LAN Interface not replying to ICMP Request from WAN Network


  • @nogbadthebad

    Yep, Port forwards have been removed:
    67021c00-51c3-4b34-8ba4-63cbd8c1ef90-image.png

    NAT is disabled:
    b101fe40-7ff4-46a1-9aa4-0ee8fd1fbf22-image.png

    But still cannot receive reply from 10.0.0.1 (or 10.0.0.100) from 192.168.1.112


  • @nogbadthebad

    Also, with NAT disabled my 192.168.1.1 router page gives:
    4c4e4d5d-2ddd-45d7-a7cf-f50bdfca0754-image.png

  • Galactic Empire

    @tgwaku

    It's talking to your router:-

    The HTTP 403 is a HTTP status code meaning access to the requested resource is forbidden. The server understood the request, but will not fulfill it due to client-related issues. IIS defines non standard "sub-status" error codes that provide a more specific reason for responding with the 403 status code.


  • @nogbadthebad

    I have a feeling the 403 error is because the router doesn't like to accept connections from ip's on a different subnet. with auto nat on it connect to the router page under the gateway ip of 192.168.1.199 which is accepted. or at least this is my best guess at what is going on there.

    still unable to ping my setup however :(


  • @tgwaku Its not a feeling, its reality
    Shitty isp routers only accept connections from connected lans.
    It might be possible to allow access, if the settings permit, and you will also need a static route on the isp router pointing at the pfsense gw for your pf lan space

    Not always the case that you can do that.
    For the scenario at hand, all nat sessions are handled by the isp router, which usually becomes problematic whith many sessions.
    Also inbound filtering is limited to the capabilities of the isp router.

    Consider putting the isp router in bridge mode
    and also eliminate the wireless connection to pf, for gods shake. :)

  • Galactic Empire

    @netblues said in LAN Interface not replying to ICMP Request from WAN Network:

    @tgwaku Its not a feeling, its reality
    Shitty isp routers only accept connections from connected lans.
    It might be possible to allow access, if the settings permit, and you will also need a static route on the isp router pointing at the pfsense gw for your pf lan space

    Not always the case that you can do that.
    For the scenario at hand, all nat sessions are handled by the isp router, which usually becomes problematic whith many sessions.
    Also inbound filtering is limited to the capabilities of the isp router.

    Consider putting the isp router in bridge mode
    and also eliminate the wireless connection to pf, for gods shake. :)

    ^^ This


  • So basically, my setup is trash and i need to rethink my topology?

    fair enough.

    Ideally I would never have had it set up this way but I'm in a share house and it seemed like the most anti-social way to do it so i didn't have to have a conversation with my house mates about messing with their ISP router ๐Ÿ˜…

  • Galactic Empire

    @tgwaku Enable nat and pop an access-point behind your pfSense router.

    You may have problems with double nat, but all your equipment would be on the same lan segment.

    You could get rid of the WiFi bridge using two ethernet over power gadgets.


  • @tgwaku If you know what you are doing, your housemates will love you about the performance...

  • LAYER 8 Global Moderator

    @tgwaku said in LAN Interface not replying to ICMP Request from WAN Network:

    it seemed like the most anti-social way to do it so i didn't have to have a conversation with my house mates about messing with their ISP router

    You can for sure do it that way.. With the AP as a client bridge wireless connection to the house network.

    But you need to give pfsense wan an IP on this network, just use dhcp should be your best choice there. Let the house dhcp server give it an IP on that 192.168.1 network.

    Yes double nat, leave pfsense default for nat (auto). Then setup pfsense lan to be something other than 192.168.1 or anything that over laps that, 10.0.0/24 would be fine for you pfsense lan.

    This isolates you from the house network. If you do want to get access to something behind pfsense to the lan, then you would need to setup a port forward.

    But I concur I would classify such a setup with a wireless connection like that as "trash" no offense ;) But yeah sometimes you have to work with what you have.


  • @johnpoz

    Thank you John for giving me to confidence to keep persevering with this issue! I am not one to give up easy, so after adding every firewall rule under the sun.. Trying hybird nat with manual rules, port forwarding everything i could think of... Nothing was working..

    Then I just started trying random things. and one of those things was to delete the ARP Cache entries for a few ip's (can't remember which one's, probably for 192.168.1.112). I deleted on both the pfSense router and on the ISP TP Link router ARP Tables. Then tried to ping again from 192.168.1.112 to 10.0.0.1...... and it... worked... ๐Ÿ˜•

    Does this make any sense why that would fix the issue? is it a thing like, arp cache gets too full or something and ping requests get dropped in one direction?

    Full head scratcher!!! but it's working now which is good. I'm gambling that in a week it may break again so I will put a reminder on my phone to test the ping, and if it's not working I'll delete the ARP Table entries again (this time paying more attention) so i can confirm that this was indeed the nail in the coffin.

    Thanks everyone for your help troubleshooting! @NogBadTheBad @netblues @johnpoz

  • LAYER 8 Global Moderator

    At a complete and utter loss to why you think you should be able to ping the lan IP of pfsense from such a setup..

    Your .112 client has no clue how to get to 10.0.0.1, so it would send it to its gateway. That router has no clue how to get to some 10 network, so best case it would just drop the traffic because its rfc1918 - but it would most likely send it onto the isp gateway.

    I have no idea what you think is going on, or what you have actually clicked or configured. But as drawn - there is NO Possible way for .112 to be able to ping 10.x -- unless you setup a route on it?? To point to pfsense wan IP to get to 10.x network..


  • @johnpoz

    Correct, there is a static router on the ISP TP Link Router:

    f9a6f47e-14bb-4884-af70-8029c96eeb33-image.png

  • LAYER 8 Global Moderator

    That is a asymmetrical mess.. And your going to have nothing but problems with it. For a downstream router you would need a transit network. Or is asymmetrical.. If you were going to route then it would be done on the .112 box directly not the isp router.. To make sure the traffic is not asymmetrical.

    Dude - double nat, and port forward for whatever services you want something on the 192.168.1 network to get to behind pfsense.

    I gave you the solution to how to do this.. And pinging behind a nat is problematic, and your only ever going to setup 1 port forward for icmp if you wanted to ping pfsense lan IP or something behind pfsense.

    Just ping pfsense wan IP to validate connectivity..


  • @tgwaku
    In order for an ip packet to reach it's destination, the sending host must know the MAC address (layer 2) of destination host.
    ARP resolves ip to mac.
    ping 10.0.0.1 and the OS will check arp cache for MAC of 10.0.0.1. If it doesn't reside in cache, OS will send ARP broadcast on LAN, not cross router, to find destination host.

    During your setup and tinkering, your arp tables changed. But, your OS cache didn't. Or, visa versa.

    It makes sense that clearing ARP cache worked. If you don't touch anything, you shouldn't ever have this problem again.

  • LAYER 8 Global Moderator

    @laamidd said in LAN Interface not replying to ICMP Request from WAN Network:

    you shouldn't ever have this problem again.

    Other than its asymetrical, while it might work because the isp router prob has no state involved in this connection?

    A setup with a route to 10.x on the isp router is asymmetrical.. Unless the route was via a transit network to downstream router.


  • @johnpoz
    Actually, Looking at his setup and seeing that routers/access points are getting their IP's via DHCP, you very may well have this issue again.

    Routers, Firewalls, AP's, etc... should be set static. When the IP of one of these changes, your OS arp table will be wrong and you'll be broken again.

  • LAYER 8 Global Moderator

    Well what the AP ip is doesn't matter.. And pfsense wan IP should never change.. Unless he turns if off for extended period? And anyway arps are only temp, say 20 minute max is what pfsnese default to.. Off the top head not sure about windows version he has but old use to be 2 minutes, and believe current is some random time between 15 and 45 seconds.

    I have no idea why it wasn't working before - but can tell you right now that asymmetrical setup is borked!! And even if it "works" it might not tmrw.. It should not be setup that way.


  • @johnpoz
    yes it is borked... lol


  • @laamidd said in LAN Interface not replying to ICMP Request from WAN Network:

    @tgwaku
    In order for an ip packet to reach it's destination, the sending host must know the MAC address (layer 2) of destination host.
    ARP resolves ip to mac.
    ping 10.0.0.1 and the OS will check arp cache for MAC of 10.0.0.1. If it doesn't reside in cache, OS will send ARP broadcast on LAN, not cross router, to find destination host.

    During your setup and tinkering, your arp tables changed. But, your OS cache didn't. Or, visa versa.

    It makes sense that clearing ARP cache worked. If you don't touch anything, you shouldn't ever have this problem again.

    Thanks @laamidd this is a great explanation!

    @johnpoz

    I had a try with your recommended configuration however i was unable to ping 10.0.0.1 or use RDP service to my computer (10.0.0.100) via 192.168.1.122 on port 3389:

    Nat = auto
    392192c6-697d-4065-9114-9f1af86d5bf8-image.png
    Forwarded Ports
    06829468-9e77-4d0a-a95f-fc310dd15520-image.png
    Associated Firewall Filters/Rules
    834e5a78-d5f8-4530-a082-900cd813f422-image.png

    Static routing on the TP LINK router is now turned off.

    Can ping from 10.0.0.100 to 192.168.1.112 (however very lagged?)
    622481bd-9319-444c-8a57-f8013bf8ecf0-image.png

    Cannot ping from 192.168.1.112 to 10.0.0.1
    903d1075-2f31-476d-a1df-6552eb43e3f2-image.png

    Cannot RDP from .112 to 10.0.0.100
    95c08366-43ed-41e4-a960-802f1f9dc3de-image.png

  • LAYER 8 Global Moderator

    This isn't that complicated ;)

    Not sure what services he wants to have the 192.168.1 network get to behind pfsense. But all that is required is simple port forwards.

    Normally such a setup is to prevent this upstream network from talking to shit behind pfsense.. So can't believe there is that much to forward. If he wants all his stuff exposed.. Then why use pfsense?

    If he has multiple things that he wants to expose to 192.168.1 - simple solution would also just to put those things on that network.. He could get simple dumb switch or use the switch ports on his client bridge wifi device or just wifi And only put stuff behind pfsense he wants to firewall off, etc. This requires zero communication with his flat mates, etc.

    This setup is nothing a 1000 users are not setting up every day to be honest.. The only thing that is a bit different than the 100's of posts we have seen with this exact setup is the wifi client bridge setup.. But if his pfsense wan is getting an ip via dhcp - that is working fine..

  • LAYER 8 Global Moderator

    @tgwaku said in LAN Interface not replying to ICMP Request from WAN Network:

    Cannot RDP from .112 to 10.0.0.100

    Dude.. What part of this are you not understanding?? Did you setup a port forward to 10.0.0.100 for rdp.. Access pfsense wan IP for rdp.. It will forward to what IP you want to access, if you have multiple devices then use different ports 3389, 3390, 3391 and forward those to your different 10 addresses.

    Why are you trying to ping 10 addresses?

    windows firewall is not going to allow access from 192.168.1 if its on 10.x address for rdp - unless you set the windows firewall to allow that also.. Windows firewall pretty much blocks all access to any of its services, even ping from non local network.


  • @johnpoz

    Thanks John,

    Looks like I got it all working now.

    Thanks everyone for your help!


  • @tgwaku said in LAN Interface not replying to ICMP Request from WAN Network:

    3389 TCP AND UDP, and use the remote desktop's IP address, not netbios name. Also, netcat and nmap are your friends: https://nmap.org/ncat/

    with netcat, you can run it on the remote host, set it to listen on 3389 (turn off rdp in windows first) then from your local machine run netcat and see if you can connect to the remote host.

    from your 10.0.0.100 host, run netcat to listen on port 3389, I think it's nc -nl 10.0.0.1 3389
    from your 192.168.1.112 host run: nc -nv 10.0.0.100 3389

    does it connect?
    nmap from 192 to 10 network scan ports, with either RDP enabled 3389 or nc listening on 3389, do you see 3389?


  • @laamidd

    I can connect RDP to 192.168.1.199 from 192.168.1.112

    this works for me and provides the functionality I need.

    i have no need to connect on ip 10.0.0.100 or to be able to ping ip 10.0.0.100. It was just something that i was wondering is possible to do?

    so for now all seems to be working :) thanks for your help :)

  • LAYER 8 Global Moderator

    @tgwaku said in LAN Interface not replying to ICMP Request from WAN Network:

    i have no need to connect on ip 10.0.0.100 or to be able to ping ip 10.0.0.100. It was just something that i was wondering is possible to do?

    It is very possible to do, just not in the sort of setup you have. If you had an upstream router, where you could create another network/vlan to use as a transit. And also allow that upstream router to nat downstream networks.

    Neither of which are possible with your typical soho wifi router, atleast ones not running 3rd party firmware.

    Then yes it would be quite easy and simple to have downstream router not doing nat where you could route to downstream networks, ie your 10.x network And then firewall off different protocols or ports if you wanted to.

    But in your sort of setup, with the lack of features of your edge(upstream router) and your ability to do vlans on your infrastructure - no its not really possible. And the double nat setup is the easiest solution to isolate your network from the houses network. While still allowing access to resources behind pfsense via simple port forwards.

    If your upstream router, ie the router you have connected to the internet was also say pfsense. And your switching and APs in use could do vlans - then there really isn't anything you couldn't do from a networking perspective.