WANs and DHCP and PING

  • Hi, does someone know why pfSense only listens or attends requests just on the default interface?

    I have 3 physical interfaces and all three use DHCP to get their IP address, and only the default interface can I use for NAT or to attend requests from outside (ping as an example).

    If I ping a non-default interface from outside, the ping is not answered; if I ping the default interface, the ping is answered.

    It is not a problem of rules or NAT, because I just change the default interface to the first one that was not answering the requests, and it starts to answer the requests.

    And it happens only with WANs with DHCP; if the WAN has a static IP, the issue does not happen.

    Does someone know why, and how to fix it, without needing a static IP address?

    Thanks and regards all


  • LAYER 8 Global Moderator

    So you have multiple WANs with DHCP, and they all get IPs in the same network? Different ISPs? Are they in RFC 1918 space?

    Helping us understand your setup better will lead to us being able to help you.

    Where are you pinging from? Internet, or some other RFC 1918 network in your "WAN" setup? What are these WAN interfaces connected to, some switch? You have 3 interfaces connected to the same switch in the same network?

  • Hi, I think that he is talking about having 2 or more cable modem or xDSL Internet ISP providers connected to the pfSense box, and all of these WANs are using DHCP to obtain a public Internet IP address.

    And when you want to ping each of these public IP addresses (pinging from outside the pfSense box, for example from a smartphone across the CDMA carrier to one of the IP addresses obtained on the pfSense box), only the IP that is on the default gateway of the pfSense box responds.

    WAN1 IP = 200.200.200.1
    WAN2 IP = 220.220.220.2
    WAN3 IP = 230.230.230.3 (it is the default gateway for pfSense box)

    If you ping 200.200.200.1 or 220.220.220.2 there is no response or it times out; if you ping 230.230.230.3 it responds alive.

    If you change the default gateway from WAN3 to WAN1 and ping the WAN1 IP address it is alive, and if you ping WAN3 it does not respond or times out.

    But if you use a static IP address on these WANs and ping any of them, it will respond alive.

    So, why does pfSense not respond to ping on the WANs with DHCP that are not the default gateway?

    If you want to NAT something to a WAN with a DHCP IP address that is not the default gateway, it does not work; it only works when the WAN that has DHCP is the default gateway.

    I hope this is clear :)

    Regards.

    @johnpoz:

    So you have multiple WANs with DHCP, and they all get IPs in the same network? Different ISPs? Are they in RFC 1918 space?

    Helping us understand your setup better will lead to us being able to help you.

    Where are you pinging from? Internet, or some other RFC 1918 network in your "WAN" setup? What are these WAN interfaces connected to, some switch? You have 3 interfaces connected to the same switch in the same network?

  • All the pings are from the Internet.


  • LAYER 8 Global Moderator

    Are they in the same network? What are they set for in your gateways? Please post up your interface details.

  • Here I attach an image to show the WAN configuration and the routing options too.

    It only responds to the ICMP ping and/or attends the request from outside (from the Internet) on the default gateway.

    All the WAN interfaces are on DHCP.

    If the WAN interface has a static IP there is no problem; if all the interfaces (WANs) have a static IP there is no problem either, but for the interfaces with DHCP, only the default one answers.

    Does someone know why? I found no rules that let it attend requests from any WAN interface when it has a DHCP IP address.

  • Here I add the screens for the interface INTERNET (an interface group that contains all the WANs) and the floating rules.

  • LAYER 8 Global Moderator

    Well, you're only showing your WAN rule in floating and Internet. Your floating rule has ICMP rules that look to be disabled for all your other addresses. The one with "this firewall" seems to show some traffic to it. But what interface(s) is that floating rule assigned to? Do you have it set for inbound or outbound?

    pfSense doesn't give 2 shits if its IP is set static or DHCP for it to answer ping. It comes down to whether there is a firewall rule that allows it, and if the IP is actually valid and it sees a request for ping, etc.

    Show the details of your floating rule if you're going to place a floating rule for ICMP that you want to allow on all your interfaces. The only IP you post that pings is the 190.55 address.

  • Yes, I only show the rules on the floating tab and the interface group called Internet.

    The floating rule shows a rule that says ICMP from any, any port, to this firewall, accept.
    Why do you say that my floating rule denies all my other addresses?
    When you put THIS FIREWALL in the destination option it applies to ALL THE INTERFACES.
    If you look at the rules (some of them are not in use), it also shows the same rule for each interface.

    I tested all the variants.
    I use the same rules in a firewall that has 3 WANs with static IP addresses and it works fine.
    I use the same rules in a firewall that has 4 WANs with 2 static IP addresses and 2 DHCP addresses, and if I set one of the DHCP WANs as the default gateway I can ping 3 of the 4 WANs; if I set one of the 2 static WANs as the default gateway I can only ping the 2 static WANs.

    The order in which the rules are applied, if I'm not wrong, is from top to bottom (on the screen; pfSense does not show a rule number order), and first the floating rules are applied, then the interface groups and then the interfaces.

    I also tested deleting the rules on the floating tab and the interface groups, deleting the interface group, and applying the rules on each WAN interface; same thing, I can only ping and attend requests on an interface that is the default gateway (when it has a DHCP IP address). I am doing it in a virtual lab and it is the same thing.

    What other information is needed to perform an analysis?

    John Poz, if you want I can give you access to the virtual lab to put your hands on it.

    Regards and thanks for your invaluable time, John.
