Cannot ping webserver from inside PFsense network



  • My current setup is: Cable modem => 8 port switch => pfSense (186) => rest of network
                                                      => Webserver 187
                                                      => Webserver 188

    I've got a block of static IPs my cable company provided for me: 186 - 190. Currently my problem is this: I am inside my pfsense network and can ping / browse to / ssh to my 188 webserver (everything is fine). If I try to do the same to the 187 webserver, I cannot ping / browse / ssh to it. If I am outside my network (i.e. at home) I can see both 188 AND 187 servers just fine. No special routes have been set up for 188, so I am very confused why one works and the other does not.

    Some things I have tried:
    Recreated both web servers from scratch.
    Can ping 188 from 187 and vice versa.
    Changing my 187 to 189 and 190 (those don't work either).
    Called my cable company and made sure all the MACs are trusted in their system.

    Could this have a 1:1 NAT solution?  The only reason I haven't started just making some NAT routes and really messing with the pfsense is because 188 works out of the gate!

    Sincerely, Confused!



  • As far as I know / have seen in practice, normal behavior should be equal to outside, independent of target (if firewall rules allow it).

    • Can you ping (both) servers from the firewall itself (Diagnostics->Ping)?
    • Do you perhaps see some ICMP blocking in your firewall logs to your 2nd server?
    • If you're running Linux: the default there is UDP ping => did you try ICMP ping, too (parameter -I)?


  • Can you ping (both) servers from the firewall itself (Diagnostics->Ping)?
          Yes. However, my 187 server produces (DUP!) replies. I get 3 replies and +2 duplicates.
          The 188 server produces a standard reply: 3 replies, no duplicates. Although when I do about 10 pings I do get some lost packets.

    I haven't gotten the chance to try the ICMP ping. I will do that tonight. Do the DUP responses to pings mean anything to you?



  • @asgray:

    Can you ping (both) servers from the firewall itself (Diagnostics->Ping)?
          Yes. However, my 187 server produces (DUP!) replies. I get 3 replies and +2 duplicates.
          The 188 server produces a standard reply: 3 replies, no duplicates. Although when I do about 10 pings I do get some lost packets.

    I haven't gotten the chance to try the ICMP ping. I will do that tonight. Do the DUP responses to pings mean anything to you?

    Yes. DUP! must not come… there are several problems which can cause that...

    Best I guess... take a look with tcpdump whether 187 receives the ping request and sends it back to the firewall
    ... it could be perhaps that the firewall blocks/loops something and didn't forward it to the server correctly
    ... or you have a network loop (employees like to self-administrate loose or "unsorted" cables ^^)
    ... I sometimes have udp "redirects" (but no DUP!) from my 2.0.2/2.0.3 firewalls ... which can show not so nice output on the ping side, too

    Easy - you can check your routing.
    On console:

    route -n get <ip.187>
    route -n get <ip.188>

    Should give the right interface for both addresses.

    You can tcpdump pfsense on the web GUI or better(?) on the shell console with tcpdump, too, on your LAN and DMZ/WAN side… somewhere the ping must be received... and normally go out again ^^

    tcpdump -ni <interface> icmp
    or
    tcpdump -ni <interface> icmp and host <ip>



  • Okay….

    Seeing something different here.

    My trouble IP 187 gives me this readout

    $ route -n get xxx.187
      route to: xxx.187
    destination: xxx.184
          mask: 255.255.255.252
      interface: em1
          flags: <UP,DONE>
     recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
          0        0        0        0      1500        1        0

    when the good one that is routing correctly does this...

    $ route -n get xxx.188
      route to: xxx.188
    destination: default
          mask: default
        gateway: xxx.185
      interface: em1
          flags: <UP,GATEWAY,DONE,STATIC>
     recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
          0        0        0        0      1500        1        0

    Thank you for all your help
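
An added example, not written by any poster in this thread: a small parser for the two `route -n get` results above that reports whether each target is reached on-link or through a gateway, and whether the target is the network or broadcast address of the matched route. The thread masks the first three octets as "xxx", so the constructed sample uses 203.0.113 in their place.

```python
import ipaddress
import re

# Constructed sample output: the thread hides the first three octets ("xxx"),
# so the documentation prefix 203.0.113 stands in for them (an assumption).
ROUTE_187 = """\
   route to: 203.0.113.187
destination: 203.0.113.184
       mask: 255.255.255.252
  interface: em1
      flags: <UP,DONE>
"""
ROUTE_188 = """\
   route to: 203.0.113.188
destination: default
       mask: default
    gateway: 203.0.113.185
  interface: em1
      flags: <UP,GATEWAY,DONE,STATIC>
"""

def parse_route_get(text):
    """Turn the 'key: value' lines of `route -n get` output into a dict."""
    return dict(re.findall(r"^\s*([\w ]+?):\s*(\S+)\s*$", text, re.M))

def classify(text):
    """Describe how the matched route reaches the target address."""
    r = parse_route_get(text)
    target = ipaddress.ip_address(r["route to"])
    if r["destination"] == "default":
        # No more specific route matched: traffic is handed to the gateway.
        return {"target": str(target), "path": "gateway",
                "via": r["gateway"], "notes": []}
    net = ipaddress.ip_network(f'{r["destination"]}/{r["mask"]}')
    notes = []
    if target == net.broadcast_address:
        notes.append(f"target is the broadcast address of {net}")
    elif target == net.network_address:
        notes.append(f"target is the network address of {net}")
    return {"target": str(target), "path": "on-link", "network": str(net),
            "hosts": [str(h) for h in net.hosts()], "notes": notes}

if __name__ == "__main__":
    for sample in (ROUTE_187, ROUTE_188):
        print(classify(sample))
```

With the mask shown in the thread, the connected route covers .184 to .187, so .187 is matched on-link while .188 falls through to the default gateway at .185.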

