Netgate Discussion Forum

    Two NICs, can't ping default gateway

    Routing and Multi WAN
    12 Posts 3 Posters 10.6k Views
    • zookilux

      Hi All,

      I'm having a bit of networking trouble with my new setup.

      I'm building a VirtualBox penetration testing lab, but I want to protect my LAN from it, so I'm setting it up as follows. All of the machines are virtualised.

      pfSense machine
      2 NICs
      NIC 1 - Bridged mode, gets a 192.168.1.x/24 address from my LAN router. This is configured as the WAN interface in pfSense.
      NIC 2 - Internal. DHCP Server running on this NIC in 10.0.0.0/24 range

      Kali machine
      2 NICs
      NIC 1 - Bridged mode, gets a 192.168.1.x/24 address from my LAN. Set up as eth0
      NIC 2 - Internal. Successfully gets a 10.0.0.0/24 IP address

      Various servers
      1 NIC
      NIC 1 - Internal. Successfully get 10.0.0.0/24 IP addresses.

      Okay, so in my head, that all seems like it should work fine, and when I turn my laptop on at work, it does. But when I use it at home, I have no internet access from either my Kali machine or my pfSense machine (haven't tested the servers, but can't imagine they'd be any different). From the Kali/pfSense machines I can ping hosts on my 192.168.1.0/24 network, but I can't ping the default gateway, DNS lookups don't work, etc.

      Am I setting something up wrong here?

      • KOM

        By default, pfSense WAN is set to ignore private address space.  If you select Interfaces - WAN, do you have Block private networks checked?

        • johnpoz LAYER 8 Global Moderator

          "but I can't ping the default gateway"

          You mean your router on the 192.168.1.0/24 network that gives the pfSense and Kali machines their IP addresses via DHCP?

          That would explain why you don't have internet.  Do these machines show a MAC address for the gateway on the 192.168.1.0/24 network? What IP is it, by the way, and is it listed correctly in the DHCP lease you get?

          Does it happen to be the same 192.168.1.X that is at work?  Do you have any sort of static ARP setup?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • zookilux

            @KOM:

            > By default, pfSense WAN is set to ignore private address space.  If you select Interfaces - WAN, do you have Block private networks checked?

            No I don't - I've tried with both and it doesn't seem to make a difference. The exact same setup works in my office on a 192.168.30.0/24 network, which is arguably the most confusing part of this entire endeavour :D

            • zookilux

              @johnpoz:

              > "but I can't ping the default gateway"
              >
              > You mean your router on the 192.168.1.0/24 network that gives the pfSense and Kali machines their IP addresses via DHCP?

              Yes, that's correct.

              > That would explain why you don't have internet.  Do these machines show a MAC address for the gateway on the 192.168.1.0/24 network? What IP is it, by the way, and is it listed correctly in the DHCP lease you get?

              Yes, I get listings in the ARP table for 192.168.1.254, and yes, the routing lists 192.168.1.254 as the default gateway.

              > Does it happen to be the same 192.168.1.X that is at work?  Do you have any sort of static ARP setup?

              No, no static ARP. Although back at work today, it looks like the 10.x range is being listed as the default gateway:

              root@kali:~/scripts# route
              Kernel IP routing table
              Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
              default         pfsense.localdo 0.0.0.0         UG    0      0        0 eth1
              10.0.0.0        *               255.255.255.0   U     0      0        0 eth1
              192.168.30.0    *               255.255.255.0   U     0      0        0 eth0
              
              
              
              root@kali:~/scripts# ifconfig
              eth0      Link encap:Ethernet  HWaddr 08:00:27:92:0b:f0  
                        inet addr:192.168.30.76  Bcast:192.168.30.255  Mask:255.255.255.0
                        inet6 addr: fe80::a00:27ff:fe92:bf0/64 Scope:Link
                        UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                        RX packets:65930 errors:0 dropped:0 overruns:0 frame:0
                        TX packets:69 errors:0 dropped:0 overruns:0 carrier:0
                        collisions:0 txqueuelen:1000 
                        RX bytes:7577909 (7.2 MiB)  TX bytes:5238 (5.1 KiB)
              
              eth1      Link encap:Ethernet  HWaddr 08:00:27:e3:d7:ed  
                        inet addr:10.0.0.100  Bcast:10.0.0.255  Mask:255.255.255.0
                        inet6 addr: fe80::a00:27ff:fee3:d7ed/64 Scope:Link
                        UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                        RX packets:16400 errors:0 dropped:0 overruns:0 frame:0
                        TX packets:10941 errors:0 dropped:0 overruns:0 carrier:0
                        collisions:0 txqueuelen:1000 
                        RX bytes:18391500 (17.5 MiB)  TX bytes:1028924 (1004.8 KiB)
              
              
              
              *** Welcome to pfSense 2.1.5-RELEASE-pfSense (amd64) on pfsense ***
              
               WAN (wan)       -> em0        -> v4/DHCP4: 192.168.30.79/24
               LAN (lan)       -> em1        -> v4: 10.0.0.254/24
              
              
              • zookilux

                and the same items from home…

                I'm losing my mind.  I think the only logical next step is to drive over my Cisco 877 with the car.

                
                root@kali:~/.ssh# route
                Kernel IP routing table
                Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                default         pfsense.localdo 0.0.0.0         UG    0      0        0 eth1
                10.0.0.0        *               255.255.255.0   U     0      0        0 eth1
                192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
                
                
                
                root@kali:~/.ssh# ifconfig
                eth0      Link encap:Ethernet  HWaddr 08:00:27:92:0b:f0  
                          inet addr:192.168.1.140  Bcast:192.168.1.255  Mask:255.255.255.0
                          inet6 addr: fe80::a00:27ff:fe92:bf0/64 Scope:Link
                          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                          RX packets:3572 errors:0 dropped:0 overruns:0 frame:0
                          TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
                          collisions:0 txqueuelen:1000 
                          RX bytes:295319 (288.3 KiB)  TX bytes:2252 (2.1 KiB)
                
                eth1      Link encap:Ethernet  HWaddr 08:00:27:e3:d7:ed  
                          inet addr:10.0.0.100  Bcast:10.0.0.255  Mask:255.255.255.0
                          inet6 addr: fe80::a00:27ff:fee3:d7ed/64 Scope:Link
                          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                          RX packets:541 errors:0 dropped:0 overruns:0 frame:0
                          TX packets:95 errors:0 dropped:0 overruns:0 carrier:0
                          collisions:0 txqueuelen:1000 
                          RX bytes:62400 (60.9 KiB)  TX bytes:11092 (10.8 KiB)
                
                
                
                *** Welcome to pfSense 2.1.5-RELEASE-pfSense (amd64) on pfsense ***
                
                 WAN (wan)       -> em0        -> v4/DHCP4: 192.168.1.135/24
                 LAN (lan)       -> em1        -> v4: 10.0.0.254/24
                
                
                • johnpoz LAYER 8 Global Moderator

                  Your default route shouldn't matter if you have an interface in that network; that network interface would be used to ping an IP in that network.

                  What I can tell you is that pfSense WAN doesn't allow ping out of the box. You would have to allow it on the firewall WAN tab.  I would check that if you cannot ping the IP from something in the same segment as it, and you're showing a MAC in your ARP table, etc.

                  But you're not pinging pfSense, are you?  You're pinging whatever the gateway is on that 192.168 network.  Can other boxes on the 192.168 network ping it?

                  • zookilux

                    @johnpoz:

                    > Your default route shouldn't matter if you have an interface in that network; that network interface would be used to ping an IP in that network.
                    >
                    > What I can tell you is that pfSense WAN doesn't allow ping out of the box. You would have to allow it on the firewall WAN tab.  I would check that if you cannot ping the IP from something in the same segment as it, and you're showing a MAC in your ARP table, etc.
                    >
                    > But you're not pinging pfSense, are you?  You're pinging whatever the gateway is on that 192.168 network.  Can other boxes on the 192.168 network ping it?

                    That's correct. I can ping pfSense fine, I'm trying to ping my Cisco ADSL router that is the default gateway for the LAN. I'd be surprised if it were a pfSense firewall for two reasons:
                    1 - The firewall rules wouldn't change from when I'm at work to when I'm at home, so I'd expect the same behaviour at both locations
                    2 - I can ping hosts on the LAN without a problem, so that suggests the LAN is accessible using the current ruleset.

                    Thanks :)

                    • johnpoz LAYER 8 Global Moderator

                      Well, I would sniff: do the pings go out the wire?

                      If you're saying you see the MAC but cannot ping - maybe the router is just not answering you for some reason?  Or not getting there?  Without sniffing to see what goes out on the wire you're kind of just in the dark about what is going on.

                      • zookilux

                        Yeah, so that's what I've been doing a little tonight.  In between taking my 3 year old to the hospital and going to work, I've had bugger all time to look at this.

                        There's just nothing back at all running wireshark on the Kali machine. Packets go out, nothing returns.

                        However… when I restart my Cisco router, as long as the Linux machine is already up, when the router comes back up, ping starts responding. If I restart the Linux machine, ping stops.

                        Going to try a different router on the weekend if I get a chance.

                        • johnpoz LAYER 8 Global Moderator

                          Hmmmm, can you check the Cisco ARP table? Does it have the Kali machine's MAC on the wrong port, or missing, or something?  Are you doing anything with VLANs?  Off the top I don't recall if the 877 can do any sort of capture/debug to show if it is seeing the packets and just not answering.

                          So there is nothing between, right? You just plug directly into a port on the 877.

                          • zookilux

                            I set the WAN interface on pfSense to a static IP address in 192.168.1.0/24 range.
                            I removed the second interface on my Kali machine, so now it just has one interface with the internal network.

                            ..and everything seems to work.

                            Thanks everyone for your help. I'm still a bit confused by all of this, but I'm also relieved :)
