Routing issues after Upgrade (2.4.4) - No (ICMP) Reply to packets

  • Hello,

    It seems I messed up somehow after upgrading to 2.4.4_2.

    I'm trying to reach: (LAN Network) from OpenVPN Network (

    Using Diagnostics Ping it works fine from LAN Interface.
    LAN -> LAN -> ok

    Using Diagnostics Ping from OPENVPN Interface
    GCAccessVPN -> LAN -> no

    Rules are set to any/any on both interfaces. Everything is open.

    If I do Packet Capturing: I see the ECHO but no REPLY.

    Any suggestions?

  • Additional information, which makes me curious.

    LAN Interface rules:

    but are blocked?

    In addition to that:
    Only DNS requests are sent through the connection:

    Anyone have an idea what I have to check?

  • LAYER 8 Global Moderator

    You seem to have asymmetrical routing..

    The devices on your "lan" actually use pfsense as their default gateway?

    You see those SA - tells me pfSense is seeing the Syn,Ack (answer to syn in opening connection) but never saw the syn to open the state.

    Could you draw up this network?

  • Like this? - It is virtualized on VMware ESXi 6.5

  • LAYER 8 Global Moderator

    Ok that looks pretty sane.

    So all the devices have their default gateway as the IP address of pfsense in these /24s?

    This is a sign of out of state traffic
    sent syn,ack to and to .32 but got blocked because no state would be the reason SA normally blocked.

    Normally means that 101.247 got the syn without it going through pfsense so it could set up the state.. Running multiple L3 networks on the same L2 could do that. Since you're saying this is a VM, need to see the configuration of your vswitching.. Are you doing port groups? Is pfsense a VM as well? Are you letting pfsense handle the tags for the vlans? Etc. etc..

    You say you sniffed and saw the echo request.. Where did you sniff? If you sniffed on the pfsense interface into the network, then pfsense did its job and sent the request; if you don't see a reply, the box either sent it to some other gateway, didn't answer, never got it, etc.
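    The out-of-state symptom the moderator describes above (a SYN/ACK arriving with no matching SYN because the forward path bypassed the firewall) can be reproduced on a capture. The following is an added example, not code from the thread or from pfSense: it replays constructed tcpdump-style lines through a minimal pf-like state table and lists the peers whose SYN/ACK had no state.

```python
import re

# Constructed tcpdump-style lines (not from the thread). Flow 1 opens through
# the firewall; flow 2 is a server answering a SYN the firewall never saw,
# which is the "SA blocked, no state" symptom of asymmetric routing.
SAMPLE_CAPTURE = """\
IP 10.0.8.2.50123 > 192.168.1.101.443: Flags [S], seq 1, win 64240
IP 192.168.1.101.443 > 10.0.8.2.50123: Flags [S.], seq 100, ack 2, win 65535
IP 10.0.8.2.50123 > 192.168.1.101.443: Flags [.], ack 101, win 502
IP 192.168.1.32.22 > 10.0.8.5.40000: Flags [S.], seq 200, ack 9, win 65535
IP 192.168.1.32.22 > 10.0.8.5.40000: Flags [S.], seq 200, ack 9, win 65535
"""

LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")


def classify(capture):
    """Replay capture lines through a minimal pf-like state table.

    A bare SYN creates a state for its 4-tuple; later packets in either
    direction match it. Anything else with no state (e.g. a SYN/ACK whose
    SYN was routed around the firewall) is reported as out of state.
    Returns (passed, out_of_state) lists of the original lines.
    """
    states = set()
    passed, out_of_state = [], []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP summary line; ignore
        src, sport, dst, dport, flags = m.groups()
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if flags == "S":  # SYN only: opens a new state
            states.add(fwd)
            passed.append(line)
        elif fwd in states or rev in states:
            passed.append(line)
        else:
            out_of_state.append(line)
    return passed, out_of_state


def suspect_asymmetric(capture):
    """Peers that sent a SYN/ACK without a matching SYN: candidates whose
    forward path bypasses the firewall (check their default gateway)."""
    _, bad = classify(capture)
    return sorted({LINE_RE.match(l).group(1) for l in bad
                   if LINE_RE.match(l).group(5) == "S."})
```

    Feeding a real `tcpdump -nn` capture from the LAN-side interface to `suspect_asymmetric` points at the hosts whose default gateway (here the CARP address) should be verified first.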

  • Got you... but I wasn't finished yet :-)

    The FW works with a CARP IP (HA). The CARP IP is set as default GW for the clients. Maybe that's the reason for this asymmetrical routing?

    PING from VPN Client captured on FW

    Ping direct FW -> Server

    Ping VPN Interface -> Server

  • LAYER 8 Global Moderator

    Yeah carp could have to do with it for sure..

    You sure your HA is working correctly? If you send the syn,ack back or echo reply back to the wrong pfsense then yeah you have the same sort of issue.

  • Holy shit... it seems to be something bigger...

    I only saw "The system is on the latest version"....
    Well, now I have to check why the update didn't work and it doesn't see the missing updates....

  • Ok. HA is back and online... but the initial issue still exists :-(

    Nothing arrives at .102
