(SOLVED) Can't have access to Google's 172.217.0.0 addresses
-
Here's the problem.
We have pfSense 2.4.4-RELEASE-p3.
WAN(dhcp) and LAN(192.168.100.0/24).
We have a few rules on the firewall:
On WAN, allow access from our other site and allow maintenance. Block Not IANA and IPv6.
On LAN, allow connection to other site subnets and allow LAN to any rule. Block IPv6.
These are the rules we have, and still I can't access the Google site, or sometimes not even ping it.
From firewall I can ping these sites, but not on the PC.
The problematic addresses seem to be the 172.217.0.0/16 net. How do I get the Google sites to work?
Thank You
-
@torisevt said in Can't have access to Google's 172.217.0.0 addresses:
WAN(dhcp) and LAN(192.168.1.0/24).
What do you mean ?
Both WAN and LAN on the 192.168.1.0/24 network?
@torisevt said in Can't have access to Google's 172.217.0.0 addresses:
172.217.0.0
Keep in mind : hosts on the Internet have no obligation to reply to a ping.
edit : I just tried (one) 172.217.0.1 : it replies to ICMP.
-
WAN gets its IP from the ISP's DHCP.
And LAN uses the 192.168.1.0/24 network. Sorry if it's problematic to read.
-
C:\Users\administrator>ping www.google.com
Pinging www.google.com [172.217.21.164] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.217.21.164:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
-
Please provide a screenshot of the WAN / LAN rules of your pfSense.
-
-
Do a traceroute to www.google.com. Are you getting past pfSense? Are you using IPS or a VPN service?
Do you have any rules in floating?
Your allow subnet rule? So you have downstream networks off your LAN?
You do understand that the allow rule to 172.19/16 is pointless, right, since you have an any any rule.. Allow subnet rules, since your any any rule source is any... vs say LAN net.
-
@johnpoz
No rules in floating
Subnets are at the other site.
I'm trying to fix the previous guy's problems.
I had to change to gmail.com, because the www.google.com IP changed to 216.58.207.228, which works fine.
C:\Users\administrator>tracert gmail.com
Tracing route to gmail.com [172.217.20.37] over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.100.1
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
-
And what is this 192.168.100? You stated your pfSense LAN is 192.168.1.
-
@johnpoz
Fingers type before I think.
We have the 192.168.100.0 network at the site.
-
Ok... So pfSense is 192.168.100.1.
What does the routing table look like on pfsense? Do a traceroute from pfsense for that 172 IP.
-
@johnpoz
Traceroute
1 * * *
2 62.78.124.34 9.949 ms 11.144 ms 9.942 ms
3 62.78.107.148 18.192 ms 9.792 ms 9.891 ms
4 62.78.107.202 14.443 ms 10.692 ms 9.342 ms
5 * * *
6 62.78.107.194 17.179 ms 13.994 ms 16.244 ms
7 62.78.104.85 28.543 ms
62.78.108.37 137.688 ms 14.744 ms
8 * 72.14.211.94 13.255 ms *
9 * 108.170.254.49 18.219 ms *
10 209.85.246.26 17.006 ms
72.14.236.4 17.444 ms
108.170.232.35 14.894 ms
11 172.217.20.37 18.042 ms
108.170.232.35 22.542 ms
172.217.20.37 15.499 ms
-
For me
Microsoft Windows [version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Réception-Gauche>ping 172.217.21.164
Pinging 172.217.21.164 with 32 bytes of data:
Reply from 172.217.21.164: bytes=32 time=57ms TTL=45
Reply from 172.217.21.164: bytes=32 time=57ms TTL=45
Reply from 172.217.21.164: bytes=32 time=56ms TTL=45
Reply from 172.217.21.164: bytes=32 time=56ms TTL=45
Ping statistics for 172.217.21.164:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milliseconds: Minimum = 56ms, Maximum = 57ms, Average = 56ms
"Your mileage may vary ...."
All this means that "172.217.21.164" wants to reply to me (my WAN IP).
Not a big issue if ICMP won't come back.
-
@Gertjan
Me too, but not on the other site.
U:\>ping 172.217.21.164
Pinging 172.217.21.164 with 32 bytes of data:
Reply from 172.217.21.164: bytes=32 time=7ms TTL=57
Reply from 172.217.21.164: bytes=32 time=7ms TTL=57
Reply from 172.217.21.164: bytes=32 time=7ms TTL=57
Reply from 172.217.21.164: bytes=32 time=7ms TTL=57
Ping statistics for 172.217.21.164:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milliseconds: Minimum = 7ms, Maximum = 7ms, Average = 7ms
-
@torisevt said in Can't have access to Google's 172.217.0.0 addresses:
7 62.78.104.85 28.543 ms
62.78.108.37 137.688 ms 14.744 ms
That trace looks odd, are you getting back multiple IPs on the same hop?
From your trace it looks like your problem is upstream of pfSense.. To prove this to yourself - just sniff on the WAN of pfSense when you ping that IP... Do you see pfSense send the ping request with its public IP as source? If you do not get an answer, that is on your ISP or upstream..
-
So, here a ping to "172.217.21.164" replies:
@torisevt said in Can't have access to Google's 172.217.0.0 addresses:
U:\>ping 172.217.21.164
Pinging 172.217.21.164 with 32 bytes of data:
Reply from 172.217.21.164: bytes=32 time=7ms TTL=57
Here it doesn't:
@torisevt said in Can't have access to Google's 172.217.0.0 addresses:
Pinging www.google.com [172.217.21.164] with 32 bytes of data:
Request timed out.
Is that the question: it doesn't work all the time?
-
@Gertjan
It doesn't work when Google changes its sites' IP addresses to the 172.217.0.0 net.
-
He has 2 sites.. Only 1 site is unable to ping that netblock.
-
The site with no result (no ICMP returned) uses an upstream router with different settings?
Another ISP?
Also: "Google" uses firewalls. When some networks (read: ISP clients) ping too much, it would not surprise me that Google throttles ICMP a bit for that network. It's just a free service ;)
-
There is a cable modem connected to pfSense, which is connected to the LAN switch.
No other ISP, unless the IPsec VPN between sites?
-
@torisevt said in Can't have access to Google's 172.217.0.0 addresses:
unless IPsec VPN between sites?
Ah!! Even more factors to check!!
You've got more such details?
-
@Gertjan
I don't know all the things the previous guy has established.
-
What are the network settings on the IPsec - are you sending that netblock over the IPsec?
-
@johnpoz
Where can I find it?
-
In the VPN, IPsec section - what is set up on the phase 2? This will have tunnel networks, remote networks and local networks defined.
-
-
Well, there is your problem: a 172/8 - that is not correct, for damn sure ;)
-
@johnpoz
We use 172.18.., 172.19.. on the other site.
-
That is great - then that should reflect the actual CIDR for the networks over there, not the whole 172.everything /8 mask.
RFC 1918 space for the 172 would be 172.16/12.
With that /8 you're telling pfSense 172.217 is over there.
If you only have 172.18 and .19 over there, then 172.18/15 would be the correct mask.
-
-
Great! Are you just using the .18/15 over there, or is it a bigger block?
-
@johnpoz
I tried the .18/15 in the phase 2 and it worked.
Could I just add subnets to the additional phase 2 section?
We have 172.18.1 and 2 and 3, and 172.19.1 and 2.
-
With 172.18.0.0/15 (netmask 255.254.0.0 = /15), the first IP is 172.18.0.1 and the last IP is 172.19.255.254, so you should have it already in phase 2. There should be no need to do any other mods.
-
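The two points made above by johnpoz (a 172.0.0.0/8 phase-2 remote network tells pfSense that all of 172.x, Google's 172.217.0.0/16 included, lives across the tunnel) and by kiokoman (172.18.0.0/15 already spans 172.18.0.1 to 172.19.255.254) can be checked with a few lines of Python. The block below is an added example and is not code from this thread or from pfSense; it makes the simplifying assumption that any destination matching a phase-2 remote network is sent into the tunnel instead of out the WAN, and the prefixes and sample destinations are constructed from the figures quoted in the thread.

```python
"""Model the IPsec phase-2 "remote network" mistake from this thread.

Added illustration, not code from the thread or from pfSense. Simplifying
assumption: a destination that matches any phase-2 remote network is sent
into the tunnel instead of out the WAN, so an over-wide remote network such
as 172.0.0.0/8 swallows public destinations like Google's 172.217.0.0/16.
All prefixes below are constructed from the figures quoted in the thread.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Phase-2 remote networks: the misconfigured /8 and the corrected /15.
MISCONFIGURED_P2 = ["172.0.0.0/8"]
CORRECTED_P2 = ["172.18.0.0/15"]

# Subnets actually in use at the remote site (constructed from the thread).
REMOTE_SITE_SUBNETS = ["172.18.1.0/24", "172.18.2.0/24", "172.18.3.0/24",
                       "172.19.1.0/24", "172.19.2.0/24"]


def matching_selector(dst, remote_nets):
    """Most specific remote network covering dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [n for n in map(ipaddress.ip_network, remote_nets) if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def egress(dst, remote_nets):
    """Where a packet to dst leaves under the assumption above: 'ipsec:<selector>' or 'wan'."""
    sel = matching_selector(dst, remote_nets)
    return f"ipsec:{sel}" if sel else "wan"


def covering_prefix(nets):
    """Smallest single prefix that contains every network in nets."""
    nets = [ipaddress.ip_network(n) for n in nets]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()  # widen by one bit until everything fits
    return str(cover)


def host_range(net):
    """First and last usable host of a prefix, plus its dotted netmask."""
    n = ipaddress.ip_network(net)
    return str(n.network_address + 1), str(n.broadcast_address - 1), str(n.netmask)


def is_private(net):
    """True if the prefix lies entirely inside one RFC 1918 block."""
    n = ipaddress.ip_network(net)
    return any(n.subnet_of(block) for block in RFC1918)


def audit(remote_nets, sample_dsts):
    """Flag remote networks outside RFC 1918 space, or that capture public destinations."""
    findings = []
    for net in remote_nets:
        if not is_private(net):
            findings.append(f"{net}: not within RFC 1918 space")
    for dst in sample_dsts:
        public = not ipaddress.ip_address(dst).is_private
        if public and egress(dst, remote_nets) != "wan":
            findings.append(f"{dst}: public address would be sent into the tunnel")
    return findings


if __name__ == "__main__":
    google = "172.217.21.164"  # the Google address from the thread
    for label, p2 in (("misconfigured", MISCONFIGURED_P2), ("corrected", CORRECTED_P2)):
        print(f"{label}: {google} -> {egress(google, p2)}; findings={audit(p2, [google])}")
    print("tightest prefix covering the remote site:", covering_prefix(REMOTE_SITE_SUBNETS))
    print("172.18.0.0/15 first/last host and netmask:", host_range("172.18.0.0/15"))
```

Running it shows the Google address being pulled into the tunnel under the /8 and going out the WAN under the /15, that 172.18.0.0/15 is the tightest single prefix covering the five remote subnets, and the /15's host range and 255.254.0.0 netmask. `audit` is the check to run on any site-to-site phase 2: every remote network should sit inside RFC 1918 space and no public test address should match a selector.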
@kiokoman
thanks