How to allow webGUI access and ICMP ping on WAN interface?

xZer0 · Dec 6, 2012, 7:41 AM

Hi, I have a little problem like as below topic.
http://forum.pfsense.org/index.php/topic,524.0.html

I just want to test firewall rules. I have two interfaces and setting info as below:

WAN -> em1 (192.168.1.11/24)
gw (192.168.1.1)
LAN -> em0 (10.30.30.1/24)

My pfSense webGUI's setting on https protocol and I configured firewall rule to allow ICMP Echo reply and https. (See attachment)
I can't ping and open webGUI via WAN Interface (https://192.168.1.11)

I'm using pfSense version 2.0.1-RELEASE (i386)
built on Mon Dec 12 17:53:52 EST 2011
FreeBSD 8.1-RELEASE-p6

Whats wrong? Why it doesnt work?
![Screen shot 2012-12-06 at 2.09.03 PM.png](/public/imported_attachments/1/Screen shot 2012-12-06 at 2.09.03 PM.png)
![Screen shot 2012-12-06 at 2.09.03 PM.png_thumb](/public/imported_attachments/1/Screen shot 2012-12-06 at 2.09.03 PM.png_thumb)

johnnybe · Dec 6, 2012, 1:10 PM

Change the ICMP protocol to echo request.
As of for the Gui Admin access, try using the IP on Wan, ie https://your_wanip.

Guest · Dec 6, 2012, 3:33 PM

Can the gateway (192.168.1.1) ping your pfsense? I imagine you're trying to ping from behind the gateway originally? If not what's your network topology look like?
It looks like you've already unchecked "block private networks" in the WAN interface tab, so that's ruled out.

example LAN OPT1 WAN LAN
In my head I picture… You (172.19.15.20) > (172.19.15.1) Gateway (192.168.1.1) > (192.168.1.11) pfsense (10.30.30.1) > workgroup

xZer0 · Dec 7, 2012, 3:41 AM

Yes, It doesn't work when I'm trying to ping pfSense host from another host on the same WAN network (IP:192.168.1.25).
And when I'm trying to ping gateway(192.168.1.1) from pfSense host. It doesn't work either.

There is routing tables in my network.

[2.0.1-RELEASE][root@pfSense.localdomain]/root(9): netstat -r
Routing tables

Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.1.1 UGS 0 4 em1
localhost link#3 UH 0 121 lo0
10.30.30.0 link#1 U 0 1451 em0
pfsense link#1 UHS 0 0 lo0
192.168.1.0/24 link#2 U 0 377 em1
192.168.1.11 link#2 UHS 0 0 lo0

Guest · Dec 10, 2012, 3:52 PM

Your routing tables look like mine so I would say it's safe to assume your pfsense is configured correctly. You said you pinged pfsense from "another host on the same WAN network" - does this sit behind 192.168.1.1 or parallel to it? Even though it's an internal network, is your gateway blocking ICMP packets on all interfaces?

I decided to add the same rule as you - ICMP - Echo Reply, and I'm unable to ping myself. Changing it to request, and I'm able to ping myself. (Since my WAN is an outside IP, I used network-tools.com).

As you ping from the WAN side > pfsense, maybe look at the packet capture (Diagnostics > packet capture) and see if pfsense even gets hit.

@xZer0:

Yes, It doesn't work when I'm trying to ping pfSense host from another host on the same WAN network (IP:192.168.1.25).
And when I'm trying to ping gateway(192.168.1.1) from pfSense host. It doesn't work either.

There is routing tables in my network.

[2.0.1-RELEASE][root@pfSense.localdomain]/root(9): netstat -r
Routing tables

Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.1.1 UGS 0 4 em1
localhost link#3 UH 0 121 lo0
10.30.30.0 link#1 U 0 1451 em0
pfsense link#1 UHS 0 0 lo0
192.168.1.0/24 link#2 U 0 377 em1
192.168.1.11 link#2 UHS 0 0 lo0

xZer0 · Dec 11, 2012, 4:51 AM

Thanks all. :D

I got it. It's just a problem about my network. I tried to install on virtual machine. But I'm not config the active interface to WAN Network. It worked after I re-config the active interface.