ICMP pings still timing out despite ICMP traffic being reported as passed

johnpoz

And why would it be doing that, when its not doing it on mine other people in the thread that says it works.

Clearly you see from sniff the replies are there, if you ping from cmd line on your client they work.  If you traceroute from cmd line on your client it works.  Its this software that is not seeing them.

Why I have no idea currently - the software works on my machine, and I am running through pfsense 2.1

I would have to think its something your doing in your os setup, security software your running?  Do you run any security software?  Maybe something to do with icmp rate limiting?

If you think what this software is doing - it could look malicious to me, pinging what could look like random IPs very quickly.

Take a look at the details of the packets when you do a normal ping from your command line that works.  And what you get sent back in the reply.  Then look at the packets the tool sends out and what you get back - do you see any thing odd.

From my quick look it was your typical ping..  But when I get home I can do that test and compare what sent and recv'd when normally ping and what that tool sends and what is sent back.

Then repeat the sniffs while directly connected to your modem and see..  I would be curious what firewall profile you get, what does windows identify the network as when your directly connected to the modem vs when your connected to pfsense.  Or what some other software your running - are you running anything, antivirus sort of tools?  Many of them contain firewalls or firewall like features, etc.

edit: as a side note and for completeness - here is why I say not to disable the firewall service.

http://technet.microsoft.com/en-us/library/cc766337%28v=ws.10%29.aspx
Do not disable Windows Firewall by stopping the service. Instead, use one of the preceding procedures (or an equivalent Group Policy setting) to turn the firewall off.  If you turn off the Windows Firewall with Advanced Security service, you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, Windows Service Hardening, and network protection from attacks that employ network fingerprinting.

I have never seen a reason why this service should be disabled.  I personally don't see a need for the windows firewall on my machines - they are on my secure private lan.  But I just turn off the firewall vs turning off the service.  If for some strange reason my machine got connected to different network say wireless or something - then it would not be identified as home network, but public - and in that case I would want the software firewall.  Laptops for example - they don't need the firewall while connected to my network. But when they get taken outside my secure network - then yes that network should be public and firewall ON..

JacktheSmack

@johnpoz:

And why would it be doing that, when its not doing it on mine other people in the thread that says it works.

This baffles me more than anyone. I know it should be working, I'm hosting a website, teamspeak, and I've hosted plenty of gaming servers. Why a simple ICMP packet cannot get through is confusing.

@johnpoz:

Clearly you see from sniff the replies are there, if you ping from cmd line on your client they work.  If you traceroute from cmd line on your client it works.  Its this software that is not seeing them.

Why I have no idea currently - the software works on my machine, and I am running through pfsense 2.1

I would have to think its something your doing in your os setup, security software your running?  Do you run any security software?  Maybe something to do with icmp rate limiting?

If you think what this software is doing - it could look malicious to me, pinging what could look like random IPs very quickly.

The only software I have INSTALLED (not running) is Kaspersky Anti-Virus 2013, which doesn't have firewalling. I had Spybot Search and Destroy which blocked tens of thousands of IP addresses, but I reversed its changes and uninstalled it. I also have Peer Block, but it is not running AND it blocks IP addresses, not specific packets. Other than windows firewall which is disabled, and which I have always hated since Windows XP had it install automatically in a service pack years ago, there is nothing running on this PC that interferes with network traffic.

@johnpoz:

Take a look at the details of the packets when you do a normal ping from your command line that works.  And what you get sent back in the reply.  Then look at the packets the tool sends out and what you get back - do you see any thing odd.

From my quick look it was your typical ping..  But when I get home I can do that test and compare what sent and recv'd when normally ping and what that tool sends and what is sent back.

Then repeat the sniffs while directly connected to your modem and see..  I would be curious what firewall profile you get, what does windows identify the network as when your directly connected to the modem vs when your connected to pfsense.  Or what some other software your running - are you running anything, antivirus sort of tools?  Many of them contain firewalls or firewall like features, etc.

OK I did that. Here is the log file. I've slightly altered it to show when and where I disconnect my pfsense and connect my modem. The first 3 lines of the log tell you what lines the parts of the log are on. I can't really understand what it says myself.

Here's a comparison from a poll to the same IP address. These first two resulted in a 100% loss, while behind my pfsense router:

No.     Time           Source                Destination           Protocol Length Info
     18 1.429306000    192.168.1.139         4.69.201.38           ICMP     42     Echo (ping) request  id=0x0001, seq=2323/4873, ttl=64 (reply in 21)

Frame 18: 42 bytes on wire (336 bits), 42 bytes captured (336 bits) on interface 0
Ethernet II, Src: AsustekC_cc:9f:bd (c8:60:00:cc:9f:bd), Dst: Trendnet_26:b9:d8 (00:14:d1:26:b9:d8)
Internet Protocol Version 4, Src: 192.168.1.139 (192.168.1.139), Dst: 4.69.201.38 (4.69.201.38)
Internet Control Message Protocol

No.     Time           Source                Destination           Protocol Length Info
     21 1.514691000    4.69.201.38           192.168.1.139         ICMP     60     Echo (ping) reply    id=0x0001, seq=2323/4873, ttl=53 (request in 18)

Frame 21: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Trendnet_26:b9:d8 (00:14:d1:26:b9:d8), Dst: AsustekC_cc:9f:bd (c8:60:00:cc:9f:bd)
Internet Protocol Version 4, Src: 4.69.201.38 (4.69.201.38), Dst: 192.168.1.139 (192.168.1.139)
Internet Control Message Protocol

Now here's to the same IP when connected to my modem, which resulted in a successful polling in this tool:

No.     Time           Source                Destination           Protocol Length Info
   1935 80.618835000   67.180.200.247        4.69.201.38           ICMP     42     Echo (ping) request  id=0x0001, seq=27944/10349, ttl=64 (reply in 1940)

Frame 1935: 42 bytes on wire (336 bits), 42 bytes captured (336 bits) on interface 0
Ethernet II, Src: AsustekC_cc:9f:bd (c8:60:00:cc:9f:bd), Dst: Cadant_63:ce:46 (00:01:5c:63:ce:46)
Internet Protocol Version 4, Src: 67.180.200.247 (67.180.200.247), Dst: 4.69.201.38 (4.69.201.38)
Internet Control Message Protocol

No.     Time           Source                Destination           Protocol Length Info
   1940 80.697383000   4.69.201.38           67.180.200.247        ICMP     60     Echo (ping) reply    id=0x0001, seq=27944/10349, ttl=55 (request in 1935)

Frame 1940: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Cadant_63:ce:46 (00:01:5c:63:ce:46), Dst: AsustekC_cc:9f:bd (c8:60:00:cc:9f:bd)
Internet Protocol Version 4, Src: 4.69.201.38 (4.69.201.38), Dst: 67.180.200.247 (67.180.200.247)
Internet Control Message Protocol

wireshark.txt

bob314

To bob314 - I see no point in forwarding ICMP into something behind your pfsense..  Why can pfsense not just answer the pings, just allow icmp to your wan interface and you should be fine.  If your going to forward icmp to something behind pfsense - then you need to make sure that something answers and does not have some firewall running or in an odd state like the OP.

At first I just created the rule to allow ICMP to the WAN. When that didn't work I decided to try the NAT rule, but I agree with you that I shouldn't have had to do that I was just trying to see if it would work. I have verified that windows firewall is off. I have no other security software running except for windows defender.

johnpoz

Ok only things I see as different in those are the ttl is 53 vs 55 – this makes sense you have an extra hop when your behind pfsense.  But I would think it should be 54 not 55?  Hmmm have to think about that for a second?

Other thing is your source mac is different..  Neither of these should matter at all.

Sounds like you got a bunch of security software even if not running.. Do you install all that stuff on all your machines?

Why don't do install clean - or how about real simple just boot windows in safe mode with network and see if the software then.  That Kaspersky hooks its self into alot of stuff - I know you can just enable the firewall features can you not, so the hooks must already be in play..  I would try the safe mode boot and test, I would if possible do a clean install of windows.. At min uninstall all of that stuff you have installed that hooks into your networking of the OS.

Here is the thing - clearly your seeing the reply with a simple sniff - so what is causing the problem really points to something your running on that machine.

Why does the os ping work?  But not this software when clearly the traffic is going through and coming back through pfsense just fine.

JacktheSmack

@johnpoz:

Ok only things I see as different in those are the ttl is 53 vs 55 – this makes sense you have an extra hop when your behind pfsense.  But I would think it should be 54 not 55?  Hmmm have to think about that for a second?

Other thing is your source mac is different..  Neither of these should matter at all.

Sounds like you got a bunch of security software even if not running.. Do you install all that stuff on all your machines?

No, one of the machines actually has a clean boot of windows 8. Besides Firefox, Libre Office, and Google Chrome, nothing else has been installed on that machine. The other has a 2 year old install of Windows 7 with Spybot and CCleaner.

@johnpoz:

Why don't do install clean - or how about real simple just boot windows in safe mode with network and see if the software then.  That Kaspersky hooks its self into alot of stuff - I know you can just enable the firewall features can you not, so the hooks must already be in play..  I would try the safe mode boot and test, I would if possible do a clean install of windows.. At min uninstall all of that stuff you have installed that hooks into your networking of the OS.

Here is the thing - clearly your seeing the reply with a simple sniff - so what is causing the problem really points to something your running on that machine.

Why does the os ping work?  But not this software when clearly the traffic is going through and coming back through pfsense just fine.

I just did a test in safe mode and still the same issue. No anti virus program or blockers runs then. I'm led to believe it's still pfsense, despite what wireshark says.

johnpoz

So how is wireshark lying?  the packets are there dude - so why does this software not see them?  Your OS clearly sees them when you just ping from the cmd line, etc.

So what could pfsense be doing that your OS doesn't care about, but this software doesn't like??

Make No sense at all other than this software is flaky!

timthetortoise

OP, what's the Trendnet device between your machine and pfSense?

Derelict

@JacktheSmack:

I'm led to believe it's still pfsense, despite what wireshark says.

Facepalm.

OP, as was asked before, what device on your network is "Trendnet_26:b9:d8 (00:14:d1:26:b9:d8)"

If it's not your pfSense LAN NIC, what is it?

JacktheSmack

@timthetortoise:

OP, what's the Trendnet device between your machine and pfSense?

There is none.

Edit: Trendnet_26:b9:d8 (00:14:d1:26:b9:d8) is the same MAC address as my router: 192.168.1.1 00:14:d1:26:b9:d8 pfsense.localdomain

JacktheSmack

@johnpoz:

Make No sense at all other than this software is flaky!

I agree, I've contacted the developers already and I'm waiting for a response. I will keep everyone posted.

virtualliquid

Any results yet? I have been trying to figure out this problem as well with no luck.

JacktheSmack

_12/11/13 at 10:07 am ADVISOR: My name is Wayne and I am one of the Specialists working on your case with regards your disconnecting issue with Battlefield 3 and Battlefield 4.

Firstly I am sorry to hear that you have been experiencing this issue. I play Battlefield myself and know how annoying it is when something like this happens.

I have now escalated your case to our studio liaison team so they can work with the studio to get this issue resolved for you. Once the studio has completed their investigation they will be in contact with you.

Again, I apologize for the inconvenience this issue must have caused you. Should there be anything else you might require assistance with, please don't hesitate to let me know._

makesense

This thread just fizzled out? Would have been nice to know what the resolution was.

JacktheSmack

Just got this message:

My name is Andrew and I am part of the EA Worldwide Customer Experience team working alongside Wayne. After reviewing your case it would appear that the issue you are encountering is linked with your firewall settings on your router as you state that the ping displays correctly when the computer is patched directly to the modem without the router in place.

As every router is different and in fact as many modems include them as well we are unable to provide direct support for configuring their internal firewalls. As such I would recommend checking with both your modem and router manufacturers for guides on how to forward your ports correctly on those pieces of hardware and ensure that they are forwarded in both cases so as to prevent any clashes.

Should you need such you can find a list of which ports need to be forwarded to access all Battlefield 4 Functionality at http://answers.ea.com/t5/Battlefield-4/Battlefield-4-Ports/td-p/1861045

As always should after doing this there still be any issues please do not hesitate to contact us and we will be happy to address your ongoing concerns.

So…where do we go from here? I think we've tried everything. Is it just a bug in pfsense?

timthetortoise

It works fine for everyone else. Not a pfSense bug.

JacktheSmack

@timthetortoise:

It works fine for everyone else. Not a pfSense bug.

But I've reset all the settings to default in pfsense and it's still having the issue. Could it be a hardware problem with the router?

timthetortoise

Could be an issue with your OS, your NIC, your pfSense box's NIC, your modem, your ISP, one of the routes leading to EA, a huge number of things could cause it. It worked fine for me with relatively strict rules, and it works fine for other people as well.

JacktheSmack

@timthetortoise:

Could be an issue with your OS, your NIC, your pfSense box's NIC, your modem, your ISP, one of the routes leading to EA, a huge number of things could cause it. It worked fine for me with relatively strict rules, and it works fine for other people as well.

OK well it works fine when I disconnect my pfsense box and connect directly to my modem. It also worked fine with a DIR-655 from D-Link. The problem is definitely inside pfsense.

The only thing I can see doing is posting our NICs. How would I figure out, through pfsense, what NIC I'm using?

autotalon

I'm having the same problem as well.  All i've done is create a firewall rule to allow ICMP echo request and echo reply, as the dslreports ping test was failing without that.  Screenshot of above, and this is what determines whether the ping test works.  I tried disabling them and with them off, it says im not pingable.  with it on, the ping test works fine.  However even though I can pass a ping test I still cant see my ping in game.  Its just as others have described, shows only a dash. My UOtool results are similar to the OP.  The only thing I can think of is that static outbound may be required.  I have it enabled for half of my lan, I may try setting to an IP in that half and see if it makes a difference.


alphainfinity

Same problem here. I have a cable AND dsl connection. When inside BF4, I can see pings on one connection, and no ping on the other connection. Same computer, different PFsense firewalls. When ssh'd into the firewall, ping works fine, ICMP returns data. It also works fine from the UI:
Ping output:
PING yahoo.com (98.139.183.24): 56 data bytes
64 bytes from 98.139.183.24: icmp_seq=0 ttl=49 time=91.734 ms
64 bytes from 98.139.183.24: icmp_seq=1 ttl=50 time=91.349 ms
64 bytes from 98.139.183.24: icmp_seq=2 ttl=49 time=92.091 ms
64 bytes from 98.139.183.24: icmp_seq=3 ttl=49 time=93.887 ms
64 bytes from 98.139.183.24: icmp_seq=4 ttl=49 time=93.650 ms
64 bytes from 98.139.183.24: icmp_seq=5 ttl=50 time=93.424 ms
64 bytes from 98.139.183.24: icmp_seq=6 ttl=49 time=92.195 ms
64 bytes from 98.139.183.24: icmp_seq=7 ttl=49 time=91.472 ms
64 bytes from 98.139.183.24: icmp_seq=8 ttl=50 time=91.790 ms
64 bytes from 98.139.183.24: icmp_seq=9 ttl=50 time=92.047 ms

–- yahoo.com ping statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 91.349/92.364/93.887/0.886 ms