Netgate Discussion Forum

    Please help with blocked 1.1.1.1 ping after 2.8.0 upgrade

    • WA2FAST

      I've been searching and cannot find a straightforward answer to this; hoping someone can help me here, please and thank you.

      I've upgraded from 2.7.2 to 2.8.0 and everything went well and is working just fine, except now my log is full of 1.1.1.1 ping (ICMP) blocks. This was not the case before, and I obviously cannot ping 1.1.1.1 from my internal network anymore. Should be a simple fix, I'm assuming; however, I just simply cannot figure this simple one out for some reason.

      Log reads as follows:
      Action: Block
      Reason: match
      Tracker ID: ----------
      Matched Rule:
      @131 block drop out log quick inet proto icmp from an to 1.1.1.1 icmp-type echoreq label "gateway monitoring" ridentifier ----------

      Again, I'm sure this is a very simple, stupid quick fix but would like to get this addressed as I have some very active clients on the network (along with one of my WAN interfaces monitoring) and the log has tons of entries like this.

      Thank you very much in advance!

      • WA2FAST

        Okay, in playing around with this, I just learned the behavior, which is new from the previous version of pfSense.

        If you have an alternate address entered for its monitoring IP address (to ping instead of DHCP's default gateway on the WAN interface), pfSense then takes that as fact and that IP must not be valid or alive. This would be the case for disconnected WAN interfaces that have a public IP address set as their alternate IP address. When I removed that line or changed it to a different public IP address for monitoring, it "released" 1.1.1.1 and allows pings through.

        So this must be by design, but an interesting change from the previous version. There is a case where I have to use something other than the WAN interface's default gateway to determine if traffic should be routed to it in a WAN interface group I have, and this is where it was coming from. So please disregard, hopefully this info is helpful to others.

        Thanks

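To check a firewall for the collision described in this thread, the sketch below parses pf rule text and reports which addresses that clients ping are covered by a block rule labelled "gateway monitoring". It is an added example, not code from the posts or from pfSense. It assumes the rules are available as text in the format of the log entry above (for instance from `pfctl -sr`); the function names and all sample lines except the first are constructed for illustration.

```python
import ipaddress
import re

# Matches pf rule text in the form quoted in the log entry; the leading "@N"
# rule number is optional (assumed absent in a plain rules dump).
RULE_RE = re.compile(
    r'^(?:@\d+\s+)?(?P<action>block|pass)\b.*?\bproto\s+(?P<proto>\S+)'
    r'\s+from\s+\S+\s+to\s+(?P<dst>\S+)'
    r'(?:.*?\bicmp-type\s+(?P<icmp>\S+))?'
    r'.*?\blabel\s+"(?P<label>[^"]*)"'
)

# Constructed sample: line 1 is the rule quoted in the first post (its
# ridentifier is redacted there); the remaining lines are made up.
SAMPLE_RULES = '''\
@131 block drop out log quick inet proto icmp from an to 1.1.1.1 icmp-type echoreq label "gateway monitoring" ridentifier ----------
block drop out log quick inet proto icmp from any to 192.0.2.53 icmp-type echoreq label "gateway monitoring"
pass in quick on em1 inet proto icmp from any to any icmp-type echoreq label "USER_RULE: allow ping"
scrub on em0 inet all fragment reassemble
'''

def monitor_blocks(rules_text, label="gateway monitoring"):
    """Networks to which block rules carrying `label` drop ICMP echo requests."""
    nets = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m["action"] != "block" or m["label"] != label:
            continue
        if m["proto"] != "icmp" or m["icmp"] != "echoreq":
            continue
        try:
            nets.append(ipaddress.ip_network(m["dst"], strict=False))
        except ValueError:
            continue  # "any", table names and similar are out of scope here
    return nets

def colliding_targets(rules_text, client_targets):
    """Addresses clients ping that fall inside a monitoring block rule."""
    nets = monitor_blocks(rules_text)
    return [t for t in client_targets
            if any(ipaddress.ip_address(t) in n for n in nets)]

if __name__ == "__main__":
    print(colliding_targets(SAMPLE_RULES, ["1.1.1.1", "8.8.8.8", "192.0.2.53"]))
```

Any address it returns is one to stop using as a monitor IP, or to stop relying on for client-side reachability checks.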
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.