Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    ICMP only from 1 host to 1 Host

    Scheduled Pinned Locked Moved Traffic Shaping
    1 Posts 1 Posters 72 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E
      Ernat
      last edited by

      Strange ICMP Behavior: Only One Remote Host Cannot Ping Main LAN Interface IP, but Can Ping VIP

      Environment

      • PfSense Version: 2.7.2-RELEASE
      • Configuration: IPsec tunnel between networks

      Issue Description

      I'm experiencing a very specific issue with ICMP traffic through an IPsec tunnel. A single remote host (192.168.x.45) cannot ping the main LAN interface IP address (192.168.y.5) of my PfSense firewall, but it CAN successfully ping the Virtual IP (192.168.y.3) on the same interface. This issue is isolated to this specific source-destination pair - other hosts in the remote network can ping both addresses without issues.

      Important Details

      • The problem affects only one remote host (192.168.x.45)
      • The problem affects only pings to the main LAN interface IP (192.168.y.5)
      • The same host can successfully ping the VIP (192.168.y.3) on the same interface
      • Regular traffic between the networks works fine
      • There are no firewall rules blocking this specific traffic
      • Phase 2 IPsec configuration includes both networks (192.168.y.0/24 and 192.168.x.0/24)

      Troubleshooting Steps Already Performed

      1. Verified firewall rules - confirmed no specific blocks for this traffic
      2. Checked routing tables - both IPs are correctly routed
      3. Checked IPsec policies with setkey -DP - policies appear correct for the networks
      4. Packet capture on LAN interface shows no packets arriving from 192.168.x.45 when pinging 192.168.y.5
      5. Verified IPsec status with ipsec statusall - tunnel is established correctly
      6. Tried different packet sizes with ping -s 100 - no change in behavior
      7. Checked for special system parameters with sysctl net.inet.icmp - nothing unusual
      8. Attempted to clear states with pfctl -k 192.168.x.45 -k 192.168.y.5 - no states found

      PfSense Configuration

      • Main LAN interface: 192.168.y.5/24 (bge5)
      • Virtual IP on LAN: 192.168.y.3
      • IPsec Phase 2 includes networks 192.168.y.0/24 and 192.168.x.0/24

      Questions for the Community

      1. Is this a known behavior in PfSense 2.7.2 where the main LAN interface IP is specially protected from ICMP over IPsec?
      2. Could this be a bug in how PfSense handles ICMP packets to the main interface IP versus VIPs in IPsec tunnels?
      3. Are there any hidden firewall rules or system configurations that might be causing this behavior?
      4. Has anyone experienced a similar issue and found a solution?

      Any insights would be greatly appreciated as this behavior has me completely stumped. While I can work around it by using the VIP, I'd like to understand if this is expected behavior or a configuration issue.

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.