gateway pings from LAN, not from the WAN-interface

sgw · Sep 12, 2021, 9:31 AM

pfsense-21.05p1 on a SG-3100, 2 WAN-interfaces, gateway groups in place

One WAN-monitoring works OK
the other: not

I can ping the gw-IP from the LAN ok.

If I try to ping from pfsense-shell or GUI: 100% packet loss.

I wonder if my Outbound NAT rules are wrong, they are set up with "Hybrid Mode", although there are only 4 rules in there which were Auto-created.

For now I use 8.8.8.8 as monitoring IP, but would like to improve things by pinging the gw itself.

What should I check/change? thanks ...

viragomann · Sep 12, 2021, 3:02 PM

@sgw said in gateway pings from LAN, not from the WAN-interface:

2 WAN-interfaces, gateway groups in place

One WAN-monitoring works OK
the other: not

The default gateway or primary?

I can ping the gw-IP from the LAN ok.
If I try to ping from pfsense-shell or GUI: 100% packet loss.

When you ping it from LAN, are you sure the ping is going out the respective interface?

For now I use 8.8.8.8 as monitoring IP, but would like to improve things by pinging the gw itself.

Is it in online state this way?
If the gateway doesn't respond to pings there is no other option than using another public IP for monitoring.

I wonder if my Outbound NAT rules are wrong

What are you rules look like?

sgw · Sep 12, 2021, 3:32 PM

@viragomann

The problematic gw is the one chosen as primary in the gw groups (because it's the faster line).

🔒 Log in to view

See pic for NAT rules.

rule 1&2 are for WAN_1, the "good one", 3&4 for WAN_2, the "bad one".

The multiple subnets in "Source" are various VLANs, the "Mappings" are used to map the mailserver in the DMZ to a specific external IP and all the VOIP-devices in a VLAN to another external IP.

The gw should ping according to the provider. I assume the LAN-ping goes out via the right interface because the gw-IP doesn't ping from the internet or other subnets.

viragomann · Sep 12, 2021, 7:37 PM

@sgw said in gateway pings from LAN, not from the WAN-interface:

I assume the LAN-ping goes out via the right interface because the gw-IP doesn't ping from the internet or other subnets.

Has the gw a public IP or a private / CGN?

I cannot see a reason, why the gateway should be pingable from your LAN but not from pfSense itself. If your outbound NAT is working properly the ping packets go out with the WAN IP in both cases, so it shouldn't make any difference.

But you can verify this using the packet capture tool on pfSense. Try a ping from LAN and from pfSense itself, while you capture the traffic on the respective interface.

sgw · Sep 13, 2021, 2:22 AM

@viragomann

It's a public IP range. I will try the packet capture (again) later today.

sgw · Sep 13, 2021, 2:52 PM

Did a packet capture on the problematic WAN interface filtering for the IP of its gateway and ICMP only.

pinged from LAN and from the shell on the pfsense:

in the packet capture log I see no difference: WAN IP sends request, WAN GW sends reply. But on the LAN Server I see pings with times, on pfsense I see 100% packet loss.

viragomann · Sep 13, 2021, 3:12 PM

@sgw said in gateway pings from LAN, not from the WAN-interface:

in the packet capture log I see no difference: WAN IP sends request, WAN GW sends reply.

That's what I expected.

But on the LAN Server I see pings with times, on pfsense I see 100% packet loss.

Cannot think of any reason, why pfSense shows packet loss even though it get replies.

sgw · Sep 13, 2021, 6:12 PM

@viragomann maybe the php-script does something else than the shell command does