(SOLVED) Can't have access to Google's 172.217.0.0 addresses
-
@johnpoz
Fingers type before I think.
We have a 192.168.100.0 network at the site.
-
Ok... So pfSense is 192.168.100.1.
What does the routing table look like on pfSense? Do a traceroute from pfSense for that 172 IP.
-
@johnpoz
Traceroute
1 * * *
2 62.78.124.34 9.949 ms 11.144 ms 9.942 ms
3 62.78.107.148 18.192 ms 9.792 ms 9.891 ms
4 62.78.107.202 14.443 ms 10.692 ms 9.342 ms
5 * * *
6 62.78.107.194 17.179 ms 13.994 ms 16.244 ms
7 62.78.104.85 28.543 ms
62.78.108.37 137.688 ms 14.744 ms
8 * 72.14.211.94 13.255 ms *
9 * 108.170.254.49 18.219 ms *
10 209.85.246.26 17.006 ms
72.14.236.4 17.444 ms
108.170.232.35 14.894 ms
11 172.217.20.37 18.042 ms
108.170.232.35 22.542 ms
172.217.20.37 15.499 ms
-
For me:
Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Réception-Gauche>ping 172.217.21.164
Pinging 172.217.21.164 with 32 bytes of data:
Reply from 172.217.21.164: bytes=32 time=57ms TTL=45
Reply from 172.217.21.164: bytes=32 time=57ms TTL=45
Reply from 172.217.21.164: bytes=32 time=56ms TTL=45
Reply from 172.217.21.164: bytes=32 time=56ms TTL=45
Ping statistics for 172.217.21.164:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 56ms, Maximum = 57ms, Average = 56ms
"Your mileage may vary ...."
All this means that "172.217.21.164" wants to reply to me (my WAN IP).
Not a big issue if ICMP won't come back.
-
@Gertjan
Me too, but not on the other site:
U:\>ping 172.217.21.164
Pinging 172.217.21.164 with 32 bytes of data:
Reply from 172.217.21.164: bytes=32 time=7ms TTL=57
Reply from 172.217.21.164: bytes=32 time=7ms TTL=57
Reply from 172.217.21.164: bytes=32 time=7ms TTL=57
Reply from 172.217.21.164: bytes=32 time=7ms TTL=57
Ping statistics for 172.217.21.164:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 7ms, Maximum = 7ms, Average = 7ms
-
@torisevt said in Can't have access to Google's 172.217.0.0 addresses:
7 62.78.104.85 28.543 ms
62.78.108.37 137.688 ms 14.744 ms
That trace looks odd, are you getting back multiple IPs on the same hop?
From your trace it looks like your problem is upstream of pfSense. To prove this to yourself, just sniff on the WAN of pfSense when you ping that IP. Do you see pfSense send the ping request with its public IP as source? If you do not get an answer, that is on your ISP or upstream.
-
So, here a ping to "172.217.21.164" replies:
@torisevt said in Can't have access to Google's 172.217.0.0 addresses:
U:\>ping 172.217.21.164
Pinging 172.217.21.164 with 32 bytes of data:
Reply from 172.217.21.164: bytes=32 time=7ms TTL=57
Here it doesn't:
@torisevt said in Can't have access to Google's 172.217.0.0 addresses:
Pinging www.google.com [172.217.21.164] with 32 bytes of data:
Request timed out. (Time out)
Is that the question: it doesn't work all the time?
-
@Gertjan
It doesn't work when Google changes its sites' IP addresses to the 172.217.0.0 net.
-
He has 2 sites. Only 1 site is unable to ping that netblock.
-
The site with no result (no ICMP returned) uses an upstream router with different settings?
Another ISP?
Also: "Google" uses firewalls. When some networks (read: ISP clients) ping too much, it would not surprise me if Google throttled ICMP a bit for that network. It's just a free service ;)
-
There is a cable modem connected to pfSense, which is connected to the LAN switch.
Not another ISP, unless the IPsec VPN between sites?
-
@torisevt said in Can't have access to Google's 172.217.0.0 addresses:
unless IPsec VPN between sites?
Ah!! Even more factors to check!!
Have you got more such details?
-
@Gertjan
I don't know all the things the previous guy has established.
-
What are the network settings on the IPsec - are you sending that netblock over the IPsec?
-
@johnpoz
Where can I find it?
-
In the VPN, IPsec section - what is set up on the phase 2? This will have tunnel networks and remote networks and local networks defined.
-
-
Well, there is your problem: a 172/8 - that is not correct for damn sure ;)
-
@johnpoz
We use 172.18.., 172.19.. on the other site.
-
That is great - then that should reflect the actual CIDR for the networks over there, not the whole 172.everything /8 mask.
RFC 1918 space for the 172 would be 172.16/12.
With that /8 you're telling pfSense 172.217 is over there.
If you only have 172.18 and .19 over there, then 172.18/15 would be the correct mask.
-
-
Great! Are you just using the .18/15 over there or is it a bigger block?
-
@johnpoz
I tried the .18/15 in the phase 2 and it worked.
Could I just add subnets to the additional phase 2 section?
We have 172.18.1 and 2 and 3 and 172.19.1 and 2.
-
With 172.18.0.0/15 (netmask 255.254.0.0 = /15) the first IP is 172.18.0.1 and the last IP is 172.19.255.254, so you should have it already in phase 2. There should be no need to do any other mods.
-
@kiokoman
thanks
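The two points the thread settles on (johnpoz: a 172/8 phase 2 remote network drags 172.217.x into the tunnel and the tight value is 172.18/15; kiokoman: 172.18.0.0/15 already spans 172.18.0.1 through 172.19.255.254, so no extra phase 2 entries are needed) can be checked offline with the Python standard library. The block below is an added example, not code from the forum or from pfSense; it models the phase 2 traffic selector as a simple "is the destination inside the remote network" test, and the remote-site subnets and the Google addresses are constructed sample data taken from the posts, not a real configuration.

```python
import ipaddress

# Constructed sample data, modelled on the thread (assumed, not from a real config):
# the two phase 2 remote-network candidates, the LAN subnets the poster listed
# for the remote site, and a few public addresses from the traces.
PHASE2_BROKEN = ipaddress.ip_network("172.0.0.0/8")      # the /8 found in phase 2
PHASE2_FIXED = ipaddress.ip_network("172.18.0.0/15")     # the value that worked
RFC1918_172 = ipaddress.ip_network("172.16.0.0/12")      # private 172 space
REMOTE_SITE_SUBNETS = [
    "172.18.1.0/24", "172.18.2.0/24", "172.18.3.0/24",
    "172.19.1.0/24", "172.19.2.0/24",
]
PUBLIC_HOSTS = ["172.217.21.164", "172.217.20.37", "8.8.8.8"]


def route_for(dst, phase2_remote):
    """Model the phase 2 traffic selector: a destination inside the remote
    network is pushed into the IPsec tunnel, anything else leaves via the
    WAN and is NATed to the public IP (so Google can actually answer)."""
    return "ipsec" if ipaddress.ip_address(dst) in phase2_remote else "wan"


def smallest_covering_prefix(subnets):
    """Smallest single CIDR block that contains every listed subnet, i.e. the
    tightest value to put in the phase 2 remote network field."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    cover = nets[0]
    # Widen one bit at a time until every site subnet fits inside the block.
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover


def audit_phase2(phase2_remote, site_subnets, public_hosts):
    """Check a remote-network selector the way the thread reasons about it:
    does it cover the whole remote site, does it stay inside RFC 1918 space,
    and which public hosts would it wrongly swallow into the tunnel."""
    nets = [ipaddress.ip_network(s) for s in site_subnets]
    return {
        "covers_remote_site": all(n.subnet_of(phase2_remote) for n in nets),
        "within_rfc1918": phase2_remote.subnet_of(RFC1918_172),
        "hijacked_public_hosts": [
            h for h in public_hosts if route_for(h, phase2_remote) == "ipsec"
        ],
        # First and last usable host of the block (network and broadcast excluded).
        "first_host": str(phase2_remote[1]),
        "last_host": str(phase2_remote[-2]),
    }


if __name__ == "__main__":
    for label, net in (("broken", PHASE2_BROKEN), ("fixed", PHASE2_FIXED)):
        print(label, net, audit_phase2(net, REMOTE_SITE_SUBNETS, PUBLIC_HOSTS))
    print("tightest selector:", smallest_covering_prefix(REMOTE_SITE_SUBNETS))
```

Running it shows the /8 covering the remote site but also capturing both 172.217.x hosts, while the /15 covers all five listed subnets, sits inside 172.16/12, and spans 172.18.0.1 to 172.19.255.254. The same audit is worth running on any site-to-site selector before it goes live: a remote network that is not a subnet of the RFC 1918 block it is meant to represent is a sign that public space is about to be blackholed into the tunnel.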