ICMP pings still timing out despite ICMP traffic being reported as passed
-
I'm still having this issue. Has anyone downloaded that program and gotten the Poll function to work behind their pfsense router?
-
No problems here behind NAT with no specific outgoing ICMP rules. I know that some implementations of traceroute use UDP, so you may want to allow that through as well.
-
No problems here behind NAT with no specific outgoing ICMP rules. I know that some implementations of traceroute use UDP, so you may want to allow that through as well.
After it finishes a Traceroute, you have to click Poll. Then it will fill out the columns to the right.
-
Log from traceroute:
pass Nov 8 09:37:17 LAN 10.100.4.45:137 159.153.225.30:137 UDP pass Nov 8 09:37:12 LAN 10.100.4.45:137 159.153.225.5:137 UDP pass Nov 8 09:37:08 LAN 10.100.4.45:137 10.242.195.225:137 UDP pass Nov 8 09:37:03 LAN 10.100.4.45:137 10.105.0.1:137 UDP pass Nov 8 09:37:03 LAN 10.100.4.45 159.153.234.54 ICMPLog from polling:
pass Nov 8 09:38:17 LAN 10.100.4.45 159.153.226.105 ICMP pass Nov 8 09:38:17 LAN 10.100.4.45 159.153.225.30 ICMP pass Nov 8 09:38:15 LAN 10.100.4.45 159.153.225.5 ICMP pass Nov 8 09:38:14 LAN 10.100.4.45 206.126.236.55 ICMP pass Nov 8 09:38:12 LAN 10.100.4.45 96.34.3.89 ICMP pass Nov 8 09:38:11 LAN 10.100.4.45 96.34.0.48 ICMP pass Nov 8 09:38:09 LAN 10.100.4.45 96.34.2.40 ICMP pass Nov 8 09:38:08 LAN 10.100.4.45 96.34.80.126 ICMP pass Nov 8 09:38:06 LAN 10.100.4.45 96.34.84.142 ICMP pass Nov 8 09:38:05 LAN 10.100.4.45 10.242.195.225 ICMP pass Nov 8 09:38:05 LAN 10.100.4.45 x.x.x.x ICMP pass Nov 8 09:38:05 LAN 10.100.4.45 10.105.0.1 ICMPMy suggestion would be to allow any to any from your internal IP and log the traffic. Everything that I can touch, the uo program can touch.
-
I made any to any in the WAN rules, with logging, and the only thing that showed up was ICMP packets. I already have any to any in the LAN rules. When I did a Poll, I was still getting 100% loss.
-
Not having any issues here with polling.
I have no special rules other than the default lan rules.. Nat is automatic - you really should not have to do anything for pings to work.
So curious - are you behind a double nat.. You hide that second hop in your trace..
-
Second hop is very likely his public IP.
-
I made any to any in the WAN rules
Well there's your problem. You're allowing anyone from anywhere into your WAN interface. Firewall rules apply to inbound packets. The ones from you are inbound on your LAN interface, outbound on your WAN interface. Once they've traversed your WAN interface, for all intents and purposes they're considered an established session, and you don't need any rules on your WAN interface to keep it working. Take the any to any rule off of your WAN interface, that's extremely dangerous.
Create a rule like this:
only with your IP instead of mine, and let me know what happens. Make sure that in the "protocol" section you select "any." -
Second hop is very likely his public IP.
It shouldn't be his ip, the gateway off the segment he is connected too sure, which with most isps prob a large segment - mine for example is a /21 So sure in a privacy concern issue you might want to hide part of that IP range.. But it only gives away a segment he is on that would for example in my case be some 2000 addresses ;)
-
Yeah, meant gateway. Slow brain day. I've got a /28, so exposing my gateway would not be a great idea. Most people don't get /21s to play around with.
-
Second hop is very likely his public IP.
It shouldn't be his ip, the gateway off the segment he is connected too sure, which with most isps prob a large segment - mine for example is a /21 So sure in a privacy concern issue you might want to hide part of that IP range.. But it only gives away a segment he is on that would for example in my case be some 2000 addresses ;)
It is my WAN IP that I did block out of the picture. My pfSense router is connected to a Motorola SURFboard SB 6121 modem, which should have no routing or firewalling of any kind.
I made the rule exactly as you said, and here it is under pfsense firewall logs.
Edit: While the Poll was cycling through, I unplugged my computer from the pfsense router, unplugged the router from the modem, and plugged my PC directly to the modem. Immediatly I started getting responses. It's not my ISP or modem, it's pfsense. I just need to know what setting I have wrong in my router.
-
"While the Poll was cycling through, I unplugged my computer from the pfsense router, unplugged the router from the modem, and plugged my PC directly to the modem."
Really – normally you need to power cycle a cable modem. I have the SB6120 and if I change the mac of the device connected to it - I have to power cycle.
Power cycle your modem after you connect pfsense.
Here is the thing - out of the box what your doing should work.. you should not have to do anything for pings, or traceroutes to work.
As to what your blocking out - that should NOT be your wan IP.. What should be in there is the IP of your ISP router your hitting as first hop. So in my case its 24.13.176.1 while my actual IP is 24.13.x.x in that /21 range.
-
"While the Poll was cycling through, I unplugged my computer from the pfsense router, unplugged the router from the modem, and plugged my PC directly to the modem."
Really – normally you need to power cycle a cable modem. I have the SB6120 and if I change the mac of the device connected to it - I have to power cycle.
Power cycle your modem after you connect pfsense.
Here is the thing - out of the box what your doing should work.. you should not have to do anything for pings, or traceroutes to work.
As to what your blocking out - that should NOT be your wan IP.. What should be in there is the IP of your ISP router your hitting as first hop. So in my case its 24.13.176.1 while my actual IP is 24.13.x.x in that /21 range.
Oh you're right. That's a different IP address. The more I know….
I am gonna power cycle everything once people aren't using the Teamspeak server.
Edit: Power cycled, removed the MAC Address spoofing, but still having the issue.
-
I too am having this issue.
Have 2 WAN connections, both PPPoE on pfSense.
WAN 1 has an interface address (DHCP) with 5 Static IPs configured as Virtual IP Alias.
WAN 2 has a single Static IP, assigned via DHCP from the ISP.I can ping WAN 2 on it's static IP just fine, as it's the same IP as the Interface address.
WAN 1 however, will only respond to a ping on it's interface address, but not on any of the IP Aliases. In the system logs, it shows this traffic as a pass entry (I specified to log it), but the machine is not getting a response.Makes no sense!!
Any suggestions would be much appreciated. Please let me know if I can help by providing any more information.
Thanks in advance.
-
Your issue is not anything like the OP, not you have described it not.
The OP can not ping or traceroute to outside IPs.
Your talking about pinging your wans virtual IPs - not even in the same ballpark. Start your own thread!
-
My apologies, you're right. I've skimmed so many articles to try and find a solution, I misread this one.
Good luck OP
-
My apologies, you're right. I've skimmed so many articles to try and find a solution, I misread this one.
Good luck OP
Try adding individual firewall rules for each IP on the interface, that was my fix in your case.
-
I downloaded the utility and ran it, no issues with the polling function behind pfSense. Furthermore, I ran a wireshark capture on its traffic and all it generates is ICMP pings. I really can't see why it wouldn't just work ???
-
I disabled all packet filtering temporarily and despite NAT being completely off, it's still not working. Also I polled a couple of computers on the network just fine, with 0% loss.
So if it's not the firewall that's stopping it, what is?
-
What if you get one of those hops and ping it from a console? Do you get replies?
