Netgate Discussion Forum
    pfSense not responding to icmp ping from switch

    General pfSense Questions
    ryansun @johnpoz

      @johnpoz GigabitEthernet1/0/15 and 16 are connected to my NAS, not pfsense. There's only one interface connected to pfsense, which is port 18

    johnpoz @ryansun

        @ryansun yeah my bad - misread.. doh

        But where is that 192.168.1.26 IP coming from? Also disable those pfblocker rules.. Can you ping now?

        You're going to have to set up a name server on your switch if you want to do dns, I personally wouldn't use dhcp for a switch.. But it should work - just don't see any config for a nameserver, if it got it from dhcp - you would think it should list it ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07

    ryansun @johnpoz

          @johnpoz
           "But where did the 192.168.1.26 come from?" - I misconfigured a virtual ip - should've used 192.168.1.26/24 instead of 192.168.1.26/32. However, after correcting it (now LAN subnets show 192.168.1.0/24 only) the issue is still there.

          "Your one pfblocker reject rule has some hits to pfb_pri1_v4, does this have rfc1918 space in, that for sure would block the switch from pinging pfsense IP." - Negative. Also if this rule is blocking icmp from lan how could other devices successfully ping pfsense?

           (screenshot attached: ffdd4016-a6f1-495a-808d-b0057ebed4fd-image.png)

    johnpoz @ryansun

            @ryansun very true, if your pfblocker was blocking, your other clients wouldn't be able to ping pfsense either.. odd one.. is that the correct mac for pfsense in your arp table?

            edit: what are you running pfsense on - that mac shows as

            eac AUTOMATION-CONSULTING GmbH

            Never heard of them.. You would think it would be a known mac of network interfaces..


    ryansun @johnpoz

              @johnpoz It is the right mac address. Pfsense is running on a protectli box

    johnpoz @ryansun

                @ryansun odd one..

                You're not running snort or suricata by chance? I.e. an IPS package on pfsense.

                Are you running the + version of pfsense and maybe enabled the ethernet filtering, i.e. the layer 2 stuff?

                Hmmmm?

                Are you doing anything with static arp? You say pfsense can ping the switch 192.168.1.4, look in the arp table - is this the correct mac for the switch? But if that was the case - you would still think you would see it in the sniff..

                If I had to guess, something is blocking pfsense from seeing the ping request. While it shows up on the interface (you see it in the sniff), maybe it's not going farther up the stack for pfsense to send a response.. Or maybe for whatever reason it's sending it out a different interface.. You don't have any vpn connection on pfsense?

                And you don't show anything in the log for the icmp being blocked?


    ryansun @johnpoz

                  @johnpoz VPN was the issue! I set up an IPSec site-to-site tunnel long ago. It turns out the ip address assigned to the switch (192.168.1.4) is being used by the vpn tunnel. This also explains the strange behavior that the switch does not show up in the arp table in pfsense, even after doing a "fresh" ping.

                  After assigning switch a different ip, ping and dns are working as expected. Thank you for your help!

    johnpoz @ryansun

                    @ryansun great! I wouldn't use any sort of tunnel network that overlaps with your local network.. Is the remote network also 192.168.1?


    ryansun @johnpoz

                      @johnpoz No, the remote network is a different subnet. My understanding is that those IPs serve as the "default gateway" to remote subnet, since I use BGP for routing between the local and remote networks. This (I think) was the link I was trying to follow at that time: https://support.oracle.com/knowledge/Oracle%20Cloud/2488578_1.html (Need a free account to access)

    stephenw10 Netgate Administrator

                        Yes it would still conflict if that IP is used as the transport subnet for a routed IPSec tunnel. That's why many services (like AWS) use APIPA addresses for that to prevent any possibility of a conflict.

    johnpoz @stephenw10

                          @stephenw10 the sdwan company we used for a few customers at my last gig used the documentation network...

                          192.0.2.0/24

                          For the tunnels, to make sure they didn't overlap with the sites of the customer network.


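The failure in this thread, as an added example (not code from the thread, from pfSense or from Netgate): a local interface address is installed in the kernel as a host route to the box itself, so once the IPsec transport address is 192.168.1.4 the /32 for it beats the LAN's /24 in longest-prefix match, the echo reply to the switch is delivered locally and never goes out on the LAN, and no ARP entry for the switch is ever created. The model below reproduces that with a tiny route table, then checks candidate tunnel transport subnets against the local subnets and picks one from an APIPA or 192.0.2.0/24 pool, which is stephenw10's and johnpoz's advice in the posts above. Interface names (igb1, ipsec1), the remote subnet 10.20.0.0/24 and the /30 transport prefix are assumptions for the illustration.

```python
"""Model of a routed-IPsec transport address colliding with a LAN host.

Added illustration, not pfSense code. Interface names, the remote subnet
and the /30 transport prefix are assumed for the example.
"""
from ipaddress import ip_address, ip_interface, ip_network
from typing import List, Optional, Tuple

# Constructed route table as (prefix, next-hop interface). A local interface
# address shows up as a host route to the box itself, labelled "local" here,
# exactly as a VTI local address of 192.168.1.4 would.
ROUTES: List[Tuple] = [
    (ip_network("192.168.1.0/24"), "igb1"),    # LAN, connected (assumed name)
    (ip_network("10.20.0.0/24"), "ipsec1"),    # remote site via the tunnel (assumed)
    (ip_network("192.168.1.4/32"), "local"),   # tunnel's local transport address
]


def lookup(dst: str, routes=ROUTES) -> Optional[str]:
    """Longest-prefix match: the most specific matching prefix wins."""
    addr = ip_address(dst)
    best = None
    for prefix, iface in routes:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def find_conflicts(local_subnets, tunnel_addrs) -> List[Tuple[str, str]]:
    """Return (tunnel address, local subnet) pairs whose networks overlap."""
    conflicts = []
    for t in tunnel_addrs:
        tnet = ip_interface(t).network
        for s in local_subnets:
            snet = ip_network(s)
            if tnet.overlaps(snet):
                conflicts.append((str(t), str(snet)))
    return conflicts


def pick_transport_subnet(local_subnets, pool="169.254.0.0/16", prefixlen=30) -> Optional[str]:
    """First /30 from the pool (APIPA by default, or 192.0.2.0/24) that does not
    overlap any local subnet; None if the pool is exhausted."""
    local_nets = [ip_network(s) for s in local_subnets]
    for cand in ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(n) for n in local_nets):
            return str(cand)
    return None


if __name__ == "__main__":
    # The switch at 192.168.1.4 never gets its reply: the /32 wins over the LAN /24.
    print("reply to 192.168.1.4 goes via:", lookup("192.168.1.4"))   # local
    print("reply to 192.168.1.50 goes via:", lookup("192.168.1.50"))  # igb1
    print("conflicts:", find_conflicts(["192.168.1.0/24"], ["192.168.1.4/30"]))
    print("safe transport /30:", pick_transport_subnet(["192.168.1.0/24", "10.20.0.0/24"]))
```

The same check is worth running against every site's subnets, not just the local one: a transport address that is unique at this end can still collide with a LAN at the peer, which is why a range nobody routes internally (link-local 169.254.0.0/16 or the documentation block 192.0.2.0/24) is the safe pick.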
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.