Can't ping from Windows host to LAN interfaces in VMWare Workstation

forsenga

Hi
I have a Windows uses Vmware Workstation including PFsense virtual machine.
The WAN card is configured with VMWare's NAT and the other interfaces (LAN, OPT1, OPT2,..) are configured with LAN Segment.

The problem is I can't ping from Windows host to the VMs behind the PFsense (LAN, OPT1, OPT2,..) firewall except for the WAN. Meanwhile, it can be done vice versa, all the LAN interfaces can ping each other or to the Windows host successfully.

I set the Pfsense rules to pass any of the protocols on every interfaces and configured the static routes on Windows host too but it does not work.

The only succesful ping is to the PFsense WAN but not other interfaces behind it. When I switched the WAN interface to VM bridge mode then it works but this is VMWare NAT mode so I think that is where the problem at.

My interface assigments:

Ping from Windows host:

C:\Users\Admin>ping 192.168.232.9

Pinging 192.168.232.9 with 32 bytes of data:
Reply from 192.168.232.9: bytes=32 time<1ms TTL=64
Reply from 192.168.232.9: bytes=32 time<1ms TTL=64
Reply from 192.168.232.9: bytes=32 time<1ms TTL=64
Reply from 192.168.232.9: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.232.9:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\Admin>ping 192.168.30.11

Pinging 192.168.30.11 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.30.11:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

My route print :

Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
     192.168.30.0    255.255.255.0    192.168.232.1       1
     192.168.40.0    255.255.255.0    192.168.232.1       1
     192.168.20.0    255.255.255.0    192.168.232.1       1

Gblenn

@forsenga I'm not sure how VMWare NAT vs Bridge mode works and exactly how your setup is in terms of physical ports.

But, what is the IP of the Windows host you are using to ping from? If it is not on any of the segments 192.168.20 , 30 or 40 it shouldn't be able to ping those segments.

You have put pfsense in between and it is doing it's job as a firewall, isn't it...
Meaning you can't ping WAN -> LAN, since it is by default closed and should stay that way unless you open a specific port to one of your servers for example.

If by putting the VMWare port in bridge mode, you have opened up between 192.168.232.0/24 and the em1, em2 and em3? Then you are effectively bypassing pfsense aren't you?

Pinging from 192.168.20.1 to 192.168.232.N should of course work, since it's LAN -> WAN (internet)...

Pinging between segments .20 .30 and .40 would work but depends on the rules you set up in pfsense for those segments.

stephenw10

Unless you have configured it otherwise pfSense will be NATing between the WAN and internal subnets.

The host system routes should be via the pfSense WAN address not the host address.

You would need firewall rules on the pfSense WAN to pass that traffic.

forsenga

@stephenw10

The host system routes should be via the pfSense WAN address not the host address.

Can you clarify more on this? Isn't this already via the WAN address:

Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
     192.168.30.0    255.255.255.0    192.168.232.1       1
     192.168.40.0    255.255.255.0    192.168.232.1       1
     192.168.20.0    255.255.255.0    192.168.232.1       1

(I forgot to mention the route print output was on the Windows host)

and I've already set rules to pass all any traffics with any protocols in every interfaces and on WAN of course but the pings from Windows host only reach the WAN and not reach to the other subnets.

stephenw10

The pfSense WAN is 192.168.232.9. The subnets are behind pfSense so traffic needs to be routed via that.

forsenga

@stephenw10 thanks man, it works now.