[SOLVED] pfSense with a rare networking issue
-
I had a pfSense server running on Proxmox, the physical server was a HP Proliant ML350 Gen9 with 3 NICs. One for WAN, another for LAN and the last one for a subnet called SERVERS. After finishing the pfSense installation, from LAN, I was able to access internet without any further configuration. The problem was between LAN and SERVERS subnet. From LAN I'm able to PING on server (Proxy squid) but can't ping FreeNAS. However, pfSense can PING the FreeNAS. How can be this possible? Why can pfSense PING FreeNAS and can't forward my PING packets from LAN subnet? pfSense was created for that. I didn't config any rules nor NATing nor routing, all by default. And by default rules say allow LAN to ALL. I have only one WAN some I don't guess any additional routing rules should be add. My problem could be very low-detailed by I already posted it here (https://superuser.com/questions/1269104/pfsense-or-proxmox-with-a-rare-networking-issue) VERY DETAILED. Sorry for not repeating it in here but it is very large. I apologize for any inconvenience. Thanks in advance!
PS: I tested it on a different hardware (physical server) and got the same results. There are no switch in between, all connections are point-to-point type using regular UTP Cat5e wire.
EDIT: I'm seeing my post is being checked but nobody replies. Just let me know what you think. Is this alright for you? Something similar happened to you? Maybe this is not entirely wrong or maybe I'm having some concept mistakes. Why do you think firewall can PING the server and I'm not able to do the same thing. Thanks again in advance.
LAST EDIT: This issue has been solved by putting the same LAN default rules but on SERVERS tab and later setting pfSense (172.16.10.254) as firewall on every server. The "rare networking" issue was due to I defined a gateway for Proxy and Proxmox on Proxmox initial setup so I was getting an ICMP reply from both. This confused me because FreeNAS was unable to reply ICMP and both before were. Finally as I said was a simple mistake but the title I used for this post was first knowing the problem. Now I know what the problem was the title is not suitable.
-
At first glance, it look like you have no rules on 'servers' interface. Create a rule allowing source 'servers lan' to destination any, similar to the LAN default rule.
-
First of all, thanks for your reply. Your idea sounds good, but if Proxy server is replying ping without problem shouldn't FreeNAS do the same? pfSense (172.16.10.254) can ping FreeNAS then why LAN can't? Anyway I'm going to set the same rules on SERVERS subnet and then will feed the post. Only for clearance, there is no way pfSense could be acting "weird"?
-
Only for clearance, there is no way pfSense could be acting "weird"?
It generally does exactly what you tell it to do. So in most cases, if it's acting 'weird', it's because your rules are 'weird'.
-
What interface is the packet capture picture on? Did you run a packet capture on both your LAN and SERVER interfaces? Do you see the packet on both interfaces?
-
Hi @wussupi83 I did it on SERVERS only, the ICMP request packets are not getting troubles to reach pfSense, even from LAN packets are reaching two servers (Proxy and Proxmox) in that subnet. It just doesn't make any sense to me when pfSense can ping FreeNAS and any LAN device can not. Just to be sure I'm setting the same rules in SERVERS tab than LAN.
-
So does this server your trying to ping have pfsense IP as its gateway on this 172 network?
Does it run a firewall as asked already?
-
So does this server your trying to ping have pfsense IP as its gateway on this 172 network?
Oh boy, now I want to delete the entire post because now it works and I spent your time guys for a simple thing. I had to clone the allow all LANs rules first but everything works now. Was a combination of both steps, rules first. Well, this is the end of a long story and now i can keep going thanks to you guys and you @johnpoz. Thanks again and shame on me!
-
Your rules on the server tab would only be needed for the server to start conversations outbound… No rules would be needed if they would just be answering conversations started by the lan..
But yeah big one for the host to know how to get back to the lan network ;)
Glad you got it sorted.. Sometimes it just takes a second pair of eyes to look at the issue.. You thread was very detailed on the setup, and once you stated you could ping the pfsense IP on the servers network, and other servers really looked to be just missing a gateway..
-
Thats was the problem, I detailed the issue my best and got no idea at all. And sometimes those litle details can be really difficult to find because you are not thinking about them, I was even preparing my bags to travel the land of hardware malfunction XD XD!!
-
Wow 10 days on that other forum and not one response..
Sorry I did not see your post earlier ;) I saw it this morning before heading to work..
-
:( :( Yeah but I have to say I have higher reputation on that one, but that site is more focused on regular users doing tweaks or somehow managing small networks. The proper site to post on that platform is serverfault, which is more advanced I guess, more professional. Anyway the proper site to post was always this one (pfSenses) I initially posted there because I have to say the way you are posting and at the same time you are watching how users are going to see the post is awesome.