• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Cannot Ping WAN Interface

General pfSense Questions
3
13
4.5k
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • A
    andy10
    last edited by Jun 11, 2020, 2:24 AM

    Hello. I have pfsense installed on a VM (ESXI 6.5). Pfsense version is 2.4.5-RELEASE (amd64).

    I have configured 2 Interfaces.
    LAN: 10.1.12.160/24 (no gateway)
    WAN: 10.1.100.130/24 - Gateway: 10.1.100.1

    Of course the Interfaces are on the right VM network.

    I can ping the LAN interface but I cannot ping the WAN IP, and i cannot ping the WAN gateway from the WAN Interface.

    I have created any-any rules on the LAN and WAN.

    I don't have any NAT configured (1:1, port forward). The outbound NAT is set to auto (i tried all options there with no luck).

    WAN gateway is the default. I don't have any static routes.
    I can ping Internet addresses.

    Block private networks and loopback addresses on the WAN interface is disabled.!login-to-view login-to-view
    Thoughts?

    G 1 Reply Last reply Jun 11, 2020, 6:06 AM Reply Quote 0
    • S
      SteveITS Galactic Empire
      last edited by Jun 11, 2020, 3:16 AM

      In Status/System Logs/Settings, check "Log packets matched from the default block rules in the ruleset" and see if the default block rule is blocking you. If so you need a firewall rule to match your traffic.

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote πŸ‘ helpful posts!

      A 1 Reply Last reply Jun 11, 2020, 3:18 AM Reply Quote 0
      • A
        andy10 @SteveITS
        last edited by Jun 11, 2020, 3:18 AM

        @teamits Thank you for your answer...I have a any-any rule under WAN...do I still need to create another rule?

        S 1 Reply Last reply Jun 11, 2020, 4:07 PM Reply Quote 0
        • G
          Gertjan @andy10
          last edited by Jun 11, 2020, 6:06 AM

          @andy10 said in Cannot Ping WAN Interface:

          Thoughts?

          Your "any to any rule on WAN" is just temporary to make ICMP work, right ? What about, at least, limiting this "IPv4*" protocols to "ICMP" ?
          DO NOT keep it rule.
          Or change pfSense for a switch to have close to identical results, and zero admin efforts.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          A 1 Reply Last reply Jun 11, 2020, 6:12 AM Reply Quote 0
          • A
            andy10 @Gertjan
            last edited by Jun 11, 2020, 6:12 AM

            @Gertjan yes it’s a temp rule...i need to figure out first why i cannot ping my WAN IP...

            1 Reply Last reply Reply Quote 0
            • G
              Gertjan
              last edited by Jun 11, 2020, 8:00 AM

              Using what ? From where ? Through which other upstream devices - the ones between you and pfSense ?

              @andy10 said in Cannot Ping WAN Interface:

              I can ping the LAN interface but I cannot ping the WAN IP

              From where ?

              You have already a pass all rule - that's ok for testing purposes.
              You know now that ant traffic coming into WAN will be 'seen' by the network stack. At that level, ICMP is handled.
              You should fire up tcpdump (packet capture), select WAN as the interface and ICMP for the type of protocol.
              Now you ping from where ever you ping.
              Stop the capturing : if it's empty, the traffic never reached pfSense.

              Most often this is explained easily : right after you discover that the ISP router is also a router (...) it becomes clear that router should a) also reply to ICMP (because this router has the actual WAN IP, not pfSense, which uses a RFC1819 type IP), or b) pass the ICMP requests through.

              Are you trying to ping from pfSense's LAN the WAN IP ? What are your LAN rule(s) ?
              Your WAN IP is a RFC1918 type ?

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              A 1 Reply Last reply Jun 11, 2020, 4:45 PM Reply Quote 0
              • S
                SteveITS Galactic Empire @andy10
                last edited by Jun 11, 2020, 4:07 PM

                @andy10 I was assuming you were pinging from LAN. If no block is logged by the default block rule then it's not being blocked, meaning it's generally a routing or some other issue.

                Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                Upvote πŸ‘ helpful posts!

                1 Reply Last reply Reply Quote 0
                • A
                  andy10
                  last edited by Jun 11, 2020, 4:42 PM

                  I am pinging from another server on the LAN network.

                  login-to-view

                  S 1 Reply Last reply Jun 11, 2020, 5:29 PM Reply Quote 0
                  • A
                    andy10 @Gertjan
                    last edited by Jun 11, 2020, 4:45 PM

                    @Gertjan
                    From where ?

                    You have already a pass all rule - that's ok for testing purposes.
                    You know now that ant traffic coming into WAN will be 'seen' by the network stack. At that level, ICMP is handled.
                    You should fire up tcpdump (packet capture), select WAN as the interface and ICMP for the type of protocol.
                    Now you ping from where ever you ping.
                    Stop the capturing : if it's empty, the traffic never reached pfSense. colored text please see screenshot

                    login-to-view

                    Most often this is explained easily : right after you discover that the ISP router is also a router (...) it becomes clear that router should a) also reply to ICMP (because this router has the actual WAN IP, not pfSense, which uses a RFC1819 type IP), or b) pass the ICMP requests through.

                    ISP is not involved here...it's installed on a VM which is behind a Palo Alto firewall...

                    Are you trying to ping from pfSense's LAN the WAN IP ? What are your LAN rule(s) ? trying to ping from 2 servers on the LAN and WAN networks...both fail
                    Your WAN IP is a RFC1918 type ?colored text 10.1.100.110/24

                    1 Reply Last reply Reply Quote 0
                    • S
                      SteveITS Galactic Empire @andy10
                      last edited by Jun 11, 2020, 5:29 PM

                      @andy10 Does the server you're pinging from have a firewall rule that is blocking the replies?
                      If you're pinging from LAN the WAN rule shouldn't be used.

                      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                      Upvote πŸ‘ helpful posts!

                      A 1 Reply Last reply Jun 11, 2020, 5:31 PM Reply Quote 0
                      • A
                        andy10 @SteveITS
                        last edited by Jun 11, 2020, 5:31 PM

                        @teamits no..the windows firewall is off....the weird thing is that when i reboot pfsense...and run a continuous ping to the WAN interface...i get responses right before it shuts down ...could it be a bug ?

                        1 Reply Last reply Reply Quote 0
                        • A
                          andy10
                          last edited by Jun 12, 2020, 10:51 PM

                          I reinstalled pfsense on another VM and i can ping the interfaces now...could be a bug! Issue resolved. Thanks!

                          1 Reply Last reply Reply Quote 0
                          • G
                            Gertjan
                            last edited by Jun 13, 2020, 7:29 AM

                            Bug ?
                            Setup !

                            pfSense handles ICMP as per user settings.
                            If not, this forum would be swamped by angry user posts ^^

                            No "help me" PM's please. Use the forum, the community will thank you.
                            Edit : and where are the logs ??

                            1 Reply Last reply Reply Quote 0
                            1 out of 13
                            • First post
                              1/13
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.