PfSense 2.3.3 - no outbound ICMP past WAN but everything else working



  • Hello all,

    This is my first post as I'm a new pfSense user (for a couple weeks now). I'm really enjoying the product so far and have implemented a lot of the features available (squid proxy, pfblockerng, VLANs, OpenVPN server, OpenVPN client, etc).  My original base install was setup on ESXi 6.0 and was working well but a few days ago I decided to switch to a dedicated hardware install for various reasons.

    I was running version 2.3.2 and everything appeared to be working correctly so I upgraded to version 2.3.3 a few days ago.  I checked the Gateway status last night and noticed my WAN gateway was showing offline while my OpenVPN client was showing online.  I did change the WAN gateway monitor IP to 8.8.8.8 but it still reported offline Internet browsing, my OpenVPN server, my OpenVPN client, dns lookups, routing between my VLANs are all working fine but I can't ping or traceroute out through the WAN.  It's worth noting that I can ping and traceroute out through my VPN client connection.  I didn't notice this being a problem before 2.3.3 but I've changed a LOT of stuff in the last few days so it's difficult to pinpoint exactly what's changed.

    I did do a packet capture on the WAN interface to watch for ICMP traffic and did see my ping request to 8.8.8.8 but it said there was no reply from the WAN gateway.  Does this sound like an ISP issue or something up with my configuration?  I did restore a config file from a few days ago before I setup my OpenVPN client but experienced the same results.  I can include a lot more tech details of my setup but didn't want to clutter up this post from the start.

    Any help you can offer is greatly appreciated!

    Thanks,
    Jon



  • I've read of a few people having dpinger issues with 2.3.3.  You could try disabling gateway monitoring via System - Routing - Gateways.



  • Thanks.  Yes I did look at disabling the dpinger monitoring of the gateway until I discovered that I can't ping past the WAN from any of my physical or virtual devices on the network(s).  I can only ping or traceroute out to the Internet if connected to my VPN client.  I'm going to plug a dlink router/ap or a laptop in to the cable modem to rule out the ISP as soon as I get a chance as well.

    edit: I should mention that I also brought the VPN client down for testing to ensure it wasn't conflicting ..WAN gateway was still showing offline and no device on the network could ping 8.8.8.8 or anything else on the Internet.  I did an nslookup on my laptop and it did resolve - ftp also worked when testing.  Traceroute and Ping = no dice

    update: I was able to pop home and connect the backup TP-Link router/access point for testing - same results with pfSense out of the equation.  I'll be calling the ISP later to discuss and will report back here with details.


  • Banned

    Must be a top-notch ISP, blocking ICMP altogether is a great idea.  ::) :o >:(



  • Alright - problem resolved.  My ISP uses the cable infrastructure of another local ISP.  The local ISP had some issue going on that was preventing ICMP for some users.  They must have made some changes to fix things up - just had to reset my modem after and all is well.    It's being discussed over at DSLReports as well.