Virtual IP - ping: sendto: Permission denied

  • The setup:

    inet netmask 0xffff0000 broadcast
    inet netmask 0xffffff00 broadcast (Virtual IP)

    When I try to ping the physically connected host, the output is

    PING ( 56 data bytes
    ping: sendto: Permission denied

    whereas nmap is able to reach this host

    Nmap scan report for
    Host is up (0.00039s latency).

    This happens on 2.4.3-RELEASE-p1 as well as on 2.4.4-RELEASE.

    Disabling PF (pfctl -d) does not help, and adding firewall rules allowing everything to and from everywhere does not help either. I am out of ideas at this point.

    I can't ping a physically connected host from a virtual IP assigned to the NIC the host is connected to.

  • Rebel Alliance Global Moderator

    So you're running multiple layer 3 on the same layer 2? Why?? To be honest this is just borked out of the gate.

    If you want a 192.168.1/24 network then set it up as a vlan and run it on its own L2..

    Did you try ping with [-S src_addr]?

    Ok I just tested this without any issues

    [2.4.4-RELEASE][root@sg4860.local.lan]/root: ping
    PING ( 56 data bytes
    64 bytes from icmp_seq=0 ttl=128 time=0.461 ms
    64 bytes from icmp_seq=1 ttl=128 time=0.199 ms
    64 bytes from icmp_seq=2 ttl=128 time=0.234 ms

    Created a VIP on pfSense


    And created another IP on my PC.

    As you can see, I can ping it from pfSense without any issues. Are you logged in with some other account other than admin/root on pfSense?

  • Entirely my fault 😬

    I should have mentioned that there is a Captive Portal running on that interface, too. This prevented communication between the Virtual IP and the host even when PF was disabled. After setting an exception for the IP address in the Captive Portal, I could access the host.

    @johnpoz said in Virtual IP - ping: sendto: Permission denied:

    So your running multiple layer 3 on the same layer 2? Why?? To be honest this is just borked out of the gate.

    I know, I just needed this configuration temporarily.
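The check the thread ends up doing by hand (is a captive portal zone bound to the interface that carries the VIP, and is the target host on that zone's Allowed IP list?) can be scripted against a copy of the pfSense configuration. The following is an added example written for this page, not code from the thread or from pfSense. It assumes the `<virtualip>/<vip>` and `<captiveportal>/<zone>/<allowedip>` layout of `/cf/conf/config.xml` (element names `subnet`, `interface`, `enable`, `ip`, `sn`, `dir` as written below) and the "to"/"from"/"both" direction semantics of Allowed IP entries; the XML sample is constructed, not taken from the original poster's box.

```python
"""Added example: does a pfSense captive portal zone stand between a VIP and a host?

Assumed config.xml layout (not taken from the thread):
  virtualip/vip/{interface,subnet}            one element per VIP
  captiveportal/<zonename>/{enable,interface} 'interface' may list several, comma-separated
  captiveportal/<zonename>/allowedip/{ip,sn,dir}
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample fragment of /cf/conf/config.xml (assumed layout, not real data).
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <lan><if>igb1</if><ipaddr>10.0.0.1</ipaddr><subnet>16</subnet></lan>
  </interfaces>
  <virtualip>
    <vip><mode>ipalias</mode><interface>lan</interface>
         <subnet>192.168.1.1</subnet><subnet_bits>24</subnet_bits></vip>
  </virtualip>
  <captiveportal>
    <guests>
      <zone>guests</zone>
      <enable></enable>
      <interface>lan</interface>
      <allowedip>
        <ip>192.168.1.10</ip><sn>32</sn><dir>both</dir><descr>printer</descr>
      </allowedip>
    </guests>
  </captiveportal>
</pfsense>
"""


def _text(el, tag, default=""):
    """Text of child <tag>, or default when the child is missing or empty."""
    child = el.find(tag)
    if child is None or child.text is None or not child.text.strip():
        return default
    return child.text.strip()


def vip_interfaces(root, vip_addr):
    """pfSense interface names ('lan', 'opt1', ...) that carry vip_addr as a VIP."""
    return sorted({_text(v, "interface") for v in root.iterfind("virtualip/vip")
                   if _text(v, "subnet") == vip_addr})


def enabled_portal_zones(root, iface):
    """Captive portal zone elements that are enabled and bound to iface."""
    zones = []
    cp = root.find("captiveportal")
    if cp is None:
        return zones
    for zone in cp:
        if zone.find("enable") is None:          # zone configured but disabled
            continue
        bound = [i.strip() for i in _text(zone, "interface").split(",") if i.strip()]
        if iface in bound:
            zones.append(zone)
    return zones


def host_exempted(zone, host, direction="to"):
    """True if an Allowed IP entry covers host for traffic in the given direction.

    Traffic from the firewall's VIP to the host is 'to' the host, so an entry
    with dir 'to' or 'both' exempts it (assumed pfSense semantics)."""
    host_ip = ipaddress.ip_address(host)
    for entry in zone.iterfind("allowedip"):
        net = ipaddress.ip_network(
            f"{_text(entry, 'ip')}/{_text(entry, 'sn', '32')}", strict=False)
        if host_ip in net and _text(entry, "dir", "both") in ("both", direction):
            return True
    return False


def diagnose(config_xml, vip, host):
    """Report which enabled portal zones on the VIP's interface do not exempt host."""
    root = ET.fromstring(config_xml)
    result = {"interfaces": vip_interfaces(root, vip), "blocking_zones": []}
    for iface in result["interfaces"]:
        for zone in enabled_portal_zones(root, iface):
            if not host_exempted(zone, host):
                result["blocking_zones"].append(_text(zone, "zone") or zone.tag)
    result["blocked_by_portal"] = bool(result["blocking_zones"])
    return result


if __name__ == "__main__":
    for target in ("192.168.1.10", "192.168.1.20"):
        print(target, diagnose(SAMPLE_CONFIG, "192.168.1.1", target))
```

Run it on the firewall (or on a copied `config.xml`) with the VIP and the unreachable host; a non-empty `blocking_zones` list points at the zone whose Allowed IPs need the exception, which is exactly the fix the original poster applied, and explains why `pfctl -d` changes nothing, since the portal is enforced outside PF.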

  • Rebel Alliance Global Moderator

    Ok, if it's just a temp thing, then very understandable.. Useful when migrating to a new IP scheme, etc. etc. There are use cases for it, sure.

    Glad you got it sorted, and also glad you understand it's borked doing such a thing ;) heheheeh