.1, length 46
15:24:35.593446 ARP, Request who-has y.y.y.87 tell y.y.y.1, length 46
15:24:35.597442 ARP, Request who-has y.y.y.34 tell y.y.y.1, length 46
15:24:35.721419 ARP, Request who-has y.y.y.113 tell y.y.y.1, length 46
15:24:35.721457 ARP, Request who-has y.y.y.69 tell y.y.y.1, length 46
15:24:35.849455 ARP, Request who-has y.y.y.11 tell y.y.y.1, length 46
Do you see anything different trying to ping the gateway?
If I try to ping the gateway (y.y.y.1), I can see only ARP lines in the tcpdump output (no ICMP lines).
What firewall rules do you have on the 'public LAN' interface?
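Added example (not from the thread, not pfSense code): a small Python script that parses tcpdump lines in the format pasted above and lists ARP requests that never got an "is-at" reply, plus ICMP echo requests that never got an echo reply. The sample capture is constructed from the lines in the post; the last two lines (a request for .1 and its reply) are added so the "answered" case is exercised too.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the tcpdump output quoted in the thread.
# y.y.y.x placeholders are kept as the poster wrote them; the last two lines are added.
SAMPLE_CAPTURE = """\
15:24:35.444044 IP y.y.y.5 > y.y.y.2: ICMP echo request, id 3512, seq 32, length 64
15:24:35.444062 ARP, Request who-has y.y.y.5 tell y.y.y.2, length 28
15:24:35.465454 ARP, Request who-has y.y.y.19 tell y.y.y.1, length 46
15:24:35.497470 ARP, Request who-has y.y.y.16 tell y.y.y.1, length 46
15:24:36.444100 ARP, Request who-has y.y.y.5 tell y.y.y.2, length 28
15:24:36.500000 ARP, Request who-has y.y.y.1 tell y.y.y.5, length 28
15:24:36.500300 ARP, Reply y.y.y.1 is-at 00:00:5e:00:53:01, length 28
"""

ARP_REQ = re.compile(r"^\S+ ARP, Request who-has (\S+) tell (\S+), length \d+")
ARP_REP = re.compile(r"^\S+ ARP, Reply (\S+) is-at (\S+), length \d+")
ICMP = re.compile(r"^\S+ IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+),")

def unanswered_arp(capture: str) -> dict:
    """Map target IP -> {"requests": n, "askers": [...]} for IPs ARPed for but never answered."""
    requests = defaultdict(lambda: {"requests": 0, "askers": set()})
    answered = set()
    for line in capture.splitlines():
        m = ARP_REQ.match(line)
        if m:
            target, asker = m.groups()
            requests[target]["requests"] += 1
            requests[target]["askers"].add(asker)
            continue
        m = ARP_REP.match(line)
        if m:
            answered.add(m.group(1))  # an is-at reply proves the host is reachable on L2
    return {ip: {"requests": v["requests"], "askers": sorted(v["askers"])}
            for ip, v in requests.items() if ip not in answered}

def unanswered_echo(capture: str) -> dict:
    """Map (src, dst, icmp id) -> [seq numbers] of echo requests with no matching echo reply."""
    pending = defaultdict(list)
    for line in capture.splitlines():
        m = ICMP.match(line)
        if not m:
            continue
        src, dst, kind, ident, seq = m.groups()
        if kind == "request":
            pending[(src, dst, ident)].append(int(seq))
        elif int(seq) in pending.get((dst, src, ident), []):  # reply flows back dst -> src
            pending[(dst, src, ident)].remove(int(seq))
    return {k: v for k, v in pending.items() if v}
```

Run against a real capture (`tcpdump -n -i <public LAN interface>` saved to a file) by passing the file contents to the two functions; a target that pfSense keeps ARPing for without a reply, as .5 does here, points at a layer-2 problem (VLAN/bridge) rather than a firewall rule.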
-
@mauro-tridici said in Strange behaviour for ICMP (ping) rule on WAN interface:
If I try to ping the gateway (y.y.y.1), I can see only ARP lines in tcpdump output (no ICMP lines).
Do you see the client at .5 ARPing for the gateway at .1?
And you don't see the gateway responding?
Steve
-
Hmm, actually I see zero states on that rule on Public LAN. Did you move the bridge filtering using system tunables?
-
@stephenw10 I would like to ask you another important question:
what is the gateway I should set on the VM/host belonging to the "public LAN"?
y.y.y.1 that is the router IP address or y.y.y.2 that is the pfsense WAN address?
In my case, which is the upstream gateway I should set in the VM network configuration file?
Thank you in advance,
Mauro
-
@stephenw10 mmmh no, I didn't move the bridge filtering. I simply added the interfaces to the bridge.
-
Do you see the client at .5 ARPing for the gateway at .1?
And you don't see the gateway responding?
Yes, but please note that I set the pfsense WAN address "y.y.y.2" as gateway for the VM.
I hope it is the right choice...