Incoming ICMP blocked on virtual IP, despite rules in place to pass!



  • Hi all,

    Would really appreciate some help with this one!

    Have 2 WAN connections, both PPPoE on pfSense.
    WAN 1 has an interface address assigned by DHCP from the ISP, with 5 Static IPs configured as Virtual IP Aliases.
    WAN 2 has a single Static IP, assigned via DHCP from the ISP.

    From outside, I can ping WAN 2 on it's static IP just fine, as it's the same IP as the Interface address.
    WAN 1 however, will only respond to a ping on it's interface address, but not on any of the IP Aliases. In the system logs, it shows this traffic as a pass entry (I specified to log it), but the machine is not getting a response.

    Makes no sense!!

    Any suggestions would be much appreciated. Please let me know if I can help by providing any more information.

    Thanks in advance.



  • Try adding individual firewall rules for each alias on your interface. Sounds weird, I know, but that's what fixed it for me. I ended up creating firewall aliases for my public IP ranges, and allowing ICMP for those seemed to do the trick.



  • Thanks timthetortoise, though I tried this already.

    Here's a shot of my rules. The top one allows the ping to the interface address, which works. The other 5 for the aliases just seem to have no effect!

    Any other suggestions would be greatly appreciated!


  • Rebel Alliance Global Moderator

    And what kind of virtual IP did you create - some will not answer ICMP
    https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F



  • They are set as IP Alias, the one that was introduced in pfSense 2.0, which is said to support ICMP.

    So confused!


  • Rebel Alliance Global Moderator

    did you set them with the mask of your real IP or /32

    can you post up the configuration you have set for the vip.. You are trying to ping them from outside your wan right?

    Are you using it in a 1:1 Nat?  If so I would believe the natted device would have to answer the ping.



  • I have set them up with the mask of the real IP. Is that the correct thing to do? I think I did try setting them as /32 already and it didn't have any effect at all.

    Here's a shot of the configuration.

    Yes I am trying to ping from outside the WAN, but the same issue also exists when trying to ping from inside.

    No 1:1 configurations are used.



  • I tell a lie, I have set them to /29 because on the documents from my ISP, it lists the IP range with a subnet mask of 255.255.255.248. The real IP (assigned by DHCP) has a subnet mask of 255.255.255.255



  • Could you clarify what you mean by that? I don't believe that you can have a /32 over WAN, only really for loopbacks.



  • Sure, when I go to Status -> Interfaces and look at WAN 1, it shows the interface IP (dynamically assigned by the ISP) and the subnet mask as 255.255.255.255.
    On the paperwork from my ISP where it lists the range of 5 static IPs for that connection, it states to use the subnet mask 255.255.255.248, so I set them as /29 on the virtual IP page.



  • If you've got static IPs, why are you letting it assign it via DHCP? Assign it statically and use the correct mask on the actual interface.



  • That's how it works with this ISP (BT Business). Their modem does the same thing. If you have a single static IP, then that's what the interface gets, but if you have a range of static IPs, then your interface gets a separate one and the static IP range gets routed to that.

    In my case, I have a range of 5 static IPs, so they're all set up as IP Aliases.



  • This is what the Interfaces screen looks like for WAN 1.

    Not sure why pfSense lists all of it's DNS servers under that box but the first one is it's own DNS forwarder, 2 & 3 are the servers on that connection (WAN 1), 4 & 5 are the server on WAN 2 and 6 & 7 are the servers on the LAN.