Can't ping from the pfsense system to other systems on the network
-
Hello Experts,
I have a network which is not yet connected to the Internet. The network comprises 5 systems. 2 systems connect to a switch and have IP addresses 172.16.1.2 and 172.16.1.3. Two other systems are connected to another switch with IP addresses 192.168.1.2 and 192.168.1.3. The pfsense system has two network interfaces which connect to the 2 switches. The pfsense system has IP addresses 172.16.1.1 and 192.168.1.1 for each of the switches/sub networks: 172.16.1.1 for the WAN interface and 192.168.1.1 for the LAN network. I try to ping from the pfsense system to the other systems but it doesn't work, and it also doesn't work from the other systems to the pfsense system.
Am I to add the IPs of the pfsense system to the hosts file of the other systems? Is this like a DNS issue? What could possibly be the problem? All other systems are on Ubuntu.
Thanks.
-
so you have this
172.16.1.2 – switch -- 172.16.1.1 wan pfsense lan 192.168.1.1 -- switch 192.168.1.2
So you have rfc1918 on the wan of pfsense - did you turn off the block private networks on your wan interface?
Block private networks
When set, this option blocks traffic from IP addresses that are reserved for private networks as per RFC 1918 (10/8, 172.16/12, 192.168/16) as well as loopback addresses (127/8). You should generally leave this option turned on, unless your WAN network lies in such a private address space, too.

Can you ping on the LAN side of pfsense? I have to assume you would be using IP address vs name; if you're wanting to ping by name then yes, some form of name resolution would have to be working.
-
Thanks johnpoz for your response.
I am trying to run some tests now on pfsense before I can present it to my company as a firewall solution.
For the WAN and LAN I am using private IP addresses (172.x.x.x and 192.x.x.x). From your reply you propose I turn off the "block private networks" since I am using a private IP on the WAN side. Is that correct? And if so, how do I do that?
Also, I can't ping on the LAN side from the pfsense system. I have attached my setup diagram so you could have a good view.
Thanks again..
-
Yes, if you're using rfc1918 on WAN you have to disable the block; this is done in the interface settings. Main menu on the top, Interfaces, click the WAN interface, and at the bottom of the screen will be a checkbox you can uncheck.
If you can not ping the LAN side then you have something else going on. Can 192.168.1.2 ping 192.168.1.3?
What are your LAN firewall rules? The default LAN rules would be any any and would allow you to ping your pfsense LAN interface from anything on the LAN network.
-
Yes... 192.168.1.2 can ping 192.168.1.3, but neither can ping the 192.168.1.1 (pfSense) server.
No rules were set. I just set up the switches and they are working.
What is awkward is the pfsense server can't ping any other computer and any other computer can't ping the pfsense server. The computers on the 172.16.1.x lan can ping themselves.
Is there a setting on the pfsense server that is blocking requests in and out? I can't even access the web interface to do anything.
Thanks...
-
"I can't even access the web interface to do anything."
Well, if you can not PING, it's unlikely you could access the web GUI ;)
Again, on the WAN side you're not going to be able to ping pfsense because the default rules block all unsolicited traffic anyway. If you're going to use rfc1918 addressing then you need to disable the default block on the WAN interface of these addresses.
On the LAN, by default it would be an any any rule and you should be able to ping it. So either your interface did not come up, or you did something with the default rules. Or you have your interfaces reversed, and what you think is your WAN is really connected to your LAN, etc.
Do you see the MAC address of the pfsense LAN interface from one of your 192.168.1.2 or .3 machines after you try pinging it?
A simple arp -a should show you this.
I would validate via MAC on pfsense that your LAN is really your LAN, and your WAN is really your WAN.
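The MAC check described above, as an added example that is not part of the thread: an Ubuntu client in the 192.168.1.0/24 segment pings the pfSense LAN address, then reads the kernel neighbor table to see whether any MAC answered and whether it is the MAC pfSense shows for its LAN NIC or for its WAN NIC (which would mean the interfaces are cabled in reverse). All MAC addresses and the sample neighbor table are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). A neighbor entry carrying an lladdr in
# REACHABLE/STALE/DELAY state means the pfSense NIC is up and on this switch;
# FAILED/INCOMPLETE or no entry at all means nothing answered at layer 2.

PFSENSE_LAN_IP="192.168.1.1"
# What pfSense itself reports for its LAN and WAN NICs (constructed values).
EXPECTED_LAN_MAC="00:11:22:33:44:01"
EXPECTED_WAN_MAC="00:11:22:33:44:02"

# Print the MAC recorded for $1 in an `ip neigh show` listing read from stdin
# (prints nothing when no usable entry exists).
mac_for_ip() {
    awk -v ip="$1" '$1 == ip && $NF != "FAILED" && $NF != "INCOMPLETE" {
        for (i = 1; i < NF; i++) if ($i == "lladdr") { print $(i+1); exit }
    }'
}

# Compare the MAC that answered for the LAN gateway with what pfSense reports.
classify() {
    observed="$(printf '%s' "$1" | tr 'A-F' 'a-f')"
    case "$observed" in
        "")                  echo "no-l2-reply" ;;
        "$EXPECTED_LAN_MAC") echo "lan-ok" ;;
        "$EXPECTED_WAN_MAC") echo "interfaces-reversed" ;;
        *)                   echo "unknown-mac" ;;
    esac
}

# $1 = neighbor table text; echoes one of the verdicts above.
diagnose() {
    classify "$(printf '%s\n' "$1" | mac_for_ip "$PFSENSE_LAN_IP")"
}

# Constructed sample: what a client might list after `ping -c1 192.168.1.1`
# when the WAN NIC of pfSense is actually plugged into the LAN switch.
SAMPLE_NEIGH='192.168.1.3 dev eth0 lladdr 00:aa:bb:cc:dd:03 REACHABLE
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:02 STALE'

if [ "$1" = "--live" ]; then
    ip link show                                   # are the NICs UP at all?
    ping -c 1 -W 1 "$PFSENSE_LAN_IP" >/dev/null 2>&1
    diagnose "$(ip neigh show)"
else
    diagnose "$SAMPLE_NEIGH"                       # prints interfaces-reversed
fi
```

Run with `--live` on the client to use the real `ip neigh` table; without it the constructed sample is evaluated.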
-
Thanks a lot for all your replies johnpoz..
I will go to the Lab and check all these out and get back to you.
-
I would have to suggest an odd switch setup with that behaviour.
You should still be able to ping systems in the 172.16.1.* subnet from the pfSense console even with the 'block rfc1918' rule still enabled. That rule doesn't prevent packets returning corresponding with an existing active state, nor outgoing packets.
Weird. :-\ Are the NICs actually UP? Wiring problem?
Steve
-
Agreed, pfsense pinging a resource on the WAN side should not be a problem, even with the default block rfc1918 in place. But devices on that network would not be able to ping the pfsense WAN, even if you created a firewall rule to allow it, because the rfc1918 rule would be first in the list.
I kind of think maybe he has wan/lan interfaces reversed.
-
That would explain it. ;)
-
Thanks for all the feedback guys and maybe ladies if there are :)
Now, I could get pfsense to ping the 2 systems on the LAN and vice versa. This was achieved by making pfsense a DHCP server on the LAN side.
One question I have now is why couldn't I connect using static IP addresses? In a real network, does pfsense get an IP from the DHCP server on the LAN network, or is it supposed to act as a DHCP server to the LAN? I would like to know the best practice.
Again, the WAN side in this setup is not working yet because all the IPs are static. In a real network, the WAN side of pfsense typically gets an IP through DHCP from the ISP. So what would you guys recommend I use for testing before applying on a real network?
Thanks a lot.
-
There is no reason why it shouldn't work with static IPs. There are many people using just such a setup. Using pfSense as a dhcp server does reduce the possibility of making a configuration error on an individual client.
The most common configuration would be to use pfSense as a DHCP server, though it's possible to have the LAN as static or to receive its address from some other DHCP server on the LAN side.
For testing you can set the WAN interface to DHCP and set it up behind some other router. You will probably be double NATing and you have to ensure that the WAN and LAN subnets are different, but for basic connectivity testing that's fine.
Steve