Cannot ping opt1 interface or router connected to opt1 (wan2) interface from lan
-
I've created the rule, but still cannot ping the opt1 interface nor the ADSL router behind it!! :-\
When I ping from LAN to the OPT1 pfSense interface, I get this on pfSense:
tcpdump -i rl0 -vv -t icmp
tcpdump: listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
IP (tos 0x0, ttl 128, id 12744, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.100.10 > 10.0.0.10: ICMP echo request, id 768, seq 13572, length 40
IP (tos 0x0, ttl 128, id 13031, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.100.10 > 10.0.0.10: ICMP echo request, id 768, seq 13828, length 40
IP (tos 0x0, ttl 128, id 13051, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.100.10 > 10.0.0.10: ICMP echo request, id 768, seq 14084, length 40
IP (tos 0x0, ttl 128, id 13064, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.100.10 > 10.0.0.10: ICMP echo request, id 768, seq 14340, length 40
If I do a tracert -d from the LAN to the OPT1 interface of pfSense I get a strange response (look at the attached pic)!
This is my ifconfig:
ifconfig
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=8<VLAN_MTU>
    inet 85.35.156.x netmask 0xfffffff8 broadcast 85.35.156.x
    inet6 fe80::260:8ff:fe95:627d%xl0 prefixlen 64 scopeid 0x1
    ether 00:60:08:95:62:7d
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=8<VLAN_MTU>
    inet 10.0.0.10 netmask 0xfffffff8 broadcast 10.0.0.15
    inet6 fe80::260:8ff:fe95:6289%xl1 prefixlen 64 scopeid 0x2
    ether 00:60:08:95:62:89
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    options=8<VLAN_MTU>
    inet 192.168.100.20 netmask 0xffffff00 broadcast 192.168.100.255
    inet6 fe80::2e0:4cff:fe49:230%rl0 prefixlen 64 scopeid 0x3
    ether 00:e0:4c:49:02:30
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.200.20 netmask 0xffffff00 broadcast 192.168.200.255
    inet6 fe80::216:ecff:febd:ee94%vr0 prefixlen 64 scopeid 0x4
    ether 00:16:ec:bd:ee:94
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
pflog0: flags=100<PROMISC> mtu 33208
enc0: flags=0<> mtu 1536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
pfsync0: flags=41<UP,RUNNING> mtu 2020
    pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
I've attached my LAN rules, the alias I created and the ifconfig output.
See if I'm missing something. Thanks a lot for paying attention….
-
Probably a state issue. Go to Diagnostics > States, reset states. Then retest. Rules look valid to me.
-
I've done a state reset but I cannot ping. I'll attach other pics, in case something is wrong with the config.
-
This happens when I tracert from LAN: opt1 (wan2) - wan - opt2 (DMZ)
It seems that when I ping the opt1 (wan2) pfSense interface from LAN, it tries to reach it by going out to the Internet instead of just replying from the firewall itself!
Strange!
-
This is my load balancer config:
-
::)…. Any suggestions?? Or would I do better to reset the rules, NAT and load balancer to defaults, see if that resolves it, and start over the config step by step?
Thanks.
-
Disable the manual advanced outbound NAT and set it to automatic again. Retest. Does it work now?
-
Tried… :-\ but no ping.... Is AON worse than using automatic?
If I traceroute the OPT1 pfSense interface from LAN, it gives me back the WAN gateway, like this:
C:>tracert -d 10.0.0.9
Rilevazione instradamento verso 10.0.0.9 su un massimo di 30 punti di passaggio
1 <1 ms <1 ms <1 ms 85.35.156.x -----> this is the default gateway on the pfSense WAN interface
2 85.35.141.x rapporti: Rete di destinazione non raggiungibile. (Network unreachable)
|
|--> this is the next hop router
Rilevazione completata.
Does it mean that it is trying to get a reply from opt1 by going out to the Internet, instead of just replying from its internal interface?
.... ???
-
It means that for some reason it skips your first newly created firewall rule. Don't know why though. Maybe reboot.
-
Already rebooted…. What other factor can lead to such a problem? Only load balancing, or do I have to check other configurations too, such as traffic shaping (but I don't think so), anyway just to be sure!
Do you think that if I remove the load balancing and failover config I'll solve the issue? Thanks.
-
Only firewall rules and outbound NAT can cause problems here. You don't have any static routes configured, right?
-
No static routes. Do you need more info on my config? I can provide you with all the settings. I have the same problem on another pfSense 1.2 box, also with dual WAN. Everything works fine, but I cannot ping the opt1 interface from LAN nor the router attached to that interface. What can the problem be? :-\
-
Try to rebuild the config step by step and see where it breaks. I guess that's the easiest way to find the issue atm.
-
OK, thanks a lot, I'll post the result if I succeed!
-
Yes, I'm interested to see where the problem is as well :)
-
You could try with my setup.
-
You mean the localnet entry?
-
No. What IP address are you trying from?
-
I'm trying to ping from the internal server 192.168.100.10/24 to the pfSense opt1 (wan2) interface 10.0.0.10 or the router behind it 10.0.0.9, but they do not ping. Those rules you mention were there to let both internal servers not be restricted by the last rule "blockall". Do you mean that those rules are blocking pings?
-
Yes, if your first 192.168.100.10 rule has the gateway * or 10.0.0.9 it should work imo.
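The behaviour the thread arrives at (a LAN rule that carries a gateway policy-routes every matching packet, including a ping for the firewall's own OPT1 address, out the WAN, while the same rule with gateway * lets the routing table deliver it locally) can be modelled in a few lines. The following is an added example, not code from the thread or from pfSense: it reproduces the poster's topology from the ifconfig output (LAN 192.168.100.0/24 on rl0, OPT1/WAN2 10.0.0.8/29 on xl1, OPT2 192.168.200.0/24 on vr0; the WAN address is masked on the page and is represented by a placeholder) and evaluates constructed rule sets with pfSense's first-match semantics. The rule names, the "localnet" alias contents and the gateway label are assumptions.

```python
"""Model of pfSense first-match rule evaluation with policy routing.

Constructed example (not from the thread or pfSense): models the poster's
topology to show why a LAN rule that carries a gateway sends a ping for
the OPT1 address out the WAN instead of letting the firewall answer it.
"""
import ipaddress

# Addresses the firewall itself owns (taken from the poster's ifconfig; the
# WAN address is masked on the page, so it is left out here).
FIREWALL_ADDRESSES = {
    ipaddress.ip_address("192.168.100.20"),  # LAN, rl0
    ipaddress.ip_address("10.0.0.10"),       # OPT1 (WAN2), xl1
    ipaddress.ip_address("192.168.200.20"),  # OPT2 (DMZ), vr0
}

# Directly connected networks and the interface they sit on.
CONNECTED = {
    ipaddress.ip_network("192.168.100.0/24"): "rl0 (LAN)",
    ipaddress.ip_network("10.0.0.8/29"): "xl1 (OPT1/WAN2)",
    ipaddress.ip_network("192.168.200.0/24"): "vr0 (OPT2/DMZ)",
}

# Placeholder label: the real WAN gateway is masked as 85.35.156.x on the page.
WAN_GATEWAY = "85.35.156.x (WAN gateway placeholder)"


def system_route(dst):
    """What the kernel routing table does when no policy route applies."""
    if dst in FIREWALL_ADDRESSES:
        return "delivered locally: the firewall answers the ping itself"
    for net, iface in CONNECTED.items():
        if dst in net:
            return f"forwarded directly on {iface}"
    return f"forwarded to default gateway {WAN_GATEWAY}"


def _matches(rule, src, dst):
    """Source is a single network or 'any'; destination is 'any' or a list of networks (alias)."""
    in_src = rule["source"] == "any" or src in ipaddress.ip_network(rule["source"])
    in_dst = rule["destination"] == "any" or any(
        dst in ipaddress.ip_network(n) for n in rule["destination"])
    return in_src and in_dst


def route_packet(rules, src, dst):
    """First matching rule wins (pfSense GUI rules are 'quick').

    A rule with a gateway policy-routes: pf's route-to hands the packet to
    that gateway whatever the destination is, bypassing the routing table.
    A rule with gateway None ('*' in the GUI) leaves the decision to the
    routing table, which delivers the firewall's own addresses locally.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if not _matches(rule, src, dst):
            continue
        if rule["action"] == "block":
            return "blocked by rule: " + rule["name"]
        if rule["gateway"] is None:
            return system_route(dst)
        return f"policy-routed to {rule['gateway']} (route-to), destination ignored"
    return "blocked: no rule matched (default deny)"


BLOCKALL = {"name": "blockall", "action": "block", "source": "any",
            "destination": "any", "gateway": None}

# The poster's situation as assumed here: the server rule carries the WAN gateway.
RULES_WITH_GATEWAY = [
    {"name": "server out via WAN", "action": "pass", "source": "192.168.100.10/32",
     "destination": "any", "gateway": WAN_GATEWAY},
    BLOCKALL,
]

# The fix from the last reply: same rule with gateway '*'.
RULES_DEFAULT_GATEWAY = [
    {"name": "server out", "action": "pass", "source": "192.168.100.10/32",
     "destination": "any", "gateway": None},
    BLOCKALL,
]

# Alternative that keeps policy routing for Internet traffic: a no-gateway rule
# for the firewall's own networks (assumed "localnet" alias) placed above it.
RULES_LOCALNET_FIRST = [
    {"name": "server to localnet, no gateway", "action": "pass",
     "source": "192.168.100.10/32", "destination": ["10.0.0.8/29", "192.168.200.0/24"],
     "gateway": None},
    RULES_WITH_GATEWAY[0],
    BLOCKALL,
]

if __name__ == "__main__":
    for label, rules in [("gateway set", RULES_WITH_GATEWAY),
                         ("gateway *", RULES_DEFAULT_GATEWAY),
                         ("localnet rule first", RULES_LOCALNET_FIRST)]:
        for dst in ("10.0.0.10", "10.0.0.9", "198.51.100.1"):
            print(f"{label:20} {dst:14} -> {route_packet(rules, '192.168.100.10', dst)}")
```

With the gateway set, the ping to 10.0.0.10 is reported as policy-routed to the WAN gateway, which is exactly what the poster's tracert showed; with gateway * the routing table answers it locally and reaches 10.0.0.9 directly on xl1. The third rule set shows how to keep the policy route for Internet-bound traffic while exempting the firewall's own networks.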