ICMP pings still timing out despite ICMP traffic being reported as passed
-
So this started out with Battlefield 3 and Battlefield 4 not displaying ping in game (just a dash). After making forum posts on Battlefield's website with no responses, I finally contacted EA support. They showed me a tool called Ultima Online Trace Utility, which does trace routes and polling.
Using the UOTU I can Trace Route their server easo.ea.com with no packet loss. However, when I use the Poll feature I get 100% packet loss. When I unplug my pfsense router and plug directly into my modem, I get 0% packet loss when polling. I did some research and found out that the Polling feature in UOTU might use ICMP. So I allowed ICMP, turned on logging. When I Polled, I still got 100% packet loss. However, in my pfsense firewall logs it says ICMP traffic is being allowed to those addresses successfully. So what's going on? Can anyone try out this tool and see if they can get it working with their router?
Ultima Online Trace Utility download: ftp://ftp.ea.com/pub/origin/patches/uo/uotrace.exe
Trace Route and then Poll while connected to pfsense
pfsense logs on ICMP traffic
Trace Route and then Poll while directly connected to modem (no pfsense)
LAN Rule
WAN Rule
-
How about turning NAT on, or adding a static route on the modem for the pfsense's LAN subnet :)
-
How about turning NAT on, or adding a static route on the modem for the pfsense's LAN subnet :)
I created a NAT rule but no changes have taken place.
-
It's better if you could add static route on the modem, but if that's not possible - NAT should be on the WAN interface and not for ICMP only, but for "any".
-
Oops, I realized I already had Automatic outbound NAT rule generation enabled, making that ICMP rule redundant.
-
Why don't you create a LAN to any allow rule, but for any protocol? For sure that uses UDP as well
-
Why don't you create a LAN to any allow rule, but for any protocol? For sure that uses UDP as well
OK so I set the WAN and LAN rules to allow any traffic, and I am still getting 100% packet loss when I poll. Checking the firewall logs, it says every single connection is being allowed. I searched the IP addresses that matched the UOT Utility, and they all were ICMP.
http://i.imgur.com/4ED7xv5.png
-
Maybe these are packets with IP options? Set the allow rules to allow packets with IP options to pass (advanced option). BTW, I am just guessing now…
-
Maybe these are packets with IP options? Set the allow rules to allow packets with IP options to pass (advanced option). BTW, I am just guessing now…
Still not working. Nothing is coming up as blocked in the system logs.
-
I'm still having this issue. Has anyone downloaded that program and gotten the Poll function to work behind their pfsense router?
-
No problems here behind NAT with no specific outgoing ICMP rules. I know that some implementations of traceroute use UDP, so you may want to allow that through as well.
-
No problems here behind NAT with no specific outgoing ICMP rules. I know that some implementations of traceroute use UDP, so you may want to allow that through as well.
After it finishes a Traceroute, you have to click Poll. Then it will fill out the columns to the right.
-
Log from traceroute:
pass Nov 8 09:37:17 LAN 10.100.4.45:137 159.153.225.30:137 UDP
pass Nov 8 09:37:12 LAN 10.100.4.45:137 159.153.225.5:137 UDP
pass Nov 8 09:37:08 LAN 10.100.4.45:137 10.242.195.225:137 UDP
pass Nov 8 09:37:03 LAN 10.100.4.45:137 10.105.0.1:137 UDP
pass Nov 8 09:37:03 LAN 10.100.4.45 159.153.234.54 ICMP
Log from polling:
pass Nov 8 09:38:17 LAN 10.100.4.45 159.153.226.105 ICMP
pass Nov 8 09:38:17 LAN 10.100.4.45 159.153.225.30 ICMP
pass Nov 8 09:38:15 LAN 10.100.4.45 159.153.225.5 ICMP
pass Nov 8 09:38:14 LAN 10.100.4.45 206.126.236.55 ICMP
pass Nov 8 09:38:12 LAN 10.100.4.45 96.34.3.89 ICMP
pass Nov 8 09:38:11 LAN 10.100.4.45 96.34.0.48 ICMP
pass Nov 8 09:38:09 LAN 10.100.4.45 96.34.2.40 ICMP
pass Nov 8 09:38:08 LAN 10.100.4.45 96.34.80.126 ICMP
pass Nov 8 09:38:06 LAN 10.100.4.45 96.34.84.142 ICMP
pass Nov 8 09:38:05 LAN 10.100.4.45 10.242.195.225 ICMP
pass Nov 8 09:38:05 LAN 10.100.4.45 x.x.x.x ICMP
pass Nov 8 09:38:05 LAN 10.100.4.45 10.105.0.1 ICMP
My suggestion would be to allow any to any from your internal IP and log the traffic. Everything that I can touch, the uo program can touch.
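As an added example (not code from the thread or from pfSense), here is a small parser for the log rows pasted above. It summarises which interface and protocol each entry hit, which hosts received echo probes, and whether any row was a block; the column layout it assumes is the one the pasted rows show, and the sample rows are copied from the post.

```python
from collections import Counter

def parse_row(line):
    # Column layout as pasted from the thread: action Mon D HH:MM:SS iface src[:port] dst[:port] proto
    action, mon, day, clock, iface, src, dst, proto = line.split()
    dst_ip, _, dport = dst.partition(":")
    return {"action": action, "when": f"{mon} {day} {clock}", "iface": iface,
            "src": src.split(":")[0], "dst": dst_ip, "dport": dport or None,
            "proto": proto}

def summarize(text):
    rows = [parse_row(l) for l in text.splitlines() if l.strip()]
    return {
        "rows": len(rows),
        "blocked": [r for r in rows if r["action"] != "pass"],
        "by_iface_proto": Counter((r["iface"], r["proto"]) for r in rows),
        "icmp_targets": sorted({r["dst"] for r in rows if r["proto"] == "ICMP"}),
        "udp_dports": sorted({r["dport"] for r in rows if r["proto"] == "UDP"}),
    }

def firewall_dropped_probes(text):
    # Only a "block" row would show the rule set eating a probe; replies to a passed
    # probe match the state pf created for it and never appear in this log at all.
    return bool(summarize(text)["blocked"])

TRACE_LOG = """\
pass Nov 8 09:37:17 LAN 10.100.4.45:137 159.153.225.30:137 UDP
pass Nov 8 09:37:12 LAN 10.100.4.45:137 159.153.225.5:137 UDP
pass Nov 8 09:37:08 LAN 10.100.4.45:137 10.242.195.225:137 UDP
pass Nov 8 09:37:03 LAN 10.100.4.45:137 10.105.0.1:137 UDP
pass Nov 8 09:37:03 LAN 10.100.4.45 159.153.234.54 ICMP
"""
POLL_LOG = """\
pass Nov 8 09:38:17 LAN 10.100.4.45 159.153.226.105 ICMP
pass Nov 8 09:38:17 LAN 10.100.4.45 159.153.225.30 ICMP
pass Nov 8 09:38:15 LAN 10.100.4.45 159.153.225.5 ICMP
pass Nov 8 09:38:14 LAN 10.100.4.45 206.126.236.55 ICMP
pass Nov 8 09:38:12 LAN 10.100.4.45 96.34.3.89 ICMP
pass Nov 8 09:38:11 LAN 10.100.4.45 96.34.0.48 ICMP
pass Nov 8 09:38:09 LAN 10.100.4.45 96.34.2.40 ICMP
pass Nov 8 09:38:08 LAN 10.100.4.45 96.34.80.126 ICMP
pass Nov 8 09:38:06 LAN 10.100.4.45 96.34.84.142 ICMP
pass Nov 8 09:38:05 LAN 10.100.4.45 10.242.195.225 ICMP
pass Nov 8 09:38:05 LAN 10.100.4.45 x.x.x.x ICMP
pass Nov 8 09:38:05 LAN 10.100.4.45 10.105.0.1 ICMP
"""
if __name__ == "__main__":
    for name, log in (("traceroute", TRACE_LOG), ("poll", POLL_LOG)):
        print(name, dict(summarize(log)["by_iface_proto"]), "dropped:", firewall_dropped_probes(log))
```

Both logs come back with only LAN pass rows, so whatever is losing the echo replies is not a block rule in this log.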
-
I made any to any in the WAN rules, with logging, and the only thing that showed up was ICMP packets. I already have any to any in the LAN rules. When I did a Poll, I was still getting 100% loss.
-
Not having any issues here with polling.
I have no special rules other than the default LAN rules. NAT is automatic; you really should not have to do anything for pings to work.
So, curious: are you behind a double NAT? You hid that second hop in your trace.
-
Second hop is very likely his public IP.
-
I made any to any in the WAN rules
Well there's your problem. You're allowing anyone from anywhere into your WAN interface. Firewall rules apply to inbound packets. The ones from you are inbound on your LAN interface, outbound on your WAN interface. Once they've traversed your WAN interface, for all intents and purposes they're considered an established session, and you don't need any rules on your WAN interface to keep it working. Take the any to any rule off of your WAN interface, that's extremely dangerous.
Create a rule like this:
only with your IP instead of mine, and let me know what happens. Make sure that in the "protocol" section you select "any."
-
Second hop is very likely his public IP.
It shouldn't be his IP. The gateway of the segment he is connected to, sure, which with most ISPs is probably a large segment; mine for example is a /21. So sure, as a privacy concern you might want to hide part of that IP range, but it only gives away the segment he is on, which for example in my case would be some 2000 addresses ;)
-
Yeah, meant gateway. Slow brain day. I've got a /28, so exposing my gateway would not be a great idea. Most people don't get /21s to play around with.
-
Second hop is very likely his public IP.
It shouldn't be his IP. The gateway of the segment he is connected to, sure, which with most ISPs is probably a large segment; mine for example is a /21. So sure, as a privacy concern you might want to hide part of that IP range, but it only gives away the segment he is on, which for example in my case would be some 2000 addresses ;)
It is my WAN IP that I did block out of the picture. My pfSense router is connected to a Motorola SURFboard SB 6121 modem, which should have no routing or firewalling of any kind.
I made the rule exactly as you said, and here it is under pfsense firewall logs.
Edit: While the Poll was cycling through, I unplugged my computer from the pfsense router, unplugged the router from the modem, and plugged my PC directly into the modem. Immediately I started getting responses. It's not my ISP or modem, it's pfsense. I just need to know what setting I have wrong in my router.