Netgate Discussion Forum

Cannot ping through AWS pfSense Instance

IPsec
8 Posts 3 Posters 977 Views
    ryannel86
    last edited by Mar 11, 2019, 7:29 PM

    We are busy evaluating pfSense for our requirements and have spent 2 days attempting to resolve an issue:

    • We have 2 instances on AWS: SERVER1 and PFSENSE
    • We connect to an external network, SERVER2 via an IPSec Tunnel (Tunnel is connected)

    PFSENSE AWS Instance can ping SERVER2 (ipsec) and can ping SERVER1 (eth):
    SERVER 1 <--- PFSENSE can ping---> SERVER2

    SERVER1 can ping PFSENSE
    SERVER2 can ping PFSENSE

    SERVER1 cannot ping through PFSENSE to SERVER2: SERVER1 can't ping ------> SERVER2
    SERVER2 cannot ping through PFSENSE to SERVER1: SERVER2 can't ping ------> SERVER1

    We have added icmp request rules to security groups on AWS and checked security groups
    Turned off firewalls for testing (including the SERVER1 Firewalls)
    Disabled source destination checks on AWS

    Issue is pinging through the AWS / PFSENSE Instance

    Any assistance would be greatly appreciated - thanks

      Derelict LAYER 8 Netgate
      last edited by Mar 12, 2019, 12:40 AM

      I, for one, am going to need a diagram with more specifics to even hazard a guess as to where the problem is. Please be as specific as possible including subnets, what host IP addresses cannot connect to what, etc.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

        MeCJay12
        last edited by Mar 12, 2019, 2:46 AM

        In AWS, by default, an instance cannot act as a router (forward traffic). To change this, right-click the instance in EC2, mouse over Networking, then click "Change Source/Dest. IP Check". A window will come up. Click "Yes, disable". This just allows different IPs to come from the instance than the one(s) assigned.

          ryannel86
          last edited by Mar 12, 2019, 12:30 PM

          Thanks for the prompt responses - I have attempted a diagram, please find attached - does this assist?

          Thanks
          [attachment: 0_1552393814985_PFSense.png]

            Derelict LAYER 8 Netgate
            last edited by Mar 12, 2019, 3:05 PM

            Does the VPC know to route traffic for 192.168.X.X to the pfSense LAN1 interface?


              ryannel86
              last edited by Mar 12, 2019, 4:01 PM

              @derelict said in Cannot ping through AWS pfSense Instance:

              192.168.X.X

              Thanks Derelict,

              On the VPC I have the following Routes:
               Destination = Target

              172.31.0.0/16 = local
              0.0.0.0/0 = IGW
              SERVER2 IP (192.168.x.x) = PFSENSE LAN2 ENI (LAN2)

              Does that look right?

              Thanks

                Derelict LAYER 8 Netgate
                last edited by Mar 12, 2019, 4:03 PM

                Seems right. So packet capture on the pfSense LAN2 and see what you see when you ping both ways.

                Be sure source/dest check isn't enabled on the interface too. It has always been a little unclear to me what happens when it is enabled on the instance and not on the interfaces, vice versa, etc. I generally just disable it everywhere I see it.


                  ryannel86
                  last edited by Mar 12, 2019, 4:35 PM

                  3 days of troubleshooting, you are a legend!! The issue was source/dest on the interface level (thought it was only on instance level).

                  Thanks heaps - much appreciated!

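The two settings this thread ended on can be checked from CLI output rather than by clicking through the console: the VPC route for the remote subnet has to target an ENI of the pfSense instance (the route table ryannel86 lists above), and source/dest check has to be disabled on that ENI as well as on the instance (Derelict's last reply, and what turned out to be the fix). The script below is an added example, not code from the thread or from Netgate. The route-table, instance-attribute and ENI JSON are constructed in the shape of `aws ec2 describe-route-tables`, `aws ec2 describe-instance-attribute --attribute sourceDestCheck` and `aws ec2 describe-network-interfaces` output; the resource IDs and the 192.168.10.0/24 remote subnet are hypothetical stand-ins for the redacted 192.168.x.x.

```python
"""Audit the VPC side of routing a remote subnet through a pfSense instance:
the route must point at one of the router's ENIs, and source/dest check must
be off on the instance AND on that ENI.  Added example; the JSON below is
constructed in the shape of describe-route-tables, describe-instance-attribute
and describe-network-interfaces output, not captured from a real account."""
import ipaddress
import json

# Constructed sample (hypothetical IDs): the instance-level check is already
# off, but the LAN2 ENI that the VPC routes to still has the check enabled,
# which is exactly the state the thread ended up debugging.
ROUTE_TABLES = json.loads("""
{"RouteTables": [{"RouteTableId": "rtb-0aaa", "Routes": [
  {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
  {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bbb", "State": "active"},
  {"DestinationCidrBlock": "192.168.10.0/24", "NetworkInterfaceId": "eni-0lan2",
   "State": "active"}]}]}""")
INSTANCE_ATTR = json.loads("""
{"InstanceId": "i-0123456789abcdef0", "SourceDestCheck": {"Value": false}}""")
ENIS = json.loads("""
{"NetworkInterfaces": [
  {"NetworkInterfaceId": "eni-0lan1", "SourceDestCheck": false,
   "Attachment": {"InstanceId": "i-0123456789abcdef0"}},
  {"NetworkInterfaceId": "eni-0lan2", "SourceDestCheck": true,
   "Attachment": {"InstanceId": "i-0123456789abcdef0"}}]}""")


def find_route(route_tables, remote_cidr):
    """Longest-prefix match, as the VPC does: return (rtb_id, network, route)
    for the most specific active route covering remote_cidr, or None."""
    want = ipaddress.ip_network(remote_cidr)
    best = None
    for rt in route_tables["RouteTables"]:
        for route in rt.get("Routes", []):
            if route.get("State") != "active" or "DestinationCidrBlock" not in route:
                continue
            net = ipaddress.ip_network(route["DestinationCidrBlock"])
            if want.version != net.version or not want.subnet_of(net):
                continue
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (rt["RouteTableId"], net, route)
    return best


def audit_forwarding(route_tables, instance_attr, enis, remote_cidr):
    """Return a list of findings; an empty list means the VPC side is consistent."""
    findings = []
    router_id = instance_attr["InstanceId"]
    router_enis = {
        n["NetworkInterfaceId"]: n for n in enis["NetworkInterfaces"]
        if n.get("Attachment", {}).get("InstanceId") == router_id}

    hit = find_route(route_tables, remote_cidr)
    if hit is None:
        return [f"no active route covers {remote_cidr}"]
    rtb_id, net, route = hit
    target = route.get("NetworkInterfaceId")
    if target not in router_enis:
        other = target or route.get("GatewayId") or route.get("InstanceId")
        findings.append(f"{rtb_id}: {remote_cidr} matches {net} -> {other}, "
                        f"which is not an ENI of {router_id}")
        return findings

    # The instance toggle and the per-ENI attribute are separate settings;
    # the VPC drops forwarded packets if either one is still enabled.
    if instance_attr["SourceDestCheck"]["Value"]:
        findings.append(f"{router_id}: SourceDestCheck enabled on the instance; "
                        f"fix: aws ec2 modify-instance-attribute --instance-id "
                        f"{router_id} --no-source-dest-check")
    if router_enis[target]["SourceDestCheck"]:
        findings.append(f"{target}: SourceDestCheck enabled on the routed ENI; "
                        f"fix: aws ec2 modify-network-interface-attribute "
                        f"--network-interface-id {target} --no-source-dest-check")
    return findings


if __name__ == "__main__":
    result = audit_forwarding(ROUTE_TABLES, INSTANCE_ATTR, ENIS, "192.168.10.0/24")
    for line in result or ["ok: route and source/dest check are consistent"]:
        print(line)
```

To run it against a real account, replace the three constants with the JSON from the corresponding `aws ec2 describe-*` calls (filter the route tables by VPC). Two things the script deliberately does not cover: a VPC route only takes effect for subnets associated with that route table, so SERVER1's subnet must be associated with the table that carries the 192.168 route, and the security group on the pfSense ENI still filters transit traffic, not just traffic addressed to the instance. Disabling source/dest check also removes the anti-spoofing guard AWS applies to that ENI, so from then on the pfSense rules are the only thing preventing forged source addresses from leaving the instance.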
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.