Wrong Route



  • Hi,

    I'm using 4 WANs and several local subnets. Since my upgrade to 2.4.2, I'm unable to use my wifi device to access local subnets.

    I've tried using ICMP to determine what was wrong, with a packet capture, and I see my wifi device sending ICMP, pfSense correctly addressing the ICMP to the targeted device, but the targeted device replies via the WAN connection instead of locally.

    My wifi device (Android phone): 192.168.17.25, used as ICMP source
    My WAN IP: 24.11.84.23

    If I try to ping my device from a wired device I can reach it without problem, which is why I assume it's a rules problem with my wifi subnet. I've tried disabling all firewall rules (pfctl -d) to see what happens, and the problem is still present, but as it's cross-subnet traffic I assume that's normal, since no rules permit accessing another subnet by default.
    I'm using one firewall rule with an alias for the IP devices authorized to access this targeted device.

    Prior to my upgrade ALL was fine ….

    I've also seen that setting the outbound NAT rules (I have a lot, with 4 WANs, 8 VPNs, 24 subnets) to Manual (switched from Hybrid to Manual) solved my problem temporarily, but suddenly, some days later, it was no longer working. Using Automatic, Hybrid or Manual doesn't change anything ATM.

    What can I do to solve my problem? For each subnet I have load balancing and failover rules to specify which gateway should be accessible or used.

    In my ping tests, the only IP I can ping is that of the switch into which all 4 of my WANs are plugged; here too I assume it's a normal side effect of a gateway route problem?!?

    Thanks in advance for your help!
    Best regards,
    Alex.

    The packet capture shows this:

    08:03:49.166763 IP (tos 0x0, ttl 64, id 42100, offset 0, flags [DF], proto ICMP (1), length 1500)
        192.168.17.25 > 192.168.17.1: ICMP echo request, id 5023, seq 1, length 1480
    08:03:49.166941 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 1500)
        192.168.17.1 > 192.168.17.25: ICMP echo reply, id 5023, seq 1, length 1480
    08:03:49.223903 IP (tos 0x0, ttl 253, id 0, offset 0, flags [none], proto ICMP (1), length 80)
        24.11.84.23 > 192.168.17.25: ICMP host 192.168.194.249 unreachable - admin prohibited filter, length 60
    	IP (tos 0x0, ttl 62, id 62407, offset 0, flags [DF], proto UDP (17), length 60)
        192.168.17.25.39292 > 192.168.194.249.53: 33670+[|domain]
    08:03:55.653028 IP (tos 0x0, ttl 64, id 17548, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.19.10: ICMP echo request, id 14, seq 1, length 64
    08:04:00.693558 IP (tos 0x0, ttl 64, id 17936, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.19.10: ICMP echo request, id 15, seq 1, length 64
    08:04:00.761300 IP (tos 0x0, ttl 253, id 0, offset 0, flags [none], proto ICMP (1), length 80)
        24.11.84.23 > 192.168.17.25: ICMP host 192.168.19.10 unreachable - admin prohibited filter, length 60
    	IP (tos 0x0, ttl 62, id 17936, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.19.10: ICMP echo request, id 15, seq 1, length 64
    08:04:01.920057 IP (tos 0x0, ttl 64, id 18107, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.19.10: ICMP echo request, id 16, seq 1, length 64
    08:04:02.031258 IP (tos 0x0, ttl 253, id 0, offset 0, flags [none], proto ICMP (1), length 80)
        24.11.84.23 > 192.168.17.25: ICMP host 192.168.19.10 unreachable - admin prohibited filter, length 60
    	IP (tos 0x0, ttl 62, id 18107, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.19.10: ICMP echo request, id 16, seq 1, length 64
    08:04:03.142354 IP (tos 0x0, ttl 64, id 18235, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.19.10: ICMP echo request, id 17, seq 1, length 64
    08:04:03.373767 IP (tos 0x0, ttl 253, id 0, offset 0, flags [none], proto ICMP (1), length 80)
        24.11.84.23 > 192.168.17.25: ICMP host 192.168.19.10 unreachable - admin prohibited filter, length 60
    	IP (tos 0x0, ttl 62, id 18235, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.19.10: ICMP echo request, id 17, seq 1, length 64
    08:04:04.437067 IP (tos 0x0, ttl 64, id 18351, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.19.10: ICMP echo request, id 18, seq 1, length 64
    08:04:04.909235 IP (tos 0x0, ttl 253, id 0, offset 0, flags [none], proto ICMP (1), length 80)
        24.11.84.23 > 192.168.17.25: ICMP host 192.168.19.10 unreachable - admin prohibited filter, length 60
    	IP (tos 0x0, ttl 62, id 18351, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.19.10: ICMP echo request, id 18, seq 1, length 64
    08:04:09.286775 IP (tos 0x0, ttl 64, id 2030, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.19.1: ICMP echo request, id 19, seq 1, length 64
    08:04:09.479409 IP (tos 0x0, ttl 253, id 0, offset 0, flags [none], proto ICMP (1), length 80)
        24.11.84.23 > 192.168.17.25: ICMP host 192.168.19.1 unreachable - admin prohibited filter, length 60
    	IP (tos 0x0, ttl 62, id 2030, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.19.1: ICMP echo request, id 19, seq 1, length 64
    08:04:10.535835 IP (tos 0x0, ttl 64, id 2319, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.19.1: ICMP echo request, id 20, seq 1, length 64
    08:04:10.750137 IP (tos 0x0, ttl 253, id 0, offset 0, flags [none], proto ICMP (1), length 80)
        24.11.84.23 > 192.168.17.25: ICMP host 192.168.19.1 unreachable - admin prohibited filter, length 60
    	IP (tos 0x0, ttl 62, id 2319, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.19.1: ICMP echo request, id 20, seq 1, length 64
    08:04:11.801964 IP (tos 0x0, ttl 64, id 2339, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.19.1: ICMP echo request, id 21, seq 1, length 64
    08:04:16.842183 IP (tos 0x0, ttl 64, id 2923, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.19.1: ICMP echo request, id 22, seq 1, length 64
    08:04:16.863879 IP (tos 0x0, ttl 253, id 0, offset 0, flags [none], proto ICMP (1), length 80)
        24.11.84.23 > 192.168.17.25: ICMP host 192.168.19.1 unreachable - admin prohibited filter, length 60
    	IP (tos 0x0, ttl 62, id 2923, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.19.1: ICMP echo request, id 22, seq 1, length 64
    08:04:17.910625 IP (tos 0x0, ttl 64, id 3087, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.19.1: ICMP echo request, id 23, seq 1, length 64
    08:04:17.984189 IP (tos 0x0, ttl 253, id 0, offset 0, flags [none], proto ICMP (1), length 80)
        24.11.84.23 > 192.168.17.25: ICMP host 192.168.19.1 unreachable - admin prohibited filter, length 60
    	IP (tos 0x0, ttl 62, id 3087, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.19.1: ICMP echo request, id 23, seq 1, length 64
    08:04:19.018762 IP (tos 0x0, ttl 64, id 3280, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.19.1: ICMP echo request, id 24, seq 1, length 64
    08:04:19.283103 IP (tos 0x0, ttl 253, id 0, offset 0, flags [none], proto ICMP (1), length 80)
        24.11.84.23 > 192.168.17.25: ICMP host 192.168.19.1 unreachable - admin prohibited filter, length 60
    	IP (tos 0x0, ttl 62, id 3280, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.19.1: ICMP echo request, id 24, seq 1, length 64
    08:04:27.292651 IP (tos 0x0, ttl 64, id 53690, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.4: ICMP echo request, id 25, seq 1, length 64
    08:04:31.092348 IP (tos 0x0, ttl 64, id 54126, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.4: ICMP echo request, id 26, seq 1, length 64
    08:04:36.130500 IP (tos 0x0, ttl 64, id 54746, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.4: ICMP echo request, id 27, seq 1, length 64
    08:04:41.182690 IP (tos 0x0, ttl 64, id 55096, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.4: ICMP echo request, id 28, seq 1, length 64
    08:04:46.199682 IP (tos 0x0, ttl 64, id 55475, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.4: ICMP echo request, id 29, seq 1, length 64
    08:04:48.544593 IP (tos 0x0, ttl 63, id 25977, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.191.245 > 192.168.17.25: ICMP echo request, id 1052, seq 0, length 64
    08:04:48.548939 IP (tos 0x0, ttl 64, id 31753, offset 0, flags [none], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.191.245: ICMP echo reply, id 1052, seq 0, length 64
    08:04:49.327317 IP (tos 0x0, ttl 64, id 37811, offset 0, flags [DF], proto ICMP (1), length 1500)
        192.168.17.25 > 192.168.17.1: ICMP echo request, id 52914, seq 1, length 1480
    08:04:49.327511 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 1500)
        192.168.17.1 > 192.168.17.25: ICMP echo reply, id 52914, seq 1, length 1480
    08:04:51.253899 IP (tos 0x0, ttl 64, id 56411, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.4: ICMP echo request, id 30, seq 1, length 64
    08:04:55.534770 IP (tos 0x0, ttl 64, id 56632, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.4: ICMP echo request, id 31, seq 1, length 64
    08:04:57.521570 IP (tos 0x0, ttl 64, id 56933, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.4: ICMP echo request, id 32, seq 1, length 64
    08:04:59.601423 IP (tos 0x0, ttl 64, id 57204, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.4: ICMP echo request, id 33, seq 1, length 64
    08:05:04.652441 IP (tos 0x0, ttl 64, id 57814, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.4: ICMP echo request, id 34, seq 1, length 64
    08:05:09.679402 IP (tos 0x0, ttl 64, id 58409, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.4: ICMP echo request, id 35, seq 1, length 64
    08:05:10.055349 IP (tos 0x0, ttl 64, id 47089, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.21: ICMP echo request, id 36, seq 1, length 64
    08:05:10.059843 IP (tos 0x0, ttl 254, id 28, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.26.21 > 192.168.17.25: ICMP echo reply, id 36, seq 1, length 64
    08:05:11.108026 IP (tos 0x0, ttl 64, id 47302, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.21: ICMP echo request, id 37, seq 1, length 64
    08:05:11.111577 IP (tos 0x0, ttl 254, id 29, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.26.21 > 192.168.17.25: ICMP echo reply, id 37, seq 1, length 64
    08:05:12.157652 IP (tos 0x0, ttl 64, id 47551, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.21: ICMP echo request, id 38, seq 1, length 64
    08:05:12.161322 IP (tos 0x0, ttl 254, id 30, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.26.21 > 192.168.17.25: ICMP echo reply, id 38, seq 1, length 64
    08:05:13.195765 IP (tos 0x0, ttl 64, id 47784, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.21: ICMP echo request, id 39, seq 1, length 64
    08:05:13.199310 IP (tos 0x0, ttl 254, id 31, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.26.21 > 192.168.17.25: ICMP echo reply, id 39, seq 1, length 64
    08:05:14.230520 IP (tos 0x0, ttl 64, id 48023, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.21: ICMP echo request, id 40, seq 1, length 64
    08:05:14.234325 IP (tos 0x0, ttl 254, id 32, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.26.21 > 192.168.17.25: ICMP echo reply, id 40, seq 1, length 64
    08:05:14.732560 IP (tos 0x0, ttl 64, id 48141, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.21: ICMP echo request, id 41, seq 1, length 64
    08:05:14.736613 IP (tos 0x0, ttl 254, id 33, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.26.21 > 192.168.17.25: ICMP echo reply, id 41, seq 1, length 64
    08:05:15.758349 IP (tos 0x0, ttl 64, id 48290, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.21: ICMP echo request, id 42, seq 1, length 64
    08:05:15.761866 IP (tos 0x0, ttl 254, id 34, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.26.21 > 192.168.17.25: ICMP echo reply, id 42, seq 1, length 64
    08:05:16.802049 IP (tos 0x0, ttl 64, id 48447, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.21: ICMP echo request, id 43, seq 1, length 64
    08:05:16.805592 IP (tos 0x0, ttl 254, id 35, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.26.21 > 192.168.17.25: ICMP echo reply, id 43, seq 1, length 64
    08:05:17.839642 IP (tos 0x0, ttl 64, id 48701, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.21: ICMP echo request, id 44, seq 1, length 64
    08:05:17.844086 IP (tos 0x0, ttl 254, id 36, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.26.21 > 192.168.17.25: ICMP echo reply, id 44, seq 1, length 64
    08:05:18.877538 IP (tos 0x0, ttl 64, id 48875, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.21: ICMP echo request, id 45, seq 1, length 64
    08:05:18.881081 IP (tos 0x0, ttl 254, id 37, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.26.21 > 192.168.17.25: ICMP echo reply, id 45, seq 1, length 64
    08:05:19.907500 IP (tos 0x0, ttl 64, id 49037, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.21: ICMP echo request, id 46, seq 1, length 64
    08:05:19.911324 IP (tos 0x0, ttl 254, id 38, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.26.21 > 192.168.17.25: ICMP echo reply, id 46, seq 1, length 64
    08:05:20.942302 IP (tos 0x0, ttl 64, id 49234, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.21: ICMP echo request, id 47, seq 1, length 64
    08:05:20.945814 IP (tos 0x0, ttl 254, id 39, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.26.21 > 192.168.17.25: ICMP echo reply, id 47, seq 1, length 64
    08:05:21.967807 IP (tos 0x0, ttl 64, id 49377, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.21: ICMP echo request, id 48, seq 1, length 64
    08:05:21.972316 IP (tos 0x0, ttl 254, id 40, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.26.21 > 192.168.17.25: ICMP echo reply, id 48, seq 1, length 64
    08:05:23.000542 IP (tos 0x0, ttl 64, id 49631, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.21: ICMP echo request, id 49, seq 1, length 64
    08:05:23.004059 IP (tos 0x0, ttl 254, id 41, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.26.21 > 192.168.17.25: ICMP echo reply, id 49, seq 1, length 64
    08:05:24.027784 IP (tos 0x0, ttl 64, id 49752, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.21: ICMP echo request, id 50, seq 1, length 64
    08:05:24.031459 IP (tos 0x0, ttl 254, id 42, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.26.21 > 192.168.17.25: ICMP echo reply, id 50, seq 1, length 64
    08:05:25.075785 IP (tos 0x0, ttl 64, id 49930, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.21: ICMP echo request, id 51, seq 1, length 64
    08:05:25.079801 IP (tos 0x0, ttl 254, id 43, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.26.21 > 192.168.17.25: ICMP echo reply, id 51, seq 1, length 64
    08:05:26.109338 IP (tos 0x0, ttl 64, id 49960, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.26.21: ICMP echo request, id 52, seq 1, length 64
    08:05:26.113425 IP (tos 0x0, ttl 254, id 44, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.26.21 > 192.168.17.25: ICMP echo reply, id 52, seq 1, length 64
    08:05:26.272791 IP (tos 0x0, ttl 64, id 46667, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.21: ICMP echo request, id 53, seq 1, length 64
    08:05:31.306871 IP (tos 0x0, ttl 64, id 47847, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.21: ICMP echo request, id 54, seq 1, length 64
    08:05:36.343922 IP (tos 0x0, ttl 64, id 49053, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.21: ICMP echo request, id 55, seq 1, length 64
    08:05:41.383904 IP (tos 0x0, ttl 64, id 49664, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.21: ICMP echo request, id 56, seq 1, length 64
    08:05:46.417448 IP (tos 0x0, ttl 64, id 50089, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.21: ICMP echo request, id 57, seq 1, length 64
    08:05:46.927549 IP (tos 0x0, ttl 253, id 0, offset 0, flags [none], proto ICMP (1), length 80)
        24.11.84.23 > 192.168.17.25: ICMP host 192.168.34.21 unreachable - admin prohibited filter, length 60
    	IP (tos 0x0, ttl 62, id 50089, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.21: ICMP echo request, id 57, seq 1, length 64
    08:05:47.494580 IP (tos 0x0, ttl 64, id 50292, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.21: ICMP echo request, id 58, seq 1, length 64
    08:05:48.108552 IP (tos 0x0, ttl 253, id 0, offset 0, flags [none], proto ICMP (1), length 80)
        24.11.84.23 > 192.168.17.25: ICMP host 192.168.34.21 unreachable - admin prohibited filter, length 60
    	IP (tos 0x0, ttl 62, id 50292, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.21: ICMP echo request, id 58, seq 1, length 64
    08:05:49.135807 IP (tos 0x0, ttl 64, id 50673, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.21: ICMP echo request, id 59, seq 1, length 64
    08:05:49.564650 IP (tos 0x0, ttl 64, id 44560, offset 0, flags [DF], proto ICMP (1), length 1500)
        192.168.17.25 > 192.168.17.1: ICMP echo request, id 31432, seq 1, length 1480
    08:05:49.564838 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 1500)
        192.168.17.1 > 192.168.17.25: ICMP echo reply, id 31432, seq 1, length 1480
    08:05:49.811579 IP (tos 0x0, ttl 253, id 0, offset 0, flags [none], proto ICMP (1), length 80)
        24.11.84.23 > 192.168.17.25: ICMP host 192.168.34.21 unreachable - admin prohibited filter, length 60
    	IP (tos 0x0, ttl 62, id 50673, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.21: ICMP echo request, id 59, seq 1, length 64
    08:05:49.986339 IP (tos 0x0, ttl 253, id 0, offset 0, flags [none], proto ICMP (1), length 80)
        24.11.84.23 > 192.168.17.25: ICMP host 192.168.194.249 unreachable - admin prohibited filter, length 60
    	IP (tos 0x0, ttl 62, id 10590, offset 0, flags [DF], proto UDP (17), length 60)
        192.168.17.25.59260 > 192.168.194.249.53: 2388+[|domain]
    08:05:50.836980 IP (tos 0x0, ttl 64, id 51005, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.21: ICMP echo request, id 60, seq 1, length 64
    08:05:50.929421 IP (tos 0x0, ttl 64, id 8922, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.22: ICMP echo request, id 61, seq 1, length 64
    08:05:51.352742 IP (tos 0x0, ttl 253, id 0, offset 0, flags [none], proto ICMP (1), length 80)
        24.11.84.23 > 192.168.17.25: ICMP host 192.168.34.21 unreachable - admin prohibited filter, length 60
    	IP (tos 0x0, ttl 62, id 51005, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.21: ICMP echo request, id 60, seq 1, length 64
    08:05:55.964194 IP (tos 0x0, ttl 64, id 9606, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.22: ICMP echo request, id 62, seq 1, length 64
    08:06:00.984704 IP (tos 0x0, ttl 64, id 10813, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.22: ICMP echo request, id 63, seq 1, length 64
    08:06:01.531884 IP (tos 0x0, ttl 253, id 0, offset 0, flags [none], proto ICMP (1), length 80)
        24.11.84.23 > 192.168.17.25: ICMP host 192.168.34.22 unreachable - admin prohibited filter, length 60
    	IP (tos 0x0, ttl 62, id 10813, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.22: ICMP echo request, id 63, seq 1, length 64
    08:06:02.564085 IP (tos 0x0, ttl 64, id 11068, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.22: ICMP echo request, id 64, seq 1, length 64
    08:06:03.145660 IP (tos 0x0, ttl 253, id 0, offset 0, flags [none], proto ICMP (1), length 80)
        24.11.84.23 > 192.168.17.25: ICMP host 192.168.34.22 unreachable - admin prohibited filter, length 60
    	IP (tos 0x0, ttl 62, id 11068, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.22: ICMP echo request, id 64, seq 1, length 64
    08:06:04.178184 IP (tos 0x0, ttl 64, id 11275, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.22: ICMP echo request, id 65, seq 1, length 64
    08:06:04.785242 IP (tos 0x0, ttl 253, id 0, offset 0, flags [none], proto ICMP (1), length 80)
        24.11.84.23 > 192.168.17.25: ICMP host 192.168.34.22 unreachable - admin prohibited filter, length 60
    	IP (tos 0x0, ttl 62, id 11275, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.22: ICMP echo request, id 65, seq 1, length 64
    08:06:05.828327 IP (tos 0x0, ttl 64, id 11490, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.22: ICMP echo request, id 66, seq 1, length 64
    08:06:10.859040 IP (tos 0x0, ttl 64, id 11823, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.22: ICMP echo request, id 67, seq 1, length 64
    08:06:11.271509 IP (tos 0x0, ttl 253, id 0, offset 0, flags [none], proto ICMP (1), length 80)
        24.11.84.23 > 192.168.17.25: ICMP host 192.168.34.22 unreachable - admin prohibited filter, length 60
    	IP (tos 0x0, ttl 62, id 11823, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.22: ICMP echo request, id 67, seq 1, length 64
    08:06:12.301979 IP (tos 0x0, ttl 64, id 12141, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.22: ICMP echo request, id 68, seq 1, length 64
    08:06:12.809125 IP (tos 0x0, ttl 253, id 0, offset 0, flags [none], proto ICMP (1), length 80)
        24.11.84.23 > 192.168.17.25: ICMP host 192.168.34.22 unreachable - admin prohibited filter, length 60
    	IP (tos 0x0, ttl 62, id 12141, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.17.25 > 192.168.34.22: ICMP echo request, id 68, seq 1, length 64
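The capture above is the actual evidence: every failed ping to a local subnet is answered by an "admin prohibited" unreachable whose sender is the WAN address, i.e. the packet for 192.168.19.x or 192.168.34.x left via a WAN gateway and an upstream filter rejected it, while hosts that do answer (192.168.26.21) answer directly. The script below is an added example, not part of the original post: it scans a `tcpdump -v` text dump in that format and reports only those unreachables whose rejected host is an RFC 1918 address. The sample lines are constructed in the same format as the capture (the 203.0.113.9 / 198.51.100.7 pair is a control case that must not be flagged); nothing else is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): scan a tcpdump text dump for ICMP
# "admin prohibited" unreachables and flag the ones whose rejected destination
# is an RFC 1918 address. Such a message coming back from a WAN-side address
# means a packet for a local subnet was sent out a WAN gateway instead of
# being routed locally.

# Constructed sample in `tcpdump -v` format. The 203.0.113.9 / 198.51.100.7
# pair (documentation ranges) is a control case that must NOT be flagged.
SAMPLE_CAPTURE='08:04:00.761300 IP (tos 0x0, ttl 253, id 0, offset 0, flags [none], proto ICMP (1), length 80)
    24.11.84.23 > 192.168.17.25: ICMP host 192.168.19.10 unreachable - admin prohibited filter, length 60
08:05:10.059843 IP (tos 0x0, ttl 254, id 28, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.26.21 > 192.168.17.25: ICMP echo reply, id 36, seq 1, length 64
08:05:49.986339 IP (tos 0x0, ttl 253, id 0, offset 0, flags [none], proto ICMP (1), length 80)
    24.11.84.23 > 192.168.17.25: ICMP host 192.168.194.249 unreachable - admin prohibited filter, length 60
08:05:50.000000 IP (tos 0x0, ttl 53, id 0, offset 0, flags [none], proto ICMP (1), length 80)
    203.0.113.9 > 192.168.17.25: ICMP host 198.51.100.7 unreachable - admin prohibited filter, length 60'

# Print "<rejecting router> <rejected private host>" for every admin-prohibited
# unreachable whose rejected host is private. Reads the dump on stdin.
leaked_unreachables() {
    awk '
    function is_private(ip,   a) {
        split(ip, a, ".")
        if (a[1] == 10) return 1
        if (a[1] == 172 && a[2] >= 16 && a[2] <= 31) return 1
        if (a[1] == 192 && a[2] == 168) return 1
        return 0
    }
    # Line shape: "<sender> > <receiver>: ICMP host <X> unreachable - admin prohibited filter, ..."
    /ICMP host [0-9.]+ unreachable - admin prohibited/ {
        if (is_private($6)) print $1, $6
    }'
}

# Number of distinct (router, private host) pairs, i.e. how many local
# destinations are being rejected by an upstream gateway.
count_leaks() {
    leaked_unreachables | sort -u | grep -c .
}

# Stand-alone usage: feed the constructed sample, or on the firewall
# `tcpdump -ni <wifi_if> -v icmp | leaked_unreachables`.
printf '%s\n' "$SAMPLE_CAPTURE" | leaked_unreachables | sort | uniq -c
```

Run against the real capture above it lists 24.11.84.23 rejecting 192.168.19.1, 192.168.19.10, 192.168.34.21, 192.168.34.22 and 192.168.194.249 (the DNS server), which is exactly the set of "Not reachable" subnets; a non-empty result is the signature of a policy-routing rule catching local traffic.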
    
    


  • Hi again!

    Can nobody give me the beginning of an explanation on how to solve the problem?

    I hope someone with a charitable soul will be willing to take a few minutes to try to help me!

    Thanks in advance.

    Alex.


  • Rebel Alliance Global Moderator

    Post up your rules.. If you're going to force traffic out a gateway, you have to put in rules above the force-gateway rule to allow access to your local networks.



  • Hi Johnpoz,

    thank you for your reply!

    These are my rules for this subnet "OuiFi":




  • Rebel Alliance Global Moderator

    You're going to have to give some context to go along with that - you have a shit ton of aliases with XXX net as dest, I have no idea what networks are tied to that and what you say is not working.. from source to dest..



  • Hi Johnpoz,

    sorry for my late reply (I was in hospital for 2 days) and sorry for my post, I pasted just the first part and missed the second …. below is the explanation:

    My wifi device is in the alias The_Kings_Of_OuiFi
    My subnet for wifi is named: "OuiFi"
    My destination subnets tested with ping are: SERVEURS, LAN, ADMIN, DOMOTIQUE, VOiP, HOMECINEMA, CAMERAS

    Reachable subnets: LAN, DOMOTIQUE, HOMECINEMA, OUIFI
    Blocked subnets (wanted like this): ADMIN, CAMERAS
    Not reachable subnet (and normally it should be): SERVEURS

    Why, when I'm pinging, does my ping reach the destination device but can't come back via the same interface?

    Thanks in advance for your help!


  • Rebel Alliance Global Moderator

    "Why, when I'm pinging, does my ping reach the destination device but can't come back via the same interface?"

    No idea, since you again have given no context..

    If you're saying you can not ping servers? Maybe your box is no longer in your alias - how do you have that defined.. By IP, by name?  Maybe the device's IP changed?  Maybe the name didn't resolve?  Your rule that lets all of OuiFi talk to servers is grayed out.

    Maybe your server is using a different gateway, maybe its firewall got turned on and doesn't allow ping from anything outside its network.

    I would suggest you validate your alias to make sure your device is listed..  Get a ping going.. Sniff on the pfSense server interface for the ping… Do you see your ping - do you not see an answer?



  • Hi Johnpoz,

    I've checked the aliases, and the IP of the device concerned is still in there, correct, and fixed as a static IP. I've tried adding the exact same rules with the IP of my source device, and it's not working either.

    My device can respond across subnets, no firewall problem, the subnets are added as trusted networks. I can ping from other subnets to the same destination device; it's only in the OuiFi subnet that the ping can't get back to the source device.

    I've finally moved my two rules, IPv4 and IPv6, allowing SERVEURS net to OuiFi net to the top of the list, and it's working ONLY after a reboot. When I try to move the rules back, it works again, right where it wasn't working before …. I've rebooted my pfSense box and it's no longer working; move the rules to the top again, it works, and after some minutes it's no longer working ....

    I assume after some research that one of my rules pointing servers to use a VPN can be the problem, but why, when I've put my cross-subnet access rules BEFORE the rules concerning the VPN, can they interfere?

    What can cause a random problem of this kind? I don't have floating rules.

    Thanks in advance.

    Best regards.


  • Rebel Alliance Global Moderator

    You have a lot of rules, with lots of aliases.. So everything is obscured as to what is what.

    Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.  If you have something not working you have to walk through your rules to see why.

    Then you have rules that are disabled as well..

    As to rules working after reboot - that points to a state already in place.  Maybe sending traffic out a VPN?  You can always kill a state, you don't have to reboot.  If something is not working, look in the state table for source, dest, etc.. this might show you what is wrong..
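Two checks that make the moderator's points concrete, as an added example that is not part of the thread: first, the earlier advice that rules allowing local networks must sit above any rule that forces traffic out a gateway, since pf evaluates top down and the first match wins, so a gateway (route-to) rule above a plain pass rule to a local subnet shadows it; second, the point just made that a state created while the wrong rule matched keeps winning until it expires or is killed, which is why re-ordering rules only appeared to work after a reboot. Both functions read constructed `pfctl -sr` and `pfctl -ss` output embedded as sample text so the script runs offline; the interface names (igb0, igb2, igb3), the gateway 24.11.84.1, the rule labels and the exact layout of NATed states (translated address with the original in parentheses) are assumptions. On a real box pipe `pfctl -sr` / `pfctl -ss` into the same functions.

```shell
#!/bin/sh
# Added example (not from the thread). (1) On an interface, a pass rule with
# route-to (a gateway/gateway-group rule) shadows every later plain pass rule
# to a local subnet, because pf evaluates top down and the first match wins.
# (2) A state created while the wrong rule matched keeps winning until it
# expires or is killed; kill it instead of rebooting.
# Interface names, addresses, labels and state layout below are assumptions.

# Constructed sample of `pfctl -sr` output (pfSense-style labels).
SAMPLE_RULES='pass in quick on igb2 route-to (igb0 24.11.84.1) inet from 192.168.17.0/24 to any flags S/SA keep state label "USER_RULE: OuiFi out LB"
pass in quick on igb2 inet from 192.168.17.0/24 to 192.168.19.0/24 flags S/SA keep state label "USER_RULE: OuiFi to SERVEURS"
pass in quick on igb3 inet from 192.168.19.0/24 to 192.168.17.0/24 flags S/SA keep state label "USER_RULE: SERVEURS to OuiFi"'

# Constructed sample of `pfctl -ss` output; a NATed state shows the translated
# source with the original source in parentheses.
SAMPLE_STATES='igb0 icmp 24.11.84.23:14 (192.168.17.25:14) -> 192.168.19.10:14       0:0
igb2 icmp 192.168.17.25:14 -> 192.168.19.10:14       0:0
igb2 icmp 192.168.17.25:36 -> 192.168.26.21:36       0:0'

# Usage: shadowed_local_rules <iface> < rules
# Prints "rule N shadowed by route-to rule M" for each plain pass rule to a
# private destination that sits below a route-to rule on the same interface.
shadowed_local_rules() {
    awk -v ifc="$1" '
    function is_private(cidr,   a) {
        split(cidr, a, ".")
        return (a[1] == 10) || (a[1] == 172 && a[2] >= 16 && a[2] <= 31) || (a[1] == 192 && a[2] == 168)
    }
    $1 == "pass" {
        ifname = ""; dst = ""
        # take the first "on"/"to" only: the label text may also contain "to"
        for (i = 1; i < NF; i++) {
            if ($i == "on" && ifname == "") ifname = $(i+1)
            if ($i == "to" && dst == "") dst = $(i+1)
        }
        if (ifname != ifc) next
        if ($0 ~ /route-to/) { if (!first) first = NR; next }
        if (first && dst != "any" && is_private(dst))
            print "rule " NR " shadowed by route-to rule " first
    }'
}

# Usage: states_for <src> <dst> < states
# Lists state entries for one source/destination pair, whatever the ports.
states_for() {
    grep -F -- "$1:" | grep -F -- "-> $2:"
}

# Usage: natted_to_private < states
# A state whose original source is in parentheses was NATed on the way out;
# if its destination is private, local traffic left through a WAN.
natted_to_private() {
    awk '
    function is_private(ip,   a) {
        split(ip, a, ".")
        return (a[1] == 10) || (a[1] == 172 && a[2] >= 16 && a[2] <= 31) || (a[1] == 192 && a[2] == 168)
    }
    {
        d = ""
        for (i = 1; i < NF; i++) if ($i == "->") { d = $(i+1); sub(/:.*/, "", d) }
        if ($0 ~ /\(.*\) ->/ && is_private(d)) print
    }'
}

# Builds the pfctl command that flushes the stale states for a pair, so the
# re-ordered rules are evaluated again without a reboot.
kill_states_cmd() {
    printf 'pfctl -k %s -k %s\n' "$1" "$2"
}

# Stand-alone run against the constructed samples.
printf '%s\n' "$SAMPLE_RULES"  | shadowed_local_rules igb2
printf '%s\n' "$SAMPLE_STATES" | states_for 192.168.17.25 192.168.19.10
printf '%s\n' "$SAMPLE_STATES" | natted_to_private
kill_states_cmd 192.168.17.25 192.168.19.10
```

After moving the local-subnet pass rules above the gateway rule, run the command that `kill_states_cmd` prints (or clear the pair in Diagnostics > States) and re-test; if `natted_to_private` is still non-empty afterwards, a state or a rule on another interface is still sending local traffic out a WAN.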



  • Thanks for your help Johnpoz, I'll investigate in this direction (state table) to see if I can solve the problem ….

    Why are aliases so unloved by the pfSense gurus, when this feature has been touted as one of the strengths of pfSense, and what is the negative impact of their use?

    Does pfBlockerNG escape this malaise with its hijacked alias features?

    Thank you in advance for your answers.