Can't get private IPs on WAN



  • I'm tired of fighting with this and am relatively certain that it is something simple that I am overlooking, but I cannot get devices on my LAN to communicate with devices on one of my WAN interfaces that I help manage for a local WISP.  It used to work fine, but after an update or recovery from a crash (I tend to test things on my pfSense before I institute them on the one that supports the WISP) it no longer will even see any of the devices on the WAN other than the GW and my WAN interface.

    I have a single LAN and a dual-WAN.  The primary WAN is a satellite ISP and the secondary WAN is the WISP.  I have a routing table and rule set to use both WANs and they work (I see traffic on both interfaces).  I have another rule before that one to send any WISP traffic (192.168.X.0/24) to the WISP GW, however attempting to ping or otherwise communicate with any IP other than 192.168.x.1 (GW) or 192.168.x.169 (my pfsense WISP interface) fails.

    I have tried setting a rule on my WISP WAN to allow traffic from the WAN to the LAN, but that changed nothing.

    I am probably leaving something important out, but I'm numb from fighting with this.  Any advice and/or assistance would be helpful.  BTW, and for what it's worth, I have been running pfSense with a certain degree of success for over 3 years and really appreciate the forums as they are a wealth of information.  I just can't seem to find an answer for this one...  :-\


  • LAYER 8 Netgate

    Need screenshots of your interfaces/rules and a diagram.



  • Attached is the LAN rule set.  Both WANs are empty.  Also, there is a simplistic layout.  Hopefully this makes things clearer to someone...





  • LAYER 8 Netgate

    Do you have Block Private and Block Bogons unchecked on WAN ??



  • Ok, guess I'm being really dense, but I don't remember having anything special for that other than a couple of port forwards on the old WISP router for TeamSpeak and Ventrilo that I don't use anymore.


  • LAYER 8 Netgate

    Does that mean it's fixed?  pfSense, by default, blocks private addresses in and out of WAN.



  • Do you have Block Private and Block Bogons unchecked on WAN ??

    At this time, neither are checked on WISPWAN or LAN.  Bogons is checked on SATWAN.

    This NAT rule didn't allow me to ping from 7.2 either...



  • LAYER 8 Netgate

    What about WAN 2 on "pfSense router" with 192.168.7.x?



  • Opt1 is WAN2 and called WISPWAN, so no, neither are checked on it.  If I understand your question...


  • LAYER 8 Netgate

    All I can do is ask about names in your diagram.  It should work.  Probably time for a packet capture of your WAN 2 interface. (Diagnostics->Packet Capture).  See if the echo request is going out and if the reply is coming back.



  • No, don't get me wrong.  I fully understand that non-standard nomenclature can be confusing and I truly appreciate your time and effort in trying to help me resolve my problem.

    Am checking Packet Capture now...



  • Ok, I am beginning to understand the problem a little better, but still not any clearer on the solution.  ICMP requests are going out, but the WISP router is forwarding all of them out its WAN, except those for its own address, instead of servicing them on its LAN...

    From my pfSense WAN2 interface:
    18:16:09.816997 IP 69.31.135.173 > 192.168.168.169: ICMP net 192.168.168.104 unreachable, length 76
    18:16:09.989043 IP 192.168.168.169 > 192.168.168.1: ICMP echo request, id 16761, seq 25859, length 44
    18:16:09.991400 IP 192.168.168.1 > 192.168.168.169: ICMP echo reply, id 16761, seq 25859, length 44
    18:16:10.033050 IP 204.2.241.93 > 192.168.168.169: ICMP net 192.168.168.243 unreachable, length 76
    18:16:10.365821 IP 204.2.241.93 > 192.168.168.169: ICMP net 192.168.168.26 unreachable, length 76
    18:16:10.994894 IP 192.168.168.169 > 192.168.168.1: ICMP echo request, id 16761, seq 26115, length 44
    18:16:11.032200 IP 192.168.168.1 > 192.168.168.169: ICMP echo reply, id 16761, seq 26115, length 44
    18:16:12.001169 IP 192.168.168.169 > 192.168.168.1: ICMP echo request, id 16761, seq 26371, length 44
    18:16:12.003212 IP 192.168.168.1 > 192.168.168.169: ICMP echo reply, id 16761, seq 26371, length 44
    18:16:12.400989 IP 192.168.168.169 > 192.168.168.79: ICMP echo request, id 62320, seq 64155, length 12
    18:16:12.402974 IP 192.168.168.169 > 192.168.168.81: ICMP echo request, id 8092, seq 64411, length 12

    ... any thoughts?
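    The capture above already contains the diagnosis, if you know what to look for: "net unreachable" errors for 192.168.168.x hosts are arriving from public addresses (69.31.135.173, 204.2.241.93), which can only happen if the router that owns that subnet pushed the packets out its WAN instead of delivering them on its LAN. The following script is an added example, not part of the thread, that triages a pfSense Diagnostics -> Packet Capture text dump for exactly this pattern. The input lines are the ones posted above; the local subnet 192.168.168.0/24 is an assumption read off the capture, and the function and field names are mine.

```python
"""Triage a pfSense packet capture (tcpdump text) for the symptom in this
thread: pings to a directly connected private subnet go unanswered, and the
ICMP unreachables come back from public IPs, which points at the upstream
router policy-routing that subnet out its WAN."""
import ipaddress
import re
from typing import Dict, List, Optional

# Sample input: the WAN2 (WISPWAN) capture lines posted earlier in this thread.
SAMPLE_CAPTURE = """\
18:16:09.816997 IP 69.31.135.173 > 192.168.168.169: ICMP net 192.168.168.104 unreachable, length 76
18:16:09.989043 IP 192.168.168.169 > 192.168.168.1: ICMP echo request, id 16761, seq 25859, length 44
18:16:09.991400 IP 192.168.168.1 > 192.168.168.169: ICMP echo reply, id 16761, seq 25859, length 44
18:16:10.033050 IP 204.2.241.93 > 192.168.168.169: ICMP net 192.168.168.243 unreachable, length 76
18:16:10.365821 IP 204.2.241.93 > 192.168.168.169: ICMP net 192.168.168.26 unreachable, length 76
18:16:10.994894 IP 192.168.168.169 > 192.168.168.1: ICMP echo request, id 16761, seq 26115, length 44
18:16:11.032200 IP 192.168.168.1 > 192.168.168.169: ICMP echo reply, id 16761, seq 26115, length 44
18:16:12.001169 IP 192.168.168.169 > 192.168.168.1: ICMP echo request, id 16761, seq 26371, length 44
18:16:12.003212 IP 192.168.168.1 > 192.168.168.169: ICMP echo reply, id 16761, seq 26371, length 44
18:16:12.400989 IP 192.168.168.169 > 192.168.168.79: ICMP echo request, id 62320, seq 64155, length 12
18:16:12.402974 IP 192.168.168.169 > 192.168.168.81: ICMP echo request, id 8092, seq 64411, length 12
"""

# One tcpdump ICMP line: timestamp, src > dst, then the ICMP detail text.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP (?P<info>.+), length \d+$"
)
# Detail text for a destination-unreachable error; <target> is the original destination.
UNREACH_RE = re.compile(r"^(?:net|host) (?P<target>[\d.]+) unreachable$")
# Detail text for echo request/reply; id+seq pair a request with its reply.
ECHO_RE = re.compile(r"^echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)$")


def parse_icmp(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one ICMP capture line, or None for non-ICMP/noise lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(capture: str, local_net: str) -> dict:
    """Summarise which local hosts answered, which did not, and which
    unreachable errors were reported by addresses outside the local subnet."""
    net = ipaddress.ip_network(local_net)
    leaked: List[tuple] = []        # (off-subnet reporter, local host it could not reach)
    requests: Dict[tuple, str] = {}  # (id, seq) -> local destination pinged
    replies = set()                  # (id, seq) pairs that got an echo reply

    for line in capture.splitlines():
        pkt = parse_icmp(line)
        if pkt is None:
            continue
        src = ipaddress.ip_address(pkt["src"])
        u = UNREACH_RE.match(pkt["info"])
        if u:
            target = ipaddress.ip_address(u["target"])
            # A local host being declared unreachable by a host that is NOT on
            # the local subnet means the packet left the subnet's router via its WAN.
            if target in net and src not in net:
                leaked.append((str(src), str(target)))
            continue
        e = ECHO_RE.match(pkt["info"])
        if e:
            key = (int(e["id"]), int(e["seq"]))
            if e["kind"] == "request" and ipaddress.ip_address(pkt["dst"]) in net:
                requests[key] = pkt["dst"]
            elif e["kind"] == "reply":
                replies.add(key)

    answered = sorted({dst for k, dst in requests.items() if k in replies})
    unanswered = sorted({dst for k, dst in requests.items() if k not in replies})
    return {
        "leaked_unreachables": leaked,
        "answered_hosts": answered,
        "unanswered_hosts": unanswered,
        # True when the evidence points at the upstream router, not at this firewall.
        "upstream_misrouting": bool(leaked),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_CAPTURE, "192.168.168.0/24")
    for key, value in result.items():
        print(f"{key}: {value}")
    if result["upstream_misrouting"]:
        print("Check the LAN rule gateway / policy routing on the router that owns the subnet.")
```

    On the thread's capture this reports the gateway (.1) as the only host that answers, .79 and .81 as unanswered, and three leaked unreachables from public addresses, which is the "it's not this pfSense" conclusion reached a few posts later, derived mechanically. Feed it a capture taken on the other router's LAN to confirm the requests never arrive there.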


  • LAYER 8 Netgate

    Good question for them.

    Looks like it's not pfSense.



  • Unfortunately, that is a pfSense router also and I maintain it, as I mentioned in my opening...

    I'm tired of fighting with this and am relatively certain that it is something simple that I am overlooking, but I cannot get devices on my LAN to communicate with devices on one of my WAN interfaces that I help manage for a local WISP.  It used to work fine, but after an update or recovery from a crash (I tend to test things on my pfSense before I institute them on the one that supports the WISP) it no longer will even see any of the devices on the WAN other than the GW and my WAN interface.

    ... so here I am again, hat in hand.  Trying to figure out what I have done  :-[



  • Found it!  The Allow Any rule on the WISP LAN interface didn't get changed when they quit using two ISPs.  So the Gateway was pointing to a Gateway Group that was only halfway working (it had one non-existent Gateway/Interface in it).  I set it to the default Gateway and my traffic is no longer being forwarded.

    Thank you, so very much, for persevering with me through this ordeal.  I have been beating my head against the wall alone for months on end trying to figure out what I had done or in this case had NOT done.

    Now I can look into several other things that have been on hold pending the reconciliation of this problem.


  • LAYER 8 Netgate

    Good to hear.  Congrats.

