Can ping OPT1 gateway IP but not a VM on OPT1 NIC?

Blade1

Hi,

I've deployed pfsense with 3 NICs - LAN, WAN, OPT1.

On OPT1 is my F5 virtual appliance, as this needs to be on a seperate subnet.

However, from a server in LAN, I can ping the OPT1 gateway IP (172.16.1.1) but not the F5 IP (172.16.1.245). Why is this?

KOM

Does your F5 usually respond to pings?  Normally, LAN is given an all-access rule that allows it to go anywhere.  By default, your OPT1 interface has no rules at all and anything on that subnet will not be able to go anywhere.  With pf being a stateful firewall, traffic from LAN destined to OPT1 will be returned, but traffic originating from OPT1 will be blocked until you add some rules.

So, to answer your question, you should be able to ping your device if it responds to pings.  Have you played with any firewall rules on LAN or OPT1?

Blade1

@KOM:

Does your F5 usually respond to pings?  Normally, LAN is given an all-access rule that allows it to go anywhere.  By default, your OPT1 interface has no rules at all and anything on that subnet will not be able to go anywhere.  With pf being a stateful firewall, traffic from LAN destined to OPT1 will be returned, but traffic originating from OPT1 will be blocked until you add some rules.

So, to answer your question, you should be able to ping your device if it responds to pings.  Have you played with any firewall rules on LAN or OPT1?

F5 does by default and I also can't load the web UI of F5. I setup the management IP in this network, to access the web UI. I did this once before when I had a different firewall and no firewall config was required in terms of rules.

I've done what you've mentioned re rules, I will re-test.

KOM

It should just work out of the box unless there is some other problem.  If you were trying to ping to LAN from OPT1, well that would be another thing altogether.

Post a screenshot of your LAN rules if you changed them at all.  Can I assume that LAN and OPT1 are on different subnets?

johnpoz

did you setup gateway on f5, and your lan doesn't overlap your opt1 segment.. I see /16 used on 172 addresses all the time and wonder why 172.16.1 and 172.16.2 are in the same network.

And you didn't setup a gateway on pfsense opt1 interface did you?  See this all the time as well

Blade1

Hi Guys,

Yep, the LAN is 10.0.0.0/8 with a gateway IP of 10.0.0.92 (PFSense LAN IP)
Opt1 is 172.16.1.0/24 with a gateway IP of 172.16.1.1 (PFSense OPT1 IP)
F5 is 172.16.1.245

Tracert from a VM in LAN reports "10.0.0.92 host destination unavailable"

PFSense can ping its own OPT1 IP and a LAN VM can ping the PFSense OPT1 IP.

Attached is a screenshot of a rule in LAN to ping OPT1.

If I place a Windows VM in this subnet and I can ping that, then that would prove its an F5 issue?

doktornotor

There should be NO gateway set up on LAN or OPT.

Blade1

Sorry, the gateway IPi for LAN is from a LAN VM and thus OPT1 Network, No gateway set on the PFsense NICs for these two.

Nonetheless, the issue is resolved as the F5 VM had to have legacy NICs. Thanks all!