Pfsense block ICMP echo reply from WAN to OPT1



  • Hello,

    Pfsense block ICMP echo reply from WAN to OPT1

    MyLinux VM IP 192.168.10.99 <==> 192.168.10.1 OPT1 (pfsense) WAN 172.16.0.11 <==> 172.16.0.1 router

    Ping from 192.168.10.99 to Pfsense OPT1 192.168.10.1 => OK

    Ping from 192.168.10.99 to Router 172.16.0.1 => OK

    Ping from 192.168.10.99 to Google DNS 8.8.8.8 => Not Working

    I have make a Firewall rules to allow OPT1 Network any protocol to connect to Any IP/Protocol but problem persists

    But the replay exists:
    I made the capture of the packets in pfsense:
    11:12:06.795326 IP 172.16.0.12 > 172.16.0.1: ICMP echo request, id 3097, seq 1922, length 8
    11:12:06.798038 IP 172.16.0.1 > 172.16.0.12: ICMP echo reply, id 3097, seq 1922, length 8
    11:12:07.312546 IP 172.16.0.12 > 172.16.0.1: ICMP echo request, id 3097, seq 1923, length 8
    11:12:07.314024 IP 172.16.0.1 > 172.16.0.12: ICMP echo reply, id 3097, seq 1923, length 8

    Please Help Me !



  • First, you might want to put your router in bridge mode - hand off your public IP to your pfsense WAN interface. Second, try running packet capture on the WAN interface. It could be your ISP router blocking ICMP echo replies. Running it that way I think you are, you will have double NAT.


  • Rebel Alliance Global Moderator

    @tmedtcom said in Pfsense block ICMP echo reply from WAN to OPT1:

    11:12:06.795326 IP 172.16.0.12 > 172.16.0.1: ICMP echo request, id 3097, seq 1922, length 8

    You list pfsense wan as .11, why is your sniff showing from .12

    Did you setup a vip on your wan? Did you mess with outbound nat?



  • Yes Normally I have a double Nat, since I have a Cisco router that is NAT and has a single public IP WAN then I have in my VMWARE ESXI the PfSense which is NAT too.
    Does double nat not work?
    A solution?


  • Rebel Alliance Global Moderator

    double nat will work just fine.. Not optimal choice - but works for pretty much everything.. But again you state pfsense wan is .11 and your sniff of pings shows source of .12



  • Double NAT works, unless of course it doesn't... I was just pointing that out in case you weren't aware. Have you checked the Cisco router if it's blocking the reply? Try pinging the WAN interface of the Cisco device.



  • LAN interface 172.16.0.11

    WAN interface 172.16.0.12

    OPT1 interface 192.168.10.1

    Virtual machine connected to pfsense have Ip address 192.168.10.99

    The PFSENSE graphical interface accessible from the LAN ip 172.16.0.11

    Also I ping from the pfsense to 8.8.8.8 it passes well through the CISCO router



  • So pfSense can ping 8.8.8.8 but not your device at 192.168.10.99? I'm assuming you have no other connectivity issue from this device - you can browse and stuff? Is there a firewall service running in this VM?



  • Ping from INTERNAL (OPT1) to 8.8.8.8:
    The result:
    0_1543325543441_pfs1.png

    Ping from WAN to 8.8.8.8:
    The result:
    0_1543325622878_pfs2.PNG



  • @tmedtcom
    Interface rules? Floating rules?



  • @bhjitsense said in Pfsense block ICMP echo reply from WAN to OPT1:

    Interface rules
    The interface is INTERNAL (OPT1)
    0_1543326100409_interface rules.PNG
    FLOATING RULES/
    0_1543326172013_FLOATING.PNG


  • Rebel Alliance Global Moderator

    @tmedtcom said in Pfsense block ICMP echo reply from WAN to OPT1:

    LAN interface 172.16.0.11
    WAN interface 172.16.0.12

    What? Sorry it doesn't work that way you can not have the same network on wan and lan interface..

    And those rules on your internal are just BORKED..

    When would internal need to talk to pfsense to talk to other internal?



  • @johnpoz
    LAN interface: this interface it is configured to just connecting to pfsense (ssh/web interface) just for admin.
    WAN interface to allow users to connect to many VMs via NAT.
    INTERNAL OPT1 this network is reserved to VMs servers on my VMware ESXI HOST.


  • Rebel Alliance Global Moderator

    And AGAIN you can not have the same network on 2 different interfaces... This basic routing 101... I don't even think pfsense will let you do that..



  • @tmedtcom
    You don't nee the third rule if you have that first rule. Also, change the first rule to be INTERNAL net > INTERNAL address. Or ANY > INTERNAL address.

    Also, post your WAN rules.


  • Rebel Alliance Global Moderator

    WAN interface to allow users to connect to many VMs via NAT.

    Huh? Why would you be natting between local rfc1918 networks or vm networks?

    I have run pfsense on esxi for many years through multiple versions of esxi going back to 4.. Before that even ran it on the old school vmware server 1 and 2..

    Please draw up how you have this stuff connected in esxi with your vswitches and connected to pfsense and how your vswitches are connected to your physical network.. Port groups, are you doing any vlan tagging anywhre or different vswitches - are they standard or distributed switches, etc. etc.



  • My bet is on NAT being borked. You are allowing the ICMP traffic out of INTERNAL, but it doesn't know its way back for the reply.



  • @bhjitsense said in Pfsense block ICMP echo reply from WAN to OPT1:

    @tmedtcom
    You don't nee the third rule if you have that first rule. Also, change the first rule to be INTERNAL net > INTERNAL address. Or ANY > INTERNAL address.

    Also, post your WAN rules.

    WAN Rules:
    0_1543328192521_WAN rules.PNG



  • @johnpoz said in Pfsense block ICMP echo reply from WAN to OPT1:

    Huh? Why would you be natting between local rfc1918 networks or vm networks?

    In the internal Network I have multiple web servers and in the WAN network I have a users on laptop connected to Cisco for Internet and I would like to allow users to access to my Web servers via NAT on WAN: 172.16.0.12:8080
    So pfsense it is the intermidiate router between 2 network 172.16.0.0/24 (WAN) and 192.168.10.0/24

    Also in ESXI 6.5 I have a standard virtual switch with 2 group port:

    • VM network bridget to phisical card
    • VLAN 10 => this is my Internal network


  • @bhjitsense said in Pfsense block ICMP echo reply from WAN to OPT1:

    My bet is on NAT being borked. You are allowing the ICMP traffic out of INTERNAL, but it doesn't know its way back for the reply.

    Yes I also see that there is no return in the logs:
    0_1543329183190_state ping ICMP.png
    But why and how to solve it?


  • Rebel Alliance Global Moderator

    well if you want to access from rfc1918 to networks behind pfsense via your going to have to remove that rfc1918 block for starters.

    If you want to use pfsense as a downstream network from your cisco then there should be a transit network and nat should only happen then talking to the internet and your cisco should nat all your downstream networks, etc.

    Or you should just double nat everything behind pfsense, etc.

    Why are you using vlan 10? Are you setting the vlans up in pfsense - what does your vswitch/port group do with the vlan(s) what do you have set on this port group, etc. etc..

    But you do NOT put the same network on multiple interfaces... And if your wanting to nat from rfc1918 to rfc1918 you going to have to remove that rfc1918 block.



  • 0_1543329526320_VM Network.PNG

    0_1543329539231_VLAN10.PNG



  • I tried to disable the blocking of rfc1918 but here is the error message:
    0_1543330335881_rfc.PNG
    0_1543330346338_rfc error.PNG


  • Rebel Alliance Global Moderator

    Dude why do you have so many physical interfaces?

    And you firewall 2 with how many interfaces? All in the same network?

    Then you have all of those same interfaces in firewall 2 also in vlan port group..

    Yeah that screams a MESS!!

    And yeah told you pfsense shouldn't even let you put overlapping networks on multiple interfaces!!