gateway pings from LAN, not from the WAN-interface
-
pfsense-21.05p1 on a SG-3100, 2 WAN-interfaces, gateway groups in place
One WAN-monitoring works OK
the other: not.
I can ping the gw-IP from the LAN ok.
If I try to ping from pfsense-shell or GUI: 100% packet loss.
I wonder if my Outbound NAT rules are wrong, they are set up with "Hybrid Mode", although there are only 4 rules in there which were Auto-created.
For now I use 8.8.8.8 as monitoring IP, but would like to improve things by pinging the gw itself.
What should I check/change? thanks ...
-
@sgw said in gateway pings from LAN, not from the WAN-interface:
2 WAN-interfaces, gateway groups in place
One WAN-monitoring works OK
the other: not
The default gateway or primary?
I can ping the gw-IP from the LAN ok.
If I try to ping from pfsense-shell or GUI: 100% packet loss.
When you ping it from LAN, are you sure the ping is going out the respective interface?
For now I use 8.8.8.8 as monitoring IP, but would like to improve things by pinging the gw itself.
Is it in online state this way?
If the gateway doesn't respond to pings there is no other option than using another public IP for monitoring.
I wonder if my Outbound NAT rules are wrong
What do your rules look like?
-
The problematic gw is the one chosen as primary in the gw groups (because it's the faster line).
See pic for NAT rules.
rule 1&2 are for WAN_1, the "good one", 3&4 for WAN_2, the "bad one".
The multiple subnets in "Source" are various VLANs, the "Mappings" are used to map the mailserver in the DMZ to a specific external IP and all the VOIP-devices in a VLAN to another external IP.
The gw should ping according to the provider. I assume the LAN-ping goes out via the right interface because the gw-IP doesn't ping from the internet or other subnets.
-
@sgw said in gateway pings from LAN, not from the WAN-interface:
I assume the LAN-ping goes out via the right interface because the gw-IP doesn't ping from the internet or other subnets.
Has the gw a public IP or a private / CGN?
I cannot see a reason, why the gateway should be pingable from your LAN but not from pfSense itself. If your outbound NAT is working properly the ping packets go out with the WAN IP in both cases, so it shouldn't make any difference.
But you can verify this using the packet capture tool on pfSense. Try a ping from LAN and from pfSense itself, while you capture the traffic on the respective interface.
-
It's a public IP range. I will try the packet capture (again) later today.
-
Did a packet capture on the problematic WAN interface filtering for the IP of its gateway and ICMP only.
Pinged from LAN and from the shell on the pfsense:
in the packet capture log I see no difference: WAN IP sends request, WAN GW sends reply. But on the LAN Server I see pings with times, on pfsense I see 100% packet loss.
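The comparison described in this post (capture on the WAN interface, filtered to the gateway IP and ICMP, then check whether each echo request gets a reply) can be done per ping id instead of by eye. This is an added example, not code from the thread; the capture lines and the 203.0.113.x addresses are constructed documentation values, and the line format is the plain tcpdump text output the pfSense packet capture page shows.

```shell
#!/bin/sh
# Added example, not part of the forum thread. Summarises an ICMP capture
# taken on a WAN interface so "request sent / reply seen" can be checked
# per echo id (one id per ping run, e.g. one from LAN, one from the shell).
# The capture below is constructed; addresses are RFC 5737 documentation IPs.

CAPTURE_FILE="${TMPDIR:-/tmp}/wan2_icmp_capture.txt"
cat > "$CAPTURE_FILE" <<'EOF'
12:00:01.000001 IP 203.0.113.10 > 203.0.113.1: ICMP echo request, id 4321, seq 1, length 64
12:00:01.000480 IP 203.0.113.1 > 203.0.113.10: ICMP echo reply, id 4321, seq 1, length 64
12:00:02.000001 IP 203.0.113.10 > 203.0.113.1: ICMP echo request, id 4321, seq 2, length 64
12:00:02.000470 IP 203.0.113.1 > 203.0.113.10: ICMP echo reply, id 4321, seq 2, length 64
12:00:05.000001 IP 203.0.113.10 > 203.0.113.1: ICMP echo request, id 7777, seq 1, length 64
12:00:06.000001 IP 203.0.113.10 > 203.0.113.1: ICMP echo request, id 7777, seq 2, length 64
EOF

# icmp_summary FILE: one line per echo id -> "<id> <requests> <replies>"
icmp_summary() {
  awk '
    /ICMP echo request/ { id=$0; sub(/.*id /, "", id); sub(/,.*/, "", id); req[id]++ }
    /ICMP echo reply/   { id=$0; sub(/.*id /, "", id); sub(/,.*/, "", id); rep[id]++ }
    END { for (i in req) printf "%s %d %d\n", i, req[i], rep[i]+0 }
  ' "$1" | sort -n
}

# reply_count FILE ID: number of replies seen for one echo id (0 if none)
reply_count() {
  icmp_summary "$1" | awk -v want="$2" '$1 == want { print $3; found=1 } END { if (!found) print 0 }'
}

# unanswered FILE: ids that sent requests but never got a reply on the wire
unanswered() {
  icmp_summary "$1" | awk '$3 == 0 { print $1 }'
}

# request_sources FILE: distinct source IPs of the echo requests. If outbound
# NAT is applied, this should be the WAN address only, never a LAN/VLAN address.
request_sources() {
  awk '/ICMP echo request/ { print $3 }' "$1" | sort -u
}

icmp_summary "$CAPTURE_FILE"
```

If a ping id shows replies on the interface but the sending host still reports 100% loss, the replies are reaching the wire and the problem lies after capture (host-side filtering or the tool doing the pinging), which is the situation this post describes.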
-
@sgw said in gateway pings from LAN, not from the WAN-interface:
in the packet capture log I see no difference: WAN IP sends request, WAN GW sends reply.
That's what I expected.
But on the LAN Server I see pings with times, on pfsense I see 100% packet loss.
Cannot think of any reason, why pfSense shows packet loss even though it gets replies.
-
@viragomann maybe the php-script does something else than the shell command does