Netgate Discussion Forum

    Can't ping WAN IP address

      devwinner-sek

      We just installed pfSense 2.4.5 on Proxmox 6.3.6 and then we have:

      1. Configured on the WAN, LAN and DMZ interfaces:
        • WAN interface (em0), public IPv4 + Gateway
        • LAN interface (em1), IPv4 10.12.2.4
        • DMZ interface (em2)

      2. Created a bridge interface (WAN, DMZ).

      3. Added the following rules:
        • DMZ: Allow all from any source to any destination
        • WAN: Allow icmp from any source to WAN address
        • LAN: Allow icmp from LAN address to WAN address

      For information:
      pfSense uses the WAN interface gateway as the default gateway.
      VMs with just one LAN IP have the pfSense LAN IP as their gateway (10.12.2.4).
      VMs with a public IP have the same gateway as pfSense and are linked to the DMZ interface.

      NB: We use public fail-over IP addresses from So you start

      Report:
      From 1 VM with a LAN interface:
      • The ping of the public IP address of Pfsense passes

      What is our problem?
      From 1 VM with a LAN interface, it is:
      • Unable to ping other public IP addresses
      • Unable to access any service located on 1 public IP

        viragomann @devwinner-sek

        @devwinner-sek said in Can't ping WAN IP address:

        What is our problem?
        From 1 VM with a LAN interface, it is:
        • Unable to ping other public IP addresses
        • Unable to access any service located on 1 public IP

        So allow all services you need to any or to the desired destinations.
        Since you have only allowed ping from LAN (I assume you have LAN net in the source instead of address) to pfSense WAN address, this is what pfSense permits now.

          devwinner-sek @viragomann

          @viragomann
          Ok, thanks for your proposal. I will try it and check if it solves the issue.

            devwinner-sek @devwinner-sek

            @devwinner-sek
            With your advice, I have added two new rules to the LAN interface:

            1. Allow any protocol from LAN address to WAN address
            2. Allow any protocol from LAN address to DMZ address

            But ping from LAN to public IP is still not working.

              johnpoz LAYER 8 Global Moderator @devwinner-sek

              At a loss as to why someone would have just now installed such old versions of either pfSense or Proxmox.

              Moving this to VM section..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                viragomann @devwinner-sek

                @devwinner-sek
                That's not what I tried to suggest.
                "LAN address" is the IP of pfSense's LAN interface. "WAN address" is the WAN IP.

                So on LAN the source should be "LAN net", which embraces the whole LAN subnet. For accessing any IP in the internet you have to set the destination to any. This includes the DMZ network as well, so one rule is sufficient.

                1 Reply Last reply Reply Quote 0
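The distinction between "LAN address" and "LAN net" explained in the reply above, as an added example that is not part of the original posts and is not pfSense code: a simplified first-match rule evaluator showing which packets each source setting matches. The /24 mask, the 203.0.113.x documentation addresses and the `Rule`/`evaluate`/`demo` names are assumptions; only 10.12.2.4 comes from the thread.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing: the thread gives only the LAN interface IP (10.12.2.4);
# the /24 mask and the 203.0.113.x documentation addresses are assumptions.
LAN_IF = ipaddress.ip_interface("10.12.2.4/24")
WAN_IF = ipaddress.ip_interface("203.0.113.10/28")

# Source/destination choices from the rule editor, resolved to networks.
MACROS = {
    "any": ipaddress.ip_network("0.0.0.0/0"),
    "LAN address": ipaddress.ip_network(f"{LAN_IF.ip}/32"),  # firewall's own LAN IP only
    "LAN net": LAN_IF.network,                               # the whole LAN subnet
    "WAN address": ipaddress.ip_network(f"{WAN_IF.ip}/32"),  # firewall's own WAN IP only
}

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    dst: str

def evaluate(rules, proto, src, dst):
    """First matching rule wins; no match falls through to the implicit block."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto in ("any", proto) and s in MACROS[r.src] and d in MACROS[r.dst]:
            return r.action
    return "block"

# LAN rules as described in the thread, with the source set to "LAN address".
narrow = [
    Rule("pass", "icmp", "LAN address", "WAN address"),
    Rule("pass", "any", "LAN address", "WAN address"),
]
# The single rule suggested in the reply: source "LAN net", destination any.
broad = [Rule("pass", "any", "LAN net", "any")]

def demo():
    vm, other_public = "10.12.2.50", "203.0.113.12"  # constructed LAN VM and DMZ host
    return {
        "narrow_vm_to_wan_ip": evaluate(narrow, "icmp", vm, str(WAN_IF.ip)),
        "narrow_vm_to_other": evaluate(narrow, "icmp", vm, other_public),
        "broad_vm_to_other": evaluate(broad, "icmp", vm, other_public),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

With only the `narrow` rules, a packet from a LAN VM matches nothing because its source is not the firewall's own LAN IP; the model ignores state tracking, floating rules and bridges.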
                  viragomann @johnpoz

                  @johnpoz
                  To be honest, I have upgraded my home installation a few days ago.

                    devwinner-sek @viragomann

                    @viragomann
                    Thanks for the help.

                    The rule: LAN net from any protocol to any is a default rule on the pfSense LAN interface. We haven't deleted this rule.

                    I have also updated pfSense to version 2.5.2 today, but I still have the same problem.

                      johnpoz LAYER 8 Global Moderator @devwinner-sek

                      @devwinner-sek Well if your lan rule is default any any - and you're on the lan network you would for sure be able to ping your wan IP.

                      If you can not, then can you even ping the Lan IP? You sure you're pinging the correct wan IP? Unless you put a floating rule to block, or you have some other rule above the default lan rule - did you happen to enable block rfc1918 on your lan or bogon.. Seen users do that - haven't a clue in the world why anyone would do such a thing.. But have seen it multiple times.. Either of those things could prevent you from pinging the wan.

                      Why don't you actually post up your rules - other thing you sure you're not forcing traffic out some gateway, that can not get to your wan IP, etc..

                        devwinner-sek

                        @johnpoz said in Can't ping WAN IP address:

                        rfc1918

                        Hello johnpoz.

                        Like I said, only the ping of the WAN IP of pfSense is working.
                        Ping to other WAN IP addresses doesn't work.
                        I don't have an rfc1918 block rule on my pfSense.

                        Images of my rules

                        bridges.PNG

                        rules_floating.PNG rules_WAN.PNG
                        rules_LAN.PNG rules_DMZ.PNG

                          viragomann @devwinner-sek

                          @devwinner-sek
                          You have to go to Interface > Assignments and add and activate the bridges.

                            devwinner-sek @viragomann

                            @viragomann

                            ok.

                            I think the bridge interfaces are already enabled.

                            Image of Interface Assignments

                            Pfsense_interfaces_assigned.PNG

                              viragomann @devwinner-sek

                              @devwinner-sek
                              No. If they were you would see them here.

                              Open the drop-down at "Available network ports", select the bridge you have configured before, hit Add, open the new interface and enable it.

                                devwinner-sek @viragomann

                                @viragomann

                                Ok.
                                I have enabled the bridge interfaces.
                                I still have the ping issue on other WAN IP addresses.

                                Image of interfaces

                                bridges_added.PNG

                                Image of ping from LAN VM
                                ping_host_denied.PNG

                                  devwinner-sek @devwinner-sek

                                  @devwinner-sek

                                  But ping from WAN IP to WAN IP is working.

                                  Ping from LAN IP to pfSense WAN IP is working.

                                    viragomann @devwinner-sek

                                    After changing interface configuration it's recommended to reboot the box.

                                    @devwinner-sek said in Can't ping WAN IP address:

                                    Still have ping issue on other WAN IP address.

                                    What is this other address assigned to? To a DMZ device?

                                      devwinner-sek @viragomann

                                      @viragomann

                                      Ok. Thanks.

                                      I have restarted the server. Problem not solved.

                                      The other address I want to ping is a public IP. It is linked to the DMZ interface.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.