Unable to PING test pfSense box



  • I'm in the process of trying to set up a test pfSense box and have trouble figuring out routing….

    The box is a ThinkPad T60 running pfSense 2.3.5-RELEASE (i386) which has a NIC (em0) configured as LAN interface (192.168.1.4) and a USB 4G modem (ue0) configured as WAN interface (192.168.3.10) via DHCP from ISP.

    I do have another pfSense box which has been running reliably for a number of years providing my normal gateway to the Internet via ADSL but the service provided by the ADSL ISP is really slow so I'm looking to move to 4G.

    I'm unable to PING the new pfSense box from elsewhere on the LAN, however I am able to access the GUI via http. This makes no sense to me and I can't explain this behaviour.

    Can anyone suggest why there is a problem?

    I'm sure there is a problem with the routing.



  • @Balanga:

    I'm sure there is a problem with the routing.

    Why do you think it's a routing problem?
    You have a rule in place which allows ICMP to LAN interface (that's not covered by anti-lockout rule)?



  • @jahonix:

    @Balanga:

    I'm sure there is a problem with the routing.

    Why do you think it's a routing problem?
    You have a rule in place which allows ICMP to LAN interface (that's not covered by anti-lockout rule)?

    Not sure that I understand… I just installed pfSense straight out of the box and have hardly touched the configuration....

    I looked at Firewall -> Rules -> LAN

    It mentions Anti-Lockout Rule and ports 80 443 are specified. Is this what I need to change? I just enabled Secure Shell Server and port 22 was added, but am unable to login via ssh so it looks like I'm missing something...


  • Netgate Administrator

    There would normally also be a 'Default allow LAN to any' rule on the LAN which would pass pings from the LAN subnet. If you don't have that for some reason though you will need a firewall rule to allow pings.

    Steve



  • @stephenw10:

    There would normally also be a 'Default allow LAN to any' rule on the LAN which would pass pings from the LAN subnet. If you don't have that for some reason though you will need a firewall rule to allow pings.

    Steve

    There are three rules, an Anti-Lockout Rule and two Default allow to any LAN rules. These are default rules provided, although I have just added SSHD, but that doesn't work.

    I've tried both ping and ssh from two different FreeBSD machines but neither get any response, although I am able to ping and ssh both machines from the pfSense box.


  • Rebel Alliance Global Moderator

    "I'm sure there is a problem with the routing."

    Please draw up your network - you mention another pfsense.  Going to need to understand how you connected everything if you want help.



  • @johnpoz:

    "I'm sure there is a problem with the routing."

    Please draw up your network - you mention another pfsense.  Going to need to understand how you connected everything if you want help.

    pfSense (main) DHCP Server
        eth0 (WAN) ----- Broadband - connected to Internet via ADSL router
        eth1 (LAN)  192.168.1.1

    sys1

    sys2

    sysx

    pfSense-test
        eth0 (LAN)  192.168.1.4
        ue0 (WAN)  ----- Broadband - connected to Internet via 4G USB modem

    Everything is connected via cable - no WiFi.

    pfSense-test can ping all systems on the LAN.
    No system on the LAN can ping pfSense-test

    When pfSense boots ue0 does not exist. I need to run usb_modeswitch first.

    Now after rebooting I am unable to access the webConfigurator so am restricted to the operators console.  I'm not aware of what I may have changed.


  • Rebel Alliance Global Moderator

    Why would there be any routing in such a setup?

    So you have a dumb switch that interconnects all devices on the common 192.168.1/24 lan?

    I know you said you have default rules on the lan - but let's see a screenshot of them and the interface mask. Maybe you set it to /32 vs /24. When you change IPs on an interface in the gui the gui dropdown likes to default to /32 which many users do not notice.

    So some weird stuff could happen with that…
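
The mask hypothesis raised in the post above can be modelled as follows. This is an added example, not pfSense code and not part of the original thread: it is a simplified first-match model of the default LAN rules named in the thread, the client address 192.168.1.20 is constructed, and it assumes the default allow rule uses the "LAN net" alias as its source.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def lan_net(addr, prefix):
    """Subnet the 'LAN net' alias expands to for a given interface mask."""
    return ipaddress.ip_interface(f"{addr}/{prefix}").network

def build_rules(lan_addr, prefix, ssh_enabled=True):
    """Simplified model of the default LAN ruleset (first match wins)."""
    lockout_ports = {80, 443} | ({22} if ssh_enabled else set())
    return [
        # Anti-lockout: any source, TCP to the LAN address on the GUI/SSH ports.
        {"name": "Anti-Lockout Rule", "src": ANY,
         "dst": ipaddress.ip_network(f"{lan_addr}/32"),
         "proto": "tcp", "ports": lockout_ports},
        # Default allow: the source is derived from the interface mask.
        {"name": "Default allow LAN to any", "src": lan_net(lan_addr, prefix),
         "dst": ANY, "proto": "any", "ports": None},
    ]

def evaluate(rules, src, dst, proto, port=None):
    """Return the verdict for one packet arriving on the LAN interface."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if src not in rule["src"] or dst not in rule["dst"]:
            continue
        if rule["proto"] not in ("any", proto):
            continue
        if rule["ports"] is not None and port not in rule["ports"]:
            continue
        return "pass: " + rule["name"]
    return "block: default deny"

def compare(lan_addr="192.168.1.4", client="192.168.1.20"):
    """Verdicts for ping and HTTP to the LAN address under /24 and /32."""
    out = {}
    for prefix in (24, 32):
        rules = build_rules(lan_addr, prefix)
        out[prefix] = {
            "icmp": evaluate(rules, client, lan_addr, "icmp"),
            "http": evaluate(rules, client, lan_addr, "tcp", 80),
        }
    return out

if __name__ == "__main__":
    for prefix, verdicts in compare().items():
        print(f"/{prefix}: {verdicts}")
```

On the firewall itself, the mask actually in effect can be read from `ifconfig em0` at the console shell.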



  • @johnpoz:

    Why would there be any routing in such a setup?

    So you have a dumb switch that interconnects all devices on the common 192.168.1/24 lan?

    I know you said you have default rules on the lan - but let's see a screenshot of them and the interface mask. Maybe you set it to /32 vs /24. When you change IPs on an interface in the gui the gui dropdown likes to default to /32 which many users do not notice.

    So some weird stuff could happen with that…

    There are a couple of switches but everything works as expected apart from this test pfsense box. I can't do a screenshot because I can no longer connect to the webConfigurator after removing my USB modem and rebooting…

    Maybe I'll try a reinstall, although the problem appears to be something fundamental and should be easily fixable...


  • Rebel Alliance Global Moderator

    Yeah such a setup with a shared lan would be up and running out of the box. You could have 100 pfsenses all on the same shared lan and connect to any of them from that lan network.

    Did you put a gateway on the lan interface or do something else since you thought there was some sort of routing required?

    The only routing you would need is on the clients on which IP to use if you wanted to use the other pfsense.  Or if the pfsense was downstream vs a shared lan. That is going to be a problem with asymmetrical routing if you want to bounce traffic from 1 pfsense to the other to use the wan connection.

    If you're going to want to leverage a different wan connection on the 2nd pfsense then you would connect it to the first via a transit network, not your shared lan setup.  To have a client use a specific pfsense then you would have to do routing on the clients.


  • Netgate Administrator

    @Balanga:

    …I can no longer connect to the webConfigurator after removing my USB modem and rebooting...

    Like we've been saying on your other threads, if you assign ue0 as WAN then disconnect it pfSense won't boot fully because one of its NICs is missing. If you check the console it's probably waiting at the interfaces assign screen.

    Steve



  • @stephenw10:

    @Balanga:

    …I can no longer connect to the webConfigurator after removing my USB modem and rebooting...

    Like we've been saying on your other threads, if you assign ue0 as WAN then disconnect it pfSense won't boot fully because one of its NICs is missing. If you check the console it's probably waiting at the interfaces assign screen.

    Steve

    I'm doing some testing with devd on a FreeBSD box to see if I can get the USB modem configured during boot up. In the meanwhile I will be using a USB/Ethernet adapter on the test pfSense box so that ue0 is available on boot.


  • Netgate Administrator

    Hmm, never tried it but I'm wondering if one of the usb device quirks could work directly here.
    https://www.freebsd.org/cgi/man.cgi?query=usb_quirk&sektion=4&n=1

    It looks like you're using the standard Huawei mode switch message currently so one of those might.

    If that does work you can just add it in loader.conf.local.

    Steve