Netgate Discussion Forum

    ICMP pings still timing out despite ICMP traffic being reported as passed

    Category: Firewalling. 72 Posts, 13 Posters, 25.6k Views
      JacktheSmack

      I'm still having this issue. Has anyone downloaded that program and gotten the Poll function to work behind their pfsense router?

        timthetortoise

        No problems here behind NAT with no specific outgoing ICMP rules. I know that some implementations of traceroute use UDP, so you may want to allow that through as well.

          JacktheSmack

          @timthetortoise:

          No problems here behind NAT with no specific outgoing ICMP rules. I know that some implementations of traceroute use UDP, so you may want to allow that through as well.

          After it finishes a Traceroute, you have to click Poll. Then it will fill out the columns to the right.

            timthetortoise

            Log from traceroute:

            Action  Time             If   Source              Destination         Proto
            pass    Nov 8 09:37:17   LAN  10.100.4.45:137     159.153.225.30:137  UDP
            pass    Nov 8 09:37:12   LAN  10.100.4.45:137     159.153.225.5:137   UDP
            pass    Nov 8 09:37:08   LAN  10.100.4.45:137     10.242.195.225:137  UDP
            pass    Nov 8 09:37:03   LAN  10.100.4.45:137     10.105.0.1:137      UDP
            pass    Nov 8 09:37:03   LAN  10.100.4.45         159.153.234.54      ICMP

            Log from polling:

            Action  Time             If   Source              Destination         Proto
            pass    Nov 8 09:38:17   LAN  10.100.4.45         159.153.226.105     ICMP
            pass    Nov 8 09:38:17   LAN  10.100.4.45         159.153.225.30      ICMP
            pass    Nov 8 09:38:15   LAN  10.100.4.45         159.153.225.5       ICMP
            pass    Nov 8 09:38:14   LAN  10.100.4.45         206.126.236.55      ICMP
            pass    Nov 8 09:38:12   LAN  10.100.4.45         96.34.3.89          ICMP
            pass    Nov 8 09:38:11   LAN  10.100.4.45         96.34.0.48          ICMP
            pass    Nov 8 09:38:09   LAN  10.100.4.45         96.34.2.40          ICMP
            pass    Nov 8 09:38:08   LAN  10.100.4.45         96.34.80.126        ICMP
            pass    Nov 8 09:38:06   LAN  10.100.4.45         96.34.84.142        ICMP
            pass    Nov 8 09:38:05   LAN  10.100.4.45         10.242.195.225      ICMP
            pass    Nov 8 09:38:05   LAN  10.100.4.45         x.x.x.x             ICMP
            pass    Nov 8 09:38:05   LAN  10.100.4.45         10.105.0.1          ICMP

            My suggestion would be to allow any to any from your internal IP and log the traffic. Everything that I can touch, the uo program can touch.

              JacktheSmack

              I made any to any in the WAN rules, with logging, and the only thing that showed up was ICMP packets. I already have any to any in the LAN rules. When I did a Poll, I was still getting 100% loss.

                johnpoz LAYER 8 Global Moderator

                Not having any issues here with polling.

                I have no special rules other than the default LAN rules.. NAT is automatic - you really should not have to do anything for pings to work.

                So curious - are you behind a double NAT.. You hide that second hop in your trace..

                [attachments: nosuchproblem.png, lanrules.png]

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                  timthetortoise

                  Second hop is very likely his public IP.

                    timthetortoise

                    @JacktheSmack:

                    I made any to any in the WAN rules

                    Well there's your problem. You're allowing anyone from anywhere into your WAN interface. Firewall rules apply to inbound packets. The ones from you are inbound on your LAN interface, outbound on your WAN interface. Once they've traversed your WAN interface, for all intents and purposes they're considered an established session, and you don't need any rules on your WAN interface to keep it working. Take the any to any rule off of your WAN interface, that's extremely dangerous.

                    Create a rule like this:

                    only with your IP instead of mine, and let me know what happens. Make sure that in the "protocol" section you select "any."

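To make the rule-direction and state point from the post above concrete, here is an added example: a toy stateful packet filter written for this thread, not pfSense code and not something any poster supplied. It models the two things the thread turns on: rules are evaluated on the interface a packet arrives on, and a packet passed by a rule creates a state entry that lets the flow's return traffic back in without any rule on the WAN side. It also shows why a logged "pass" for an echo request says nothing about whether a reply came back, which is the OP's symptom. The addresses 10.100.4.45 and 96.34.3.89 come from the logs earlier in the thread; the 10.100.4.0/24 LAN subnet and 203.0.113.9 are constructed assumptions, and NAT is deliberately left out of the model.

```python
"""Toy stateful packet filter illustrating the pfSense rule/state behaviour discussed
in the thread. Added example, not pfSense code. NAT is omitted on purpose."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet ARRIVES on: "LAN" or "WAN"
    proto: str   # "ICMP", "UDP" or "TCP"
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    iface: str          # rules are matched on the arriving interface only
    proto: str = "any"
    src: str = "any"    # "any" or a CIDR such as "10.100.4.0/24"
    dst: str = "any"
    log: bool = True


def _addr_in(addr: str, spec: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


class Firewall:
    """Stateful filter: the state table is consulted before the rule set, so
    return traffic of an established flow passes with no rule on the WAN side."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()   # (proto, src, dst) of flows a rule has passed
        self.log = []         # (action, iface, src, dst, proto), like the thread's log columns

    def process(self, pkt: Packet) -> str:
        flow = (pkt.proto, pkt.src, pkt.dst)
        reverse = (pkt.proto, pkt.dst, pkt.src)
        if flow in self.states or reverse in self.states:
            return "pass:state"          # state-matched packets are not logged again
        for rule in self.rules:
            if (rule.iface == pkt.iface and rule.proto in ("any", pkt.proto)
                    and _addr_in(pkt.src, rule.src) and _addr_in(pkt.dst, rule.dst)):
                self.states.add(flow)    # only the state-creating packet hits the log
                if rule.log:
                    self.log.append(("pass", pkt.iface, pkt.src, pkt.dst, pkt.proto))
                return "pass:rule"
        self.log.append(("block", pkt.iface, pkt.src, pkt.dst, pkt.proto))
        return "block"


LAN_NET = "10.100.4.0/24"      # assumed LAN subnet
HOST = "10.100.4.45"           # the OP's machine, from the thread's logs
HOP = "96.34.3.89"             # one traceroute hop, from the thread's logs
STRANGER = "203.0.113.9"       # constructed outside address (TEST-NET-3)

DEFAULT_RULES = [Rule("LAN", src=LAN_NET)]   # the stock "LAN net to any" rule, nothing on WAN


def ping_round_trip(fw: Firewall):
    """Echo request leaves via LAN, echo reply arrives on WAN."""
    out = fw.process(Packet("LAN", "ICMP", HOST, HOP))
    back = fw.process(Packet("WAN", "ICMP", HOP, HOST))
    return out, back


def unsolicited_inbound(fw: Firewall) -> str:
    """An outside host pinging the OP's machine with no prior outbound flow."""
    return fw.process(Packet("WAN", "ICMP", STRANGER, HOST))


def scenario_default():
    """Stock rules: ping works via state, unsolicited inbound is blocked."""
    fw = Firewall(DEFAULT_RULES)
    return {"ping": ping_round_trip(fw), "unsolicited": unsolicited_inbound(fw), "log": fw.log}


def scenario_wan_any_any():
    """The OP's 'any to any on WAN' rule: ping still works, but now so does
    anything from anywhere, which is why the post calls it dangerous."""
    fw = Firewall(DEFAULT_RULES + [Rule("WAN")])
    return {"ping": ping_round_trip(fw), "unsolicited": unsolicited_inbound(fw), "log": fw.log}


def scenario_no_reply():
    """The OP's symptom: the request is logged as passed, no reply ever arrives.
    The log line only proves the request matched a LAN rule and created state."""
    fw = Firewall(DEFAULT_RULES)
    fw.process(Packet("LAN", "ICMP", HOST, HOP))
    return fw.log


if __name__ == "__main__":
    for name, fn in [("default", scenario_default), ("wan any-to-any", scenario_wan_any_any)]:
        print(name, fn())
    print("no reply", scenario_no_reply())
```

The third scenario is the one to keep in mind when reading firewall logs: a "pass" entry is written for the packet that created the state, so a list of passed ICMP requests looks identical whether or not replies ever return. The reply path has to be checked separately, for instance with a packet capture on the WAN interface.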
                      johnpoz LAYER 8 Global Moderator

                      @timthetortoise:

                      Second hop is very likely his public IP.

                      It shouldn't be his IP; the gateway off the segment he is connected to, sure, which with most ISPs is prob a large segment - mine for example is a /21. So sure, in a privacy concern issue you might want to hide part of that IP range.. But it only gives away a segment he is on, that would for example in my case be some 2000 addresses ;)


                        timthetortoise

                        Yeah, meant gateway. Slow brain day. I've got a /28, so exposing my gateway would not be a great idea. Most people don't get /21s to play around with.

                          JacktheSmack

                          @johnpoz:

                          @timthetortoise:

                          Second hop is very likely his public IP.

                          It shouldn't be his IP; the gateway off the segment he is connected to, sure, which with most ISPs is prob a large segment - mine for example is a /21. So sure, in a privacy concern issue you might want to hide part of that IP range.. But it only gives away a segment he is on, that would for example in my case be some 2000 addresses ;)

                          It is my WAN IP that I did block out of the picture. My pfSense router is connected to a Motorola SURFboard SB 6121 modem, which should have no routing or firewalling of any kind.

                          I made the rule exactly as you said, and here it is under pfsense firewall logs.

                          Edit: While the Poll was cycling through, I unplugged my computer from the pfsense router, unplugged the router from the modem, and plugged my PC directly into the modem. Immediately I started getting responses. It's not my ISP or modem, it's pfsense. I just need to know what setting I have wrong in my router.

                          [attachment: dsdsfd.PNG]

                            johnpoz LAYER 8 Global Moderator

                            "While the Poll was cycling through, I unplugged my computer from the pfsense router, unplugged the router from the modem, and plugged my PC directly to the modem."

                            Really – normally you need to power cycle a cable modem.  I have the SB6120 and if I change the mac of the device connected to it - I have to power cycle.

                            Power cycle your modem after you connect pfsense.

                            Here is the thing - out of the box what you're doing should work.. you should not have to do anything for pings, or traceroutes, to work.

                            As to what you're blocking out - that should NOT be your WAN IP.. What should be in there is the IP of the ISP router you're hitting as first hop.  So in my case it's 24.13.176.1 while my actual IP is 24.13.x.x in that /21 range.


                              JacktheSmack

                              @johnpoz:

                              "While the Poll was cycling through, I unplugged my computer from the pfsense router, unplugged the router from the modem, and plugged my PC directly to the modem."

                              Really – normally you need to power cycle a cable modem.  I have the SB6120 and if I change the mac of the device connected to it - I have to power cycle.

                              Power cycle your modem after you connect pfsense.

                              Here is the thing - out of the box what you're doing should work.. you should not have to do anything for pings, or traceroutes, to work.

                              As to what you're blocking out - that should NOT be your WAN IP.. What should be in there is the IP of the ISP router you're hitting as first hop.  So in my case it's 24.13.176.1 while my actual IP is 24.13.x.x in that /21 range.

                              Oh you're right. That's a different IP address. The more I know….

                              I am gonna power cycle everything once people aren't using the Teamspeak server.

                              Edit: Power cycled, removed the MAC Address spoofing, but still having the issue.

                                axis-frank

                                I too am having this issue.

                                Have 2 WAN connections, both PPPoE on pfSense.
                                WAN 1 has an interface address (DHCP) with 5 Static IPs configured as Virtual IP Alias.
                                WAN 2 has a single Static IP, assigned via DHCP from the ISP.

                                I can ping WAN 2 on its static IP just fine, as it's the same IP as the interface address.
                                WAN 1, however, will only respond to a ping on its interface address, but not on any of the IP Aliases. In the system logs, it shows this traffic as a pass entry (I specified to log it), but the machine is not getting a response.

                                Makes no sense!!

                                Any suggestions would be much appreciated. Please let me know if I can help by providing any more information.

                                Thanks in advance.

                                  johnpoz LAYER 8 Global Moderator

                                  Your issue is not anything like the OP's, not as you have described it.

                                  The OP can not ping or traceroute to outside IPs.

                                  You're talking about pinging your WAN's virtual IPs - not even in the same ballpark.  Start your own thread!


                                    axis-frank

                                    My apologies, you're right. I've skimmed so many articles to try and find a solution, I misread this one.

                                    Good luck OP

                                      timthetortoise

                                      @axis-frank:

                                      My apologies, you're right. I've skimmed so many articles to try and find a solution, I misread this one.

                                      Good luck OP

                                      Try adding individual firewall rules for each IP on the interface, that was my fix in your case.

                                        georgeman

                                        I downloaded the utility and ran it, no issues with the polling function behind pfSense. Furthermore, I ran a wireshark capture on its traffic and all it generates is ICMP pings. I really can't see why it wouldn't just work ???

                                        If it ain't broke, you haven't tampered enough with it

                                          JacktheSmack

                                          I disabled all packet filtering temporarily and despite NAT being completely off,  it's still not working. Also I polled a couple of computers on the network just fine, with 0% loss.

                                          So if it's not the firewall that's stopping it, what is?

                                            georgeman

                                            What if you get one of those hops and ping it from a console? Do you get replies?


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.