How to allow webGUI access and ICMP ping on WAN interface?
-
Hi, I have a little problem like the topic below.
http://forum.pfsense.org/index.php/topic,524.0.html
I just want to test firewall rules. I have two interfaces, with settings as below:
WAN -> em1 (192.168.1.11/24)
gw (192.168.1.1)
LAN -> em0 (10.30.30.1/24)
My pfSense webGUI is set to the HTTPS protocol, and I configured a firewall rule to allow ICMP Echo reply and HTTPS. (See attachment)
I can't ping or open the webGUI via the WAN interface (https://192.168.1.11)
I'm using pfSense version 2.0.1-RELEASE (i386)
built on Mon Dec 12 17:53:52 EST 2011
FreeBSD 8.1-RELEASE-p6
What's wrong? Why doesn't it work?

 -
Change the ICMP protocol to echo request.
As for the GUI admin access, try using the IP on WAN, i.e. https://your_wanip. -
Can the gateway (192.168.1.1) ping your pfsense? I imagine you're trying to ping from behind the gateway originally? If not, what does your network topology look like?
It looks like you've already unchecked "block private networks" in the WAN interface tab, so that's ruled out.
example LAN OPT1 WAN LAN
In my head I picture… You (172.19.15.20) > (172.19.15.1) Gateway (192.168.1.1) > (192.168.1.11) pfsense (10.30.30.1) > workgroup -
Yes, it doesn't work when I'm trying to ping the pfSense host from another host on the same WAN network (IP: 192.168.1.25).
And when I'm trying to ping the gateway (192.168.1.1) from the pfSense host, it doesn't work either.
Here are the routing tables in my network.
[2.0.1-RELEASE][root@pfSense.localdomain]/root(9): netstat -r
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS         0        4    em1
localhost          link#3             UH          0      121    lo0
10.30.30.0         link#1             U           0     1451    em0
pfsense            link#1             UHS         0        0    lo0
192.168.1.0/24     link#2             U           0      377    em1
192.168.1.11       link#2             UHS         0        0    lo0
 -
Your routing tables look like mine so I would say it's safe to assume your pfsense is configured correctly. You said you pinged pfsense from "another host on the same WAN network" - does this sit behind 192.168.1.1 or parallel to it? Even though it's an internal network, is your gateway blocking ICMP packets on all interfaces?
I decided to add the same rule as you - ICMP - Echo Reply, and I'm unable to ping myself. Changing it to request, and I'm able to ping myself. (Since my WAN is an outside IP, I used network-tools.com).
As you ping from the WAN side > pfsense, maybe look at the packet capture (Diagnostics > packet capture) and see if pfsense even gets hit.
 -
Thanks all. :D
I got it. It was just a problem with my network. I tried to install on a virtual machine, but I had not configured the active interface for the WAN network. It worked after I reconfigured the active interface.
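
The packet-capture check suggested in the thread, as an added example that is not part of any post: it reads tcpdump-style text from a capture on the WAN interface and separates the two failure modes discussed here, a ping that never reaches pfSense and a ping that arrives but gets no reply. The function name, result labels and sample capture lines are constructed for illustration, and the tcpdump text format is an assumption about how the capture is viewed.

```python
import re

# Matches tcpdump's one-line rendering of ICMP echo traffic.
ICMP_LINE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

def diagnose(capture_text, wan_ip):
    """Classify a failing ping to wan_ip from capture text taken on the WAN interface."""
    requests, replies = set(), set()
    for line in capture_text.splitlines():
        m = ICMP_LINE.search(line)
        if not m:
            continue  # ARP, TCP and anything else is ignored
        key = (m["id"], m["seq"])
        if m["kind"] == "request" and m["dst"] == wan_ip:
            requests.add((m["src"],) + key)   # keyed by the pinging host
        elif m["kind"] == "reply" and m["src"] == wan_ip:
            replies.add((m["dst"],) + key)    # keyed by the host being answered
    if not requests:
        # Nothing arrives: look below the firewall (cabling, VM NIC mapping).
        return "no-request-seen"
    if not requests & replies:
        # Arrives but is never answered: check that the WAN rule passes
        # ICMP echo request, not echo reply.
        return "request-unanswered"
    return "ok"

# Constructed sample captures using the addresses from the thread.
BLOCKED = """\
12:00:01.000100 IP 192.168.1.25 > 192.168.1.11: ICMP echo request, id 4242, seq 1, length 64
12:00:02.000100 IP 192.168.1.25 > 192.168.1.11: ICMP echo request, id 4242, seq 2, length 64
"""
WORKING = BLOCKED + (
    "12:00:02.000300 IP 192.168.1.11 > 192.168.1.25: "
    "ICMP echo reply, id 4242, seq 2, length 64\n"
)
UNREACHED = "12:00:01.000100 ARP, Request who-has 192.168.1.11 tell 192.168.1.25, length 46\n"

if __name__ == "__main__":
    for name, text in (("blocked", BLOCKED), ("working", WORKING), ("unreached", UNREACHED)):
        print(name, "->", diagnose(text, "192.168.1.11"))
```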