ICMP pings still timing out despite ICMP traffic being reported as passed

JacktheSmack · Nov 8, 2013, 9:33 PM

@timthetortoise:

Second hop is very likely his public IP.

It shouldn't be his ip, the gateway off the segment he is connected too sure, which with most isps prob a large segment - mine for example is a /21 So sure in a privacy concern issue you might want to hide part of that IP range.. But it only gives away a segment he is on that would for example in my case be some 2000 addresses ;)

It is my WAN IP that I did block out of the picture. My pfSense router is connected to a Motorola SURFboard SB 6121 modem, which should have no routing or firewalling of any kind.

I made the rule exactly as you said, and here it is under pfsense firewall logs.

Edit: While the Poll was cycling through, I unplugged my computer from the pfsense router, unplugged the router from the modem, and plugged my PC directly to the modem. Immediatly I started getting responses. It's not my ISP or modem, it's pfsense. I just need to know what setting I have wrong in my router.

johnpoz · Nov 8, 2013, 10:21 PM

"While the Poll was cycling through, I unplugged my computer from the pfsense router, unplugged the router from the modem, and plugged my PC directly to the modem."

Really – normally you need to power cycle a cable modem. I have the SB6120 and if I change the mac of the device connected to it - I have to power cycle.

Power cycle your modem after you connect pfsense.

Here is the thing - out of the box what your doing should work.. you should not have to do anything for pings, or traceroutes to work.

As to what your blocking out - that should NOT be your wan IP.. What should be in there is the IP of your ISP router your hitting as first hop. So in my case its 24.13.176.1 while my actual IP is 24.13.x.x in that /21 range.

JacktheSmack · Nov 9, 2013, 12:51 AM

@johnpoz:

"While the Poll was cycling through, I unplugged my computer from the pfsense router, unplugged the router from the modem, and plugged my PC directly to the modem."

Really – normally you need to power cycle a cable modem. I have the SB6120 and if I change the mac of the device connected to it - I have to power cycle.

Power cycle your modem after you connect pfsense.

Here is the thing - out of the box what your doing should work.. you should not have to do anything for pings, or traceroutes to work.

As to what your blocking out - that should NOT be your wan IP.. What should be in there is the IP of your ISP router your hitting as first hop. So in my case its 24.13.176.1 while my actual IP is 24.13.x.x in that /21 range.

Oh you're right. That's a different IP address. The more I know….

I am gonna power cycle everything once people aren't using the Teamspeak server.

Edit: Power cycled, removed the MAC Address spoofing, but still having the issue.

axis-frank · Nov 12, 2013, 2:53 PM

I too am having this issue.

Have 2 WAN connections, both PPPoE on pfSense.
WAN 1 has an interface address (DHCP) with 5 Static IPs configured as Virtual IP Alias.
WAN 2 has a single Static IP, assigned via DHCP from the ISP.

I can ping WAN 2 on it's static IP just fine, as it's the same IP as the Interface address.
WAN 1 however, will only respond to a ping on it's interface address, but not on any of the IP Aliases. In the system logs, it shows this traffic as a pass entry (I specified to log it), but the machine is not getting a response.

Makes no sense!!

Any suggestions would be much appreciated. Please let me know if I can help by providing any more information.

Thanks in advance.

johnpoz · Nov 12, 2013, 9:10 PM

Your issue is not anything like the OP, not you have described it not.

The OP can not ping or traceroute to outside IPs.

Your talking about pinging your wans virtual IPs - not even in the same ballpark. Start your own thread!

axis-frank · Nov 12, 2013, 9:23 PM

My apologies, you're right. I've skimmed so many articles to try and find a solution, I misread this one.

Good luck OP

timthetortoise · Nov 13, 2013, 3:31 AM

@axis-frank:

My apologies, you're right. I've skimmed so many articles to try and find a solution, I misread this one.

Good luck OP

Try adding individual firewall rules for each IP on the interface, that was my fix in your case.

georgeman · Nov 13, 2013, 7:20 PM

I downloaded the utility and ran it, no issues with the polling function behind pfSense. Furthermore, I ran a wireshark capture on its traffic and all it generates is ICMP pings. I really can't see why it wouldn't just work ???

JacktheSmack · Nov 14, 2013, 5:38 AM

I disabled all packet filtering temporarily and despite NAT being completely off, it's still not working. Also I polled a couple of computers on the network just fine, with 0% loss.

So if it's not the firewall that's stopping it, what is?

georgeman · Nov 14, 2013, 5:13 PM

What if you get one of those hops and ping it from a console? Do you get replies?

johnpoz · Nov 14, 2013, 6:15 PM

can we see your wan and lan rules.. And are you nats automatic - and your floating tab is empty?

and you only have wan and lan interfaces on pfsense right?

This should just work out of the box, bing bang zoom.. You have something odd going on that is for sure - but without seeing your wan and lan rules and any nats you might have setup its hard to tell where your issue is.

Please post screen shots of these screens so we can see your full set.

JacktheSmack · Nov 14, 2013, 9:32 PM

@georgeman:

What if you get one of those hops and ping it from a console? Do you get replies?

Yes, pinging the hops individually works fine.

@johnpoz:

can we see your wan and lan rules.. And are you nats automatic - and your floating tab is empty?

and you only have wan and lan interfaces on pfsense right?

This should just work out of the box, bing bang zoom.. You have something odd going on that is for sure - but without seeing your wan and lan rules and any nats you might have setup its hard to tell where your issue is.

Please post screen shots of these screens so we can see your full set.

I've attached all the firewall rules and LAN/WAN settings.

http://imgur.com/a/MM8a8

![firewall nat 1 to 1.PNG](/public/imported_attachments/1/firewall nat 1 to 1.PNG)
![firewall nat 1 to 1.PNG_thumb](/public/imported_attachments/1/firewall nat 1 to 1.PNG_thumb)

johnpoz · Nov 14, 2013, 9:41 PM

Ok why and the hell do you have a 192.168.1.50 address as vip for a 1:1 to your wan?

What do you think that 1:1 nat is doing?

Your LAN rules say if your coming from 192.168.1.50 you can talk to 192.168.1.234?? When would that rule ever come into play? A box on 192.168.1.0/24 ie your lan would never even send a packet to 192.168.1.1 because 192.168.1.234 is its own network. And isn't .50 the vip you created?

I would suggest you remove all that stuff. I would then delete your nat rules since seems your currently set to auto but must at one time set it to manual.. So those should be deleted.

Your best best would be to prob just from the console do a
4) Reset to factory defaults

And then see what happens.

JacktheSmack · Nov 14, 2013, 10:00 PM

Reset to factory defaults, haven't changed a single option, and still getting timeout when I do a Poll.

johnpoz · Nov 14, 2013, 10:06 PM

dude your rules make no sense.. Why do you have rules for lan to lan traffic - you do understand that pfsense has nothing to do with boxes talking to each other on 192.168.1.0/24 – it is a gateway OFF that network..

You clearly created a VIP for a 1:1 - 192.168.1.50

You have setup a 1:1 NAT to what??

Simple just reset to factory and all that nonsense goes away. Then ask how to do what you want to do.. What is the purpose of 192.168.1.50 on your WAN interface in a 1:1 nat? What do you expect to accomplish with that?

JacktheSmack · Nov 14, 2013, 10:11 PM

@johnpoz:

dude your rules make no sense.. Why do you have rules for lan to lan traffic - you do understand that pfsense has nothing to do with boxes talking to each other on 192.168.1.0/24 – it is a gateway OFF that network..

You clearly created a VIP for a 1:1 - 192.168.1.50

You have setup a 1:1 NAT to what??

Simple just reset to factory and all that nonsense goes away. Then ask how to do what you want to do.. What is the purpose of 192.168.1.50 on your WAN interface in a 1:1 nat? What do you expect to accomplish with that?

I just reset, as I have said in my earlier post.

Also I didn't have that rule there 15 minutes before this post, as I was trying to figure out how to do an emulation of an IP address so if a computer requests 192.168.1.50, it will redirect them to 192.168.1.234. This is due to a limitation of Apple Computers where a Hostname cannot be used for a network printer, only an IP address, and every once in a while the IP will change. The only way to change the IP of an installed network printer on a Mac is to reinstall the printer software. It would be ten times easier just to have all the Macs point to a virtual IP, which redirects them to the printer's real IP.

johnpoz · Nov 14, 2013, 10:37 PM

so you have reset or have not reset with out those 1:1 without the manual nat rules showing up?

So your saying if you do ping to those hops from pfsense, or from box behind pfsense they work?

If they do not work from pfsense then its not pfsense causing the problem. If they work from pfsense console, but dont' work behind pfsense then there is something wrong with pfsense.

JacktheSmack · Nov 15, 2013, 2:41 AM

@johnpoz:

so you have reset or have not reset with out those 1:1 without the manual nat rules showing up?

I reset all settings in the entire box. There is no rules, except for the default LAN rules ones that allow networked PCs to communicate. All NAT settings are empty.

@johnpoz:

So your saying if you do ping to those hops from pfsense, or from box behind pfsense they work?

If they do not work from pfsense then its not pfsense causing the problem. If they work from pfsense console, but dont' work behind pfsense then there is something wrong with pfsense.

If I ping them behind pfsense in windows command line, it works. Same with tracert. If I poll them in this tool, I have 100% loss.

If I unplug my pfsense router and connect to my modem directly, I can poll everything just fine.

I can also poll other computers on the same network fine.

Edit: I can also tracert from pfsense fine.

johnpoz · Nov 15, 2013, 1:37 PM

Well that makes absolutely no sense - all the tool is doing is icmp pings.

And you say if you do the same tracert and ping command work from windows directly.

So look here is sniff of the traffic, all its sending is pings in the poll

did you tweak anything in the tool settings.. what is your ping TTL set too?

johnpoz · Nov 15, 2013, 7:09 PM

As to your printer stuff - what are you trying to accomplish. Why would your printers not be discovered with airprint/bonour/mdns/dns-sd?

Seems to be they are the same segment. If not on same segment then you can do look up cross segments support for printers with apple, etc.

I don't have any apple to play with other than my ipad - but I shared out my printer via cups and finds it by name no problem.

dnssd://Samsung%20ML-2570%20Series%20(samsung)._printer._tcp.local/

Trying to setup via IP I agree would be a pain to be sure.. I find it hard to believe you can not setup FQDN when adding a printer to apples? Do you not have normal dns services on your network.. Pfsense can for sure hand out say printer1.somedomain.tld to your network. Then if IP changes just update your host over ride in pfsense to point to new IP, etc.