Cannot ping opt1 interface or router connected to opt1 (wan2) interface from lan
-
Hi. My pfsense 1.3 is configured this way:
lan wan op1(wan2) opt2(dmz)
lan=192.168.100.20/24
wan=public ip from my isp pool, default gw adsl router with public ip from my isp pool
opt1=10.0.0.10/29, default gw adsl router 10.0.0.9/29 and nat configured on router with a dynamic assigned public ip from my second isp
opt2=192.168.200.20/24 DMZloadbalancing and failover both work and tested.
aon is configured to let lan subnet go via both wans
two servers on lan have 1:1 nat
rules are configured on all pfsense interface and i am capable of coming from internet on servers on lan via both wans
I can ping both routers and lan subnet from pfsense. I can ping and reach both wan interface and router attached on the wan interface of pfsense from my lan, but i cannot ping or reach from lan both opt1 interface and router attached to opt1 interface!
From lan:
ping 192.168.100.20 (pfsense lan) work.
ping wan int on pfsense and adsl router attached to wan int work.
ping dmz int on pfsense work.
ping op1 int and router attached to opt1 do not workI've used tcpdump on pfsense during pings, and i can see echo request coming on lan int but no reply!
Any suggestions?
Thanks a lot.
-
Policybased firewallrules are always evaluated before the traffic hits the internal routingtable. Therefore it can happen that you send the traffic to the wrong gateway with policybased rules. To prevent this from happening create a network alias with all locally attached networks (subnets at wan, opt1, opt2,…, as well as vpn subnets, in case you use those as well). Then create a firewallrule on top of your balancing rules like:
pass, protocol any, source any, destination <that network="" alias="">, gateway default. This way you will make sure that policybased rules won't interfere with these subnets.</that> -
…..just wans, vpns and dmz i suppose, not lan subnet?
I'll try to create an alias with those subnet and add a lan rule on the top, using default gw and not loadbalancer and see....
-
you can add the lan as well, it won't hurt. this way you can use the same rule for other internal subnets as well (dmz probably is different as you don't want to allow access to lan from there or at least only restricted access). You can tighten the rules much more of course if needed. The rule that I wrote in my previous post is just an example. Oh, btw, add 127.0.0.1/32 to that networkalias too. Will make the ftp-helper work and maybe other installed packages that redirect traffic to the loopbackadress :)
-
I've created the rule, but still cannot ping opt1 interface nor adsl router behind it!! :-\
When i ping from lan to op1 pfsense int, i get this on pfsense:
tcpdump -i rl0 -vv -t icmp
tcpdump: listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
IP (tos 0x0, ttl 128, id 12744, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.100.10 > 10.0.0.10: ICMP echo request, id 768, seq 13572, length 40
IP (tos 0x0, ttl 128, id 13031, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.100.10 > 10.0.0.10: ICMP echo request, id 768, seq 13828, length 40
IP (tos 0x0, ttl 128, id 13051, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.100.10 > 10.0.0.10: ICMP echo request, id 768, seq 14084, length 40
IP (tos 0x0, ttl 128, id 13064, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.100.10 > 10.0.0.10: ICMP echo request, id 768, seq 14340, length 40if i do a tracert -d from the lan to the opt1 int of pfsense i get a strange response (look at the attached pic)!
This is my ifconfig:
ifconfig
xl0: flags=8843 <up,broadcast,running,simplex,multicast>mtu 1500
options=8 <vlan_mtu>inet 85.35.156.x netmask 0xfffffff8 broadcast 85.35.156.x
inet6 fe80::260:8ff:fe95:627d%xl0 prefixlen 64 scopeid 0x1
ether 00:60:08:95:62:7d
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
xl1: flags=8843 <up,broadcast,running,simplex,multicast>mtu 1500
options=8 <vlan_mtu>inet 10.0.0.10 netmask 0xfffffff8 broadcast 10.0.0.15
inet6 fe80::260:8ff:fe95:6289%xl1 prefixlen 64 scopeid 0x2
ether 00:60:08:95:62:89
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
rl0: flags=8943 <up,broadcast,running,promisc,simplex,multicast>mtu 1500
options=8 <vlan_mtu>inet 192.168.100.20 netmask 0xffffff00 broadcast 192.168.100.255
inet6 fe80::2e0:4cff:fe49:230%rl0 prefixlen 64 scopeid 0x3
ether 00:e0:4c:49:02:30
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vr0: flags=8843 <up,broadcast,running,simplex,multicast>mtu 1500
inet 192.168.200.20 netmask 0xffffff00 broadcast 192.168.200.255
inet6 fe80::216:ecff:febd:ee94%vr0 prefixlen 64 scopeid 0x4
ether 00:16:ec:bd:ee:94
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
pflog0: flags=100 <promisc>mtu 33208
enc0: flags=0<> mtu 1536
lo0: flags=8049 <up,loopback,running,multicast>mtu 16384
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
pfsync0: flags=41 <up,running>mtu 2020
pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128i've attached my lan rules and alias created and if config.
see if i'm missing something. Thanks a lot for paying attention….
</up,running></up,loopback,running,multicast></promisc></full-duplex></up,broadcast,running,simplex,multicast></full-duplex></vlan_mtu></up,broadcast,running,promisc,simplex,multicast></full-duplex></vlan_mtu></up,broadcast,running,simplex,multicast></full-duplex></vlan_mtu></up,broadcast,running,simplex,multicast> -
Probably a state-issue. Go to diagnostics>states, reset states. Then retest. Rules look valid to me.
-
I've done a state reset but cannot ping. I'll attach other pics, in case something is wrong with the config.
-
This happens when i tracert from lan: opt1(wan2) - wan - opt2(DMZ)
It seems that when i ping the opt1(wan2) pfsense int from lan, it tries to reach it going out to internet instead to just replying from the firewall itself!
Strange!
-
This is my loadbalancer config:
-
::)…. any suggestions?? Or do i better reset to defaults: rules, nat and loadbalancer and see if i resolve and start over the config step by step?
Thanks.
-
Disable the manual advanced outbound nat and set it to automatic again. Retest. Does it work now?
-
tried… :-\ but no ping.... is aon worse than using automatic?
If tracerouting opt1 pfsense int from lan, give me back wan gateway as this:
C:>tracert -d 10.0.0.9
Rilevazione instradamento verso 10.0.0.9 su un massimo di 30 punti di passaggio
1 <1 ms <1 ms <1 ms 85.35.156.x -----> this is default gateway on pfsense wan int
2 85.35.141.x rapporti: Rete di destinazione non raggiungibile. (Network unreachable)
|
|--> This is next op routerRilevazione completata.
does it mean that it is trying to find a reply from opt1 going out to internet, instead of just replying from its internal int?
.... ???
-
It means that for some reason it skips your first new created firewallrule. Don't know why though. Maybe reboot.
-
already rebooted….what other factor can lead to such a problem? only loadbalancing or i've to check also other configurations such trafficshaping (but i don't think so) anyway just to be sure!
do you think that if i remove loadbalancing and failover conf i'll solve the issue? Thanks.
-
Only firewallrules and outbound nat can cause problems here. You don't have any static routes configured, right?
-
no static routes. do you need more info on my conf? i can provide you with all the settings? I have the same problem on another pfsense 1.2 box also with dual wan. Everything works fine, but i cannot ping opt1 int from lan nor router attached to that interface. What can be the problem :-\
-
Try to rebuild the config step by step and see where it breaks. I guess that'S the easiest way to find the issue atm.
-
ok thanks a lot, I'll post the result if i succeed!
-
Yes, I'm interested to see where the problem is as well :)
-
You could try with my setup.
-
you mean the localnet entry?
-
No. What ip address i you trying from?
-
i'm trying to ping from internal server 192.168.100.10/24 to pfsense op1 (wan2) interface 10.0.0.10 or router behind it 10.0.0.9 but do not ping. Those rules you mention, was there to let both internal server not being restricted by the last rule "blockall". Do you mean that those rules are blocking pings?
-
Yes if you first 192.168.100.10 rules has the gateway * or 10.0.0.9 it should work imo.
-
!!SOLVED!! Perry found the problem! ;) The rules under LAN that i put to let 192.168.100.10 go out without being filtered by the last rule, had the gateway not to default one but specified to use opt1 default gateway, so when pinging from lan from that ip, it didn't look at the defaut routing tables causing the problem! Thanks a lot Perry. I suppose that the other rule to let the same internal host go out via opt1 using opt1 default gw is ok. Because i so not want to filter that host when going out from opt1.
-
;)
Rules:
Rules are processed from top to down.
If a rule catches the rest of the rules is no longer considered.
Per default a "block all" rule is always in place (invisible below your own rules).Traffic is filtered on the Interface on which traffic comes in.
So traffic comming in on the LAN-Interface will only be processed from the rules you define on the LAN tab.If you have a private subnet on your WAN: uncheck the "Block private networks" checkbox on your WAN-config page.
http://forum.pfsense.org/index.php/topic,7001.0.html
-
Ok, But putting a rule on top with default gw * using an alias with all local net, as hoba suggested, didn't work. Why? Now i'm trying to connect from internet to lan servers using opt2(wan2) interface and i've some problem. I've an openssh server on a host, and i can connect from internet using wan, but it fails using opt1. i can see in the log that the connections arrive at pfsense, that is portforwarded correctly and that the rule on opt1 with logging turned on, is activated but the connectio faild. Probably the connection fails to come back!
-
This are the relevant part of my config:
I'm tryng to connecto via ssh to the firewall itself (not an internal host as stated in the previous post) using opt1 from internet. Via wan it already works. Maybe it is not possible since pfsense use the default gateway of wan as its gateway? ::)
-
Actually you need reply-to kind of rules for that!
Not, sure if they are generated on pfSense.Can you please go to Disagnostics->Edit file; load /tmp/rules.debug; ebven post here or check if there is any reply-to keyword in that ruleset?
Ermal
-
The problem was that I specified the default gateway of opt1 interface in the rules, and not just the default option in the gateway tab. I mean that the gateway option was set like: 10.0.0.9 (default gateway used in the interface config) and not "default". I supposed that in configuring rules on opt1 interface one should specify the same gateway used in the opt1 interface config and not just default! But i was wrong! Why?
But now I've got another customer with the same problem and I've corrected the rules config and they are ok (same gateway problem), but here i cannot ping the opt1 int anyway! What could it be?
-
Thanks to all of you who lead me to solve my problems. To summ it up, here was the problems and solutions used:
1. I was unable to ping from lan subnet to opt1 interface or router attached to this int
Here the problem was that i was using loadbalancing for lan, and because pfsense look first at fw rules before using default routing tables, when trying to ping from that subnet to opt1 interface, the loadbalancing rule was used and the ping failed for bad routes engaged. The solution was to create an alias with all pfsense local attached networks, and create a lan rule at the top like:
pass- any - from lan subnet - to ALIAS - default route. See tha attached images,2. I was unable to reach opt1 interface and lan hosts behind it from internet.
Here the problem was that in the opt1 firewall rules, i was using as gateway, not the "default" option but the opt1 default gateway configured on the interface tab (like 10.0.0.9). I don't know why this happen, because to me it was logic to use the default gateway of opt1, as gateway for the rules created on opt1 section, because i supposed that connections coming on that interface should go backup from that gateway! Anyway here someone maybe can explain to me the reason.
Sorry for my bad english…..
-
Regarding your point 2:
Incoming connections will create a state that will, once it is created, take care of the reverse direction as well. This way it is possible to have portforwards on both wans in a multiwan setup to the same host at lan and the traffic will return through the interface it originally came in.
-
Thanks a lot hoba ;D ! Just last question for you master, do you know if t is possible with pfsense to do failover ad policy routing with vpns?
-
This is currently not supported.