Netgate Discussion Forum
    Keep alive and Ping..

Category: IPsec
11 Posts, 3 Posters, 4.9k Views
froussy:

I know it's been a long time :)

But I still need help :(

I tried to add routing, but I can't seem to find the proper way to do it :(

Any suggestions, please?

      Thanks

Bjørkum:

        Can you clarify this a bit?

        It looks like the device you're trying to ping (192.168.2.1) is probably a router/pfSense?  Are you sure it's allowing incoming ICMP on the interface that receives the packet?  Does it have a return route?  Does the return path also permit ICMP?

        Can you be more precise about what you can / cannot ping?

        Can you not ping anything on the remote subnets from pfSense—or is it just certain hosts?

        My guess is that you need to add a rule somewhere to allow ICMP.

        Keep in mind:

        • pfSense blocks all traffic arriving at an interface (including the IPsec virtual interface) unless a rule explicitly permits it.

• ICMP is its own protocol; it doesn't fall under TCP or UDP.

froussy:

          Good day,

Sure. There it is:

          1. See my rules, attached.

My pfSense box has the IP 10.35.1.1, so my home network is 10.35.1.0/24.
192.168.x.x/24 and 172.16.1.1/24 are my workplaces (one subnet per location). All of them have a Fortigate as their router.

From any store, I can ping any machine on my home LAN.
From my home, I can ping any machine on my stores' LANs (including the IPs of the remote routers, 192.168.x.1).

From my pfSense box, I can ping my home LAN, but I can't ping any of my store LANs.

          Frank

Attachments: rules-ipsec.JPG, rules-lan.JPG, rules-wan.JPG

Bjørkum:

            Thanks, that makes more sense, and the rules certainly help!

            My bet is that the Fortigates are blocking ICMP.

froussy:

I don't think the Fortigates block them, because from my LAN (10.35.1.x) I can ping any Fortigate IP (192.168.x.1).

Bjørkum:

                Have you tried changing the source interface when pinging from pfSense?

                Maybe it's using a source IP that the remote Fortigates are blocking?

froussy:

There is no way to change the interface used for pinging in the keep alive.

And no, the Fortigate does not block the IP, as it was working with my previous router.

Bjørkum:

I'm sorry, I wasn't clear. I know you cannot change the interface used by the keep alive; I was suggesting using the ping tool in Diagnostics -> Ping to see if you can determine which source IP is not working. A protocol analyzer may also work (tcpdump from the command line, for example).

froussy:

Damn.. I finally got it..

I needed to do this:
Create a gateway pointing to the LAN IP
Add a route using that gateway

Phew.. it was not an easy one!

Thanks

luckman212 (LAYER 8):
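The fix above (a gateway on the LAN side plus a static route for the remote subnet) works because the keep-alive ping is sourced from whichever address the routing table selects for the destination, and only packets whose source/destination pair falls inside a Phase 2 selector are sent into the tunnel. The following is an added example, not code from this thread or from pfSense, that models that selection so the before/after difference can be checked. It assumes the keep-alive source follows the kernel route lookup (the behaviour implied by the thread); the WAN address 203.0.113.10 and the Phase 2 remote subnet 192.168.2.0/24 are constructed values, the other addresses are the ones Frank quoted.

```python
"""Model of source-address selection for a pfSense IPsec keep-alive ping.

Added example (not the thread's or pfSense's own code). It shows why a
ping from the firewall itself can miss the tunnel while pings from LAN
hosts work: the firewall's source address is chosen by route lookup, and
the IPsec policy only matches traffic inside the Phase 2 selectors.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network      # destination network
    iface: str               # egress interface chosen by the route
    source: IPv4Address      # address the firewall uses as packet source


@dataclass(frozen=True)
class Phase2:
    local: IPv4Network       # local subnet of the IPsec Phase 2 entry
    remote: IPv4Network      # remote subnet of the IPsec Phase 2 entry


# Addresses from the thread plus constructed (assumed) values.
LAN_IP = IPv4Address("10.35.1.1")        # pfSense LAN address (thread)
WAN_IP = IPv4Address("203.0.113.10")     # constructed WAN address
PHASE2 = [Phase2(ip_network("10.35.1.0/24"), ip_network("192.168.2.0/24"))]


def base_routes():
    """Routing table before the fix: default via WAN, connected LAN."""
    return [
        Route(ip_network("0.0.0.0/0"), "wan", WAN_IP),
        Route(ip_network("10.35.1.0/24"), "lan", LAN_IP),
    ]


def routes_with_fix():
    """Routing table after Frank's fix: the remote store subnet is reached
    through a gateway that lives on the LAN interface, so the kernel picks
    the LAN address as the packet source."""
    return base_routes() + [Route(ip_network("192.168.2.0/24"), "lan", LAN_IP)]


def lookup(routes, dst):
    """Longest-prefix match, the same rule the kernel FIB applies."""
    dst = ip_address(dst)
    matches = [r for r in routes if dst in r.prefix]
    if not matches:
        raise ValueError(f"no route to {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def keepalive_path(routes, phase2s, dst):
    """Return (source_ip, iface, in_tunnel) for a keep-alive ping to dst.

    in_tunnel is True only when the chosen source and the destination both
    fall inside one Phase 2 selector; otherwise the packet leaves unencrypted
    on the route's interface and the far side never sees it.
    """
    route = lookup(routes, dst)
    dst = ip_address(dst)
    in_tunnel = any(route.source in p2.local and dst in p2.remote for p2 in phase2s)
    return str(route.source), route.iface, in_tunnel


if __name__ == "__main__":
    target = "192.168.2.1"   # remote Fortigate LAN address from the thread
    for label, table in (("before", base_routes()), ("after", routes_with_fix())):
        src, iface, ok = keepalive_path(table, PHASE2, target)
        print(f"{label:6} ping {target}: source {src} via {iface}, in tunnel: {ok}")
```

Running it prints the before case sourcing from the WAN address outside the tunnel and the after case sourcing from 10.35.1.1 inside it. The same check, done against the firewall's real routing table with Diagnostics -> Ping and a chosen source address, is the quickest way to confirm which source IP the keep-alive is actually using.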

Froussy,
can you please show some screenshots of how you configured this?
I think I might be having a similar problem with my site-to-site VPN… thanks

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.