Can ping other machines on subnet, but not the gateway



  • I have two firewalls setup in High Availability. I have WAN, LAN, VPL (connecting two data centers), High Availability port and OPT3.

    LAN works just fine. From anything on the LAN, I can ping anything else on the LAN subnet, as well as the OPT3 subnet. However, from two different servers on the OPT3 subnet, I cannot ping the OPT3 gateway or anything on the LAN subnet. However, I CAN ping each server on the OPT3 subnet… and I can ping anything on the internet. What gives??



  • There are no rules on any of your OPT interfaces.  Only LAN gets a default Allow any rule.  All other LAN interfaces (OPT1, OPT2, etc) must have at least one rule added to enable access.



  • But there ARE rules. I added them manually. Like I mentioned, I can ping google.com or any other server on the OPT3 subnet. I'm getting out. I even have a rule on LAN to allow the OPT3 subnet.



  • AH sorry, I missed that.  People complaining about missing default rules on OPT interfaces happens almost every day.

    Post a screen of your rules and that will remove the guesswork.



  • Screenshots of my rules. The "RSS_LAN" is the OPT3 subnet.

    ![Screen Shot 2017-11-06 at 3.32.57 PM.png](/public/imported_attachments/1/Screen Shot 2017-11-06 at 3.32.57 PM.png)
    ![Screen Shot 2017-11-06 at 3.33.06 PM.png](/public/imported_attachments/1/Screen Shot 2017-11-06 at 3.33.06 PM.png)



  • Oh, and let me add….this was working fine on Friday. Just stopped over the weekend.



  • Oh, and let me add….this was working fine on Friday. Just stopped over the weekend.

    That's kind of a critical piece to forget  ;D

    Your rules look fine.  They aren't perfect but you should not be having these problems.  When your traffic is being blocked, what does the firewall log say about it?  What is really being blocked?



  • So here's what happens when I try to ping the OPT3 gateway from one of my KV servers on the OPT3 subnet. It says it is passing the traffic… however the server doesn't receive any reply and reports 100% packet loss. Although I can ping freakin' google.com from that box without any problem.

    ![Screen Shot 2017-11-06 at 12.56.49 PM.png](/public/imported_attachments/1/Screen Shot 2017-11-06 at 12.56.49 PM.png)



  • Have you tried the universal fix, rebooting it?

    What about local client firewalls?  Some OSes will automagically block traffic from outside the local subnet.  You said it was working before the weekend.  Did you apply any OS patches?  Did anything change between when it was last working and now?  Anything weird in the System log?



  • Nothing changed. No patches applied. This is all being setup from scratch. New firewalls, new supermicro servers. I was able to mount a virtual disk hosted on an SMB share on 192.168.100.20 onto a supermicro using IPMI on Friday. I did this from two physical supermicro servers on the OPT3 subnet. On each, I installed Debian Stretch and KVM. From Debian, I cannot ping the gateway from either box, and I can no longer mount that SMB share in IPMI. I see nothing strange in the logs.



  • Any other network equipment in between anything?  I'm starting to run out of ideas.  If you know Wireshark, you could try packet-capturing from each end and see what's going on.  That might help isolate the problem.

    If you're desperate, you could try backing up your configurations, reinstalling from scratch and then restoring and see if it just fixes itself.  Normally I wouldn't suggest random actions like that with hopes & prayers, but like you said it used to work.


  • What other rules are on those interfaces? Please provide a complete picture instead of cropping everything out.

    It makes no sense to have rules sourcing from LAN network on the RSS_NET interface. That will never happen.

    Please also provide captures of the interfaces in question from Status > Interfaces.

    Any IPsec? Any policy routing?



  • @Derelict:

    What other rules are on those interfaces? Please provide a complete picture instead of cropping everything out.

    It makes no sense to have rules sourcing from LAN network on the RSS_NET interface. That will never happen.

    Please also provide captures of the interfaces in question from Status > Interfaces.

    Any IPsec? Any policy routing?

    The only rules on the LAN subnet are the default anti-lockout rule and the default any protocol on LAN to any. On the RSS_LAN subnet, the only rule is any protocol on RSS_LAN to any (changed since yesterday).

    Yes, there are IPSec VPN tunnels, but I'm not sure why you're asking. Absolutely no policy routing in place.

    ![Screen Shot 2017-11-07 at 11.04.15 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-07 at 11.04.15 AM.png)
    ![Screen Shot 2017-11-07 at 11.04.24 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-07 at 11.04.24 AM.png)
    ![Screen Shot 2017-11-07 at 11.07.47 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-07 at 11.07.47 AM.png)



  • It seems I found the issue. I had a misconfiguration in IPSec, which was apparently affecting the routing. I fixed that, and all seems well. Thanks to Derelict for mentioning IPSec…I probably wouldn't have looked.



  • I had a misconfiguration in IPSec

    This misconfiguration had been there all along and just decided to act up now?  Or was this something you manually did between when it was last working and now?



  • I'm pretty sure that misconfiguration happened over the weekend when I was trying to work on it from home. My IPSec tunnel was connected to LAN, but I needed a Phase 2 to the RSS_LAN…I just set it up ass backwards and that screwed me. I guess that's what I get for trying to work at home when my wife and kids are present.
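
The failure described in the post above (a Phase 2 entered with its local and remote networks swapped, so the remote selector covered the directly connected RSS_LAN subnet and the kernel IPsec policy swallowed traffic that should have left via the interface) can be caught with a simple selector-overlap check before the tunnel is applied. The following is an added example, not code from the thread or from pfSense; the subnets (192.168.100.0/24 for LAN, 192.168.110.0/24 for RSS_LAN, 10.20.0.0/16 for the far data center) and the Phase 2 names are constructed assumptions, since the thread never states them.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase2:
    """One IPsec Phase 2 traffic selector pair (local <-> remote network)."""
    name: str
    local: str    # CIDR of the network on this firewall's side
    remote: str   # CIDR of the network behind the peer


def selector_problems(phase2s, connected_subnets):
    """Flag Phase 2 selectors that will hijack traffic for a connected subnet.

    An IPsec SPD entry whose remote selector overlaps a subnet that is directly
    attached to this firewall diverts packets for that subnet into the tunnel
    (or drops them while the tunnel is down) instead of forwarding them out
    the interface. A local selector that matches no connected subnet usually
    means the local/remote sides were entered backwards.
    Returns a list of (phase2 name, description) tuples; empty means clean.
    """
    nets = {ifname: ipaddress.ip_network(cidr)
            for ifname, cidr in connected_subnets.items()}
    problems = []
    for p2 in phase2s:
        local = ipaddress.ip_network(p2.local)
        remote = ipaddress.ip_network(p2.remote)
        for ifname, net in nets.items():
            if remote.overlaps(net):
                problems.append((p2.name,
                                 f"remote selector {remote} overlaps connected "
                                 f"subnet {ifname} ({net}); traffic to {ifname} "
                                 f"will be pulled into the tunnel"))
        if not any(local.overlaps(net) for net in nets.values()):
            problems.append((p2.name,
                             f"local selector {local} matches no connected "
                             f"subnet; local/remote are probably swapped"))
    return problems


# Constructed sample data (assumed, not from the thread).
CONNECTED_SUBNETS = {
    "LAN": "192.168.100.0/24",
    "RSS_LAN": "192.168.110.0/24",
}

# Correct entry: our RSS_LAN on the local side, far data center on the remote side.
PHASE2_GOOD = Phase2("dc-link-rss", local="192.168.110.0/24", remote="10.20.0.0/16")

# The mistake from the thread: the same pair entered backwards.
PHASE2_BACKWARDS = Phase2("dc-link-backwards", local="10.20.0.0/16", remote="192.168.110.0/24")


def audit():
    """Run the check over both entries and return the findings."""
    return selector_problems([PHASE2_GOOD, PHASE2_BACKWARDS], CONNECTED_SUBNETS)


if __name__ == "__main__":
    for name, why in audit():
        print(f"{name}: {why}")
```

The backwards entry produces two findings (its remote selector covers RSS_LAN, and its local selector matches nothing attached to the firewall), which is exactly the symptom in the thread: hosts on RSS_LAN could still reach the internet, but anything destined to or from that subnet via the firewall was being matched by the IPsec policy first. Running a check like this against every Phase 2 before applying a VPN change would have shown the problem immediately rather than after a weekend of guessing.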



  • I did specifically ask you if you changed anything between when it was working and when it stopped…



  • Yes, and I failed to remember that I had messed with the VPN tunnel from home. I thought I had added the Phase 2 earlier in the week when I was installing the servers at the datacenter.



  • OK I'm done breaking your balls  ;D

    Glad it's working.

