(SOLVED) Can't have access to Google's 172.217.0.0 addresses
-
For me
Microsoft Windows [version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Tous droits réservés.
C:\Users\Réception-Gauche>ping 172.217.21.164
Envoi d'une requête 'Ping' 172.217.21.164 avec 32 octets de données :
Réponse de 172.217.21.164 : octets=32 temps=57 ms TTL=45
Réponse de 172.217.21.164 : octets=32 temps=57 ms TTL=45
Réponse de 172.217.21.164 : octets=32 temps=56 ms TTL=45
Réponse de 172.217.21.164 : octets=32 temps=56 ms TTL=45
Statistiques Ping pour 172.217.21.164:
Paquets : envoyés = 4, reçus = 4, perdus = 0 (perte 0%),
Durée approximative des boucles en millisecondes :
Minimum = 56ms, Maximum = 57ms, Moyenne = 56ms
"Your mileage may vary ...."
All this means that "172.217.21.164" wants to reply to me (my WAN IP).
Not a big issue if ICMP won't come back.
-
@Gertjan
Me too but not on the other site
U:\>ping 172.217.21.164
Ping-isäntä: 172.217.21.164 32 tavua tietoja:
Vastaus isännältä 172.217.21.164: tavuja=32 aika=7 ms TTL=57
Vastaus isännältä 172.217.21.164: tavuja=32 aika=7 ms TTL=57
Vastaus isännältä 172.217.21.164: tavuja=32 aika=7 ms TTL=57
Vastaus isännältä 172.217.21.164: tavuja=32 aika=7 ms TTL=57
Ping-tilastot 172.217.21.164:
Paketit: Lähetetty = 4, Vastaanotettu = 4, Kadonnut = 0 (0% hävikki),
Arvioitu kiertoaika millisekunteina:
Pienin = 7 ms, Suurin = 7 ms, Keskiarvo = 7 ms
-
@torisevt said in Can't have access to Google's 172.217.0.0 addresses:
7 62.78.104.85 28.543 ms
62.78.108.37 137.688 ms 14.744 ms
That trace looks odd, are you getting back multiple IPs on the same hop?
From your trace it looks like your problem is upstream of pfsense.. To prove this to yourself - just sniff on wan of pfsense when you ping that IP... Do you see pfsense send the ping request with its public IP as source.. If you do not get an answer that is on your isp or upstream..
-
So, here a ping to "172.217.21.164" replies :
@torisevt said in Can't have access to Google's 172.217.0.0 addresses:
U:>ping 172.217.21.164
Ping-isäntä: 172.217.21.164 32 tavua tietoja:
Vastaus isännältä 172.217.21.164: tavuja=32 aika=7 ms TTL=57
Here it doesn't :
@torisevt said in Can't have access to Google's 172.217.0.0 addresses:
Ping-isäntä: www.google.com [172.217.21.164] 32 tavua tietoja:
Pyyntö aikakatkaistiin. (Time out)
Is that the question : it doesn't work all the time ?
-
@Gertjan
It doesn't work when Google changes its sites' IP addresses to the 172.217.0.0 net
-
He has 2 sites.. Only 1 site is unable to ping that netblock.
-
The site with no result (no ICMP returned) uses an upstream router with different settings ?
Another ISP ?
Also : "Google" uses firewalls. When some networks (read : ISP clients) ping too much, it would not surprise me that Google throttles ICMP a bit for that network. It's just a free service ;)
-
There is a cable modem connected to pfsense that is connected to LAN switch.
No other ISP, unless IPsec VPN between sites?
-
@torisevt said in Can't have access to Google's 172.217.0.0 addresses:
unless IPsec VPN between sites?
Ah !! Even more factors to check !!
You've got more such details ?
-
@Gertjan
I don't know all the things the previous guy has established.
-
What's the network settings on the ipsec - are you sending that netblock over the ipsec?
-
@johnpoz
Where can I find it?
-
in the vpn, ipsec section - what is setup on the phase 2? This will have tunnel networks and remote networks and local networks defined.
-
-
well there is your problem a 172/8 - that is not correct for damn sure ;)
-
@johnpoz
We use 172.18.., 172.19.. on the other site
-
that is great - then that should reflect the actual cidr for the networks over there - not the whole 172.everything /8 mask.
rfc1918 space for the 172 would be 172.16/12
with that /8 you're telling pfsense 172.217 is over there.
If you only have 172.18 and .19 over there then 172.18/15 would be the correct mask
-
-
Great! Are you just using the .18/15 over there or is it a bigger block?
-
@johnpoz
I tried the .18/15 in the phase2 and it worked.
Could I just add subnets to additional phase 2 section?
We have 172.18.1 and 2 and 3 and 172.19.1 and 2.
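-
The overlap diagnosed in this thread, as an added example that is not part of the original posts: it checks how much public address space a phase 2 remote network covers, whether the pinged Google address falls inside it, and what the smallest covering CIDR for the remote site would be. The /24 mask on the site subnets and writing the 172/8 selector as 172.0.0.0/8 are assumptions; the function names are hypothetical.

```python
import ipaddress

# RFC 1918 private ranges; anything outside them is routable internet space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def public_part(selector):
    """Return the blocks inside a phase 2 remote network that are NOT RFC 1918."""
    remainder = [ipaddress.ip_network(selector)]
    for private in RFC1918:
        kept = []
        for block in remainder:
            if private.subnet_of(block):        # selector swallows a private range
                kept.extend(block.address_exclude(private))
            elif not block.subnet_of(private):  # disjoint: still public
                kept.append(block)
            # else: block lies wholly inside private space, drop it
        remainder = kept
    return sorted(remainder)

def misrouted(selector, dest):
    """Public block of the selector that would pull `dest` into the tunnel, or None."""
    ip = ipaddress.ip_address(dest)
    return next((b for b in public_part(selector) if ip in b), None)

def tightest_cover(subnets):
    """Smallest single CIDR containing every listed subnet."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover

# Constructed input: the thread lists 172.18.1-3 and 172.19.1-2; /24 is assumed.
SITE_SUBNETS = ["172.18.1.0/24", "172.18.2.0/24", "172.18.3.0/24",
                "172.19.1.0/24", "172.19.2.0/24"]
GOOGLE_IP = "172.217.21.164"  # address pinged in the thread

if __name__ == "__main__":
    for selector in ("172.0.0.0/8", str(tightest_cover(SITE_SUBNETS))):
        hit = misrouted(selector, GOOGLE_IP)
        print(f"{selector}: public space covered = "
              f"{[str(b) for b in public_part(selector)]}")
        print(f"  {GOOGLE_IP} -> "
              f"{'sent into the tunnel via ' + str(hit) if hit else 'normal WAN routing'}")
```

Any phase 2 remote network for which `public_part` returns a non-empty list is claiming internet addresses for the tunnel and is worth reviewing.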