Netgate Discussion Forum

Incoming ICMP blocked on virtual IP, despite rules in place to pass!

Firewalling
axis-frank wrote:

Hi all,

Would really appreciate some help with this one!

Have 2 WAN connections, both PPPoE on pfSense.
WAN 1 has an interface address assigned by DHCP from the ISP, with 5 static IPs configured as Virtual IP Aliases.
WAN 2 has a single static IP, assigned via DHCP from the ISP.

From outside, I can ping WAN 2 on its static IP just fine, as it's the same IP as the interface address.
WAN 1, however, will only respond to a ping on its interface address, but not on any of the IP Aliases. In the system logs, it shows this traffic as a pass entry (I specified to log it), but the machine is not getting a response.

Makes no sense!!

Any suggestions would be much appreciated. Please let me know if I can help by providing any more information.

Thanks in advance.
timthetortoise wrote:

Try adding individual firewall rules for each alias on your interface. Sounds weird, I know, but that's what fixed it for me. I ended up creating firewall aliases for my public IP ranges, and allowing ICMP for those seemed to do the trick.
axis-frank wrote:

Thanks timthetortoise, though I tried this already.

Here's a shot of my rules. The top one allows the ping to the interface address, which works. The other 5 for the aliases just seem to have no effect!

Any other suggestions would be greatly appreciated!
johnpoz (LAYER 8 Global Moderator) wrote:

And what kind of virtual IP did you create? Some will not answer ICMP:
https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F
axis-frank wrote:

They are set as IP Alias, the one that was introduced in pfSense 2.0, which is said to support ICMP.

So confused!
johnpoz (LAYER 8 Global Moderator) wrote:

Did you set them with the mask of your real IP or /32?

Can you post up the configuration you have set for the VIP? You are trying to ping them from outside your WAN, right?

Are you using it in a 1:1 NAT? If so, I would believe the NATed device would have to answer the ping.
axis-frank wrote:

I have set them up with the mask of the real IP. Is that the correct thing to do? I think I did try setting them as /32 already and it didn't have any effect at all.

Here's a shot of the configuration.

Yes, I am trying to ping from outside the WAN, but the same issue also exists when trying to ping from inside.

No 1:1 configurations are used.
axis-frank wrote:

I tell a lie, I have set them to /29 because on the documents from my ISP, it lists the IP range with a subnet mask of 255.255.255.248. The real IP (assigned by DHCP) has a subnet mask of 255.255.255.255.
timthetortoise wrote:

Could you clarify what you mean by that? I don't believe that you can have a /32 over WAN, only really for loopbacks.
axis-frank wrote:

Sure, when I go to Status -> Interfaces and look at WAN 1, it shows the interface IP (dynamically assigned by the ISP) and the subnet mask as 255.255.255.255.
On the paperwork from my ISP where it lists the range of 5 static IPs for that connection, it states to use the subnet mask 255.255.255.248, so I set them as /29 on the virtual IP page.
timthetortoise wrote:

If you've got static IPs, why are you letting it assign it via DHCP? Assign it statically and use the correct mask on the actual interface.
axis-frank wrote:

That's how it works with this ISP (BT Business). Their modem does the same thing. If you have a single static IP, then that's what the interface gets, but if you have a range of static IPs, then your interface gets a separate one and the static IP range gets routed to that.

In my case, I have a range of 5 static IPs, so they're all set up as IP Aliases.
axis-frank wrote:

This is what the Interfaces screen looks like for WAN 1.

Not sure why pfSense lists all of its DNS servers under that box, but the first one is its own DNS forwarder, 2 & 3 are the servers on that connection (WAN 1), 4 & 5 are the servers on WAN 2 and 6 & 7 are the servers on the LAN.
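The thread never settles whether the five IP Alias VIPs are both inside the ISP's routed /29 and covered by a pass rule for ICMP echo requests on WAN 1. The script below is an added example, not code from this thread or from pfSense; it checks both conditions against a ruleset dump in `pfctl -sr` format. The interface name `pppoe0`, the addresses in 203.0.113.0/24 and the ruleset text are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): for each IP Alias VIP, check that it lies
# inside the ISP's routed /29 and that a pf rule passes ICMP echoreq to it.

WAN_IF="pppoe0"                 # assumed name of the WAN 1 PPPoE interface
ISP_BLOCK="203.0.113.8/29"      # assumed routed block (mask 255.255.255.248)
ALIASES="203.0.113.9 203.0.113.10 203.0.113.11 203.0.113.12 203.0.113.13"

# Constructed stand-in for `pfctl -sr` output. Two deliberate gaps: .12 only
# passes echoreply (wrong direction) and .13 has no rule at all.
RULESET='pass in quick on pppoe0 inet proto icmp from any to 203.0.113.9 icmp-type echoreq keep state
pass in quick on pppoe0 inet proto icmp from any to 203.0.113.10 icmp-type echoreq keep state
pass in quick on pppoe0 inet proto icmp from any to 203.0.113.11 icmp-type echoreq keep state
pass in quick on pppoe0 inet proto icmp from any to 203.0.113.12 icmp-type echoreply keep state
block drop in log quick on pppoe0 inet all label "Default deny rule IPv4"'

# ip_to_int A.B.C.D -> decimal, using only POSIX sh arithmetic
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# in_block IP CIDR -> succeeds when IP lies inside CIDR
in_block() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ "$(( $(ip_to_int "$1") & mask ))" = "$(( $(ip_to_int "$net") & mask ))" ]
}
# has_echoreq_pass IP -> succeeds when a pass rule on WAN_IF admits echoreq to IP
has_echoreq_pass() {
    addr=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s\n' "$RULESET" |
        grep -E "^pass in .* on $WAN_IF .* to $addr icmp-type echoreq" >/dev/null
}
# check_alias IP -> prints a verdict; fails when either check fails
check_alias() {
    bad=0
    in_block "$1" "$ISP_BLOCK" || { echo "$1: outside $ISP_BLOCK"; bad=1; }
    has_echoreq_pass "$1" || { echo "$1: no pass rule for ICMP echoreq on $WAN_IF"; bad=1; }
    [ "$bad" -eq 0 ] && echo "$1: OK"
    return "$bad"
}
# check_all -> returns the number of aliases that failed a check
check_all() {
    failed=0
    for ip in $ALIASES; do check_alias "$ip" || failed=$((failed + 1)); done
    return "$failed"
}

check_all || echo "$? alias(es) need attention"
```

On the firewall itself, replace the constructed RULESET with the output of `pfctl -sr` and ALIASES with the configured VIPs; an alias that prints OK but still does not answer is then a routing or binding question rather than a rule question.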