LAN Interface not replying to ICMP Request from WAN Network

laamidd

@tgwaku
In order for an ip packet to reach it's destination, the sending host must know the MAC address (layer 2) of destination host.
ARP resolves ip to mac.
ping 10.0.0.1 and the OS will check arp cache for MAC of 10.0.0.1. If it doesn't reside in cache, OS will send ARP broadcast on LAN, not cross router, to find destination host.

During your setup and tinkering, your arp tables changed. But, your OS cache didn't. Or, visa versa.

It makes sense that clearing ARP cache worked. If you don't touch anything, you shouldn't ever have this problem again.

johnpoz

@laamidd said in LAN Interface not replying to ICMP Request from WAN Network:

you shouldn't ever have this problem again.

Other than its asymetrical, while it might work because the isp router prob has no state involved in this connection?

A setup with a route to 10.x on the isp router is asymmetrical.. Unless the route was via a transit network to downstream router.

laamidd

@johnpoz
Actually, Looking at his setup and seeing that routers/access points are getting their IP's via DHCP, you very may well have this issue again.

Routers, Firewalls, AP's, etc... should be set static. When the IP of one of these changes, your OS arp table will be wrong and you'll be broken again.

johnpoz

Well what the AP ip is doesn't matter.. And pfsense wan IP should never change.. Unless he turns if off for extended period? And anyway arps are only temp, say 20 minute max is what pfsnese default to.. Off the top head not sure about windows version he has but old use to be 2 minutes, and believe current is some random time between 15 and 45 seconds.

I have no idea why it wasn't working before - but can tell you right now that asymmetrical setup is borked!! And even if it "works" it might not tmrw.. It should not be setup that way.

laamidd

@johnpoz
yes it is borked... lol

TgWaKu

@laamidd said in LAN Interface not replying to ICMP Request from WAN Network:

@tgwaku
In order for an ip packet to reach it's destination, the sending host must know the MAC address (layer 2) of destination host.
ARP resolves ip to mac.
ping 10.0.0.1 and the OS will check arp cache for MAC of 10.0.0.1. If it doesn't reside in cache, OS will send ARP broadcast on LAN, not cross router, to find destination host.

During your setup and tinkering, your arp tables changed. But, your OS cache didn't. Or, visa versa.

It makes sense that clearing ARP cache worked. If you don't touch anything, you shouldn't ever have this problem again.

Thanks @laamidd this is a great explanation!

@johnpoz

I had a try with your recommended configuration however i was unable to ping 10.0.0.1 or use RDP service to my computer (10.0.0.100) via 192.168.1.122 on port 3389:

Nat = auto

Forwarded Ports

Associated Firewall Filters/Rules

Static routing on the TP LINK router is now turned off.

Can ping from 10.0.0.100 to 192.168.1.112 (however very lagged?)

Cannot ping from 192.168.1.112 to 10.0.0.1

Cannot RDP from .112 to 10.0.0.100

johnpoz

This isn't that complicated ;)

Not sure what services he wants to have the 192.168.1 network get to behind pfsense. But all that is required is simple port forwards.

Normally such a setup is to prevent this upstream network from talking to shit behind pfsense.. So can't believe there is that much to forward. If he wants all his stuff exposed.. Then why use pfsense?

If he has multiple things that he wants to expose to 192.168.1 - simple solution would also just to put those things on that network.. He could get simple dumb switch or use the switch ports on his client bridge wifi device or just wifi And only put stuff behind pfsense he wants to firewall off, etc. This requires zero communication with his flat mates, etc.

This setup is nothing a 1000 users are not setting up every day to be honest.. The only thing that is a bit different than the 100's of posts we have seen with this exact setup is the wifi client bridge setup.. But if his pfsense wan is getting an ip via dhcp - that is working fine..

johnpoz

@tgwaku said in LAN Interface not replying to ICMP Request from WAN Network:

Cannot RDP from .112 to 10.0.0.100

Dude.. What part of this are you not understanding?? Did you setup a port forward to 10.0.0.100 for rdp.. Access pfsense wan IP for rdp.. It will forward to what IP you want to access, if you have multiple devices then use different ports 3389, 3390, 3391 and forward those to your different 10 addresses.

Why are you trying to ping 10 addresses?

windows firewall is not going to allow access from 192.168.1 if its on 10.x address for rdp - unless you set the windows firewall to allow that also.. Windows firewall pretty much blocks all access to any of its services, even ping from non local network.

TgWaKu

@johnpoz

Thanks John,

Looks like I got it all working now.

Thanks everyone for your help!

laamidd

@tgwaku said in LAN Interface not replying to ICMP Request from WAN Network:

3389 TCP AND UDP, and use the remote desktop's IP address, not netbios name. Also, netcat and nmap are your friends: https://nmap.org/ncat/

with netcat, you can run it on the remote host, set it to listen on 3389 (turn off rdp in windows first) then from your local machine run netcat and see if you can connect to the remote host.

from your 10.0.0.100 host, run netcat to listen on port 3389, I think it's nc -nl 10.0.0.1 3389
from your 192.168.1.112 host run: nc -nv 10.0.0.100 3389

does it connect?
nmap from 192 to 10 network scan ports, with either RDP enabled 3389 or nc listening on 3389, do you see 3389?

TgWaKu

@laamidd

I can connect RDP to 192.168.1.199 from 192.168.1.112

this works for me and provides the functionality I need.

i have no need to connect on ip 10.0.0.100 or to be able to ping ip 10.0.0.100. It was just something that i was wondering is possible to do?

so for now all seems to be working :) thanks for your help :)

johnpoz

@tgwaku said in LAN Interface not replying to ICMP Request from WAN Network:

i have no need to connect on ip 10.0.0.100 or to be able to ping ip 10.0.0.100. It was just something that i was wondering is possible to do?

It is very possible to do, just not in the sort of setup you have. If you had an upstream router, where you could create another network/vlan to use as a transit. And also allow that upstream router to nat downstream networks.

Neither of which are possible with your typical soho wifi router, atleast ones not running 3rd party firmware.

Then yes it would be quite easy and simple to have downstream router not doing nat where you could route to downstream networks, ie your 10.x network And then firewall off different protocols or ports if you wanted to.

But in your sort of setup, with the lack of features of your edge(upstream router) and your ability to do vlans on your infrastructure - no its not really possible. And the double nat setup is the easiest solution to isolate your network from the houses network. While still allowing access to resources behind pfsense via simple port forwards.

If your upstream router, ie the router you have connected to the internet was also say pfsense. And your switching and APs in use could do vlans - then there really isn't anything you couldn't do from a networking perspective.

TgWaKu

@johnpoz

Out of curiosity, how would one go about setting up a transit network if I had two pfsense routers in my topology.

johnpoz

A transit network is just a network that connects routers that has no hosts on it..

So pick a network, 172.16.0.0/30 works.. No need for more address. And connect the 2 routers with it..

This can be physical network, or just a vlan..

Here..

It removes the asymmetrical traffic flow..

When you have hosts on your transit, that do not do host routing for the downstream network. Or when the downstream router is not natting you run into this.