Unable to ping LAN machines from Opt5
-
version 2.2.4
I feel dumb for asking this, but I must be glancing over something.
Users on LAN can get to all machines on OPT5, they can ping them also.
Machines on OPT5 can ping the gateway for the LAN interface but can not ping any machines on the LAN.
Machines on OPT5 can talk to machines on the LAN (example: browse to a web server on a machine on the LAN) so it is just that ICMP is not coming through.I do not see anything in the system logs for this being blocked.
Can someone point me in the right direction ?
-
Show us your OPT5 FW Rules (Screenshot) ;)
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
-
My guess is that your allow rule on OPT5 is for TCP/UDP and not *. Ping = ICMP != TCP/UDP.
-
OPT5 = servers Picture attached. These are what we have had for quite some time and pretty sure that this worked before.
Destination LenovoMachines is a range of ip numbers that go out to a cisco asa.
-
Go out to a cisco asa, and you can not long ping stuff behind it?? Don't you think prob want to look there for your reason?
-
My main goal is to be able to ping from SERVERS(opt5) to machines on LAN, but using the pfsense diag - ping and doing some tests between the various ports.
ping address in SERVERS from LAN works.
ping address in SERVERS from Lenovo fails.ping address in LAN from SERVERS fails
ping address in LAN from LENOVO fails.ping address in LENOVO from LAN works.
ping address in LENOVO from Servers works.ping 8.8.8.8 from LAN works
ping 8.8.8.8 from SERVERS works
ping 8.8.8.8 from LENOVO works -
Servers and Lenovo and Lan are all meaningless to anyone other than you..
How about you actually give us some details to work with.. You talk about a cisco asa - so is this connected via a transit network?
-
LAN - 172.16.7.254 /22 Gateway: none - user machines
SERVERS - 127.16.3.254 /22 - Gateway: none - servers
LENOVO - 192.168.52.1 /24 Gateway: 192.168.52.254 This interface hooks into a cisco ASA that has a site to site vpn to offsite network.
Sitting on 172.16.1.15 / mask : 255.255.252.0 GW: 172.16.3.254 trying to ping 172.16.5.69 mask 255.255.252.0 GW 172.16.7.254 fails but the reverse works fine.
Please let me know what other info you would find helpful.
-
So those are you pfsense host addresses, since they are not networks.. Taking 127.16 is a typo for 172.16.3
So your lenovo's are on a 172.16.1/22 ?? Which is the same as your servers network? 172.16.3/22 and 172.16.1/22 are the same network.. since /22 would be 172.16.0.0 - 172.16.3.255
So why do you have the same network sitting on different sides of a asa with transit network of 192.168.52.0/24 ??
Why don't you draw up this mess it seems you have..
-
Sorry for the typo, you are correct 172 not 127.
LAN - SERVERS - LENOVO are all separate interfaces on the pfsense box (pictures attached)
What indication was that lenovo are on 172.16.1/22
If I disable all Lenovo rules and the Lenovo interface, the problem of pinging between SERVERS and LAN still exists.
The picture of the "mess" attached.
-
So your lenovo boxes point to your asa as their gateway? Or are they on the other side of your site to site?
if on that 192 segment, why would you think they would be able to ping stuff on your server segment? So you have a route on asa? Pointing back to pfsense? Your going to create a asymmetrical route issue with that, and its just bad practice and hair pinning.
If have to set it up like this then use host routing on your devices.. But better solution would be to connect your asa with transit network..
Why are you creating a gateway on this lenovo segment?? You just turned it into a wan, and most likely NAT is happening as well. Where exactly are these boxes??
"Sitting on 172.16.1.15 / mask : 255.255.252.0 GW: 172.16.3.254 trying to ping 172.16.5.69 mask 255.255.252.0 GW 172.16.7.254 fails but the reverse works fine."
Your saying your pinging from 172.16.1.15 – where exactly is that in your drawing?? That is the same network as your server segment..
-
Your saying your pinging from 172.16.1.15 – where exactly is that in your drawing??
Bottom-right on OPT5.
-
The Lenovo stuff was all configured that way years ago with the help of the PFSense support team to get things to work with PFSense and the capabilities it had 4 years ago. I have not had any need to change that as of yet. All of the machines that we access are on the other side of the ASA. I can ping and access those perfectly fine from the LAN interface and can access the resources they serve up with no problems.
If your though process going down the road of the LENOVO interface and network behind this is preventing pings to go from the SERVER interface to the LAN interface, I disabled that interface and all the rules as a test and pings from the SERVER interface to the LAN interface still fail.
As pointed out by someone else, 172.16.1.15 is on the picture bottom - right and I am trying to ping the picture of the workstation just to the right of it.
-
Apologies to all who took time to look at this…
I just needed to go home, go to bed and start this day over. Turns out I was not seeing the icmp to the machines on the LAN due to a windows 10 policy getting changed to turn back on the firewall and block ICMP after it being opened up previously.
I had checked mine and several other machines to make sure the windows firewall was not on, those all happen to be win 10 and after that the policy went out turning it back on and I failed to re check that before posting this.
Everything is working as it should and as it has been for many years.
-
Why does he even freaking mention lenovo here when all he was doing is being servers to lan??
-
What am I not shocked to see you felt the need to reply with another condescending remark. Why did I mention Lenovo because it was in the screen shot that was asked for. The original question was between the server interface and Lan and you are he one that insisted on going down the why in the hell are you doing the Cisco Asa this way.
We all can't be as smart as you are. I am sure you have never made an honest mistake and asked for some suggestions.
I am sure there will be yet another reply showing your superiority.
-
a windows 10 policy getting changed to turn back on the firewall and block ICMP
Yes, mistakes happen, but you can't fault people for getting testy when it's the same rookie mistake over and over and over and over again. Not that you did it multiple times, but it's the same thing all day every day. Windows firewall. They post rules, get indignant that THEY know WTF, when everyone here knows that the rules posted always work, it's NOT a bug in pfSense, and there's something wrong with the OP's network.
I guess those who get testy should just stop responding or take a break.
-
Not sure where I got testy other than trying to understand his setup??
"ping address in SERVERS from Lenovo fails."
"LAN - SERVERS - LENOVO are all separate interfaces on the pfsense box (pictures attached)"
"Destination LenovoMachines is a range of ip numbers that go out to a cisco asa."WTF does lenovo have to do with anything is my question.. It seems he has a lan 172.16.4/22 segment and a server 172.16.0/22 segment.. WTF does lenovo have to do with these 2 segments talking to each other?? But seems I am a dick for asking…