Netgate Discussion Forum
    Cannot ping through AWS pfSense Instance

    IPsec
ryannel86:

      We are busy evaluating pfSense for our requirements and have spent 2 days attempting to resolve an issue:

      • We have 2 instances on AWS: SERVER1 and PFSENSE
      • We connect to an external network, SERVER2 via an IPSec Tunnel (Tunnel is connected)

      PFSENSE AWS Instance can ping SERVER2 (ipsec) and can ping SERVER1 (eth):
      SERVER 1 <--- PFSENSE can ping---> SERVER2

      SERVER1 Can Ping PFSENSE
      SERVER2 can Ping PFSENSE

SERVER1 cannot ping through PFSENSE to SERVER2: SERVER1 can't ping ------> SERVER2
SERVER2 cannot ping through PFSENSE to SERVER1: SERVER2 can't ping ------> SERVER1

      We have added icmp request rules to security groups on AWS and checked security groups
      Turned off firewalls for testing (including the SERVER1 Firewalls)
      Disabled source destination checks on AWS

      Issue is pinging through the AWS / PFSENSE Instance

      Any assistance would be greatly appreciated - thanks

Derelict (LAYER 8, Netgate):

        I, for one, am going to need a diagram with more specifics to even hazard a guess as to where the problem is. Please be as specific as possible including subnets, what host IP addresses cannot connect to what, etc.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

MeCJay12:

          In AWS, by default, an instance cannot act as a router (forward traffic). To change this, right-click the instance in EC2, mouse over Networking, then click "Change Source/Dest. IP Check". A window will come up. Click "Yes, disable". This just allows different IPs to come from the instance than the one(s) assigned.

ryannel86:

Thanks for the prompt responses - I have attempted a diagram, please find attached - does this assist?

Thanks
(attached image: 0_1552393814985_PFSense.png)

Derelict (LAYER 8, Netgate):

              Does the VPC know to route traffic for 192.168.X.X to the pfSense LAN1 interface?

ryannel86:

@derelict said in Cannot ping through AWS pfSense Instance:

> 192.168.X.X

                Thanks Derelict,

On the VPC I have the following routes:

Destination = Target
172.31.0.0/16 = local
0.0.0.0/0 = IGW
SERVER2 IP (192.168.x.x) = PFSENSE LAN2 ENI (LAN2)

                Does that look right?

                Thanks

Derelict (LAYER 8, Netgate):

                  Seems right. So packet capture on the pfSense LAN2 and see what you see when you ping both ways.

                  Be sure source/dest check isn't enabled on the interface too. It has always been a little unclear to me what happens when it is enabled on the instance and not on the interfaces, vice versa, etc. I generally just disable it everywhere I see it.

ryannel86:
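The two things checked in this thread, the Source/Dest check (which AWS keeps as a separate attribute on the instance and on every ENI) and the VPC route that points the remote subnet at the pfSense LAN interface, can be audited from the JSON that the AWS CLI returns. The script below is an added example, not code from the thread or from Netgate; it runs on a constructed sample shaped like the output of `aws ec2 describe-instances`, `aws ec2 describe-network-interfaces` and `aws ec2 describe-route-tables`. All instance, ENI and route-table IDs, and the 192.168.100.0/24 remote subnet, are placeholders; the sample deliberately reproduces the state the thread ends on (check disabled on the instance but still enabled on the LAN2 ENI).

```python
"""Audit why an EC2 instance (here, pfSense) cannot forward traffic:
1. Source/Dest check still enabled on the instance or on any attached ENI.
2. VPC route for the remote subnet not pointing at the expected LAN ENI.
"""
import ipaddress

# --- Constructed sample input (placeholder IDs, not real AWS resources) ---
PFSENSE_INSTANCE = {"InstanceId": "i-0pfsense00000000", "SourceDestCheck": False}

PFSENSE_ENIS = [
    {"NetworkInterfaceId": "eni-0wan000000000000", "Description": "WAN",
     "SourceDestCheck": False, "Attachment": {"InstanceId": "i-0pfsense00000000"}},
    {"NetworkInterfaceId": "eni-0lan100000000000", "Description": "LAN1",
     "SourceDestCheck": False, "Attachment": {"InstanceId": "i-0pfsense00000000"}},
    # LAN2 still has the check enabled: the interface-level setting the thread
    # finally tracked down (instance-level was already off).
    {"NetworkInterfaceId": "eni-0lan200000000000", "Description": "LAN2",
     "SourceDestCheck": True, "Attachment": {"InstanceId": "i-0pfsense00000000"}},
]

VPC_ROUTE_TABLE = {
    "RouteTableId": "rtb-0example0000000",
    "Routes": [
        {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example0000000", "State": "active"},
        {"DestinationCidrBlock": "192.168.100.0/24",  # placeholder for the SERVER2 subnet
         "NetworkInterfaceId": "eni-0lan200000000000", "State": "active"},
    ],
}


def source_dest_check_blockers(instance, enis):
    """Return IDs of every object that still enforces the Source/Dest check.
    An empty list means AWS will let the instance forward at every layer."""
    blockers = []
    if instance.get("SourceDestCheck", True):
        blockers.append(instance["InstanceId"])
    for eni in enis:
        attached_to = eni.get("Attachment", {}).get("InstanceId")
        if attached_to == instance["InstanceId"] and eni.get("SourceDestCheck", True):
            blockers.append(eni["NetworkInterfaceId"])
    return blockers


def route_target_for(route_table, destination_ip):
    """Longest-prefix match over active routes, as the VPC router does.
    Returns the route target (ENI, gateway or instance ID) or None."""
    ip = ipaddress.ip_address(destination_ip)
    best_net, best_target = None, None
    for route in route_table["Routes"]:
        if route.get("State") != "active":
            continue
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net = net
            best_target = (route.get("NetworkInterfaceId")
                           or route.get("GatewayId")
                           or route.get("InstanceId"))
    return best_target


def audit(instance, enis, route_table, remote_ip, expected_lan_eni):
    """Human-readable findings for the 'can ping the firewall but not through
    it' symptom. Empty list means both AWS-side prerequisites are satisfied."""
    findings = [f"Source/Dest check still enabled on {obj}"
                for obj in source_dest_check_blockers(instance, enis)]
    target = route_target_for(route_table, remote_ip)
    if target != expected_lan_eni:
        findings.append(f"VPC route for {remote_ip} targets {target!r}, "
                        f"expected {expected_lan_eni}")
    return findings


if __name__ == "__main__":
    for finding in audit(PFSENSE_INSTANCE, PFSENSE_ENIS, VPC_ROUTE_TABLE,
                         "192.168.100.10", "eni-0lan200000000000"):
        print(finding)
    # Remediation is done by hand with the real AWS CLI, e.g.:
    #   aws ec2 modify-instance-attribute --instance-id i-... --no-source-dest-check
    #   aws ec2 modify-network-interface-attribute --network-interface-id eni-... \
    #       --no-source-dest-check
```

Feed the functions real output by loading the CLI's JSON (`NetworkInterfaces`, `RouteTables[0]`, `Reservations[0].Instances[0]`) instead of the constructed dictionaries; the logic does not change. Checking every ENI, not only the instance, is the point: the instance-level toggle in the console is what most people flip, and a secondary interface added later keeps its own setting.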

                    3 days of troubleshooting, you are a legend!! The issue was source/dest on the interface level (thought it was only on instance level).

                    Thanks heaps - much appreciated!
