Can't ping WAN IP address

devwinner-sek

We just installed Pfsense 2.4.5 on proxmox 6.3.6 and then we have:

Configured on the WAN, LAN and DMZ interfaces:
• WAN interface (em0), public IPv4 + Gateway
• LAN interface (em1), IPv4 10.12.2.4
• DMZ interface (em2)
Created a bridge interface (WAN, DMZ).
Added the following rules:
• DMZ: Allow all from any source to any destination
• WAN: Allow icmp from any source to WAN address
• LAN: Allow icmp from LAN address to WAN address

For informations,
Pfsense uses the WAN interface gateway as the default gateway.
VMs with just one LAN IP have the Pfsense LAN IP as their gateway (10.12.2.4)
VMs with a public IP have the same Gateway as Pfsense and are linked to the DMZ interface

NB: We use public fail-over IP addresses from So you start

Report:
From 1 VM with a LAN interface:
• The ping of the public IP address of Pfsense passes

What is our problem?
From 1 VM with a LAN interface, it is:
• Unable to ping other public IP addresses
• Unable to access any service located on 1 public IP

viragomann

@devwinner-sek said in Can't ping WAN IP address:

What is our problem?
From 1 VM with a LAN interface, it is:
• Unable to ping other public IP addresses
• Unable to access any service located on 1 public IP

So allow all services you need to any or to the desired destinations.
Since you have only allowed ping from LAN (I assume, you have LAN net in the source instead address) to pfSense WAN address, this is what pfSense permit now.

devwinner-sek

@viragomann
Ok thanks for you proposal. I will try it and check if it solves the issue.

devwinner-sek

@devwinner-sek
With your advice, i have added two new rules to LAN interfaces

1: Allow any protocol from LAN address to WAN address
2. Allow any protocol from LAN address to DMZ address

But ping from LAN to public ip steal not working.

johnpoz

At a loss to why someone would have just now installed such old versions of either pfsense or proxmox.

Moving this it VM section..

viragomann

@devwinner-sek
That's not what I tried to suggest.
"LAN address" is the IP of pfSenses LAN interface. "WAN address" is the WAN IP.

So on LAN the source should be "LAN net", which embraces the whole LAN subnet. For accessing any IP in the internet you have to set the destination to any. This includes the DMZ network as well, so one rule is sufficient.

viragomann

@johnpoz
To be honest, I have upgraded my home installation a few days ago.

devwinner-sek

@viragomann
Thanks for the help.

The rule : LAN net from any protocol to any is a default rule on Pfsense LAN interface. We haven't deleted this rule.

I have also updated today Pfsense to version 2.5.2. But still have the same problem.

johnpoz

@devwinner-sek Well if you lan rule is default any any - and your on the lan network you would for sure be able to ping your wan IP.

If you can not, then can you even ping the Lan IP? You sure your pinging the correct wan IP? Unless you put a floating rule to block, or you have some other rule above the default lan rule - did you happen to enable block rfc1918 on your lan or bogon.. Seen users do that - haven't a clue in the world why anyone would do such a thing.. But have seen it multiple times.. Either of those things could prevent you from pinging the wan.

Why don't you actually post up your rules - other thing you sure your not forcing traffic out some gateway, that can not get to your wan IP, etc..

devwinner-sek

@johnpoz said in Can't ping WAN IP address:

rfc1918

Hello johnpoz.

Like i said, the ping of the WAN IP of Pfsense only is working.
Ping to other WAN Ip address doesn't work.
I don't have rfc1918 block rule on my Pfsense

Images of my rules