Can't ping from the pfsense system to other systems on the network
-
Thanks johnpoz for your response.
I am trying to run some tests now on pfsense before I can present it to my company as a firewall solution.
For the WAN and LAN I am using private IP addresses (172.x.x.x and 192.x.x.x). From your reply you propose I turn off the "block private networks" since I am using a private IP on the WAN side. Is that correct? And if so, how do I do that?
Also, I can't ping on the LAN side from the pfsense system. I have attached my setup diagram so you could have a good view.
Thanks again..

 -
Yes, if you're using rfc1918 on wan you have to disable the block – this is done on the interface settings. Main menu on the top, interfaces, click the wan interface and on the bottom of the screen will be a checkbox you can uncheck.
If you can not ping the LAN side then you have something else going on. Can 192.168.1.2 ping 192.168.1.3?
What are your lan firewall rules? The default lan rules would be any any and would allow you to ping your pfsense lan interface from anything on the lan network.
-
Yes… 192.168.1.2 can ping 192.168.1.3 but neither can ping the 192.168.1.1 (pfSense) server.
No rules were set. I just set up the switches and they are working.
What is awkward is the pfsense server can't ping any other computer and any other computer can't ping the pfsense server. The computers on the 172.16.1.x lan can ping themselves.
Is there a setting on the pfsense server that is blocking requests in and out? I can't even access the web interface to do anything.
Thanks...
-
"I can't even access the web interface to do anything."
Well, if you can not PING - it's unlikely you could access the web gui ;)
Again - on the WAN side you're not going to be able to ping pfsense because default rules block all unsolicited traffic anyway. If you're going to use rfc1918 addressing then you need to disable the default block on the wan interface of these addresses.
On the LAN, by default it would be an any any rule and you should be able to ping it. So either your interface did not come up, or you did something with the default rules. You have your interfaces reversed? And what you think is your wan is really connected to your lan, etc.
Do you see the mac address of pfsense lan interface from one of your 192.168.1.2 or .3 machines after you try pinging it?
A simple arp -a should show you this.
I would validate via mac on pfsense that your lan is really your lan, and your wan is really your wan.
-
Thanks a lot for all your replies johnpoz..
I will go to the Lab and check all these out and get back to you.
-
I would have to suggest an odd switch setup with that behaviour.
You should still be able to ping systems in the 172.16.1.* subnet from the pfSense console even with the 'block rfc1928' rule still enabled. That rule doesn't prevent packets returning corresponding with an existing active state nor outgoing packets.
Weird. :-\ Are the NICs actually UP? Wiring problem?
Steve
-
Agreed - pfsense pinging a resource on the wan side should not be a problem, even with the default block rfc1918 in place. But devices on that network would not be able to ping pfsense wan. Even if you created a firewall rule to allow it, because of the rfc1918 rule that would be first in the list.
I kind of think maybe he has wan/lan interfaces reversed.
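
The rule ordering described in the two posts above (state lookup first, then the private-network block, then user rules, then default deny) can be modelled in a few lines. This is an added illustration, not part of the thread and not pfSense's generated ruleset; the class name and the addresses 172.16.1.1 (pfSense WAN) and 172.16.1.10 (a WAN-side host) are constructed for the example.

```python
import ipaddress

# RFC 1918 private ranges matched by the "block private networks" option.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class WanFilter:
    """Simplified stateful WAN filter (hypothetical model, assumption only)."""

    def __init__(self, block_private, user_pass_icmp):
        self.block_private = block_private    # interface checkbox
        self.user_pass_icmp = user_pass_icmp  # user-added "pass ICMP" WAN rule
        self.states = set()                   # (local, remote, proto)

    def outbound(self, src, dst, proto):
        # Traffic the firewall originates is passed and creates a state entry.
        self.states.add((src, dst, proto))
        return "pass"

    def inbound(self, src, dst, proto):
        # 1. Replies matching an existing state bypass the rule list.
        if (dst, src, proto) in self.states:
            return "pass (state)"
        # 2. The private-network block is evaluated before any user rule.
        if self.block_private and any(
                ipaddress.ip_address(src) in net for net in RFC1918):
            return "block (private networks)"
        # 3. User rules come next.
        if self.user_pass_icmp and proto == "icmp":
            return "pass (user rule)"
        # 4. Anything left is unsolicited and dropped.
        return "block (default deny)"

if __name__ == "__main__":
    PF_WAN, HOST = "172.16.1.1", "172.16.1.10"  # constructed addresses
    fw = WanFilter(block_private=True, user_pass_icmp=True)
    print("host -> pfSense ping:  ", fw.inbound(HOST, PF_WAN, "icmp"))
    fw.outbound(PF_WAN, HOST, "icmp")           # pfSense pings the host
    print("echo reply to pfSense: ", fw.inbound(HOST, PF_WAN, "icmp"))
    fw = WanFilter(block_private=False, user_pass_icmp=True)
    print("block option unchecked:", fw.inbound(HOST, PF_WAN, "icmp"))
```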
-
That would explain it. ;)
-
Thanks for all the feedback guys and maybe ladies if there are :)
Now, I could get pfsense to ping the 2 systems on the LAN and vice versa. This was achieved by making pfsense a dhcp server on the LAN side.
One question I have now is why couldn't I connect using static IP addresses? In a real network, does pfsense get IP from the DHCP server on the LAN network or is it supposed to act as a DHCP server to the LAN? I would like to know the best practice.
Again the WAN side in this setup is not working yet because all the IPs are static. In a real network, the WAN side of pfsense typically gets IP through DHCP from the ISP. So what would you guys recommend I use for testing before applying on a real network?
Thanks a lot.
-
There is no reason why it shouldn't work with static IPs. There are many people using just such a setup. Using pfSense as a dhcp server does reduce the possibility of making a configuration error on an individual client.
The most common configuration would be to use pfSense as a DHCP server though it's possible to have the LAN as static or to receive its address from some other DHCP server on the LAN side.
For testing you can set the WAN interface to dhcp and set it up behind some other router. You will probably be double NATing and you have to ensure that the WAN and LAN subnets are different but for basic connectivity testing that's fine.
Steve