Netgate Discussion Forum

Routing Loop?

General pfSense Questions
  • ?
    A Former User
    last edited by May 22, 2014, 8:10 AM

    This post is deleted!
    • D
      divsys
      last edited by May 22, 2014, 12:20 PM

      I don't quite understand your setup,

      WAN1
      (multiple External IP's attached)

      WAN2
      (multiple External IP's attached)

      What do you mean by "(multiple External IP's attached)"?  If you have more than one external IP address assigned to a WAN port by your ISP, then you need to tell pfsense about each of them and assign rules to allow pings, etc. for each to work.

      If you could describe your setup in a little more detail and perhaps post your firewall rules that work, maybe we can help.

      -jfp

      • M
        MindfulCoyote
        last edited by May 22, 2014, 4:58 PM

        By default inbound (from the Internet) ICMP (ping protocol) to the WAN interface is blocked. You will need to add a rule allowing inbound ICMP to the WAN(s). It would look something like:

        ID  Proto      Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
            IPv4 ICMP  *       *     WAN address  *     *        none

        This is done on the Firewall Menu; Rules; WAN tab.

        Err

        –
        Erreu Gedmon

        Firewalls are hard...
        but the book makes it easier: https://portal.pfsense.org/book/

        • ?
          A Former User
          last edited by May 23, 2014, 3:53 AM

          This post is deleted!
          • ?
            A Former User
            last edited by May 23, 2014, 3:55 AM

            This post is deleted!
            • M
              MindfulCoyote
              last edited by May 23, 2014, 4:56 AM

              If I understand you correctly, you have two WAN interfaces configured with static IP addresses, and both WAN interfaces have multiple virtual IP addresses assigned of type "IP Alias". The primary IP addresses on each respond to pings while none of the virtual IPs do.

              Are you trying to ping through the firewall to an internal host, (i.e. through NAT) or simply ping the firewall itself? I believe the NAT rules are processed first, so it's entirely possible the firewall is simply dropping the ICMPs if no NAT rule is in place to forward them to an internal host. If so you'll want to add a "Port Forward" NAT entry and specify ICMP as the protocol.

              Just curious, does pinging the virtual IPs fail from either side of the firewall? i.e. Ping fails when pinging from the LAN side toward one of the WAN virtual IPs as well? Another test would be to try pinging them from the command line of the firewall. (Menu, Diagnostics; Command Prompt.)

              If a firewall rule is at fault, you should be able to catch it in the logs. Try this:
              Menu, Status; System Logs; Firewall Tab
              Enter the virtual IP in the 'Destination IP address' box, and optionally ICMP in the 'Protocol' box.

              Another option might be to make the ICMP rule floating if it isn't already.

              Err

              –
              Erreu Gedmon

              Firewalls are hard...
              but the book makes it easier: https://portal.pfsense.org/book/

              • S
                stephenw10 Netgate Administrator
                last edited by May 23, 2014, 11:44 AM

                @evano666:

                I should also mention I already have a rule in place for ICMP…

                IPv4 ICMP * * * * * none

                Where is that rule?

                As others have said, what sort of NAT arrangement do you have on these virtual IPs? It would be common to use 1:1 NAT to your internal servers, but if you're not doing that then have you NAT'd ICMP?

                Steve
