After upgrade to 2.3.1 ICMP only exits via the default route



  • This all worked fine on version 2.2.6 and only an upgrade has been done.

    On a setup with 3 PPPoE ASDL connections:

    • I can only ping the WAN interface that is set to default

    • I can only ping from the WAN interface that is set to default

    If the default interface is WAN01

    When I ping the WAN02 IP from a remote location.  Packet Capture shows the ping request come in on WAN02 and the reply then leaves on WAN01 with the source IP of the packet being the WAN02 IP.

    When I ping using 'Diagnostics > Ping' setting the source address to WAN02.  Packet Capture shows the ping request leaving on WAN01 with the source IP of the packet being the WAN02 IP.

    net.inet.icmp.reply_from_interface is still set to 1 which I would assume would only affect my first scenario if it was set to 0. Pinging from the pfSence box should not be affected by that setting.

    Obviously my ISPs are blocking spoofed IPs which makes it important that all packets leave the correct interface.  TCP connections to each WAN interface is working fine but I do not have any UDP services on the non default interface to test.

    Has anybody else seen this behaviour or have a way to force the packets to leave via the correct interface.



  • reply-to directs traffic back out the interface it came in on, same as it always has. The traffic can't be passed with a floating rule or an interface group rule, or a rule with reply-to disabled. Guessing you're probably doing one of those?



  • Thank you heaps cmb!!!

    Removed the WANs from a floating rule, recreated the rule on each interface and it now all works as expected.

    I am pretty sure it was working before the upgrade because the ISPs have only shutdown the links because they were not responding to pings since the upgrade.  Or it could have been something the ISPs changed on their end, don't know but I am happy it is working now.

    Thanks again cmb



  • That never would have worked. Interface group rules don't have reply-to because they can't by their nature. One rule applies to multiple interfaces. So your non-default WAN wouldn't have gotten replies out, unless it was sourced from the IP facing you on on the PPPoE concentrator, where it'd know how to reply. It might have changed to a diff source IP on the ISP side that needed reply-to to route back.