Netgate Discussion Forum

    Need some quick help

General pfSense Questions
18 Posts 4 Posters 5.4k Views
Metu69salemi

Some higher-end APs don't take a point from where those are configured, if you have given those a knowledge of the GW. Without it, HTTP traffic doesn't know the route outside of its own subnet.

Though an SSH connection is still possible from a different LAN/WAN.

The Sorrow

Thanks for the link. It'll come in handy for sure. Another issue: on my DMZ I have one box with IP 10.10.2.100. The interface IP is 10.10.2.254. I can ping the box with the pfSense ping tool, but I cannot ping the box from my LAN interface, and my DMZ box cannot ping the pfSense box. I'm guessing the initial ping request goes out but the reply is blocked from returning. Is this correct?

wallabybob

@The Sorrow:

On my DMZ I have one box with IP 10.10.2.100. The interface IP is 10.10.2.254. I can ping the box with the pfSense ping tool, but I cannot ping the box from my LAN interface.

The ping from pfSense will have a source address on the DMZ. When the server replies, the reply goes back to a system on the same network.
When you ping the DMZ server from the LAN, the reply needs to go to a different network (the pfSense LAN network). Does the DMZ server have a suitable default gateway on its network OR a route to the pfSense LAN network?

@The Sorrow:

My DMZ box cannot ping the pfSense box.

As discussed earlier, this access will be blocked unless you have added a rule on the DMZ interface to allow it. The pfSense box has multiple IP addresses. Does the DMZ box have a route to get to the ping target IP address?

The firewall log is often a useful source of troubleshooting information (see Status -> System Logs, click on the Firewall tab). Another useful troubleshooting tool is packet capture: for both these problems, packet capture can be used to see if packets arrive on a particular interface or leave a particular interface.

The Sorrow

@wallabybob:

Does the DMZ server have a suitable default gateway on its network OR a route to the pfSense LAN network?

Its gateway is the DMZ interface IP (10.10.2.254). As far as routes, that's something I am not sure how to check. There are no inter-network routes in the Diagnostics -> Routes table.

The firewall log does show the ICMP broadcast is being blocked. Would allowing ICMP to pass through to the LAN be a large security hole?

wallabybob

@The Sorrow:

Does the DMZ server have a suitable default gateway on its network OR a route to the pfSense LAN network?

Its gateway is the DMZ interface IP (10.10.2.254). As far as routes, that's something I am not sure how to check. There are no inter-network routes in the Diagnostics -> Routes table.

If the DMZ server has a valid default gateway (and that sounds valid) then it doesn't need a route.

@The Sorrow:

The firewall log does show the ICMP broadcast is being blocked. Would allowing ICMP to pass through to the LAN be a large security hole?

Blocked on what interface and under what circumstances? (If the ping is initiated from LAN then the firewall should create a "temporary rule" to allow the ping responses. This is true of all "connections", not just pings.) As to whether ICMP would be a large security hole, I wouldn't think so for my home network, but I don't have security responsibility for your network. Perhaps you could allow it for a little while for your own testing, then block it and see who complains.

The Sorrow

OK, so I reset everything to default, added the DMZ interface and changed nothing in the firewall rules. Still can't ping 10.10.2.100 from 10.10.1.100 on the LAN. It doesn't have any entries in the firewall logs; it just says host unreachable.

wallabybob

Host unreachable in this case probably means the link from the LAN system to pfSense is down OR the LAN system doesn't have a default gateway (hence it doesn't know where to send something destined for a system which isn't on its own network).

Does your LAN system have the correct IP address, gateway and DNS server?

The Sorrow

                    /etc/network/interfaces

                    iface eth0 inet static
                        address 10.10.2.100
                        network 10.10.2.0
                        netmask 255.255.255.0
                        broadcast 10.10.2.255
                        gateway 10.10.2.254

Unless I'm wrong, then it does have a good IP setup. I'm getting a timeout. Host unreachable was my mistake.

wallabybob

@The Sorrow:

I'm getting a timeout.

Configuration looks OK. What is timing out?

The Sorrow

I'll be more specific.

Here is my setup:

10.10.1.0/24
Internet --> pfSense (LAN INT 10.10.1.254/24) ------> LAN --------> Home PC (10.10.1.200/24)
                       |
            DMZ INT (10.10.2.254/24)
                       |
                       |
                DMZ (10.10.2.0/24)
                       |
                Web Server (10.10.2.100/24)

When I try to ping from Home PC to Web Server:

                        Pinging 10.10.2.100 with 32 bytes of data:
                        Request timed out.
                        Request timed out.
                        Request timed out.
                        Request timed out.
                        
                        Ping statistics for 10.10.2.100:
                            Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
                        

However, when I ping using the pfSense ping tool:

                        Ping output:
                        
                        PING 10.10.2.100 (10.10.2.100) from 10.10.2.254: 56 data bytes
                        64 bytes from 10.10.2.100: icmp_seq=0 ttl=64 time=0.689 ms
                        64 bytes from 10.10.2.100: icmp_seq=1 ttl=64 time=0.372 ms
                        64 bytes from 10.10.2.100: icmp_seq=2 ttl=64 time=0.307 ms
                        
                        --- 10.10.2.100 ping statistics ---
                        3 packets transmitted, 3 packets received, 0.0% packet loss
                        round-trip min/avg/max/stddev = 0.307/0.456/0.689/0.167 ms
                        

Same story for pinging pfSense from my Home PC:

                        
                        Pinging 10.10.1.254 with 32 bytes of data:
                        Reply from 10.10.1.254: bytes=32 time<1ms TTL=64
                        Reply from 10.10.1.254: bytes=32 time<1ms TTL=64
                        Reply from 10.10.1.254: bytes=32 time<1ms TTL=64
                        Reply from 10.10.1.254: bytes=32 time<1ms TTL=64
                        
                        Ping statistics for 10.10.1.254:
                            Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
                        Approximate round trip times in milli-seconds:
                            Minimum = 0ms, Maximum = 0ms, Average = 0ms
                        

And for pinging my Home PC from pfSense:

                        Ping output:
                        
                        PING 10.10.1.200 (10.10.1.200) from 10.10.1.254: 56 data bytes
                        64 bytes from 10.10.1.200: icmp_seq=0 ttl=128 time=0.446 ms
                        64 bytes from 10.10.1.200: icmp_seq=1 ttl=128 time=0.309 ms
                        64 bytes from 10.10.1.200: icmp_seq=2 ttl=128 time=0.316 ms
                        
                        --- 10.10.1.200 ping statistics ---
                        3 packets transmitted, 3 packets received, 0.0% packet loss
                        round-trip min/avg/max/stddev = 0.309/0.357/0.446/0.063 ms
                        

I can also ping pfSense from my Ubuntu Web Server:

                        PING 10.10.2.254 (10.10.1.254) 56(84) bytes of data.
                        64 bytes from 10.10.2.254: icmp_req=1 ttl=64 time=0.261 ms
                        64 bytes from 10.10.2.254: icmp_req=2 ttl=64 time=0.209 ms
                        
                        

This is a base pfSense install with the default LAN -> any rule being untouched.

Insert foot in mouth.

Was on a static IP with no gateway. Figured it would work for some reason. Set it to DHCP and it works.

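The thread's resolution (the web server had a static IP but no gateway) is exactly the routing point wallabybob made earlier: the echo request from the LAN reaches the DMZ server through the LAN "pass any" rule, but the server cannot route its reply back to a different subnet without a default gateway, while the pfSense ping tool works because its source address is on the DMZ itself. The following Python model, added here as an example and not code from the thread or from pfSense, traces those four cases with the thread's own addresses. It assumes stock pfSense rules (a "pass any" rule on LAN only, default deny elsewhere) and models the state table as a simple set of (src, dst) pairs; the class and function names are constructed for the example.

```python
"""Constructed model of the LAN/DMZ ping problem discussed in the thread.
Hosts make a plain routing decision (on-link or default gateway); pfSense is
modelled as a default-deny stateful filter with a 'pass any' rule on LAN only,
which is the stock ruleset the thread describes. Example code, not pfSense's."""
import ipaddress


class Host:
    """An end host with one interface and an optional default gateway."""

    def __init__(self, name, cidr, gateway=None):
        self.name = name
        self.iface = ipaddress.ip_interface(cidr)
        self.gateway = ipaddress.ip_address(gateway) if gateway else None

    @property
    def ip(self):
        return self.iface.ip

    def next_hop(self, dst):
        """On-link destination -> deliver directly; otherwise use the default
        gateway. None means the host has no route at all (the thread's bug)."""
        dst = ipaddress.ip_address(dst)
        if dst in self.iface.network:
            return dst
        return self.gateway


class PfSense:
    """Interfaces plus a stateful filter. A packet entering an interface named
    in pass_any creates a state; a packet matching an existing state passes in
    either direction (the 'temporary rule' from the thread); anything else is
    blocked and written to the firewall log."""

    def __init__(self, interfaces, pass_any=("LAN",)):
        self.interfaces = {n: ipaddress.ip_interface(c) for n, c in interfaces.items()}
        self.pass_any = set(pass_any)
        self.states = set()
        self.log = []

    def iface_for(self, ip):
        ip = ipaddress.ip_address(ip)
        for name, iface in self.interfaces.items():
            if ip in iface.network:
                return name
        return None

    def filter(self, src, dst):
        """True if a packet src->dst, entering the interface facing src, passes."""
        src, dst = str(src), str(dst)
        if (dst, src) in self.states:          # reply matching an existing state
            return True
        in_if = self.iface_for(src)
        if in_if in self.pass_any:
            self.states.add((src, dst))
            return True
        self.log.append(f"block in on {in_if}: {src} -> {dst}")
        return False


def ping(src, dst, fw):
    """Trace one echo request and its reply; return a short outcome string."""
    hop = src.next_hop(dst.ip)
    if hop is None:
        return f"request unroutable: no gateway on {src.name}"
    if hop != dst.ip and not fw.filter(src.ip, dst.ip):   # request crosses the router
        return "request blocked by firewall"
    hop = dst.next_hop(src.ip)
    if hop is None:
        return f"timeout: reply unroutable, no gateway on {dst.name}"
    if hop != src.ip and not fw.filter(dst.ip, src.ip):   # reply crosses the router
        return "timeout: reply blocked by firewall"
    return "reply"


def scenarios():
    """The four cases the thread walks through, each with a fresh state table."""
    def fw():
        return PfSense({"LAN": "10.10.1.254/24", "DMZ": "10.10.2.254/24"})
    home = Host("Home PC", "10.10.1.200/24", gateway="10.10.1.254")
    web_nogw = Host("Web Server (no gateway)", "10.10.2.100/24")
    web = Host("Web Server", "10.10.2.100/24", gateway="10.10.2.254")
    pf_dmz = Host("pfSense ping tool (DMZ address)", "10.10.2.254/24")
    blocked = fw()
    return {
        "lan->dmz, server without gateway": ping(home, web_nogw, fw()),
        "lan->dmz, server with gateway": ping(home, web, fw()),
        "pfsense ping tool->dmz": ping(pf_dmz, web_nogw, fw()),
        "dmz->lan, stock rules": ping(web, home, blocked),
        "firewall log": blocked.log,
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case}: {result}")
```

The model reproduces the thread's symptoms: the LAN-originated ping times out with no firewall log entry when the server lacks a gateway (the request was passed and a state created, the reply simply never left the DMZ host), the same ping succeeds once a gateway is set, the pfSense ping tool succeeds regardless because both packets stay on-link, and a DMZ-originated ping is blocked and logged on the DMZ interface under the stock rules.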
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.