ICMP pings still timing out despite ICMP traffic being reported as passed
-
Why don't you create a LAN to any allow rule, but for any protocol? For sure that uses UDP as well
OK so I set the WAN and LAN rules to allow any traffic, and I am still getting 100% packet loss when I poll. Checking the firewall logs, it says every single connection is being allowed. I searched the IP addresses that matched the UOT Utility, and they all were ICMP.
http://i.imgur.com/4ED7xv5.png
-
Maybe these are packets with IP options? Set the allow rules to allow packets with IP options to pass (advanced option). BTW, I am just guessing now…
-
Maybe these are packets with IP options? Set the allow rules to allow packets with IP options to pass (advanced option). BTW, I am just guessing now…
Still not working. Nothing is coming up as blocked in the system logs.
-
I'm still having this issue. Has anyone downloaded that program and gotten the Poll function to work behind their pfsense router?
-
No problems here behind NAT with no specific outgoing ICMP rules. I know that some implementations of traceroute use UDP, so you may want to allow that through as well.
-
No problems here behind NAT with no specific outgoing ICMP rules. I know that some implementations of traceroute use UDP, so you may want to allow that through as well.
After it finishes a Traceroute, you have to click Poll. Then it will fill out the columns to the right.
-
Log from traceroute:
pass Nov 8 09:37:17 LAN 10.100.4.45:137 159.153.225.30:137 UDP pass Nov 8 09:37:12 LAN 10.100.4.45:137 159.153.225.5:137 UDP pass Nov 8 09:37:08 LAN 10.100.4.45:137 10.242.195.225:137 UDP pass Nov 8 09:37:03 LAN 10.100.4.45:137 10.105.0.1:137 UDP pass Nov 8 09:37:03 LAN 10.100.4.45 159.153.234.54 ICMPLog from polling:
pass Nov 8 09:38:17 LAN 10.100.4.45 159.153.226.105 ICMP pass Nov 8 09:38:17 LAN 10.100.4.45 159.153.225.30 ICMP pass Nov 8 09:38:15 LAN 10.100.4.45 159.153.225.5 ICMP pass Nov 8 09:38:14 LAN 10.100.4.45 206.126.236.55 ICMP pass Nov 8 09:38:12 LAN 10.100.4.45 96.34.3.89 ICMP pass Nov 8 09:38:11 LAN 10.100.4.45 96.34.0.48 ICMP pass Nov 8 09:38:09 LAN 10.100.4.45 96.34.2.40 ICMP pass Nov 8 09:38:08 LAN 10.100.4.45 96.34.80.126 ICMP pass Nov 8 09:38:06 LAN 10.100.4.45 96.34.84.142 ICMP pass Nov 8 09:38:05 LAN 10.100.4.45 10.242.195.225 ICMP pass Nov 8 09:38:05 LAN 10.100.4.45 x.x.x.x ICMP pass Nov 8 09:38:05 LAN 10.100.4.45 10.105.0.1 ICMPMy suggestion would be to allow any to any from your internal IP and log the traffic. Everything that I can touch, the uo program can touch.
-
I made any to any in the WAN rules, with logging, and the only thing that showed up was ICMP packets. I already have any to any in the LAN rules. When I did a Poll, I was still getting 100% loss.
-
Not having any issues here with polling.
I have no special rules other than the default lan rules.. Nat is automatic - you really should not have to do anything for pings to work.
So curious - are you behind a double nat.. You hide that second hop in your trace..
-
Second hop is very likely his public IP.
-
I made any to any in the WAN rules
Well there's your problem. You're allowing anyone from anywhere into your WAN interface. Firewall rules apply to inbound packets. The ones from you are inbound on your LAN interface, outbound on your WAN interface. Once they've traversed your WAN interface, for all intents and purposes they're considered an established session, and you don't need any rules on your WAN interface to keep it working. Take the any to any rule off of your WAN interface, that's extremely dangerous.
Create a rule like this:
only with your IP instead of mine, and let me know what happens. Make sure that in the "protocol" section you select "any." -
Second hop is very likely his public IP.
It shouldn't be his ip, the gateway off the segment he is connected too sure, which with most isps prob a large segment - mine for example is a /21 So sure in a privacy concern issue you might want to hide part of that IP range.. But it only gives away a segment he is on that would for example in my case be some 2000 addresses ;)
-
Yeah, meant gateway. Slow brain day. I've got a /28, so exposing my gateway would not be a great idea. Most people don't get /21s to play around with.
-
Second hop is very likely his public IP.
It shouldn't be his ip, the gateway off the segment he is connected too sure, which with most isps prob a large segment - mine for example is a /21 So sure in a privacy concern issue you might want to hide part of that IP range.. But it only gives away a segment he is on that would for example in my case be some 2000 addresses ;)
It is my WAN IP that I did block out of the picture. My pfSense router is connected to a Motorola SURFboard SB 6121 modem, which should have no routing or firewalling of any kind.
I made the rule exactly as you said, and here it is under pfsense firewall logs.
Edit: While the Poll was cycling through, I unplugged my computer from the pfsense router, unplugged the router from the modem, and plugged my PC directly to the modem. Immediatly I started getting responses. It's not my ISP or modem, it's pfsense. I just need to know what setting I have wrong in my router.
-
"While the Poll was cycling through, I unplugged my computer from the pfsense router, unplugged the router from the modem, and plugged my PC directly to the modem."
Really – normally you need to power cycle a cable modem. I have the SB6120 and if I change the mac of the device connected to it - I have to power cycle.
Power cycle your modem after you connect pfsense.
Here is the thing - out of the box what your doing should work.. you should not have to do anything for pings, or traceroutes to work.
As to what your blocking out - that should NOT be your wan IP.. What should be in there is the IP of your ISP router your hitting as first hop. So in my case its 24.13.176.1 while my actual IP is 24.13.x.x in that /21 range.
-
"While the Poll was cycling through, I unplugged my computer from the pfsense router, unplugged the router from the modem, and plugged my PC directly to the modem."
Really – normally you need to power cycle a cable modem. I have the SB6120 and if I change the mac of the device connected to it - I have to power cycle.
Power cycle your modem after you connect pfsense.
Here is the thing - out of the box what your doing should work.. you should not have to do anything for pings, or traceroutes to work.
As to what your blocking out - that should NOT be your wan IP.. What should be in there is the IP of your ISP router your hitting as first hop. So in my case its 24.13.176.1 while my actual IP is 24.13.x.x in that /21 range.
Oh you're right. That's a different IP address. The more I know….
I am gonna power cycle everything once people aren't using the Teamspeak server.
Edit: Power cycled, removed the MAC Address spoofing, but still having the issue.
-
I too am having this issue.
Have 2 WAN connections, both PPPoE on pfSense.
WAN 1 has an interface address (DHCP) with 5 Static IPs configured as Virtual IP Alias.
WAN 2 has a single Static IP, assigned via DHCP from the ISP.I can ping WAN 2 on it's static IP just fine, as it's the same IP as the Interface address.
WAN 1 however, will only respond to a ping on it's interface address, but not on any of the IP Aliases. In the system logs, it shows this traffic as a pass entry (I specified to log it), but the machine is not getting a response.Makes no sense!!
Any suggestions would be much appreciated. Please let me know if I can help by providing any more information.
Thanks in advance.
-
Your issue is not anything like the OP, not you have described it not.
The OP can not ping or traceroute to outside IPs.
Your talking about pinging your wans virtual IPs - not even in the same ballpark. Start your own thread!
-
My apologies, you're right. I've skimmed so many articles to try and find a solution, I misread this one.
Good luck OP
-
My apologies, you're right. I've skimmed so many articles to try and find a solution, I misread this one.
Good luck OP
Try adding individual firewall rules for each IP on the interface, that was my fix in your case.
-
I downloaded the utility and ran it, no issues with the polling function behind pfSense. Furthermore, I ran a wireshark capture on its traffic and all it generates is ICMP pings. I really can't see why it wouldn't just work ???
-
I disabled all packet filtering temporarily and despite NAT being completely off, it's still not working. Also I polled a couple of computers on the network just fine, with 0% loss.
So if it's not the firewall that's stopping it, what is?
-
What if you get one of those hops and ping it from a console? Do you get replies?
-
can we see your wan and lan rules.. And are you nats automatic - and your floating tab is empty?
and you only have wan and lan interfaces on pfsense right?
This should just work out of the box, bing bang zoom.. You have something odd going on that is for sure - but without seeing your wan and lan rules and any nats you might have setup its hard to tell where your issue is.
Please post screen shots of these screens so we can see your full set.
-
What if you get one of those hops and ping it from a console? Do you get replies?
Yes, pinging the hops individually works fine.
can we see your wan and lan rules.. And are you nats automatic - and your floating tab is empty?
and you only have wan and lan interfaces on pfsense right?
This should just work out of the box, bing bang zoom.. You have something odd going on that is for sure - but without seeing your wan and lan rules and any nats you might have setup its hard to tell where your issue is.
Please post screen shots of these screens so we can see your full set.
I've attached all the firewall rules and LAN/WAN settings.
http://imgur.com/a/MM8a8
 -
Ok why and the hell do you have a 192.168.1.50 address as vip for a 1:1 to your wan?
What do you think that 1:1 nat is doing?
Your LAN rules say if your coming from 192.168.1.50 you can talk to 192.168.1.234?? When would that rule ever come into play? A box on 192.168.1.0/24 ie your lan would never even send a packet to 192.168.1.1 because 192.168.1.234 is its own network. And isn't .50 the vip you created?
I would suggest you remove all that stuff. I would then delete your nat rules since seems your currently set to auto but must at one time set it to manual.. So those should be deleted.
Your best best would be to prob just from the console do a
4) Reset to factory defaultsAnd then see what happens.
-
Reset to factory defaults, haven't changed a single option, and still getting timeout when I do a Poll.
-
dude your rules make no sense.. Why do you have rules for lan to lan traffic - you do understand that pfsense has nothing to do with boxes talking to each other on 192.168.1.0/24 – it is a gateway OFF that network..
You clearly created a VIP for a 1:1 - 192.168.1.50
You have setup a 1:1 NAT to what??
Simple just reset to factory and all that nonsense goes away. Then ask how to do what you want to do.. What is the purpose of 192.168.1.50 on your WAN interface in a 1:1 nat? What do you expect to accomplish with that?
-
dude your rules make no sense.. Why do you have rules for lan to lan traffic - you do understand that pfsense has nothing to do with boxes talking to each other on 192.168.1.0/24 – it is a gateway OFF that network..
You clearly created a VIP for a 1:1 - 192.168.1.50
You have setup a 1:1 NAT to what??
Simple just reset to factory and all that nonsense goes away. Then ask how to do what you want to do.. What is the purpose of 192.168.1.50 on your WAN interface in a 1:1 nat? What do you expect to accomplish with that?
I just reset, as I have said in my earlier post.
Also I didn't have that rule there 15 minutes before this post, as I was trying to figure out how to do an emulation of an IP address so if a computer requests 192.168.1.50, it will redirect them to 192.168.1.234. This is due to a limitation of Apple Computers where a Hostname cannot be used for a network printer, only an IP address, and every once in a while the IP will change. The only way to change the IP of an installed network printer on a Mac is to reinstall the printer software. It would be ten times easier just to have all the Macs point to a virtual IP, which redirects them to the printer's real IP.
-
so you have reset or have not reset with out those 1:1 without the manual nat rules showing up?
So your saying if you do ping to those hops from pfsense, or from box behind pfsense they work?
If they do not work from pfsense then its not pfsense causing the problem. If they work from pfsense console, but dont' work behind pfsense then there is something wrong with pfsense.
-
so you have reset or have not reset with out those 1:1 without the manual nat rules showing up?
I reset all settings in the entire box. There is no rules, except for the default LAN rules ones that allow networked PCs to communicate. All NAT settings are empty.
So your saying if you do ping to those hops from pfsense, or from box behind pfsense they work?
If they do not work from pfsense then its not pfsense causing the problem. If they work from pfsense console, but dont' work behind pfsense then there is something wrong with pfsense.
If I ping them behind pfsense in windows command line, it works. Same with tracert. If I poll them in this tool, I have 100% loss.
If I unplug my pfsense router and connect to my modem directly, I can poll everything just fine.
I can also poll other computers on the same network fine.
Edit: I can also tracert from pfsense fine.
-
Well that makes absolutely no sense - all the tool is doing is icmp pings.
And you say if you do the same tracert and ping command work from windows directly.
So look here is sniff of the traffic, all its sending is pings in the poll
did you tweak anything in the tool settings.. what is your ping TTL set too?
-
As to your printer stuff - what are you trying to accomplish. Why would your printers not be discovered with airprint/bonour/mdns/dns-sd?
Seems to be they are the same segment. If not on same segment then you can do look up cross segments support for printers with apple, etc.
I don't have any apple to play with other than my ipad - but I shared out my printer via cups and finds it by name no problem.
dnssd://Samsung%20ML-2570%20Series%20(samsung)._printer._tcp.local/
Trying to setup via IP I agree would be a pain to be sure.. I find it hard to believe you can not setup FQDN when adding a printer to apples? Do you not have normal dns services on your network.. Pfsense can for sure hand out say printer1.somedomain.tld to your network. Then if IP changes just update your host over ride in pfsense to point to new IP, etc.
-
I strongly believe there's something wrong with either your PC or that "pinging software". Did you try from another PC within the same LAN?
BTW, what was the actual problem??? I got lost
-
I strongly believe there's something wrong with either your PC or that "pinging software". Did you try from another PC within the same LAN?
BTW, what was the actual problem??? I got lost
I just tried it on 2 other laptops in the house. They all had the same exact issue: Trace Route works, but Polling gives a 100% loss. All ICMP traffic in pfsense was marked as "passed" in the firewall logs.
The original issue was that in Battlefield 4 and Battlefield 3 my ping displays as a dash in game. I contacted EA, and they gave me that tool. When I remove my router and directly connect to my mode, that tool and my ping in Battlefield both start working properly, thus leading me to believe both use similar pinging methods, and thus being able to successfully Poll with this tool while behind pfsense will allow me to see pings in BF4.
Well that makes absolutely no sense - all the tool is doing is icmp pings.
And you say if you do the same tracert and ping command work from windows directly.
So look here is sniff of the traffic, all its sending is pings in the poll
did you tweak anything in the tool settings.. what is your ping TTL set too?
All the settings in the tool were the same as you posted. I did however do a packet sniff, and it looks like I'm getting the replies.
-
Did you try turning your firewall off? Maybe it is configuring itself on different "profiles" depending on whether you are connecting directly to your router or not
-
Did you try turning your firewall off? Maybe it is configuring itself on different "profiles" depending on whether you are connecting directly to your router or not
Windows Firewall service is disabled.
-
Man I am glad I found this thread, as I have been having this exact same problem. In Battlefield 3 and 4 my ping shows as "-" in game. If I connect directly to the cable modem or use my old wrt54gl in place of the pfSense box then the pings show up.
When I go through the pf sense box the ping shows fine in battlelog (web based server browser for the game) and I can open up command prompt and ping sites just fine. I also created a rule to allow icmp requests on the wan and going to www.whatsmyip.org/ping/ pings show up just fine. So then i decided to create a NAT rule that passed icmp to the machine running the game and that didn't work either. I also downloaded that EA utility and when I do the Poll option I get the same results as the OP.
My pfsense box is running v2.1 on live cd. I have everything set to defaults except for the WAN rule allowing icmp through. Hopefully we can get this fixed because the game server admins keep kicking out of their servers cause they think my ping is to high.
-
"Windows Firewall service is disabled."
that is NOT the way to disable your firewall - the service should be left running, and you go into the settings and turn it off. I have to assume your machine is not allowing you to see the returns.. Since clearly from your sniff, on your machine pfsense is sending your replies to you.
So something in your OS is not allowing the tool to see those replies.
I would suggest you let the service run, and just turn off the firewall for whatever network profile your on - I would assume home. Are you running any other sort of security suite on your machines?
Clearly from your sniff your machine is getting the replies to the pings - so your problem has NOTHING to do with pfsense.
If I had to guess as mentioned when your connected to pfsense your under some other network profile, when when you connect to your modem directly. And either your other security software is causing you problems - or that you have disabled the firewall service is causing you issues under these different profiles.
So enable the service - go into the firewall settings and allow icmp, then turn off the firewall but do not mess with the firewall service.
To bob314 - I see no point in forwarding ICMP into something behind your pfsense.. Why can pfsense not just answer the pings, just allow icmp to your wan interface and you should be fine. If your going to forward icmp to something behind pfsense - then you need to make sure that something answers and does not have some firewall running or in an odd state like the OP.
-
"Windows Firewall service is disabled."
that is NOT the way to disable your firewall - the service should be left running, and you go into the settings and turn it off. I have to assume your machine is not allowing you to see the returns.. Since clearly from your sniff, on your machine pfsense is sending your replies to you.
So something in your OS is not allowing the tool to see those replies.
I would suggest you let the service run, and just turn off the firewall for whatever network profile your on - I would assume home. Are you running any other sort of security suite on your machines?
Clearly from your sniff your machine is getting the replies to the pings - so your problem has NOTHING to do with pfsense.
If I had to guess as mentioned when your connected to pfsense your under some other network profile, when when you connect to your modem directly. And either your other security software is causing you problems - or that you have disabled the firewall service is causing you issues under these different profiles.
So enable the service - go into the firewall settings and allow icmp, then turn off the firewall but do not mess with the firewall service.
Turned on the firewall service, turned on the firewall, allowed ICMP traffic. Still same issue. Turned off firewall, still had service enabled, same issue. I don't think the firewall is the problem since it was completely disabled on my system.
I checked all my network settings that have to do with the specific network. It's set to Private (the least restrictive), and all sharing options are enabled.
Also this occurs on multiple computers on the same network, it's not isolated.
Could it be pfsense is modifying the packets somehow? Changing the headers or the content?
I'm going to contact EA, now that I have proof the packets are indeed received on my computer.
