Unable to ping between IPs on same interface
-
Not sure where this one goes (category wise), but here is my problem.
I have a pfSense firewall running at the data center. It has a WAN interface, a LAN interface (172.16.160.0/24), and an OpenVPN interface. I needed to add two extra IP subnets on the LAN interface, so I created two Virtual IPs of type "IP Alias" using 192.168.2.0/24 and 192.168.3.0/24. For some reason, I cannot get any traffic to pass between 172.16.160.0/24 and any machine on the 192.168.2.0/24 network. I have the default firewall rule that allows all traffic on the LAN interface and even enabled the checkbox "Bypass firewall rules for traffic on the same interface".
Some observations:
* An OpenVPN client can get to all three networks.
* A machine on the 172.16.160.0/24 network can ping the pfSense IP Alias address (192.168.2.1)
* A machine on the 192.168.2.0/24 network can ping the pfSense LAN interface (172.16.160.1)
* A machine on the 192.168.3.0/24 network can get to (ping, ssh, etc) both the 172.16.160.0 and 192.168.2.0 networks.
* I have disabled pf via the CLI (pfctl -d) and still cannot ping between the 172.16.160.0 and 192.168.2.0 networks.
I must be missing something with regards to NAT and/or firewall rules.
Any pointers? How can I debug this on pfSense?
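The subnet check and the shell diagnostics a pfSense admin would run for the situation above, as an added example that is not part of the original thread. The addresses are the ones from the post; the interface name `vmx1` is an assumption (use `ifconfig` to find the real LAN interface). The point it makes: 172.16.160.0/24, 192.168.2.0/24 and 192.168.3.0/24 share one wire but are different L3 subnets, so a host in one of them never ARPs for a host in another. Every such ping goes to pfSense's address as the gateway and is forwarded back out the same interface, which means it still depends on IP forwarding, the loaded ruleset, NAT and the state table even with "bypass firewall rules for traffic on the same interface" ticked.

```shell
#!/bin/sh
# Added example: classify which host-to-host paths must be routed by pfSense,
# then run the live checks on the firewall itself (they are skipped elsewhere).
# Subnets taken from the post: the LAN plus the two IP Alias VIPs.
LAN_NETS="172.16.160.0/24 192.168.2.0/24 192.168.3.0/24"

# ip_to_int A.B.C.D -> the address as an integer (subshell so IFS is not clobbered)
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# net_contains NET/PREFIX IP -> succeeds when IP falls inside the prefix
net_contains() {
    net=${1%/*}
    prefix=${1#*/}
    # 32-bit mask without shifting by 32 when prefix is 0
    mask=$(( 4294967295 - ((1 << (32 - prefix)) - 1) ))
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# classify SRC DST -> on-link   : same subnet, hosts ARP for each other directly
#                     forwarded : different configured subnets, pfSense must route it
#                     foreign   : DST is in none of the configured subnets
classify() {
    for n in $LAN_NETS; do
        if net_contains "$n" "$1" && net_contains "$n" "$2"; then
            echo on-link
            return 0
        fi
    done
    for n in $LAN_NETS; do
        if net_contains "$n" "$2"; then
            echo forwarded
            return 0
        fi
    done
    echo foreign
}

# live_checks IFACE DST -> the commands to run from the pfSense shell while a
# host in another subnet pings DST. Only runs where pfctl exists.
live_checks() {
    command -v pfctl >/dev/null 2>&1 || { echo "not on pfSense, skipping live checks"; return 0; }
    ifconfig "$1" | grep 'inet '            # the alias addresses (192.168.2.1, 192.168.3.1) must be listed
    sysctl net.inet.ip.forwarding           # must be 1, or nothing is routed between the subnets
    netstat -rn -f inet | grep "$1"         # all three connected routes should sit on the same interface
    pfctl -s rules | grep -i "$1"           # the ruleset as actually loaded, not as displayed in the GUI
    pfctl -s nat                            # outbound NAT must not rewrite LAN-to-LAN traffic
    pfctl -s state | grep "$2"              # is a state being created for the ping at all?
    tcpdump -ni "$1" -c 10 icmp and host "$2"   # does the request arrive, and does the reply leave?
}

# Assumed interface name; the hosts are from the post's description.
classify 172.16.160.50 192.168.2.20    # forwarded: pfSense routes it even though it is one interface
classify 192.168.3.5 192.168.2.20      # forwarded as well, so its working path is the one to compare against
classify 192.168.2.10 192.168.2.1      # on-link: plain ARP, which is why the alias address answers
live_checks vmx1 192.168.2.20
```

Run the script on the firewall while pinging from the 172.16.160 host; compare the tcpdump output with the same capture taken during a working 192.168.3 to 192.168.2 ping, since both paths are "forwarded" and should look identical on the wire.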
-
Is the pfSense box virtual? I know VMware has some issues I was reading about. If it's physical, I'll think of something else.
-
Yep, in fact, it is virtual. That is a good reminder; maybe I did not set promiscuous mode on the vSwitch for this particular VLAN.
Thanks for the reminder!
-
LOL, trust me! I have a virtual box on VMware, and this rings so many bells. Apparently you can't add aliases on virtual NICs to use as different gateways. Something to do with VMware's security... Maybe someone else can back up what I'm trying to say.
What I did, though, to get round the issue is simply add another virtual NIC on the same virtual network. Works for me!
-
Thanks for the info, Craig. Turns out, rebooting pfSense fixed the issue. I have seen this sporadically in the past; making IPSec or OpenVPN changes sometimes requires a reboot of the firewall.
Thanks again for the quick reply.
-
Nice one!