Netgate Discussion Forum

Two NICs, can't ping default gateway

Routing and Multi WAN
  • Z
    zookilux
    last edited by Dec 2, 2014, 4:59 AM

    Hi All,

    I'm having a bit of networking trouble with my new setup.

    I'm building a VirtualBox penetration testing lab, but I want to protect my LAN from it, so I'm setting it up as follows. All of the machines are virtualised.

    pfSense machine
    2 NICs
    NIC 1 - Bridged mode, gets a 192.168.1.x/24 address from my LAN router. This is configured as the WAN interface in pfSense.
    NIC 2 - Internal. DHCP Server running on this NIC in 10.0.0.0/24 range

    Kali machine
    2 NICs
    NIC 1 - Bridged mode, gets a 192.168.1.x/24 address from my LAN. Set up as eth0
    NIC 2 - Internal. Successfully gets a 10.0.0.0/24 IP address

    Various servers
    1 NIC
    NIC 1 - Internal. Successfully get 10.0.0.0/24 IP addresses.

    Okay, so in my head, that all seems like it should work fine, and when I turn my laptop on at work, it does. But when I use it at home, I have no internet access from either my Kali machine or my pfSense machine (haven't tested the servers, but can't imagine they'd be any different). From the Kali/pfSense machines I can ping hosts on my 192.168.1.0/24 network, but I can't ping the default gateway, DNS lookups don't work, etc.

    Am I setting something up wrong here?

    • K
      KOM
      last edited by Dec 2, 2014, 4:39 PM

      By default, pfSense WAN is set to ignore private address space.  If you select Interfaces - WAN, do you have Block private networks checked?

      • J
        johnpoz LAYER 8 Global Moderator
        last edited by Dec 2, 2014, 8:28 PM

        "but I can't ping the default gateway"

        You mean your router on the 192.168.1.0/24 network that gives pfsense and the kali machines its IP address via dhcp?

        That would explain why you don't have internet.  Do these machines show mac address for the gateway on the 192.168.1.0/24 network - what IP is it by the way, is it listed correctly in your dhcp lease you get?

        Does it happen to be the same 192.168.1.X that is at work?  Do you have any sort of static arp setup?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • Z
          zookilux
          last edited by Dec 3, 2014, 3:42 AM

          @KOM:

          By default, pfSense WAN is set to ignore private address space.  If you select Interfaces - WAN, do you have Block private networks checked?

          No I don't - I've tried with both and it doesn't seem to make a difference. The exact same setup works in my office on a 192.168.30.0/24 network, which is arguably the most confusing part of this entire endeavour :D

          • Z
            zookilux
            last edited by Dec 3, 2014, 3:53 AM

            @johnpoz:

            "but I can't ping the default gateway"

            You mean your router on the 192.168.1.0/24 network that gives pfsense and the kali machines its IP address via dhcp?

            Yes, that's correct

            That would explain why you don't have internet.  Do these machines show mac address for the gateway on the 192.168.1.0/24 network - what IP is it by the way, is it listed correctly in your dhcp lease you get?

            Yes, I get listings in the ARP table for 192.168.1.254, and yes, the routing lists 192.168.1.254 as the default gateway.

            Does it happen to be the same 192.168.1.X that is at work?  Do you have any sort of static arp setup?

            No, no static ARP. Although back at work today, it looks like the 10.x range is being listed as the default gateway -

            root@kali:~/scripts# route
            Kernel IP routing table
            Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
            default         pfsense.localdo 0.0.0.0         UG    0      0        0 eth1
            10.0.0.0        *               255.255.255.0   U     0      0        0 eth1
            192.168.30.0    *               255.255.255.0   U     0      0        0 eth0
            
            
            
            root@kali:~/scripts# ifconfig
            eth0      Link encap:Ethernet  HWaddr 08:00:27:92:0b:f0  
                      inet addr:192.168.30.76  Bcast:192.168.30.255  Mask:255.255.255.0
                      inet6 addr: fe80::a00:27ff:fe92:bf0/64 Scope:Link
                      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                      RX packets:65930 errors:0 dropped:0 overruns:0 frame:0
                      TX packets:69 errors:0 dropped:0 overruns:0 carrier:0
                      collisions:0 txqueuelen:1000 
                      RX bytes:7577909 (7.2 MiB)  TX bytes:5238 (5.1 KiB)
            
            eth1      Link encap:Ethernet  HWaddr 08:00:27:e3:d7:ed  
                      inet addr:10.0.0.100  Bcast:10.0.0.255  Mask:255.255.255.0
                      inet6 addr: fe80::a00:27ff:fee3:d7ed/64 Scope:Link
                      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                      RX packets:16400 errors:0 dropped:0 overruns:0 frame:0
                      TX packets:10941 errors:0 dropped:0 overruns:0 carrier:0
                      collisions:0 txqueuelen:1000 
                      RX bytes:18391500 (17.5 MiB)  TX bytes:1028924 (1004.8 KiB)
            
            
            
            *** Welcome to pfSense 2.1.5-RELEASE-pfSense (amd64) on pfsense ***
            
             WAN (wan)       -> em0        -> v4/DHCP4: 192.168.30.79/24
             LAN (lan)       -> em1        -> v4: 10.0.0.254/24
            
            
            • Z
              zookilux
              last edited by Dec 3, 2014, 12:44 PM

              and the same items from home…

              I'm losing my mind.  I think the only logical next step is to drive over my Cisco 877 with the car.

              
              root@kali:~/.ssh# route
              Kernel IP routing table
              Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
              default         pfsense.localdo 0.0.0.0         UG    0      0        0 eth1
              10.0.0.0        *               255.255.255.0   U     0      0        0 eth1
              192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
              
              
              
              root@kali:~/.ssh# ifconfig
              eth0      Link encap:Ethernet  HWaddr 08:00:27:92:0b:f0  
                        inet addr:192.168.1.140  Bcast:192.168.1.255  Mask:255.255.255.0
                        inet6 addr: fe80::a00:27ff:fe92:bf0/64 Scope:Link
                        UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                        RX packets:3572 errors:0 dropped:0 overruns:0 frame:0
                        TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
                        collisions:0 txqueuelen:1000 
                        RX bytes:295319 (288.3 KiB)  TX bytes:2252 (2.1 KiB)
              
              eth1      Link encap:Ethernet  HWaddr 08:00:27:e3:d7:ed  
                        inet addr:10.0.0.100  Bcast:10.0.0.255  Mask:255.255.255.0
                        inet6 addr: fe80::a00:27ff:fee3:d7ed/64 Scope:Link
                        UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                        RX packets:541 errors:0 dropped:0 overruns:0 frame:0
                        TX packets:95 errors:0 dropped:0 overruns:0 carrier:0
                        collisions:0 txqueuelen:1000 
                        RX bytes:62400 (60.9 KiB)  TX bytes:11092 (10.8 KiB)
              
              
              
              *** Welcome to pfSense 2.1.5-RELEASE-pfSense (amd64) on pfsense ***
              
               WAN (wan)       -> em0        -> v4/DHCP4: 192.168.1.135/24
               LAN (lan)       -> em1        -> v4: 10.0.0.254/24
              
              
              • J
                johnpoz LAYER 8 Global Moderator
                last edited by Dec 3, 2014, 2:54 PM

                Your default route shouldn't matter if you have an interface in that network; that network interface would be used to ping an IP in that network.

                What I can tell you is that pfsense wan doesn't allow ping out of the box. You would have to allow it on the firewall wan tab.  I would check that if you can not ping the ip from something in the same segment as it, and you're showing mac in your arp table, etc.

                But you're not pinging pfsense, are you?  You're pinging whatever the gateway is on that 192.168 network.  Can other boxes on the 192.168 ping it?

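Added example (not part of the original posts): the route selection johnpoz describes, applied to the Kali routing table posted from home. It parses that `route` output, does a longest-prefix match, and lists the networks the VM reaches directly rather than through pfSense; the function names and the 203.0.113.10 test address are assumptions made for the example.

```python
import ipaddress

# Kali's routing table at home, copied from the `route` output in the thread.
ROUTE_OUTPUT = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         pfsense.localdo 0.0.0.0         UG    0      0        0 eth1
10.0.0.0        *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
"""

def parse_routes(text):
    """Parse net-tools `route` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue  # skip the header and anything that is not a route row
        dest, gateway, genmask, iface = fields[0], fields[1], fields[2], fields[7]
        if dest == "default":
            network = ipaddress.ip_network("0.0.0.0/0")
        else:
            network = ipaddress.ip_network(f"{dest}/{genmask}")
        # "*" in the Gateway column means the network is directly attached.
        routes.append((network, None if gateway == "*" else gateway, iface))
    return routes

def lookup(routes, destination):
    """Pick the route the kernel would use: the longest matching prefix wins."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    network, gateway, iface = max(matches, key=lambda r: r[0].prefixlen)
    return {"iface": iface, "gateway": gateway, "on_link": gateway is None}

def networks_bypassing(routes, firewall_iface):
    """Directly attached networks reached without going through the firewall."""
    return [str(net) for net, gw, iface in routes
            if gw is None and iface != firewall_iface]

if __name__ == "__main__":
    routes = parse_routes(ROUTE_OUTPUT)
    # 192.168.1.254 is the home router; 203.0.113.10 is a constructed address.
    for target in ("192.168.1.254", "10.0.0.254", "203.0.113.10"):
        print(target, lookup(routes, target))
    print("reachable without pfSense:", networks_bypassing(routes, "eth1"))
```

With the bridged eth0 present, 192.168.1.0/24 is on-link for the Kali VM, so traffic to the home LAN never crosses the pfSense firewall.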
                • Z
                  zookilux
                  last edited by Dec 4, 2014, 12:07 AM

                  @johnpoz:

                  Your default route shouldn't matter if you have an interface in that network; that network interface would be used to ping an IP in that network.

                  What I can tell you is that pfsense wan doesn't allow ping out of the box. You would have to allow it on the firewall wan tab.  I would check that if you can not ping the ip from something in the same segment as it, and you're showing mac in your arp table, etc.

                  But you're not pinging pfsense, are you?  You're pinging whatever the gateway is on that 192.168 network.  Can other boxes on the 192.168 ping it?

                  That's correct. I can ping pfSense fine, I'm trying to ping my Cisco ADSL router that is the default gateway for the LAN. I'd be surprised if it were a pfSense firewall for two reasons
                  1 - The firewall rules wouldn't change from when I'm at work to when I'm at home, so I'd expect the same behaviour at both locations
                  2 - I can ping hosts on the LAN without a problem, so that suggests the LAN is accessible using the current ruleset.

                  Thanks :)

                  • J
                    johnpoz LAYER 8 Global Moderator
                    last edited by Dec 4, 2014, 12:46 PM

                    Well I would sniff, do the pings go out the wire?

                    If you're saying you see the mac, but can not ping - maybe the router is just not answering you for some reason?  Or not getting there?  Without sniffing to see what goes out on the wire you're kind of just in the dark of what is going on.

                    • Z
                      zookilux
                      last edited by Dec 4, 2014, 1:44 PM

                      Yeah, so that's what I've been doing a little tonight.  In between taking my 3 year old to the hospital and going to work, I've had bugger all time to look at this.

                      There's just nothing back at all running wireshark on the Kali machine. Packets go out, nothing returns.

                      However… when I restart my Cisco router, as long as the Linux machine is already up, when the router comes back up, ping starts responding. If I restart the Linux machine, ping stops.

                      Going to try a different router on the weekend if I get a chance.

                      • J
                        johnpoz LAYER 8 Global Moderator
                        last edited by Dec 4, 2014, 3:13 PM

                        hmmmm, can you check on the cisco arp table, does it have the kali machine mac on the wrong port or missing or something?  Are you doing anything with vlans?  Off the top I don't recall if the 877 can do any sort of capture/debug to show if it is seeing the packets and not just answering.

                        So there is nothing between right, you just plug directly into a port on the 877.

                        • Z
                          zookilux
                          last edited by Dec 6, 2014, 3:38 PM

                          I set the WAN interface on pfSense to a static IP address in 192.168.1.0/24 range.
                          I removed the second interface on my Kali machine, so now it just has one interface with the internal network.

                          ..and everything seems to work.

                          Thanks everyone for your help. I'm still a bit confused by all of this, but I'm also relieved :)
