    Strange behaviour for ICMP (ping) rule on WAN interface

    General pfSense Questions
mauro.tridici @viragomann

      @viragomann Should I remove the bridge before adding the IP to VLAN90?

      Anyway, if you can, please take a look at my last reply to the stephenw10 message.

      Thanks.
      Mauro

mauro.tridici

If it can help, I would like to say that, after enabling the bridge, I was not able to ping the WAN interface with public IP y.y.y.2, although a rule allows it.

stephenw10 Netgate Administrator

          The fact it is trying to ping implies it must have an ARP entry there. Why did you exclude ARP lines? What does it show with ARP?

          Do you see anything different trying to ping the gateway?

What firewall rules do you have on the 'public LAN' interface?
Remember that without an IP on it the system alias 'public LAN net' is not valid, so you cannot use it as the source IP. You would see those pings blocked in the firewall log though.

          Steve

mauro.tridici @stephenw10

            @stephenw10 you can find below my answers, thanks.

            The fact it is trying to ping implies it must have an ARP entry there. Why did you exclude ARP lines? What does it show with ARP?

            This is the output (without excluding ARP lines) of tcpdump running on pfsense (involving "public LAN" interface). I can see a lot of similar ARP lines...

            15:24:35.444044 IP y.y.y.5 > y.y.y.2: ICMP echo request, id 3512, seq 32, length 64
            15:24:35.444062 ARP, Request who-has y.y.y.5 tell y.y.y.2, length 28
            15:24:35.465454 ARP, Request who-has y.y.y.19 tell y.y.y.1, length 46
            15:24:35.497470 ARP, Request who-has y.y.y.16 tell y.y.y.1, length 46
            15:24:35.503224 ARP, Request who-has y.y.y.95 tell y.y.y.1, length 46
            15:24:35.561627 ARP, Request who-has y.y.y.28 tell y.y.y.1, length 46
            15:24:35.593446 ARP, Request who-has y.y.y.87 tell y.y.y.1, length 46
            15:24:35.597442 ARP, Request who-has y.y.y.34 tell y.y.y.1, length 46
            15:24:35.721419 ARP, Request who-has y.y.y.113 tell y.y.y.1, length 46
            15:24:35.721457 ARP, Request who-has y.y.y.69 tell y.y.y.1, length 46
            15:24:35.849455 ARP, Request who-has y.y.y.11 tell y.y.y.1, length 46

            Do you see anything different trying to ping the gateway?

            If I try to ping the gateway (y.y.y.1), I can see only ARP lines in tcpdump output (no ICMP lines).

What firewall rules do you have on the 'public LAN' interface?

            Screenshot 2022-10-31 at 15.31.08.png

stephenw10 Netgate Administrator @mauro.tridici

              @mauro-tridici said in Strange behaviour for ICMP (ping) rule on WAN interface:

              If I try to ping the gateway (y.y.y.1), I can see only ARP lines in tcpdump output (no ICMP lines).

              Do you see the client at .5 ARPing for the gateway at .1?

              And you don't see the gateway responding?

              Steve

stephenw10 Netgate Administrator

Hmm, actually I see zero states on that rule on Public LAN. Did you move the bridge filtering using system tunables?

mauro.tridici @mauro.tridici

                  @stephenw10 I would like to ask you another important question:

                  what is the gateway I should set on the VM/host belonging to the "public LAN"?

                  y.y.y.1 that is the router IP address or y.y.y.2 that is the pfsense WAN address?
                  in my case, which is the upstream gateway I should set in the VM network configuration file?

                  Thank you in advance,
                  Mauro

mauro.tridici @stephenw10

                    @stephenw10 mmmh no, I didn't move the bridge filtering. I simply added the interfaces to the bridge.

mauro.tridici @stephenw10

                      @stephenw10

                      Do you see the client at .5 ARPing for the gateway at .1?

                      And you don't see the gateway responding?

                      Yes, but please note that I set the pfsense WAN address "y.y.y.2" as gateway for the VM.
                      I hope it is the right choice...

stephenw10 Netgate Administrator

                        No the VM should use the main gateway at .1 since it's in that subnet.

mauro.tridici @stephenw10

                          @stephenw10 ok, thank you. I changed the VM gateway. Now, it is pointing to y.y.y.1 IP address. I started a "ping y.y.y.1" from VM and the output now is:

                          From y.y.y.5 icmp_seq=1 Destination Host Unreachable
                          From y.y.y.5 icmp_seq=2 Destination Host Unreachable
                          From y.y.y.5 icmp_seq=3 Destination Host Unreachable
                          ...

stephenw10 Netgate Administrator

                            Hmm, do you see an ARP entry for the gateway on the VM?

                            I would expect to see 'host is down' if ARP was failing. That error seems more like a routing issue which shouldn't occur inside the same subnet. Are you sure the subnet mask is correct there?

mauro.tridici @stephenw10

                              @stephenw10

                              Hmm, do you see an ARP entry for the gateway on the VM?

How can I check that?
                              I executed the "arp -a" command on the VM and the result is:
                              gateway (y.y.y.1) at <incomplete> on ens192

                              The subnet mask seems to be ok.

stephenw10 Netgate Administrator

Ok, so it isn't seeing ARP replies from the gateway. Are there any complete ARP entries there beyond its own IP? Presumably it has the pfSense y.y.y.2 IP because it does send ICMP packets to that.

                                The next thing I would do then is run a pcap on the pfSense WAN and see traffic is there. It should have the ARP requests from the VM.

                                Steve

mauro.tridici @stephenw10

                                  @stephenw10

Ok, so it isn't seeing ARP replies from the gateway. Are there any complete ARP entries there beyond its own IP? Presumably it has the pfSense y.y.y.2 IP because it does send ICMP packets to that.

                                  Mmmh, unfortunately no. After changing the VM gateway from y.y.y.2 to y.y.y.1, no complete ARP entries are listed.
                                  Using the old (but wrong) configuration (with y.y.y.2 as gateway for the VM), I can see the complete ARP entry for y.y.y.2 IP.

                                  The next thing I would do then is run a pcap on the pfSense WAN and see traffic is there. It should have the ARP requests from the VM.

Let's try! I executed the "ping y.y.y.1" from the VM and I captured the pcap file on the WAN interface, IPv4, Any protocol, host address y.y.y.0/25 (at the end, I revealed the subnet...). If I'm not wrong, the .5 IP is not listed in the pcap. I will send you the subnet details in a private message.

mauro.tridici @stephenw10

                                    @stephenw10 packetcapture.cap

stephenw10 Netgate Administrator

That pcap spans only 2.2 seconds. You will probably need to filter it by something. Here what we are looking for is ARP requests from .5 for .1, so I'd filter for just ARP initially.
Also run the pcap on the Public LAN interface too to make sure they are arriving there.

                                      The bridge should just pass those.

                                      Also you should still be able to try to ping the .2 address and see the ARP table populated for that.

                                      Steve

mauro.tridici @stephenw10

                                        @stephenw10 ok, I'm going to do it soon. How can I filter for ARP? I'm using the pfsense GUI. Do you think that I should do it using the command line?

mauro.tridici @stephenw10
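Added example, not part of the thread: the ARP filtering Steve asks for can be done at the pfSense shell with tcpdump, e.g. `tcpdump -ni em0 'arp and (host y.y.y.1 or host y.y.y.5)'` on the WAN side and the same with `em6.90` on the bridged LAN side (the Protocol selector on Diagnostics > Packet Capture also offers ARP). The script below does the same offline on a saved .pcap: it parses the libpcap file format, pulls out the ARP requests and replies, prints them in the "who-has X tell Y" form seen in the thread, and reports, for every IP the VM ARPed for, whether that IP ever answered. That is exactly the question at this point in the thread (does .1 reply to .5?). The capture embedded in the script is constructed for the example, and the addresses 198.51.100.1 (gateway), .2 (pfSense WAN) and .5 (VM) are stand-ins for the y.y.y.x addresses in the thread; the MAC addresses are made up.

```python
"""Parse a libpcap capture and find ARP requests that never got a reply.

Standalone example written for this thread; not pfSense code. The sample
capture is constructed below; pass a real file with:
    python arp_check.py em0_wan.pcap 198.51.100.5
"""
import struct
import sys
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1


def parse_pcap(data: bytes):
    """Yield (ts_sec, frame_bytes) for each record of a libpcap (not pcapng) file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:  # DLT_EN10MB: Ethernet frames, which is what em0/em6.90 give
        raise ValueError("expected Ethernet link type, got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def arp_records(data: bytes):
    """Yield a dict per ARP frame: op, sender/target MAC and IP."""
    for ts, frame in parse_pcap(data):
        if len(frame) < 42:  # 14-byte Ethernet header + 28-byte IPv4 ARP
            continue
        ethertype, = struct.unpack_from("!H", frame, 12)
        if ethertype != ETH_P_ARP:
            continue
        hw, proto, hlen, plen, op = struct.unpack_from("!HHBBH", frame, 14)
        if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
            continue  # only Ethernet/IPv4 ARP is decoded
        body = frame[22:42]
        yield {
            "ts": ts,
            "op": {1: "request", 2: "reply"}.get(op, str(op)),
            "sender_mac": body[0:6].hex(":"),
            "sender_ip": str(IPv4Address(body[6:10])),
            "target_mac": body[10:16].hex(":"),
            "target_ip": str(IPv4Address(body[16:20])),
        }


def describe(r: dict) -> str:
    """Render one ARP record the way tcpdump prints it."""
    if r["op"] == "request":
        return "ARP, Request who-has %s tell %s" % (r["target_ip"], r["sender_ip"])
    return "ARP, Reply %s is-at %s" % (r["sender_ip"], r["sender_mac"])


def arp_answered(data: bytes, client_ip: str) -> dict:
    """Map each IP the client ARPed for -> True if that IP replied to the client."""
    asked = {}
    for r in arp_records(data):
        if r["op"] == "request" and r["sender_ip"] == client_ip:
            asked.setdefault(r["target_ip"], False)
        elif r["op"] == "reply" and r["target_ip"] == client_ip and r["sender_ip"] in asked:
            asked[r["sender_ip"]] = True
    return asked


# --- constructed sample capture (stand-in addresses, made-up MACs) -------------
GATEWAY, PFSENSE_WAN, VM = "198.51.100.1", "198.51.100.2", "198.51.100.5"
VM_MAC, PF_MAC = "02:00:00:00:00:05", "02:00:00:00:00:02"


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _arp_frame(op, sha, spa, tha, tpa, dst_mac):
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += _mac(sha) + IPv4Address(spa).packed + _mac(tha) + IPv4Address(tpa).packed
    return _mac(dst_mac) + _mac(sha) + struct.pack("!H", ETH_P_ARP) + arp


def build_pcap(frames) -> bytes:
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    recs = [struct.pack("<IIII", 1667226000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return hdr + b"".join(recs)


SAMPLE_PCAP = build_pcap([
    _arp_frame(1, VM_MAC, VM, "00:00:00:00:00:00", GATEWAY, "ff:ff:ff:ff:ff:ff"),  # .5 asks for .1
    _arp_frame(1, VM_MAC, VM, "00:00:00:00:00:00", PFSENSE_WAN, "ff:ff:ff:ff:ff:ff"),  # .5 asks for .2
    _arp_frame(2, PF_MAC, PFSENSE_WAN, VM_MAC, VM, VM_MAC),  # .2 answers; .1 never does
    _arp_frame(1, VM_MAC, VM, "00:00:00:00:00:00", GATEWAY, "ff:ff:ff:ff:ff:ff"),  # .5 retries .1
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    client = sys.argv[2] if len(sys.argv) > 2 else VM
    for rec in arp_records(data):
        print(describe(rec))
    for ip, ok in arp_answered(data, client).items():
        print("%s -> %s: %s" % (client, ip, "answered" if ok else "NO REPLY"))
```

Run it against the em0 and em6.90 captures separately: if the request for .1 shows up on both interfaces but is never answered on either, the bridge is passing the frame and the problem sits with the device holding .1, not with pfSense.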

                                          @stephenw10

                                          In attachment the pcap files.

                                          em0 is the wan interface
                                          em6.90 is the lan interface

                                          thanks,
                                          Mauro

                                          em0_wan.pcap

                                          em6.90_lan.pcap

stephenw10 Netgate Administrator

                                            Ok, so we can see the VM at .5 ARPing for the gateway at .1 and on both interfaces, both sides of the bridge.
                                            But the gateway is not responding.

                                            What is the upstream device at .1? It has a VMWare MAC address.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.