Netgate Discussion Forum

    Can ping other machines on subnet, but not the gateway

    Firewalling
    19 Posts 3 Posters 1.4k Views
      AvKARE IT

      I have two firewalls set up in High Availability. I have WAN, LAN, VPL (connecting two data centers), a High Availability port and OPT3.

      LAN works just fine. From anything on the LAN, I can ping anything else on the LAN subnet, as well as the OPT3 subnet. However, from two different servers on the OPT3 subnet, I cannot ping the OPT3 gateway or anything on the LAN subnet. However, I CAN ping each server on the OPT3 subnet…and I can ping anything on the internet. What gives??

        KOM

        There are no rules on any of your OPT interfaces.  Only LAN gets a default Allow any rule.  All other LAN interfaces (OPT1, OPT2, etc) must have at least one rule added to enable access.

          AvKARE IT

          But there ARE rules. I added them manually. Like I mentioned, I can ping google.com or any other server on the OPT3 subnet. I'm getting out. I even have a rule on LAN to allow the OPT3 subnet.

            KOM

            Ah, sorry, I missed that. People complaining about missing default rules on OPT interfaces happens almost every day.

            Post a screen of your rules and that will remove the guesswork.

              AvKARE IT

              Screenshots of my rules. The "RSS_LAN" is the OPT3 subnet.

              ![Screen Shot 2017-11-06 at 3.32.57 PM.png](/public/imported_attachments/1/Screen Shot 2017-11-06 at 3.32.57 PM.png)
              ![Screen Shot 2017-11-06 at 3.33.06 PM.png](/public/imported_attachments/1/Screen Shot 2017-11-06 at 3.33.06 PM.png)

                AvKARE IT

                Oh, and let me add….this was working fine on Friday. Just stopped over the weekend.

                  KOM

                  > Oh, and let me add….this was working fine on Friday. Just stopped over the weekend.

                  That's kind of a critical piece to forget  ;D

                  Your rules look fine.  They aren't perfect but you should not be having these problems.  When your traffic is being blocked, what does the firewall log say about it?  What is really being blocked?

                    AvKARE IT

                    So here's what happens when I try to ping the OPT3 gateway from one of my KV servers on the OPT3 subnet. It says it is passing the traffic….however the server doesn't receive any reply and reports 100% packet loss. Although, I can ping freakin' google.com from that box without any problem.

                    ![Screen Shot 2017-11-06 at 12.56.49 PM.png](/public/imported_attachments/1/Screen Shot 2017-11-06 at 12.56.49 PM.png)

                      KOM

                      Have you tried the universal fix, rebooting it?

                      What about local client firewalls?  Some OSes will automagically block traffic from outside the local subnet.  You said it was working before the weekend.  Did you apply any OS patches?  Did anything change between when it was last working and now?  Anything weird in the System log?

                        AvKARE IT

                        Nothing changed. No patches applied. This is all being set up from scratch. New firewalls, new Supermicro servers. I was able to mount a virtual disk hosted on an SMB share on 192.168.100.20 onto a Supermicro using IPMI on Friday. I did this from two physical Supermicro servers on the OPT3 subnet. On each, I installed Debian Stretch and KVM. From Debian, I cannot ping the gateway from either box, and I can no longer mount that SMB share in IPMI. I see nothing strange in the logs.

                          KOM

                          Any other network equipment in between anything? I'm starting to run out of ideas. If you know Wireshark, you could try packet-capturing from each end and see what's going on. That might help isolate the problem.

                          If you're desperate, you could try backing up your configurations, reinstalling from scratch and then restoring and see if it just fixes itself.  Normally I wouldn't suggest random actions like that with hopes & prayers, but like you said it used to work.

                            Derelict (Netgate)

                            What other rules are on those interfaces? Please provide a complete picture instead of cropping everything out.

                            It makes no sense to have rules sourcing from LAN network on the RSS_NET interface. That will never happen.

                            Please also provide captures of the interfaces in question from Status > Interfaces.

                            Any IPsec? Any policy routing?

                            Chattanooga, Tennessee, USA
                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                            Do Not Chat For Help! NO_WAN_EGRESS(TM)

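Two points in this thread follow from the same rule of pf as pfSense applies it: a rule lives in the ruleset of one interface and only ever sees traffic entering the firewall on that interface, the first matching rule wins, and with no match the implicit default-deny blocks. That is why an OPT interface with no rules passes nothing (KOM's point) and why a rule on RSS_LAN whose source is "LAN net" can never match (Derelict's point). The model below is an added example written for this thread, not pfSense code; the interface names follow the thread, but the addresses are constructed and hypothetical.

```python
"""Toy model of how pfSense (pf) evaluates interface-bound firewall rules.

Added example, not pfSense code. Addressing below is constructed and
hypothetical; it is not the thread's real subnets.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed interface map: LAN plus the OPT3 interface the thread calls RSS_LAN.
INTERFACES = {
    "LAN": ip_network("192.168.100.0/24"),
    "RSS_LAN": ip_network("10.20.30.0/24"),
}


@dataclass(frozen=True)
class Rule:
    iface: str    # ruleset the rule lives in; it only sees traffic ENTERING that interface
    action: str   # "pass" or "block"
    src: str      # "any" or an alias such as "LAN net"
    dst: str      # "any" or an alias such as "RSS_LAN net"


def _alias_matches(alias: str, addr) -> bool:
    """Resolve 'any' or an '<iface> net' alias against an address."""
    if alias == "any":
        return True
    if not alias.endswith(" net"):
        raise ValueError(f"unknown alias {alias!r}")
    return addr in INTERFACES[alias[:-len(" net")]]


def ingress_interface(src_ip: str) -> str:
    """Interface a packet from src_ip enters the firewall on (attached subnets only)."""
    addr = ip_address(src_ip)
    for iface, net in INTERFACES.items():
        if addr in net:
            return iface
    raise ValueError(f"{src_ip} is not on an attached subnet")


def evaluate(rules, iface_in: str, src_ip: str, dst_ip: str) -> str:
    """Only the ingress interface's rules are consulted, first match wins,
    and no match means the implicit default-deny. Replies ride on the state
    the first packet created, so only the initiating direction needs a rule."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if rule.iface != iface_in:
            continue
        if _alias_matches(rule.src, src) and _alias_matches(rule.dst, dst):
            return rule.action
    return "block"


def can_ping(rules, src_ip: str, dst_ip: str) -> bool:
    """True if an echo request from src_ip toward dst_ip is passed."""
    return evaluate(rules, ingress_interface(src_ip), src_ip, dst_ip) == "pass"


# 1. Only LAN carries the default "LAN net -> any" pass rule; OPT3 has none.
RULES_NO_OPT = [Rule("LAN", "pass", "LAN net", "any")]

# 2. A rule on RSS_LAN sourced from "LAN net" can never match: traffic from
#    LAN never enters the firewall on RSS_LAN.
RULES_WRONG_SRC = RULES_NO_OPT + [Rule("RSS_LAN", "pass", "LAN net", "any")]

# 3. The rule that actually opens RSS_LAN: its source is that interface's own net.
RULES_FIXED = RULES_NO_OPT + [Rule("RSS_LAN", "pass", "RSS_LAN net", "any")]

if __name__ == "__main__":
    lan_host, opt_host, opt_gw = "192.168.100.20", "10.20.30.5", "10.20.30.1"
    for name, rules in [("no OPT rules", RULES_NO_OPT),
                        ("OPT rule sourced from LAN net", RULES_WRONG_SRC),
                        ("OPT rule sourced from RSS_LAN net", RULES_FIXED)]:
        print(f"{name}: LAN->OPT {can_ping(rules, lan_host, opt_host)}, "
              f"OPT->gateway {can_ping(rules, opt_host, opt_gw)}")
```

With the first ruleset a LAN host reaches the OPT3 subnet but nothing on OPT3 can initiate anything; the second ruleset changes nothing for OPT3 hosts; only the third lets them reach their gateway. The model leaves out NAT, floating rules and the anti-lockout rule, which do not change the point.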
                              AvKARE IT

                              @Derelict:

                              > What other rules are on those interfaces? Please provide a complete picture instead of cropping everything out.
                              >
                              > It makes no sense to have rules sourcing from LAN network on the RSS_NET interface. That will never happen.
                              >
                              > Please also provide captures of the interfaces in question from Status > Interfaces.
                              >
                              > Any IPsec? Any policy routing?

                              The only rules on the LAN subnet are the default anti-lockout rule and the default any protocol on LAN to any. On the RSS_LAN subnet, the only rule is any protocol on RSS_LAN to any (changed since yesterday).

                              Yes, there are IPSec VPN tunnels, but I'm not sure why you're asking. Absolutely no policy routing in place.

                              ![Screen Shot 2017-11-07 at 11.04.15 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-07 at 11.04.15 AM.png)
                              ![Screen Shot 2017-11-07 at 11.04.24 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-07 at 11.04.24 AM.png)
                              ![Screen Shot 2017-11-07 at 11.07.47 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-07 at 11.07.47 AM.png)

                                AvKARE IT

                                It seems I found the issue. I had a misconfiguration in IPSec, which was apparently affecting the routing. I fixed that, and all seems well. Thanks to Derelict for mentioning IPSec…I probably wouldn't have looked.

                                  KOM

                                  > I had a misconfiguration in IPSec

                                  This misconfiguration had been there all along and just decided to act up now? Or was this something you manually did between when it was last working and now?

                                    AvKARE IT

                                    I'm pretty sure that misconfiguration happened over the weekend when I was trying to work on it from home. My IPSec tunnel was connected to LAN, but I needed a Phase 2 to the RSS_LAN…I just set it up ass backwards and that screwed me. I guess that's what I get for trying to work at home when my wife and kids are present.

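The resolution above (a Phase 2 for RSS_LAN set up "ass backwards", which then "affected the routing") illustrates a general property of policy-based IPsec: the Phase 2 selectors become kernel security-policy entries that are matched before ordinary routing, so a Phase 2 whose remote network overlaps a subnet attached to the firewall can pull traffic for that subnet into the tunnel instead of delivering it locally, and a local selector that matches nothing attached to the firewall usually means the two sides were swapped. The check below is an added example written for this thread, not pfSense code, and it does not reconstruct the poster's actual selectors, which the thread never shows; all subnets in it are constructed placeholders.

```python
"""Sanity check for IPsec Phase 2 (traffic selector) definitions.

Added example, not pfSense code. Subnets are constructed placeholders.
Policy-based IPsec installs SPD entries that are matched before the routing
table, so a Phase 2 whose *remote* selector overlaps a subnet attached to
the firewall can capture that subnet's traffic into the tunnel.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed: this firewall's directly attached subnets (RSS_LAN is OPT3 in the thread).
LOCAL_SUBNETS = {
    "LAN": ip_network("192.168.100.0/24"),
    "RSS_LAN": ip_network("10.20.30.0/24"),
}
FAR_DC_NET = "172.16.50.0/24"   # constructed: the other data center's subnet


@dataclass(frozen=True)
class Phase2:
    local: str    # "Local Network" selector: what this side encrypts for the peer
    remote: str   # "Remote Network" selector: what lives behind the peer


def phase2_findings(phase2s, local_subnets=LOCAL_SUBNETS):
    """Return (kind, phase2_index, iface) tuples for selectors that will
    misdirect traffic. An empty list means the selectors look sane."""
    findings = []
    for idx, p2 in enumerate(phase2s):
        local, remote = ip_network(p2.local), ip_network(p2.remote)
        # A remote selector overlapping an attached subnet means traffic the
        # policy matches toward that subnet is encapsulated to the peer
        # rather than delivered on the local interface.
        for iface, net in local_subnets.items():
            if remote.overlaps(net):
                findings.append(("remote_overlaps_attached", idx, iface))
        # A local selector matching nothing attached here is usually the
        # two sides swapped, the mistake the thread describes.
        if not any(local.overlaps(net) for net in local_subnets.values()):
            findings.append(("local_not_attached", idx, None))
    return findings


# The intended Phase 2: our RSS_LAN on the local side, the far DC on the remote side.
CORRECT = [Phase2(local="10.20.30.0/24", remote=FAR_DC_NET)]
# The swapped version: our own subnet declared as living behind the peer.
SWAPPED = [Phase2(local=FAR_DC_NET, remote="10.20.30.0/24")]

if __name__ == "__main__":
    print("correct:", phase2_findings(CORRECT))
    print("swapped:", phase2_findings(SWAPPED))
```

Run it against every Phase 2 on a firewall before blaming interface rules: the symptom in this thread (rules show the traffic passing, yet the host sees 100% loss) is exactly what a selector overlap produces, because the packet is passed by the filter and then diverted by the IPsec policy. A hub-and-spoke or BINAT design can legitimately trip the local-selector check, so treat its output as a prompt to look, not as proof of error.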
                                      KOM

                                      I did specifically ask you if you changed anything between when it was working and when it stopped…

                                        AvKARE IT

                                        Yes, and I failed to remember that I had messed with the VPN tunnel from home. I thought I had added the Phase 2 earlier in the week when I was installing the servers at the datacenter.

                                          KOM

                                          OK I'm done breaking your balls  ;D

                                          Glad it's working.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.