ICMP pings still timing out despite ICMP traffic being reported as passed
-
What if you get one of those hops and ping it from a console? Do you get replies?
-
can we see your wan and lan rules.. And are your nats automatic - and your floating tab is empty?
and you only have wan and lan interfaces on pfsense right?
This should just work out of the box, bing bang zoom.. You have something odd going on that is for sure - but without seeing your wan and lan rules and any nats you might have set up it's hard to tell where your issue is.
Please post screenshots of these screens so we can see your full set.
-
> What if you get one of those hops and ping it from a console? Do you get replies?
Yes, pinging the hops individually works fine.
> can we see your wan and lan rules.. And are your nats automatic - and your floating tab is empty?
> and you only have wan and lan interfaces on pfsense right?
> This should just work out of the box, bing bang zoom.. You have something odd going on that is for sure - but without seeing your wan and lan rules and any nats you might have set up it's hard to tell where your issue is.
> Please post screenshots of these screens so we can see your full set.
I've attached all the firewall rules and LAN/WAN settings.
http://imgur.com/a/MM8a8
![firewall nat 1 to 1.PNG](/public/imported_attachments/1/firewall nat 1 to 1.PNG)
-
Ok why in the hell do you have a 192.168.1.50 address as vip for a 1:1 to your wan?
What do you think that 1:1 nat is doing?
Your LAN rules say if you're coming from 192.168.1.50 you can talk to 192.168.1.234?? When would that rule ever come into play? A box on 192.168.1.0/24 ie your lan would never even send a packet to 192.168.1.1 because 192.168.1.234 is its own network. And isn't .50 the vip you created?
I would suggest you remove all that stuff. I would then delete your nat rules since seems you're currently set to auto but must at one time set it to manual.. So those should be deleted.
Your best bet would be to prob just from the console do a
4) Reset to factory defaults
And then see what happens.
-
Reset to factory defaults, haven't changed a single option, and still getting timeout when I do a Poll.
-
dude your rules make no sense.. Why do you have rules for lan to lan traffic - you do understand that pfsense has nothing to do with boxes talking to each other on 192.168.1.0/24 – it is a gateway OFF that network..
You clearly created a VIP for a 1:1 - 192.168.1.50
You have setup a 1:1 NAT to what??
Simple just reset to factory and all that nonsense goes away. Then ask how to do what you want to do.. What is the purpose of 192.168.1.50 on your WAN interface in a 1:1 nat? What do you expect to accomplish with that?
-
> dude your rules make no sense.. Why do you have rules for lan to lan traffic - you do understand that pfsense has nothing to do with boxes talking to each other on 192.168.1.0/24 – it is a gateway OFF that network..
> You clearly created a VIP for a 1:1 - 192.168.1.50
> You have setup a 1:1 NAT to what??
> Simple just reset to factory and all that nonsense goes away. Then ask how to do what you want to do.. What is the purpose of 192.168.1.50 on your WAN interface in a 1:1 nat? What do you expect to accomplish with that?
I just reset, as I have said in my earlier post.
Also I didn't have that rule there 15 minutes before this post, as I was trying to figure out how to do an emulation of an IP address so if a computer requests 192.168.1.50, it will redirect them to 192.168.1.234. This is due to a limitation of Apple Computers where a Hostname cannot be used for a network printer, only an IP address, and every once in a while the IP will change. The only way to change the IP of an installed network printer on a Mac is to reinstall the printer software. It would be ten times easier just to have all the Macs point to a virtual IP, which redirects them to the printer's real IP.
-
so you have reset or have not reset without those 1:1 without the manual nat rules showing up?
So you're saying if you do ping to those hops from pfsense, or from box behind pfsense they work?
If they do not work from pfsense then it's not pfsense causing the problem. If they work from pfsense console, but don't work behind pfsense then there is something wrong with pfsense.
-
> so you have reset or have not reset without those 1:1 without the manual nat rules showing up?
I reset all settings in the entire box. There are no rules, except for the default LAN rules that allow networked PCs to communicate. All NAT settings are empty.
> So you're saying if you do ping to those hops from pfsense, or from box behind pfsense they work?
> If they do not work from pfsense then it's not pfsense causing the problem. If they work from pfsense console, but don't work behind pfsense then there is something wrong with pfsense.
If I ping them behind pfsense in windows command line, it works. Same with tracert. If I poll them in this tool, I have 100% loss.
If I unplug my pfsense router and connect to my modem directly, I can poll everything just fine.
I can also poll other computers on the same network fine.
Edit: I can also tracert from pfsense fine.
-
Well that makes absolutely no sense - all the tool is doing is icmp pings.
And you say if you do the same tracert and ping command work from windows directly.
So look here is sniff of the traffic, all its sending is pings in the poll
did you tweak anything in the tool settings.. what is your ping TTL set to?
-
As to your printer stuff - what are you trying to accomplish. Why would your printers not be discovered with airprint/bonjour/mdns/dns-sd?
Seems to be they are the same segment. If not on same segment then you can do look up cross segments support for printers with apple, etc.
I don't have any apple to play with other than my ipad - but I shared out my printer via cups and finds it by name no problem.
dnssd://Samsung%20ML-2570%20Series%20(samsung)._printer._tcp.local/
Trying to setup via IP I agree would be a pain to be sure.. I find it hard to believe you can not setup FQDN when adding a printer to apples? Do you not have normal dns services on your network.. Pfsense can for sure hand out say printer1.somedomain.tld to your network. Then if IP changes just update your host override in pfsense to point to new IP, etc.
-
I strongly believe there's something wrong with either your PC or that "pinging software". Did you try from another PC within the same LAN?
BTW, what was the actual problem??? I got lost
-
> I strongly believe there's something wrong with either your PC or that "pinging software". Did you try from another PC within the same LAN?
> BTW, what was the actual problem??? I got lost
I just tried it on 2 other laptops in the house. They all had the same exact issue: Trace Route works, but Polling gives a 100% loss. All ICMP traffic in pfsense was marked as "passed" in the firewall logs.
The original issue was that in Battlefield 4 and Battlefield 3 my ping displays as a dash in game. I contacted EA, and they gave me that tool. When I remove my router and directly connect to my modem, that tool and my ping in Battlefield both start working properly, thus leading me to believe both use similar pinging methods, and thus being able to successfully Poll with this tool while behind pfsense will allow me to see pings in BF4.
> Well that makes absolutely no sense - all the tool is doing is icmp pings.
> And you say if you do the same tracert and ping command work from windows directly.
> So look here is sniff of the traffic, all its sending is pings in the poll
> did you tweak anything in the tool settings.. what is your ping TTL set to?
All the settings in the tool were the same as you posted. I did however do a packet sniff, and it looks like I'm getting the replies.
-
Did you try turning your firewall off? Maybe it is configuring itself on different "profiles" depending on whether you are connecting directly to your router or not
-
> Did you try turning your firewall off? Maybe it is configuring itself on different "profiles" depending on whether you are connecting directly to your router or not
Windows Firewall service is disabled.
-
Man I am glad I found this thread, as I have been having this exact same problem. In Battlefield 3 and 4 my ping shows as "-" in game. If I connect directly to the cable modem or use my old wrt54gl in place of the pfSense box then the pings show up.
When I go through the pf sense box the ping shows fine in battlelog (web based server browser for the game) and I can open up command prompt and ping sites just fine. I also created a rule to allow icmp requests on the wan and going to www.whatsmyip.org/ping/ pings show up just fine. So then I decided to create a NAT rule that passed icmp to the machine running the game and that didn't work either. I also downloaded that EA utility and when I do the Poll option I get the same results as the OP.
My pfsense box is running v2.1 on live cd. I have everything set to defaults except for the WAN rule allowing icmp through. Hopefully we can get this fixed because the game server admins keep kicking me out of their servers because they think my ping is too high.
-
"Windows Firewall service is disabled."
that is NOT the way to disable your firewall - the service should be left running, and you go into the settings and turn it off. I have to assume your machine is not allowing you to see the returns.. Since clearly from your sniff, on your machine pfsense is sending your replies to you.
So something in your OS is not allowing the tool to see those replies.
I would suggest you let the service run, and just turn off the firewall for whatever network profile you're on - I would assume home. Are you running any other sort of security suite on your machines?
Clearly from your sniff your machine is getting the replies to the pings - so your problem has NOTHING to do with pfsense.
If I had to guess as mentioned when you're connected to pfsense you're under some other network profile, than when you connect to your modem directly. And either your other security software is causing you problems - or that you have disabled the firewall service is causing you issues under these different profiles.
So enable the service - go into the firewall settings and allow icmp, then turn off the firewall but do not mess with the firewall service.
To bob314 - I see no point in forwarding ICMP into something behind your pfsense.. Why can pfsense not just answer the pings, just allow icmp to your wan interface and you should be fine. If you're going to forward icmp to something behind pfsense - then you need to make sure that something answers and does not have some firewall running or in an odd state like the OP.
-
> "Windows Firewall service is disabled."
> that is NOT the way to disable your firewall - the service should be left running, and you go into the settings and turn it off. I have to assume your machine is not allowing you to see the returns.. Since clearly from your sniff, on your machine pfsense is sending your replies to you.
> So something in your OS is not allowing the tool to see those replies.
> I would suggest you let the service run, and just turn off the firewall for whatever network profile you're on - I would assume home. Are you running any other sort of security suite on your machines?
> Clearly from your sniff your machine is getting the replies to the pings - so your problem has NOTHING to do with pfsense.
> If I had to guess as mentioned when you're connected to pfsense you're under some other network profile, than when you connect to your modem directly. And either your other security software is causing you problems - or that you have disabled the firewall service is causing you issues under these different profiles.
> So enable the service - go into the firewall settings and allow icmp, then turn off the firewall but do not mess with the firewall service.
Turned on the firewall service, turned on the firewall, allowed ICMP traffic. Still same issue. Turned off firewall, still had service enabled, same issue. I don't think the firewall is the problem since it was completely disabled on my system.
I checked all my network settings that have to do with the specific network. It's set to Private (the least restrictive), and all sharing options are enabled.
Also this occurs on multiple computers on the same network, it's not isolated.
Could it be pfsense is modifying the packets somehow? Changing the headers or the content?
I'm going to contact EA, now that I have proof the packets are indeed received on my computer.
-
And why would it be doing that, when it's not doing it on mine, or for other people in the thread that say it works.
Clearly you see from sniff the replies are there, if you ping from cmd line on your client they work. If you traceroute from cmd line on your client it works. It's this software that is not seeing them.
Why I have no idea currently - the software works on my machine, and I am running through pfsense 2.1
I would have to think its something you're doing in your os setup, security software you're running? Do you run any security software? Maybe something to do with icmp rate limiting?
If you think what this software is doing - it could look malicious to me, pinging what could look like random IPs very quickly.
Take a look at the details of the packets when you do a normal ping from your command line that works. And what you get sent back in the reply. Then look at the packets the tool sends out and what you get back - do you see anything odd.
From my quick look it was your typical ping.. But when I get home I can do that test and compare what sent and recv'd when normally ping and what that tool sends and what is sent back.
Then repeat the sniffs while directly connected to your modem and see.. I would be curious what firewall profile you get, what does windows identify the network as when you're directly connected to the modem vs when you're connected to pfsense. Or what some other software you're running - are you running anything, antivirus sort of tools? Many of them contain firewalls or firewall like features, etc.
edit: as a side note and for completeness - here is why I say not to disable the firewall service.
http://technet.microsoft.com/en-us/library/cc766337%28v=ws.10%29.aspx
> Do not disable Windows Firewall by stopping the service. Instead, use one of the preceding procedures (or an equivalent Group Policy setting) to turn the firewall off. If you turn off the Windows Firewall with Advanced Security service, you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, Windows Service Hardening, and network protection from attacks that employ network fingerprinting.
I have never seen a reason why this service should be disabled. I personally don't see a need for the windows firewall on my machines - they are on my secure private lan. But I just turn off the firewall vs turning off the service. If for some strange reason my machine got connected to different network say wireless or something - then it would not be identified as home network, but public - and in that case I would want the software firewall. Laptops for example - they don't need the firewall while connected to my network. But when they get taken outside my secure network - then yes that network should be public and firewall ON..
-
> And why would it be doing that, when it's not doing it on mine, or for other people in the thread that say it works.
This baffles me more than anyone. I know it should be working, I'm hosting a website, teamspeak, and I've hosted plenty of gaming servers. Why a simple ICMP packet cannot get through is confusing.
> Clearly you see from sniff the replies are there, if you ping from cmd line on your client they work. If you traceroute from cmd line on your client it works. It's this software that is not seeing them.
> Why I have no idea currently - the software works on my machine, and I am running through pfsense 2.1
> I would have to think its something you're doing in your os setup, security software you're running? Do you run any security software? Maybe something to do with icmp rate limiting?
> If you think what this software is doing - it could look malicious to me, pinging what could look like random IPs very quickly.
The only software I have INSTALLED (not running) is Kaspersky Anti-Virus 2013, which doesn't have firewalling. I had Spybot Search and Destroy which blocked tens of thousands of IP addresses, but I reversed its changes and uninstalled it. I also have Peer Block, but it is not running AND it blocks IP addresses, not specific packets. Other than windows firewall which is disabled, and which I have always hated since Windows XP had it install automatically in a service pack years ago, there is nothing running on this PC that interferes with network traffic.
> Take a look at the details of the packets when you do a normal ping from your command line that works. And what you get sent back in the reply. Then look at the packets the tool sends out and what you get back - do you see anything odd.
> From my quick look it was your typical ping.. But when I get home I can do that test and compare what sent and recv'd when normally ping and what that tool sends and what is sent back.
> Then repeat the sniffs while directly connected to your modem and see.. I would be curious what firewall profile you get, what does windows identify the network as when you're directly connected to the modem vs when you're connected to pfsense. Or what some other software you're running - are you running anything, antivirus sort of tools? Many of them contain firewalls or firewall like features, etc.
OK I did that. Here is the log file. I've slightly altered it to show when and where I disconnect my pfsense and connect my modem. The first 3 lines of the log tell you what lines the parts of the log are on. I can't really understand what it says myself.
Here's a comparison from a poll to the same IP address. These first two resulted in a 100% loss, while behind my pfsense router:
```
No. Time Source Destination Protocol Length Info
18 1.429306000 192.168.1.139 4.69.201.38 ICMP 42 Echo (ping) request id=0x0001, seq=2323/4873, ttl=64 (reply in 21)
Frame 18: 42 bytes on wire (336 bits), 42 bytes captured (336 bits) on interface 0
Ethernet II, Src: AsustekC_cc:9f:bd (c8:60:00:cc:9f:bd), Dst: Trendnet_26:b9:d8 (00:14:d1:26:b9:d8)
Internet Protocol Version 4, Src: 192.168.1.139 (192.168.1.139), Dst: 4.69.201.38 (4.69.201.38)
Internet Control Message Protocol

No. Time Source Destination Protocol Length Info
21 1.514691000 4.69.201.38 192.168.1.139 ICMP 60 Echo (ping) reply id=0x0001, seq=2323/4873, ttl=53 (request in 18)
Frame 21: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Trendnet_26:b9:d8 (00:14:d1:26:b9:d8), Dst: AsustekC_cc:9f:bd (c8:60:00:cc:9f:bd)
Internet Protocol Version 4, Src: 4.69.201.38 (4.69.201.38), Dst: 192.168.1.139 (192.168.1.139)
Internet Control Message Protocol
```
Now here's to the same IP when connected to my modem, which resulted in a successful polling in this tool:
```
No. Time Source Destination Protocol Length Info
1935 80.618835000 67.180.200.247 4.69.201.38 ICMP 42 Echo (ping) request id=0x0001, seq=27944/10349, ttl=64 (reply in 1940)
Frame 1935: 42 bytes on wire (336 bits), 42 bytes captured (336 bits) on interface 0
Ethernet II, Src: AsustekC_cc:9f:bd (c8:60:00:cc:9f:bd), Dst: Cadant_63:ce:46 (00:01:5c:63:ce:46)
Internet Protocol Version 4, Src: 67.180.200.247 (67.180.200.247), Dst: 4.69.201.38 (4.69.201.38)
Internet Control Message Protocol

No. Time Source Destination Protocol Length Info
1940 80.697383000 4.69.201.38 67.180.200.247 ICMP 60 Echo (ping) reply id=0x0001, seq=27944/10349, ttl=55 (request in 1935)
Frame 1940: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Cadant_63:ce:46 (00:01:5c:63:ce:46), Dst: AsustekC_cc:9f:bd (c8:60:00:cc:9f:bd)
Internet Protocol Version 4, Src: 4.69.201.38 (4.69.201.38), Dst: 67.180.200.247 (67.180.200.247)
Internet Control Message Protocol
```
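To read the two captures above side by side, this added example (not part of the original post or the EA tool) pairs each echo request with its reply and reports only the fields that differ between the pfSense path and the direct-modem path. It assumes the Wireshark text-export summary row format shown in the post, Ethernet II framing and a 20-byte IPv4 header; the function names are hypothetical.

```python
import ipaddress
import re

# Summary rows copied from the two captures in the post above.
BEHIND_PFSENSE = """\
18 1.429306000 192.168.1.139 4.69.201.38 ICMP 42 Echo (ping) request id=0x0001, seq=2323/4873, ttl=64 (reply in 21)
21 1.514691000 4.69.201.38 192.168.1.139 ICMP 60 Echo (ping) reply id=0x0001, seq=2323/4873, ttl=53 (request in 18)
"""
DIRECT_TO_MODEM = """\
1935 80.618835000 67.180.200.247 4.69.201.38 ICMP 42 Echo (ping) request id=0x0001, seq=27944/10349, ttl=64 (reply in 1940)
1940 80.697383000 4.69.201.38 67.180.200.247 ICMP 60 Echo (ping) reply id=0x0001, seq=27944/10349, ttl=55 (request in 1935)
"""

ROW = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+ICMP\s+"
    r"(?P<length>\d+)\s+Echo \(ping\) (?P<kind>request|reply)\s+"
    r"id=(?P<id>0x[0-9a-fA-F]+), seq=(?P<seq>\d+)/\d+, ttl=(?P<ttl>\d+)"
)

# Assumed framing: Ethernet II (14) + IPv4 without options (20) + ICMP echo header (8).
HEADER_BYTES = 14 + 20 + 8


def parse_rows(text):
    """Return one dict per ICMP echo summary row; other lines are skipped."""
    matches = (ROW.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def pair_echoes(text):
    """Match each echo request to its reply on (id, seq, swapped addresses)."""
    pending, pairs = {}, []
    for r in parse_rows(text):
        if r["kind"] == "request":
            pending[(r["id"], r["seq"], r["src"], r["dst"])] = r
            continue
        req = pending.pop((r["id"], r["seq"], r["dst"], r["src"]), None)
        if req is None:
            continue  # reply with no matching request in this capture
        pairs.append({
            "client": req["src"],
            "client_is_private": ipaddress.ip_address(req["src"]).is_private,
            "payload_bytes": int(req["length"]) - HEADER_BYTES,
            "rtt_ms": round((float(r["time"]) - float(req["time"])) * 1000, 3),
            "reply_ttl": int(r["ttl"]),
        })
    return pairs, list(pending.values())  # second item: requests never answered


def compare(a_text, b_text):
    """Return the fields that differ between the first echo pair of each capture."""
    a, b = pair_echoes(a_text)[0][0], pair_echoes(b_text)[0][0]
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    print("differences:", compare(BEHIND_PFSENSE, DIRECT_TO_MODEM))
```

On these rows the request carries zero payload bytes on both paths and both requests are answered; the differing fields are the client address (private behind pfSense, public when direct), the round-trip time and the reply TTL.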