Cannot ping opt1 interface or router connected to opt1 (wan2) interface from lan

hoba

Probably a state-issue. Go to diagnostics>states, reset states. Then retest. Rules look valid to me.

glanc

I've done a state reset but cannot ping. I'll attach other pics, in case something is wrong with the config.

nat1.JPG_thumb

nat2.JPG_thumb

glanc

This happens when i tracert from lan: opt1(wan2) - wan - opt2(DMZ)

It seems that when i ping the opt1(wan2) pfsense int from lan, it tries to reach it going out to internet instead to just replying from the firewall itself!

Strange!

tracert1.JPG_thumb

glanc

This is my loadbalancer config:

loadbalancer.JPG_thumb

glanc

::)…. any suggestions?? Or do i better reset to defaults: rules, nat and loadbalancer and see if i resolve and start over the config step by step?

Thanks.

hoba

Disable the manual advanced outbound nat and set it to automatic again. Retest. Does it work now?

glanc

tried… :-\ but no ping.... is aon worse than using automatic?

If tracerouting opt1 pfsense int from lan, give me back wan gateway as this:

C:>tracert -d 10.0.0.9

Rilevazione instradamento verso 10.0.0.9 su un massimo di 30 punti di passaggio

1 <1 ms <1 ms <1 ms 85.35.156.x -----> this is default gateway on pfsense wan int
2 85.35.141.x rapporti: Rete di destinazione non raggiungibile. (Network unreachable)
|
|--> This is next op router

Rilevazione completata.

does it mean that it is trying to find a reply from opt1 going out to internet, instead of just replying from its internal int?

.... ???

hoba

It means that for some reason it skips your first new created firewallrule. Don't know why though. Maybe reboot.

glanc

already rebooted….what other factor can lead to such a problem? only loadbalancing or i've to check also other configurations such trafficshaping (but i don't think so) anyway just to be sure!

do you think that if i remove loadbalancing and failover conf i'll solve the issue? Thanks.

hoba

Only firewallrules and outbound nat can cause problems here. You don't have any static routes configured, right?

glanc

no static routes. do you need more info on my conf? i can provide you with all the settings? I have the same problem on another pfsense 1.2 box also with dual wan. Everything works fine, but i cannot ping opt1 int from lan nor router attached to that interface. What can be the problem :-\

hoba

Try to rebuild the config step by step and see where it breaks. I guess that'S the easiest way to find the issue atm.

glanc

ok thanks a lot, I'll post the result if i succeed!

hoba

Yes, I'm interested to see where the problem is as well :)

Perry

You could try with my setup.

mine.JPG_thumb

glanc

you mean the localnet entry?

Perry

No. What ip address i you trying from?

lanrules2.JPG_thumb

glanc

i'm trying to ping from internal server 192.168.100.10/24 to pfsense op1 (wan2) interface 10.0.0.10 or router behind it 10.0.0.9 but do not ping. Those rules you mention, was there to let both internal server not being restricted by the last rule "blockall". Do you mean that those rules are blocking pings?

Perry

Yes if you first 192.168.100.10 rules has the gateway * or 10.0.0.9 it should work imo.

glanc

!!SOLVED!! Perry found the problem! ;) The rules under LAN that i put to let 192.168.100.10 go out without being filtered by the last rule, had the gateway not to default one but specified to use opt1 default gateway, so when pinging from lan from that ip, it didn't look at the defaut routing tables causing the problem! Thanks a lot Perry. I suppose that the other rule to let the same internal host go out via opt1 using opt1 default gw is ok. Because i so not want to filter that host when going out from opt1.