Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Virtual IP - ping: sendto: Permission denied

    Scheduled Pinned Locked Moved Firewalling
    4 Posts 2 Posters 3.7k Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A Offline
      AWeidner
      last edited by

      The setup:

      igb2
inet 172.20.0.1 netmask 0xffff0000 broadcast 172.20.255.255
inet 192.168.1.99 netmask 0xffffff00 broadcast 255.255.255.0 (Virtual IP)

      When i try to ping the physically connected host 192.168.1.254, the output is

      PING 192.168.1.254 (192.168.1.254): 56 data bytes
ping: sendto: Permission denied

      whereas nmap is able to reach this host

      Nmap scan report for 192.168.1.254
Host is up (0.00039s latency).

      This happens on 2.4.3-RELEASE-p1 as well as on 2.4.4-RELEASE.

      Disabling PF (pfctl -d) does not help and adding firewall rules allowing to and from everything does neither. I run out of ideas at this point.

      TL;DR
      I can't ping a physically connected host from a virtual IP assigned to the NIC the host is connected to.

      1 Reply Last reply Reply Quote 0
      • johnpozJ Offline
        johnpoz LAYER 8 Global Moderator
        last edited by johnpoz

        So your running multiple layer 3 on the same layer 2? Why?? To be honest this is just borked out of the gate.

        If you want a 192.168.1/24 network then set it up as a vlan and run it on its own L2..

        Did you try ping with [-S src_addr]

        Ok I just tested this without any issues

        [2.4.4-RELEASE][root@sg4860.local.lan]/root: ping 172.20.0.100
PING 172.20.0.100 (172.20.0.100): 56 data bytes
64 bytes from 172.20.0.100: icmp_seq=0 ttl=128 time=0.461 ms
64 bytes from 172.20.0.100: icmp_seq=1 ttl=128 time=0.199 ms
64 bytes from 172.20.0.100: icmp_seq=2 ttl=128 time=0.234 ms

        Created a vip on pfsense 172.20.0.1

        0_1542203912143_vip.png

        And created another IP on my PC.
        0_1542203959123_pcIP.png

        As you can see can ping it from pfsense without any issues. Are you logged in with some other account other than admin/root on pfsense?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07

        1 Reply Last reply Reply Quote 1
        • A Offline
          AWeidner
          last edited by AWeidner

          Entirely my fault 😬

          I should have mentioned, that there is a Captive Portal running on that interface, too. This prevented communication between the Virtual IP and the host even when PF was disabled. After setting an exception for the IP address 192.168.1.254 in the Captive Portal, i could access the host.

          @johnpoz said in Virtual IP - ping: sendto: Permission denied:

          So your running multiple layer 3 on the same layer 2? Why?? To be honest this is just borked out of the gate.

          I know, i just needed this configuration temporarily.

          1 Reply Last reply Reply Quote 0
          • johnpozJ Offline
            johnpoz LAYER 8 Global Moderator
            last edited by

            Ok if just a temp thing - then very understandable.. Useful when migrating to new IP scheme, etc. etc. There are use cases for it sure.

            Glad you got it sorted, and also glad you understand its borked doing such a thing ;) heheheeh

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07 | Lab VMs 2.8, 25.07

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.