LAN pings and External IP

KOM

You probably need to add the rules that allow ICMP on each LAN interface that you have.  By default, only the first LAN has such a rule called the Default allow LAN to any rule.  All other LANs will not have such a rule and no traffic will pass from that LAN to any other.  I'm guessing because you haven't really provided enough information to tell what you mean.  You can't ping which LAN IPs?  From where?  You can ping external IPs, from where?  How many LANs do you have?  Have you added or modified any default rules?

tux100

Proto  Source  Port      Destination        Port      Gateway  Queue Schedule Description
–------------------------------------------------------------------------------------------------

• *       * LAN Address 80 22 * *                   Rule1
  IPv4    *       * *                 *   * * none     Default allow LAN to any rule

Here are the first 2 rules on LAN.
I am guessing it is matches on the first rule, and since the first rule says port 80 and 22 only then ICMP is not allowed and it never gets to RULE2 ?

kejianshi

It may not be a pfsense problem at all.  Perhaps your LAN clients are not allowing ICMP on their individual firewalls?

Derelict

@tux100:

I cannot ping pfsense LAN IPs.  When I ping external IPs, I do get ICMP replies.

What part of pfsense do I need to enable to get ICMP replies on the LAN ips ?

TIA

Where are you trying to ping from?

kejianshi

Derelict

What I often see is a guy with a couple of windows machines running on his LAN assuming that machine A  should automatically be able to ping machine B if pfsense is "allowing all" on the LAN.  But this isn't always the case since most of the time windows isn't allowing ICMP and even linux distros with firewall on default to block it usually.

If this isn't the case, then maybe start tinkering with pfsense.

Derelict

Yeah.  I get that.  I'm just wondering from the OP if he's not trying to ping LAN interface IPs from outside.  Chances are if the LAN rules allow pings to WAN IPs, pings to LAN address would also be allowed.

stephenw10

Assuming you are trying to ping the LAN address from a client in the LAN subnet.
The default configuration should allow that. However it looks like you've changed the protocol from 'any' to TCP. Try changing it back or adding a rule to allow ICMP.

Steve

kejianshi

Really?  I'm not seeing TCP.  I just see IPV4.
Am I missing something simple?

stephenw10

Doh!  :-[

kejianshi

haha - well take comfort in knowing that your simple mistakes are the only mistakes I could spot (-;