Virtual IP - ping: sendto: Permission denied



  • The setup:

    igb2
    inet 172.20.0.1 netmask 0xffff0000 broadcast 172.20.255.255
    inet 192.168.1.99 netmask 0xffffff00 broadcast 255.255.255.0 (Virtual IP)
    

    When I try to ping the physically connected host 192.168.1.254, the output is

    PING 192.168.1.254 (192.168.1.254): 56 data bytes
    ping: sendto: Permission denied
    

    whereas nmap is able to reach this host

    Nmap scan report for 192.168.1.254
    Host is up (0.00039s latency).
    

    This happens on 2.4.3-RELEASE-p1 as well as on 2.4.4-RELEASE.

    Disabling PF (pfctl -d) does not help, and adding firewall rules allowing everything to and from everywhere doesn't help either. I have run out of ideas at this point.

    TL;DR
    I can't ping a physically connected host from a virtual IP assigned to the NIC the host is connected to.


  • Rebel Alliance Global Moderator

    So you're running multiple layer 3 on the same layer 2? Why?? To be honest this is just borked out of the gate.

    If you want a 192.168.1/24 network then set it up as a vlan and run it on its own L2..

    Did you try ping with [-S src_addr]?

    Ok I just tested this without any issues

    [2.4.4-RELEASE][root@sg4860.local.lan]/root: ping 172.20.0.100
    PING 172.20.0.100 (172.20.0.100): 56 data bytes
    64 bytes from 172.20.0.100: icmp_seq=0 ttl=128 time=0.461 ms
    64 bytes from 172.20.0.100: icmp_seq=1 ttl=128 time=0.199 ms
    64 bytes from 172.20.0.100: icmp_seq=2 ttl=128 time=0.234 ms
    

    Created a vip on pfsense 172.20.0.1

    [screenshot: vip.png]

    And created another IP on my PC.
    [screenshot: pcIP.png]

    As you can see, I can ping it from pfsense without any issues. Are you logged in with some other account other than admin/root on pfsense?



  • Entirely my fault 😬

    I should have mentioned that there is a Captive Portal running on that interface, too. This prevented communication between the Virtual IP and the host even when PF was disabled. After setting an exception for the IP address 192.168.1.254 in the Captive Portal, I could access the host.

    @johnpoz said in Virtual IP - ping: sendto: Permission denied:

    So you're running multiple layer 3 on the same layer 2? Why?? To be honest this is just borked out of the gate.

    I know, I just needed this configuration temporarily.


  • Rebel Alliance Global Moderator

    Ok if just a temp thing - then very understandable.. Useful when migrating to new IP scheme, etc. etc. There are use cases for it sure.

    Glad you got it sorted, and also glad you understand it's borked doing such a thing ;) heheheeh