Netgate Discussion Forum

    Cannot ping new host from remote site

    OpenVPN
      kk500

      Hi Everyone,

      I have a working Site to Site VPN. I can ping all hosts on the remote side except a new host that was added. The problem is the remote pfSense box has an entry in the ARP table and can easily ping it.

      It's just I cannot ping it across the VPN and I have no idea why.

      All other hosts are pingable.

      ME ---- SITEA ------ SITEB ----> unpingable host

        Rico LAYER 8 Rebel Alliance

        Unpingable Host is using site B pfSense as gateway?
        Anything in the firewall logs?
        And check this host for its own local firewall blocking your requests; Windows, for example, does this by default.

        -Rico

          kk500

          Yes, the unpingable host is using site B pfSense as gateway. Other hosts are also using site B as gateway and can be pinged by me from site A.

          All rules that block are set to log to the firewall. No entry is found for this host.

          Site B pfSense can ping the host. A similar host with the same OS exists in site A as well and can be pinged from site B, so it cannot be an issue with the default firewall.

            Rico LAYER 8 Rebel Alliance

            traceroute?
            packet capture?

            -Rico

              kk500

              traceroute:

              Tracing route to [Unpingable Host] over a maximum of 30 hops

              1 1 ms 1 ms 1 ms [Site A]
              2 784 ms 859 ms 789 ms 10.10.8.2
              3 * * * Request timed out.

              For packet capture, it should be done on both sites?

                Rico LAYER 8 Rebel Alliance

                10.10.8.2 is the site B pfSense OpenVPN client?
                Please show the Firewall Rules site A and site B. You have the OpenVPN Interfaces assigned or not?
                Also give an idea of client site A IP and client site B IP.

                -Rico

                  kk500

                  @rico
                  Yes, 10.10.8.2 is the site B client.
                  Yes, OpenVPN interfaces are assigned.

                  Site A
                  0_1549112816663_cbc369ee-f68b-47b3-b808-dced56f0498b-image.png
                  Site B
                  0_1549112727400_29fe059e-31eb-48f1-ad9e-9f579b794325-image.png

                  Client Site A IP is 10.10.6.64 and Client Site B 10.10.5.202

                    Rico LAYER 8 Rebel Alliance

                    LAN rules?

                    -Rico

                      kk500

                      Both LANs have pass all.

                        Derelict LAYER 8 Netgate

                        If you can exchange traffic with other hosts on that remote network and not THAT particular host, check for a firewall on THAT host. Check the gateway settings on THAT host. Packet capture on the interface THAT host is connected to for icmp traffic to THAT host IP address and try to ping it. Look at the capture. Are echo requests sent to THAT host captured? Are there replies? No? Check THAT host for the reason.

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)
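
The capture check described in the post above, as an added example that is not part of the original thread: it pairs ICMP echo requests sent to one host with that host's replies in tcpdump text output. The capture lines are constructed; 10.10.6.64 and 10.10.5.202 reuse the client IPs quoted in the thread, and 10.10.5.1 is a hypothetical site B LAN address.

```python
import re

# Matches tcpdump text output for ICMP echo traffic, e.g. from
#   tcpdump -n -i <interface> icmp and host <host ip>
ECHO_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed sample: the local firewall (hypothetical 10.10.5.1) gets a reply,
# the remote client's two requests arrive but are never answered.
CONSTRUCTED_CAPTURE = [
    "12:00:01.000100 IP 10.10.5.1 > 10.10.5.202: ICMP echo request, id 3, seq 1, length 64",
    "12:00:01.000450 IP 10.10.5.202 > 10.10.5.1: ICMP echo reply, id 3, seq 1, length 64",
    "12:00:05.101000 IP 10.10.6.64 > 10.10.5.202: ICMP echo request, id 7, seq 1, length 40",
    "12:00:06.102000 IP 10.10.6.64 > 10.10.5.202: ICMP echo request, id 7, seq 2, length 40",
    "12:00:06.500000 ARP, Request who-has 10.10.5.202 tell 10.10.5.1, length 28",
]

def diagnose(capture_lines, host_ip):
    """Pair echo requests sent to host_ip with the replies it sent back."""
    requests, replies = set(), set()
    for line in capture_lines:
        m = ECHO_RE.search(line)
        if not m:
            continue  # not ICMP echo traffic
        if m["kind"] == "request" and m["dst"] == host_ip:
            requests.add((m["src"], m["id"], m["seq"]))
        elif m["kind"] == "reply" and m["src"] == host_ip:
            replies.add((m["dst"], m["id"], m["seq"]))
    unanswered = sorted(requests - replies)
    if not requests:
        verdict = "no echo requests seen on this interface: look upstream (routing, VPN, rules)"
    elif unanswered:
        verdict = "requests arrive but go unanswered: check the host's firewall and gateway"
    else:
        verdict = "host answers every request: follow the replies back toward the sender"
    return {"requests": len(requests), "replies": len(requests & replies),
            "unanswered": unanswered, "verdict": verdict}

if __name__ == "__main__":
    result = diagnose(CONSTRUCTED_CAPTURE, "10.10.5.202")
    print(result["verdict"])
    for src, icmp_id, seq in result["unanswered"]:
        print(f"  unanswered: from {src} id {icmp_id} seq {seq}")
```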
