I can't ping LAN ip to WAN ip



  • I can't ping FROM IP LAN TO WAN IP

    LAN IP  : 192.168.3.1
    WANIP  : 192.168.4.1



  • Delete your LAN rule.  It's not needed.  LAN has access to everywhere as a default.

    Just delete the first WAN rule.  (The second rule will take care of getting traffic from PC1 to PC2.)



  • @biggsy:

    Delete your LAN rule.  It's not needed.  LAN has access to everywhere as a default.

    Just delete the first WAN rule.  (The second rule will take care of getting traffic from PC1 to PC2.)

    he doesn't work    :-\


  • LAYER 8 Global Moderator

    @biggsy – WHAT??  Sorry but you need a lan rule.. Yes one is CREATED by default, does not mean you can delete it and expect things to work.

    He does NOT need a WAN rule if he is trying to ping from lan to wan.. If he wanted to ping from wan to lan then yes he would need a forward..  But ping is not really a port so he could not forward it.  etc..  That would be another topic trying to ping wan from lan ips over ipv4.

    Just went over this in another thread..  Here is how to troubleshoot it -- but its most likely your firewall or security/antivirus suite on pc1..  By default windows does not allow ping from segment other than its local one.

    http://forum.pfsense.org/index.php/topic,67781.msg371385.html#msg371385




  • @johnpoz:

    @biggsy – WHAT??  Sorry but you need a lan rule.. Yes one is CREATED by default, does not mean you can delete it and expect things to work.

    He does NOT need a WAN rule if he is trying to ping from lan to wan.. If he wanted to ping from wan to lan then yes he would need a forward..  But ping is not really a port so he could not forward it.  etc..  That would be another topic trying to ping wan from lan ips over ipv4.

    Just went over this in another thread..  Here is how to troubleshoot it -- but its most likely your firewall or security/antivirus suite on pc1..  By default windows does not allow ping from segment other than its local one.

    http://forum.pfsense.org/index.php/topic,67781.msg371385.html#msg371385

    firewall and antivirus is off IN PC 1  AND PC2

    but i can't ping  :-\

    please help  :-\


  • LAYER 8 Global Moderator

    Well then do the simple sniff test..  You will clearly be able to see where the issue is with a simple sniff..  Do you see your packets leave pfsense.. Do they leave pfsense but your client does not see them, if client does seem them - why not answer back?

    Can you ping the client from pfsense using the interface in that segment?  I'm pretty sure I was quite detailed in my instructions from the previous thread.



  • You have modified the default LAN rule and, even though it's wrong, I shouldn't have told you to delete it.  It should look like the first picture below. (Without the IPv6 rule probably)

    Your WAN rule needs to look like one of the next three images.

    The first allows anything on WAN to talk to anything on LAN.
    The second allows just 192.168.4.4 to talk to anything on LAN.
    The last just allows 192.168.4.4 to talk to 192.168.3.3.

    "WAN address" means pfSense's WAN address.  It doesn't mean WAN subnet.

    ![2013-10-12 08-44-42.png](/public/imported_attachments/1/2013-10-12 08-44-42.png)
    ![2013-10-12 08-44-42.png_thumb](/public/imported_attachments/1/2013-10-12 08-44-42.png_thumb)
    ![2013-10-12 08-45-55.png](/public/imported_attachments/1/2013-10-12 08-45-55.png)
    ![2013-10-12 08-45-55.png_thumb](/public/imported_attachments/1/2013-10-12 08-45-55.png_thumb)
    ![2013-10-12 08-48-32.png](/public/imported_attachments/1/2013-10-12 08-48-32.png)
    ![2013-10-12 08-48-32.png_thumb](/public/imported_attachments/1/2013-10-12 08-48-32.png_thumb)
    ![2013-10-12 08-49-11.png](/public/imported_attachments/1/2013-10-12 08-49-11.png)
    ![2013-10-12 08-49-11.png_thumb](/public/imported_attachments/1/2013-10-12 08-49-11.png_thumb)


  • LAYER 8 Global Moderator

    Again WANT??  You don't need any wan rule to allow devices to ANSWER a connection from something on the lan side..

    Do you need wan rules to talk to pfsense.org from lan device for web traffic?

    You would only need a WAN rule if you were doing a Port Forward and wanted unsolicited traffic to be able to start a conversation with an IP on the lan..  In this case you need a NAT rule and the wan rule to allow the traffic.  But clearly that is not what he is saying.

    He want to ping from lan to wan – just like you would ping say google.com

    So as you can see I can ping google.com from my lan

    C:>ping google.com

    Pinging google.com [173.194.46.38] with 32 bytes of data:
    Reply from 173.194.46.38: bytes=32 time=12ms TTL=55
    Reply from 173.194.46.38: bytes=32 time=13ms TTL=55
    Reply from 173.194.46.38: bytes=32 time=11ms TTL=55
    Reply from 173.194.46.38: bytes=32 time=10ms TTL=55

    Ping statistics for 173.194.46.38:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 10ms, Maximum = 13ms, Average = 11ms

    But I don't have any WAN rule that would permit that..



  • I'm not talking about reply traffic.  I'm talking about basic problems with his rules and trying to help him understand how they should be written.

    On the LAN side:

    He can ping from PC2 on the LAN to his pfSense WAN interface but not beyond that to to PC1 on the WAN net.

    @sangour111:

    I can't ping FROM IP LAN TO WAN IP

    Read that whatever way you like but the reason is because he used "WAN address" as the destination, not "WAN net" or the IP address of PC1 in his second LAN rule.

    That's the simple fix answer to the original question.  However, look at the WAN rules.

    On the WAN side:

    With the first WAN rule he allows PC1 to talk to pfSense's WAN interface. Fine.

    In the second rule he allows PC1 to talk to anything.  Presumably that has been put there to allow traffic from WAN to LAN - including pings, maybe.

    However, that second rule makes the first rule redundant.

    From all of this I figure the OP doesn't understand the difference between "XXX address" and "XXX net".

    The rules are bad.  It wasn't Windows firewall and, given the state of the rules, a "simple sniff" might not be so simple for the OP.

    Rather than say "change this to that" on a rule to fix that one (rather ill-defined) problem, "I can't ping FROM IP LAN TO WAN IP", I was trying to help the OP understand.


  • LAYER 8 Global Moderator

    Again He does NOT need WAN rules in his setup..  He never stated that he wants to ping from wan to wan to lan - and even if he does those rules would not work for ping now would they, nor would they work for anything because he has no NAT.

    But yup the LAN rule is the issue - since his destination is WAN address.. Good catch!!


Log in to reply