    Remote ping to multi GW IP's

      brebix

      I am trying to figure out how to be able to ping each gateway interface remotely. I have tried a bunch of stuff, but the best I could do is ping only 1 and not the other, not both.
      Figure someone has to know this one; I am sure I am missing something dumb.

      Thanks in advance
      Ray
      ![ping_multi GW.jpg](/public/imported_attachments/1/ping_multi GW.jpg)

        phil.davis

        I guess the text on your diagram has a typo - it says the ping to gateway 2 both works and fails. I assume ping to gateway 1 works, ping to gateway 2 fails.
        Do both gateways have a real public IP right to the pfSense?
        Do both gateways have firewall rules that allow ping (ICMP) coming in from the internet (at least from the remote place you ping from)?

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

          brebix

          @phil.davis:

          I guess the text on your diagram has a typo - it says the ping to gateway 2 both works and fails. I assume ping to gateway 1 works, ping to gateway 2 fails.
          Do both gateways have a real public IP right to the pfSense?
          Do both gateways have firewall rules that allow ping (ICMP) coming in from the internet (at least from the remote place you ping from)?

          Yep, typo, sorry. Yes, you are correct.

          I have public IPs: one static assigned public IP, one public dynamically assigned IP.

          I have set allow ICMP, any source, and dest IF address for each interface.

          It's odd because I can see it hit my firewall and it's blocked, then I set up the rules and it's no longer showing on the firewall log as blocked or passed (checked the Log Packets rule).

          It seems I can only ping whatever one I set up as my default GW at this time.

            brebix

            I simply can't ping each WAN interface IP independently with the rules set up:
            pass  wan1  | ICMP any | source any | dest wan1 address
            pass  wan2  | ICMP any | source any | dest wan2 address

            I stop seeing on my firewall log the blocked ICMP on either interface but I can still only ping one of them.
            It seems whatever one I set as my default gateway works.

              ggzengel

              I think this will be the solution:
              https://doc.pfsense.org/index.php/Interface_Groups

              Using Interface Groups for WANs will not put "reply-to" on the resulting rules, because it can't do so for rules in groups. Due to this, traffic entering via an alternate WAN (non-default route) will exit back via the default route.

              To keep the proper return routing, you must place rules for inbound services behind the firewall on their respective WAN tabs, and not on the group tab.

                brebix

                @ggzengel:

                I think this will be the solution:
                https://doc.pfsense.org/index.php/Interface_Groups

                Using Interface Groups for WANs will not put "reply-to" on the resulting rules, because it can't do so for rules in groups. Due to this, traffic entering via an alternate WAN (non-default route) will exit back via the default route.

                To keep the proper return routing, you must place rules for inbound services behind the firewall on their respective WAN tabs, and not on the group tab.

                I am not using interface groups; I set duplicate rules on both interfaces,
                and I have individual rules for ICMP on each WAN interface…

                I have them in a gateway group for load balancing on the LAN interface.

                  ggzengel

                  I hope you didn't disable reply-to on System: Advanced: Firewall and NAT.

                  Look at your outgoing NAT rules: The source address shouldn't include the WAN addresses.
                  I use an alias with all internally used networks (or all private networks) as source addresses.
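
Added example, not part of the original thread: the replies above turn on whether the inbound WAN pass rules carry pf's `reply-to`. This sketch filters text in the style of `pfctl -sr` output for `pass in` rules on the listed WAN interfaces that lack it; the interface names `em0`/`em1`/`em2`, the addresses and the sample rules are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag inbound pass rules on WAN interfaces that lack reply-to.
# Input is text in the style of `pfctl -sr`; interface names are assumptions.

# Constructed sample ruleset (documentation addresses, hypothetical em0/em1/em2).
sample_rules() {
cat <<'EOF'
pass in quick on em0 reply-to (em0 198.51.100.1) inet proto icmp from any to 198.51.100.10 keep state label "USER_RULE: ping WAN1"
pass in quick on em1 inet proto icmp from any to 203.0.113.10 keep state label "USER_RULE: ping WAN2"
pass in quick on em2 inet from 192.168.1.0/24 to any keep state label "USER_RULE: LAN out"
block drop in log quick on em1 inet all label "Default deny"
EOF
}

# missing_reply_to IFACE...
# Reads rules on stdin; prints "<iface>: <rule>" for every "pass in" rule on a
# listed WAN interface that has no reply-to. Replies for states created by such
# rules follow the routing table, so they leave via the default gateway.
missing_reply_to() {
    awk -v wans="$*" '
        BEGIN { n = split(wans, w, " "); for (i = 1; i <= n; i++) wan[w[i]] = 1 }
        $1 == "pass" && $2 == "in" {
            iface = ""
            for (i = 3; i < NF; i++) if ($i == "on") { iface = $(i + 1); break }
            if ((iface in wan) && $0 !~ / reply-to /) print iface ": " $0
        }'
}

# On the firewall itself: pfctl -sr | missing_reply_to em0 em1
sample_rules | missing_reply_to em0 em1
```

A rule reported here matches the symptom described in the thread: the echo request is passed on that WAN, but the reply is routed out the default gateway.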
