Virtual IP - ping: sendto: Permission denied
-
The setup:
igb2 inet 172.20.0.1 netmask 0xffff0000 broadcast 172.20.255.255
     inet 192.168.1.99 netmask 0xffffff00 broadcast 255.255.255.0 (Virtual IP)
When I try to ping the physically connected host 192.168.1.254, the output is
PING 192.168.1.254 (192.168.1.254): 56 data bytes
ping: sendto: Permission denied
whereas nmap is able to reach this host
Nmap scan report for 192.168.1.254
Host is up (0.00039s latency).
This happens on 2.4.3-RELEASE-p1 as well as on 2.4.4-RELEASE.
Disabling PF (pfctl -d) does not help and adding firewall rules allowing to and from everything does neither. I run out of ideas at this point.
TL;DR
I can't ping a physically connected host from a virtual IP assigned to the NIC the host is connected to.
-
So you're running multiple layer 3 on the same layer 2? Why?? To be honest this is just borked out of the gate.
If you want a 192.168.1/24 network then set it up as a vlan and run it on its own L2..
Did you try ping with [-S src_addr]
Ok I just tested this without any issues
[2.4.4-RELEASE][root@sg4860.local.lan]/root: ping 172.20.0.100
PING 172.20.0.100 (172.20.0.100): 56 data bytes
64 bytes from 172.20.0.100: icmp_seq=0 ttl=128 time=0.461 ms
64 bytes from 172.20.0.100: icmp_seq=1 ttl=128 time=0.199 ms
64 bytes from 172.20.0.100: icmp_seq=2 ttl=128 time=0.234 ms
Created a vip on pfsense 172.20.0.1
And created another IP on my PC.
As you can see, I can ping it from pfsense without any issues. Are you logged in with some other account other than admin/root on pfsense?
-
Entirely my fault
I should have mentioned that there is a Captive Portal running on that interface, too. This prevented communication between the Virtual IP and the host even when PF was disabled. After setting an exception for the IP address 192.168.1.254 in the Captive Portal, I could access the host.
@johnpoz said in Virtual IP - ping: sendto: Permission denied:
So you're running multiple layer 3 on the same layer 2? Why?? To be honest this is just borked out of the gate.
I know, I just needed this configuration temporarily.
-
Ok if just a temp thing - then very understandable.. Useful when migrating to new IP scheme, etc. etc. There are use cases for it sure.
Glad you got it sorted, and also glad you understand it's borked doing such a thing ;) heheheeh