Cannot ping webserver from inside PFsense network
-
My current setup is:
Cable modem => 8 port switch => PF sense (186) => rest of network
                             => Webserver 187
                             => Webserver 188
I've got a block of static IPs my cable company provided for me, 186 - 190. Currently my problem is this: I am inside my pfsense network and can ping / browse to / ssh to my 188 webserver (everything is fine). If I try to do the same to the 187 webserver, I cannot ping / browse / ssh to it. If I am outside my network (i.e. at home) I can see both 188 AND 187 servers just fine. No special routes have been set up for 188, so I am very confused why one works and the other does not.
Some things I have tried:
Recreated both web servers from scratch
Can ping 188 from 187 and vice versa.
Changing my 187 to 189 and 190 (those don't work either).
Called my cable company and made sure all the MACs are trusted in their system.
Could this have a 1:1 NAT solution? The only reason I haven't started just making some NAT routes and really messing with the pfsense is because 188 works out of the gate!
Sincerely, Confused!
-
As I know/practically seen is that normal behavior should be outside equal independent of target (if firewall rules allow it).
- Can you ping (both) servers from the firewall itself (Diagnostics->Ping)?
- Do you perhaps see some ICMP blocking in your firewall logs to your 2nd server?
- If you're running Linux: by default there is UDP ping => did you try ICMP ping, too (parameter -I)?
-
Can you ping (both) servers from the firewall itself (Diagnostics->Ping)?
Yes. However, my 187 server produces (DUP!) replies. I get 3 replies and +2 duplicates.
188 server produces a standard reply: 3 replies, no duplicates. Although when I do about 10 pings I do get some lost packets.
I haven't gotten the chance to try the ICMP ping. I will do that tonight. Do the DUP responses to pings mean anything to you?
-
yes. DUP! must not come… there are several problems which can cause that...
Best I guess... take a look with tcpdump if 187 receives the ping request and sends it back to the firewall
... it could be perhaps that the firewall blocks/loops something and didn't forward it to the server correctly
... or you have a network loop (employees like to self-administrate loose or "unsorted" cables ^^)
... I sometimes have UDP "redirects" from my 2.0.2/2.0.3 firewalls (but no DUP!) ... which can show not so nice output, too, on the ping side
Easy - you can check your routing on the console:
route -n get <ip.187>
route -n get <ip.188>
Should give the right interface for both addresses.
You can tcpdump on pfsense in the web GUI or better(?) on the shell console, on your LAN and DMZ/WAN side… somewhere the ping must be received... and normally go out again ^^
tcpdump -ni <interface> icmp
or
tcpdump -ni <interface> icmp and host <ip>
-
Okay….
Seeing something different here.
My trouble IP 187 gives me this readout
$ route -n get xxx.187
route to: xxx.187
destination: xxx.184
mask: 255.255.255.252
interface: em1
flags: <up,done>
recvpipe sendpipe ssthresh rtt,msec mtu weight expire
0 0 0 0 1500 1 0
when the good one that is routing correctly does this...
$ route -n get xxx.188
route to: xxx.188
destination: default
mask: default
gateway: xxx.185
interface: em1
flags: <up,gateway,done,static>
recvpipe sendpipe ssthresh rtt,msec mtu weight expire
0 0 0 0 1500 1 0
Thank you for all your help
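
Added example, not part of the thread: a short Python check that reads the two route readouts above by working out how each address relates to the connected subnet the firewall reports (destination xxx.184, mask 255.255.255.252). The 192.0.2. prefix is a constructed stand-in for the redacted "xxx.", and the function names are made up for this example.

```python
import ipaddress

PREFIX = "192.0.2."  # constructed stand-in for the redacted "xxx." prefix


def classify(host_octet, net_octet, mask):
    """Role of an address relative to a connected subnet from `route -n get`."""
    net = ipaddress.ip_network(f"{PREFIX}{net_octet}/{mask}")
    ip = ipaddress.ip_address(f"{PREFIX}{host_octet}")
    if ip not in net:
        return "off-link (uses default gateway)"
    if ip == net.network_address:
        return "network address"
    if ip == net.broadcast_address:
        return "broadcast address"
    return "on-link host"


def smallest_common_subnet(octets):
    """Smallest single subnet that contains every listed address."""
    addrs = [ipaddress.ip_address(f"{PREFIX}{o}") for o in octets]
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()  # widen the prefix by one bit at a time
    return net


if __name__ == "__main__":
    # Connected route from the thread: destination xxx.184, mask 255.255.255.252
    for octet in (185, 186, 187, 188, 189, 190):
        print(octet, classify(octet, 184, "255.255.255.252"))
    # Computed, not the ISP's stated assignment: gateway .185 from the
    # second readout plus the static block .186-.190 from the first post.
    net = smallest_common_subnet(range(185, 191))
    print(net, net.netmask)
```

On this input .187 comes out as the broadcast address of the connected subnet and .188 as off-link, which matches the two readouts (no gateway for .187, default gateway xxx.185 for .188).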