Not able to ping LAN interface from OPT1 or OPT2 networks



  • Setting up my second pfsense firewall (Protectli hardware) with 2.4.5-RELEASE-p1 as a replacement. Both are running the same version. Starting over from a fresh install. Not copying the config. Original device has three networks - LAN, OPT1 and OPT2. I am able to ping the LAN interface from the other two networks.

    On the new fresh install I set up the three interfaces. I set the DHCP for each interface and confirmed it works. I created an "allow to any" rule on the OPT1 and OPT2 interfaces. I can ping the OPT1 and OPT interfaces from each network but can only ping the LAN interface from the LAN network. I haven't modified anything else. No VLANs. No installed packages. No additional rules, gateways, bridges or anything else.

    I have assumed I messed up somewhere and have reloaded a fresh installation twice now. I have compared the config side-by-side with my old in-production firewall. Has anyone had trouble with a base installation not able to ping the LAN from a second interface?


  • Netgate Administrator

    Can we see a screenshot of the rule you added on either OPT interface?

    Are they definitely using different subnets?

    Steve


  • LAYER 8 Global Moderator

    @dcica said in Not able to ping LAN interface from OPT1 or OPT2 networks:

    Has anyone had trouble with a base installation not able to ping the LAN from a second interface?

    Never had any issues with any installations be it base, or out the wazoo configured with every package available, etc.

    Simple test - can your devices on optX network ping the pfsense lan IP?

    A common mistake users make is that rules default to tcp. So it's possible your rules are only tcp any any and do not allow for ping (icmp).



  • Thank you for the reply stephenw10 and johnpoz. These are both great questions. Again no additional configuring has been made other than enabling the interfaces. This has worked fine in the past when I have set up pfsense. I am sure we can figure this out. I am open to any suggestions. I am certain somewhere I made a goof. I just can't find it yet.

    Interfaces are as follows (double checked these settings):
    LAN 192.168.1.1 /24
    OPT1 192.168.2.1 /24
    OPT2 192.168.3.1 /24

    Rules:
    LAN (Default "allow any to any" rules for IPv4 and 6):
    IPv4 * LAN net * * * * none Default allow LAN to any rule
    IPv6 * LAN net * * * * none Default allow LAN IPv6 to any rule
    OPT1 (Created myself after enabling interface):
    IPv4 * OPT1 net * * * * none allow OPT1 to any rule
    IPv6 * OPT1 net * * * * none allow OPT1 IPv6 to any rule
    OPT2 (Created myself after enabling interface):
    IPv4 * OPT2 net * * * * none allow OPT2 to any rule
    IPv6 * OPT2 net * * * * none allow OPT2 IPv6 to any rule

    Thank you again for helping



  • @johnpoz said in Not able to ping LAN interface from OPT1 or OPT2 networks:

    Simple test - can your devices on optX network ping the pfsense lan IP?

    I forgot to answer this question...sorry. No, they cannot. If I connect a laptop to OPT1 or OPT2 then I am not able to ping the LAN interface. I can ping the OPT1 and OPT2 interfaces. If I plug a laptop into the LAN interface then I can ping all three interfaces.



  • Problem solved! I am such a goof.
    I have been setting this up in a "lab" to prepare to replace my current pfsense firewall. I have only been using a single laptop to test. I discovered that if I don't have a device plugged into the LAN port then I can't ping the LAN interface. This is not true with the OPT1 and OPT2 interfaces. They can be left empty. I took a second laptop and plugged one into LAN and one into OPT1. The pings were successful.

    I want to thank you for your help. I was offered clear and accurate questions. This was not a waste but prompted me to keep going. Thanks again. I love pfsense and have been using it since 2004. I just have not created this mistake in the past. Maybe I should move my "lab" from my living room away from all the kid distractions.


  • Netgate Administrator

    Hmm, I would not normally expect that. Did you add a gateway on LAN maybe?

    Steve



  • @stephenw10
    No, I did not add or change anything. All I did was plug in a device on LAN and OPT1 ports and was able to ping to the LAN interface from the OPT1 network. BTW...I am on the new firewall!



  • Online with pfBlockerNG, snort and detailed interface rules. I love pfsense!

