(SOLVED) Can't have access to Google's 172.217.0.0 addresses
-
The site with no result (no ICMP returned) uses an upstream router with different settings?
Another ISP? Also: "Google" uses firewalls. When some networks (read: ISP clients) ping too much, it would not surprise me that Google throttles ICMP a bit for that network. It's just a free service ;)
-
There is a cable modem connected to pfsense that is connected to LAN switch.
No other ISP, unless IPsec VPN between sites?
-
@torisevt said in Can't have access to Google's 172.217.0.0 addresses:
unless IPsec VPN between sites?
Ah!! Even more factors to check!!
You've got more such details?
-
@Gertjan
I don't know all the things the previous guy has established.
-
What's the network settings on the ipsec - are you sending that netblock over the ipsec?
-
@johnpoz
Where can I find it?
-
in the vpn, ipsec section - what is setup on the phase 2? This will have tunnel networks and remote networks and local networks defined.
-
-
well there is your problem a 172/8 - that is not correct for damn sure ;)
-
@johnpoz
We use 172.18.., 172.19.. on the other site
-
that is great - then that should reflect the actual cidr for the networks over there - not the whole 172.everything /8 mask.
rfc1918 space for the 172 would be 172.16/12
with that /8 you're telling pfsense 172.217 is over there.
If you only have 172.18 and .19 over there then 172.18/15 would be the correct mask
-
-
Great! Are you just using the .18/15 over there or is it a bigger block?
-
@johnpoz
I tried the .18/15 in the phase2 and it worked.
Could I just add subnets to additional phase 2 section?
We have 172.18.1 and 2 and 3 and 172.19.1 and 2.
-
with 172.18.0.0 /15 (Netmask 255.254.0.0 = 15) First IP is 172.18.0.1 and Last IP is 172.19.255.254 so you should have it already in phase 2. there should be no need to do any other mods
-
@kiokoman
thanks
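As an added example (not part of the original thread), the Python sketch below checks a phase 2 remote network the way the thread does by hand: does it claim addresses outside RFC 1918, would it capture a given destination, and what is the tightest single CIDR covering the remote subnets. The /24 masks on the remote subnets and the sample destination 172.217.0.1 are assumptions; the thread gives only prefixes.

```python
import ipaddress

# RFC 1918 private ranges; anything outside them is publicly routable space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def claims_public_space(selector):
    """True if a phase 2 remote network is not fully inside one RFC 1918 block."""
    net = ipaddress.ip_network(selector, strict=False)
    return not any(net.subnet_of(private) for private in RFC1918)


def captures(selector, destination):
    """True if traffic to destination would match the selector and enter the tunnel."""
    net = ipaddress.ip_network(selector, strict=False)
    return ipaddress.ip_address(destination) in net


def tightest_cover(subnets):
    """Smallest single CIDR block that contains every listed remote subnet."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()  # widen by one bit at a time
    return cover


def minimal_selectors(subnets):
    """Exact list of selectors (adjacent blocks merged) with no extra addresses."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Constructed input: the remote-site subnets named in the thread, /24 assumed.
REMOTE_SITE = ["172.18.1.0/24", "172.18.2.0/24", "172.18.3.0/24",
               "172.19.1.0/24", "172.19.2.0/24"]

if __name__ == "__main__":
    for selector in ("172.0.0.0/8", "172.16.0.0/12", "172.18.0.0/15"):
        print(selector,
              "claims public space:", claims_public_space(selector),
              "| captures 172.217.0.1:", captures(selector, "172.217.0.1"))
    print("tightest single cover:", tightest_cover(REMOTE_SITE))
    print("exact selectors:", minimal_selectors(REMOTE_SITE))
```

The single /15 is the simpler configuration; the exact list is what separate phase 2 entries would need to carry if nothing beyond the listed subnets should be routed into the tunnel.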