ICMP responses for some IP addresses are not propagated to LAN interface
Not sure that it's the right subforum, but the problem looks NAT-related. Here's my problem:
ICMP requests (to 8.8.8.8) come from LAN interface, leave from WAN interface, response comes to WAN interface, but the corresponding packet doesn't appear on LAN interface.
pfSense version: 2.5.0-RELEASE
Here's the tcpdump sample from LAN:
00:56:34.120561 IP 192.168.120.120 > 1.1.1.1: ICMP echo request, id 19, seq 37, length 64
00:56:35.144625 IP 192.168.120.120 > 1.1.1.1: ICMP echo request, id 19, seq 38, length 64
00:56:36.168579 IP 192.168.120.120 > 1.1.1.1: ICMP echo request, id 19, seq 39, length 64
And here's tcpdump sample from WAN:
00:56:36.501079 IP 6.7.8.9 > 1.1.1.1: ICMP echo request, id 6313, seq 12531, length 9
00:56:36.564018 IP 1.1.1.1 > 6.7.8.9: ICMP echo reply, id 6313, seq 12531, length 9
00:56:37.006353 IP 6.7.8.9 > 1.1.1.1: ICMP echo request, id 6313, seq 12532, length 9
00:56:37.069395 IP 1.1.1.1 > 6.7.8.9: ICMP echo reply, id 6313, seq 12532, length 9
Extract from pftop:
PR   DIR SRC                 DEST           STATE AGE      EXP      PKTS BYTES
icmp In  192.168.120.120:19  1.1.1.1:19     0:0   00:01:58 00:00:10 232  19488
icmp Out 6.7.8.9:32752       1.1.1.1:32752  0:0   00:01:58 00:00:10 232  19488
I also noticed that this problem does not manifest for all IP addresses - for example, 1.0.0.1 works fine.
I'm using autogenerated outbound NAT rules, they appear to be okay - they include 192.168.120.120 (ping source machine) for the WAN interface.
I have a gateway group set up (for failover), the primary interface (currently shown as active) is WAN.
I also have a catch-all rule in LAN Firewall rules that sends all packets to the Failover gateway group.

What could cause such behaviour? Where should I look to debug this?
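One way to make sense of captures like the ones quoted above is to correlate the pftop NAT state pair with the packets seen on each interface: the In state gives the inside source and ICMP id, the Out state gives the translated source and id, and each capture can then be checked for packets that actually belong to that flow. The script below is an added example, not code from the original post or from pfSense; the capture and pftop text embedded in it is constructed from the lines quoted in the post, the pftop columns are parsed positionally, and the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the LAN capture quoted in the post.
LAN_CAPTURE = """\
00:56:34.120561 IP 192.168.120.120 > 1.1.1.1: ICMP echo request, id 19, seq 37, length 64
00:56:35.144625 IP 192.168.120.120 > 1.1.1.1: ICMP echo request, id 19, seq 38, length 64
00:56:36.168579 IP 192.168.120.120 > 1.1.1.1: ICMP echo request, id 19, seq 39, length 64
"""

# Constructed sample input: the WAN capture quoted in the post.
WAN_CAPTURE = """\
00:56:36.501079 IP 6.7.8.9 > 1.1.1.1: ICMP echo request, id 6313, seq 12531, length 9
00:56:36.564018 IP 1.1.1.1 > 6.7.8.9: ICMP echo reply, id 6313, seq 12531, length 9
00:56:37.006353 IP 6.7.8.9 > 1.1.1.1: ICMP echo request, id 6313, seq 12532, length 9
00:56:37.069395 IP 1.1.1.1 > 6.7.8.9: ICMP echo reply, id 6313, seq 12532, length 9
"""

# Constructed sample input: the two pftop state lines quoted in the post.
PFTOP_STATES = """\
icmp In 192.168.120.120:19 1.1.1.1:19 0:0 00:01:58 00:00:10 232 19488
icmp Out 6.7.8.9:32752 1.1.1.1:32752 0:0 00:01:58 00:00:10 232 19488
"""

# tcpdump's default ICMP echo line format; for ICMP the "port" shown by pftop is the echo id.
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)"
)
STATE_RE = re.compile(
    r"^icmp (?P<dir>In|Out) (?P<src>[\d.]+):(?P<sid>\d+) (?P<dst>[\d.]+):(?P<did>\d+)"
)


def parse_capture(text):
    """Return one dict per ICMP echo line; non-matching lines are ignored."""
    pkts = []
    for line in text.splitlines():
        m = ICMP_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("id", "seq", "len"):
                d[k] = int(d[k])
            pkts.append(d)
    return pkts


def parse_states(text):
    """Return {'In': {...}, 'Out': {...}} with source, destination and ICMP id per state."""
    states = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            states[m["dir"]] = {"src": m["src"], "dst": m["dst"], "id": int(m["sid"])}
    return states


def correlate(lan_text, wan_text, pftop_text):
    """Count packets on each side that belong to the state pair, and list other WAN flows."""
    lan, wan = parse_capture(lan_text), parse_capture(wan_text)
    states = parse_states(pftop_text)
    inside, outside = states["In"], states["Out"]
    report = {}
    # Requests on LAN that the In state was created for (same inside source and echo id).
    report["lan_requests_matching_state"] = sum(
        1 for p in lan if p["kind"] == "request" and p["src"] == inside["src"] and p["id"] == inside["id"]
    )
    # Replies on LAN already translated back to the inside source and echo id.
    report["lan_replies_matching_state"] = sum(
        1 for p in lan if p["kind"] == "reply" and p["dst"] == inside["src"] and p["id"] == inside["id"]
    )
    # Packets on WAN carrying the translated echo id from the Out state, in either direction.
    report["wan_packets_matching_translated_id"] = sum(
        1 for p in wan if p["id"] == outside["id"] and outside["src"] in (p["src"], p["dst"])
    )
    # Every other echo flow on WAN, keyed by id, so it is not mistaken for the NATed one.
    other = defaultdict(lambda: {"request": 0, "reply": 0, "len": None})
    for p in wan:
        if p["id"] != outside["id"]:
            other[p["id"]][p["kind"]] += 1
            other[p["id"]]["len"] = p["len"]
    report["unrelated_wan_flows"] = {i: dict(v) for i, v in other.items()}
    return report


def summarize(report):
    """Turn the counts into the two observations a troubleshooter cares about."""
    notes = []
    if report["lan_requests_matching_state"] and not report["lan_replies_matching_state"]:
        notes.append("LAN: requests match the In state, but no reply with the inside id came back")
    if report["wan_packets_matching_translated_id"] == 0:
        notes.append("WAN: no packet carries the Out state's translated id; the capture shows a different flow")
    return notes


if __name__ == "__main__":
    result = correlate(LAN_CAPTURE, WAN_CAPTURE, PFTOP_STATES)
    print(result)
    for note in summarize(result):
        print("-", note)
```

Run on the quoted data, the report shows three LAN requests matching the In state, no LAN replies, and no WAN packet with the translated id 32752; the only flow in the WAN capture is id 6313 with 9-byte payloads. In other words, the WAN sample does not show the translated LAN ping at all, so the next capture on WAN is best filtered on the translated id (for tcpdump, `icmp[4:2] == 32752`) to see whether the translated request leaves and whether its reply comes back before the pf state is consulted.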