Why can pfSense ping the gateway but not its monitor IP?



  • I'm facing a very strange problem (at least for me!).
    I have 4 internet connections, each one on its own subnet and connected to a dedicated NIC on pfSense.
    One of these connections is the default; it is the first one I created and it is working perfectly.

    The other three connections were installed some weeks later, so I configured them in pfSense.
    I want to balance all of them.

    Each new connection works perfectly if I connect directly to the modem-router with my laptop.
    For each new connection I set up a new interface on pfSense with its subnet and its upstream gateway. The upstream gateway is reachable from pfSense and also from the LAN, so there is no problem accessing the modem-routers' interfaces from pfSense and from the LAN.

    THE PROBLEM: when I put an external monitor IP on a new gateway, I get an "offline" status on that interface. And if I try to execute a diagnostic ping from pfSense to an external IP address using the new WAN interface, I get a very beautiful "Dest unreachable".

    I really don't understand why I can't surf the web from the three new internet connections from pfSense, but I can if I connect directly to their modem-routers. I have also set my firewall to allow all traffic on the WAN interfaces.

    Do you have any suggestions about this kind of problem?
    Thank you


  • Rebel Alliance Global Moderator

    "I have also set my firewall to allow all traffic on the WAN interfaces."

    That is a big NO NO!! Rules are evaluated inbound to an interface. So you're saying that with rules on WAN you let all unsolicited traffic in from the public internet.

    You're going to have to give us more details of how you have these 4 WANs set up. You state modem-routers, so your pfSense has RFC 1918 space on it? They are not public IPs. You're sure you don't have some overlap in IPs on your different WANs?



  • @johnpoz:

    > "I have also set my firewall to allow all traffic on the WAN interfaces."
    >
    > That is a big NO NO!! Rules are evaluated inbound to an interface. So you're saying that with rules on WAN you let all unsolicited traffic in from the public internet.
    >
    > You're going to have to give us more details of how you have these 4 WANs set up. You state modem-routers, so your pfSense has RFC 1918 space on it? They are not public IPs. You're sure you don't have some overlap in IPs on your different WANs?

    Yes, I know that it is a big hole to allow all traffic on WAN, but I really don't know what to do anymore.

    My WANs and associated gateways are attached to this post ;) You can also see the monitor status :-\

    ![Schermata 2017-10-11 alle 12.03.09.png](/public/imported_attachments/1/Schermata 2017-10-11 alle 12.03.09.png)



  • I also put a monitor on the first gateway (the default one, which is working) to avoid the monitor reporting a fake state by pinging the same WAN interface IP.

    ![Schermata 2017-10-11 alle 12.07.06.png](/public/imported_attachments/1/Schermata 2017-10-11 alle 12.07.06.png)



  • I put in this post screenshots with the configuration of each WAN interface, and also the NAT configuration (maybe it helps…)

    ![Schermata 2017-10-11 alle 12.12.21.png](/public/imported_attachments/1/Schermata 2017-10-11 alle 12.12.21.png)
    ![Schermata 2017-10-11 alle 12.12.42.png](/public/imported_attachments/1/Schermata 2017-10-11 alle 12.12.42.png)
    ![Schermata 2017-10-11 alle 12.13.01.png](/public/imported_attachments/1/Schermata 2017-10-11 alle 12.13.01.png)
    ![Schermata 2017-10-11 alle 12.13.15.png](/public/imported_attachments/1/Schermata 2017-10-11 alle 12.13.15.png)
    ![Schermata 2017-10-11 alle 12.13.32.png](/public/imported_attachments/1/Schermata 2017-10-11 alle 12.13.32.png)


  • Rebel Alliance Global Moderator

    Dude, where did you get those STATIC IPs you're setting on your WAN? Did you pull them out of the air?? You can just make up IPs to use on your WAN connections..

    And why does all your outbound NAT list a 217.59.162.219/32 address on it for outbound NAT?



  • @johnpoz:

    > Dude, where did you get those STATIC IPs you're setting on your WAN? Did you pull them out of the air?? You can just make up IPs to use on your WAN connections..
    >
    > And why does all your outbound NAT list a 217.59.162.219/32 address on it for outbound NAT?

    The static IPs on the WAN interfaces were chosen by me to create a different subnet for each internet connection. I don't understand, what exactly is wrong? The first WAN is also configured this way and is working correctly. Obviously on my modem-routers there is NAT, and the IP set on their LAN side is in the same subnet as the WAN IP of pfSense. There is no subnet overlapping, as you can see.

    On the second question, the NAT lists the IP 217.59.162.218/32 because this is a temporary workaround to redirect this public IP to a server in our LAN. Do you think this can be related to the problem of the offline status on the gateways?


  • Rebel Alliance Global Moderator

    So where do these WANs go? To the same device? So you set up IPs on it in those ranges, and set it up to NAT those? Why would you have multiple connections if they go to the same place? Confused at what you're doing with your multiple WANs.

    Please explain your WAN setup in more detail..

    So you have a public IP inside your network that you're NATing to some different IP on your WANs, which are also RFC 1918, and which are then being NATed somewhere else as well.



  • @johnpoz:

    > So where do these WANs go? To the same device? So you set up IPs on it in those ranges, and set it up to NAT those? Why would you have multiple connections if they go to the same place? Confused at what you're doing with your multiple WANs.
    >
    > Please explain your WAN setup in more detail..
    >
    > So you have a public IP inside your network that you're NATing to some different IP on your WANs, which are also RFC 1918, and which are then being NATed somewhere else as well.

    The four WANs go to four different ISP connections. Each connection has a modem-router supplied by the provider and a single public IP address. Each modem-router is configured to NAT its own public IP address to an internal LAN subnet and has its DHCP disabled. Each of these subnets is different from the others; there is no overlapping. The subnets are:

    - 192.168.1.0/24
    - 192.168.2.0/24
    - 192.168.10.0/24
    - 192.168.11.0/24

    Each modem-router has a dedicated connection to pfSense, so pfSense has 4 WAN interfaces, each with a static IP address consistent with the modem-router it connects to:

    | pfSense WAN  | Modem-router interface |
    |--------------|------------------------|
    | 192.168.1.2  | 192.168.1.1            |
    | 192.168.2.2  | 192.168.2.1            |
    | 192.168.10.2 | 192.168.10.1           |
    | 192.168.11.2 | 192.168.11.1           |

    From pfSense I make a simple test to check internet connectivity on each of the four connections: I go to Diagnostics -> Ping, select the WAN interface connected to the internet connection I want to check, and try to ping the Google DNS 8.8.8.8.

    On the first of the four WAN connections the ping executes correctly. This is also the default connection in pfSense.
    On the other three WAN connections the ping to 8.8.8.8 fails, even though the ping to the modem-router's private IP works fine.

    If I connect a laptop directly to each modem-router (one at a time), I can ping 8.8.8.8 correctly from the laptop and surf the web.

    I have uploaded some screenshots of my configuration in previous posts.

    One thing that may be related to this problem is that the working connection was the first one installed by the ISP. The other three connections were installed later, and their modem-routers are the same identical model, which is different from the first modem-router. Could this be related to my problem, in your opinion?

    I hope to find a solution to this strange problem…


  • Rebel Alliance Global Moderator

    "even though the ping to the modem-router's private IP works fine."

    If the router was answering ping, then your gateway settings would show UP..

    You have some basic connectivity wrong here.. If you're saying pfSense can ping the IP of the gateway, then the monitor would show the gateway online. All that test is is a simple ping! You have a mask wrong, you have a bad cable, the interface on pfSense is bad?

    If pfSense can not ping the IP of the router, it's a basic connectivity issue, or the router is set to not answer ping..

    Does pfSense show the MAC of the router in its ARP table after you try and ping the IP of one of these routers? When you go to Diag > Ping and ping one of these WAN router IPs in that WAN network, do you get an answer or not?? For the source address, did you pick the pfSense interface tied to that router in the drop-down?
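The checks the moderator lists (ARP entry for the router, ping to the router sourced from the right interface, ping to the monitor IP) can be run and interpreted from the pfSense shell. The script below is an added example written for this thread, not pfSense's own monitoring code: it parses FreeBSD `arp -an` and `ping` output and classifies the result, separating a layer-2 fault (no ARP entry) from a router that does not answer ICMP and from the case in this thread, where the router answers but nothing beyond it does. The `SAMPLE_*` strings are constructed output in FreeBSD format so the parsing runs offline; `probe()` assumes a FreeBSD host, where `ping -S` sets the source address (Linux uses `-I`).

```python
import re
import subprocess

# Constructed sample output in FreeBSD format, as pfSense's shell would print it.
SAMPLE_ARP = """\
? (192.168.1.1) at 00:11:22:aa:bb:01 on em0 expires in 1150 seconds [ethernet]
? (192.168.2.1) at 00:11:22:aa:bb:02 on em1 expires in 1190 seconds [ethernet]
? (192.168.10.1) at (incomplete) on em2 expired [ethernet]
"""

SAMPLE_PING_OK = """\
PING 192.168.2.1 (192.168.2.1) from 192.168.2.2: 56 data bytes
64 bytes from 192.168.2.1: icmp_seq=0 ttl=64 time=0.412 ms
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=0.398 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=64 time=0.401 ms

--- 192.168.2.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
"""

SAMPLE_PING_FAIL = """\
PING 8.8.8.8 (8.8.8.8) from 192.168.2.2: 56 data bytes
92 bytes from 192.168.2.1: Destination Net Unreachable
92 bytes from 192.168.2.1: Destination Net Unreachable
92 bytes from 192.168.2.1: Destination Net Unreachable

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
"""

# Summary line of ping (FreeBSD says "packets received", Linux just "received").
PING_STATS = re.compile(r"(\d+) packets transmitted, (\d+)(?: packets)? received")
# One line of `arp -an`: "? (ip) at mac-or-(incomplete) on ifname ..."
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}|\(incomplete\)) on (?P<ifname>\S+)")


def ping_stats(output):
    """(transmitted, received) from ping's summary line; (0, 0) if the line is missing."""
    m = PING_STATS.search(output)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)


def arp_mac(output, ip):
    """MAC address the kernel resolved for ip, or None if absent or incomplete."""
    for m in ARP_LINE.finditer(output):
        if m.group("ip") == ip:
            return None if m.group("mac") == "(incomplete)" else m.group("mac")
    return None


def diagnose(mac, gw_received, monitor_received):
    """Classify one WAN from its ARP entry and the two ping results."""
    if mac is None:
        return "L2_FAIL"         # router never resolved: cable, wrong interface or subnet mask
    if gw_received == 0:
        return "ROUTER_NO_ICMP"  # router is on the wire but does not answer ping (filtered or disabled)
    if monitor_received == 0:
        return "UPSTREAM_FAIL"   # router answers, monitor beyond it does not: fault on the router's WAN side
    return "OK"


def probe(source_ip, gateway_ip, monitor_ip):
    """Run the three checks on a FreeBSD/pfSense host (ping -S forces the source address)."""
    def run(cmd):
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    run(["ping", "-c", "1", "-S", source_ip, gateway_ip])          # populate the ARP cache first
    mac = arp_mac(run(["arp", "-an"]), gateway_ip)
    _, gw_ok = ping_stats(run(["ping", "-c", "3", "-S", source_ip, gateway_ip]))
    _, mon_ok = ping_stats(run(["ping", "-c", "3", "-S", source_ip, monitor_ip]))
    return diagnose(mac, gw_ok, mon_ok)


if __name__ == "__main__":
    # Offline walk-through on the constructed samples: WAN2's router answers but 8.8.8.8 does not.
    mac = arp_mac(SAMPLE_ARP, "192.168.2.1")
    _, gw = ping_stats(SAMPLE_PING_OK)
    _, mon = ping_stats(SAMPLE_PING_FAIL)
    print("WAN2:", diagnose(mac, gw, mon))
```

On the constructed samples WAN2 classifies as `UPSTREAM_FAIL`: the ARP entry is present and the router answers, so the "Dest unreachable" seen in the thread is being generated by the modem-router itself rather than by pfSense, which is consistent with the eventual fix of putting the routers into bridge mode.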



  • You could try unchecking 'Block private networks' in your interface config…



  • The strange problem is solved.

    It was a fucking bug in the new modem-routers. Putting them in bridge mode (modem only), everything works.


  • Rebel Alliance Global Moderator

    Glad to hear - better in bridge mode anyway ;)