    Cannot ping WAN interface

      jannita

      Hi, I'm new to pfsense.
      I chose pfsense in order to replace a Cisco PIX 501. I have performed all the configs and now I'm testing (trying to) in a lab network.
      The network setup is as follows

      Internet
          |
          |
        TPLinkrouter (192.168.140.1 )-------(wan em0 192.168.140.112)-- PFSense---- (lan em1 192.168.0.15)  ----X--- 192.168.0.240 (PC2)
          |
          |
      192.168.140.101 (PC1)

      From PC1 I'm not able to ping WAN Interface:
      -  They are on the same subnet, so according to documentation there is no need to add static routes.
      -  I put a rule allowing ICMP Traffic on the wan network
      -  the ARP table on pfsense contains an entry for 192.168.140.101
      -  check boxes for Block private networks and  Block bogon networks on the wan interface: UNCHECKED
      -  routing table seems to be OK to me

      default 192.168.140.1 UGS 0 4655 1500 em0
      127.0.0.1 link#7 UH 0 32 16384 lo0
      192.168.0.0/24 link#2 U 0 9052 1500 em1
      192.168.0.15 link#2 UHS 0 0 16384 lo0
      192.168.140.0/24 link#1 U 0 66 1500 em0
      192.168.140.1 00:18:71:ea:a9:b5 UHS 0 2443 1500 em0
      192.168.140.112 link#1 UHS 0 0 16384 lo0

      Any ideas?
      Thank you very much in advance
      Ana

        Derelict LAYER 8 Netgate

        What mode is the TPlink in?  Are you just using it as a switch?  If so why are you calling it a router?

        If it's a router, why are two interfaces on the same IP network?

        Post screen shots.  I could set this up 1000 times and it would work every time so things are not how you think they are.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          jannita

          The TP Link is an ADSL modem router with 4 LAN ports

          Attached a more detailed diagram

          The problem is I cannot ping from PC1 to WAN interface nor from WAN to PC1.
          From WAN I'm able to ping the gateway 192.168.140.1
          From PC1 I'm able to ping the gateway 192.168.140.1

          Thank you very much
          Regards
          Ana

          diagram.jpg

            ptt Rebel Alliance

            Please attach a screenshot of the FW WAN rules

              Derelict LAYER 8 Netgate

              On your new pfSense please.

                jannita

                Attached WAN FW rules

                Thank you

                rules1.jpg
                rules2.jpg

                  Derelict LAYER 8 Netgate

                  OK.  That looks right.  What happens if you plug PC1 into the pfSense WAN port?  Can you ping it?

                    jannita

                    same result :-(  (I have tried with a normal cable and with a crossover cable)

                    In the original scenario, pfsense and PC1 are able to ping their default gateway (192.168.140.1). pfsense (via its WAN if) is able to ping any other public IP.

                    For some reason that I'm not able to see, pfsense is not able to see anything in the WAN network with the exception of its default gateway

                    Thank you.

                      Derelict LAYER 8 Netgate

                      No idea.  Diagnostics->Packet Capture on WAN and see what it shows.

                        kejianshi

                        Could be a firewall problem on PC1

                          Derelict LAYER 8 Netgate

                          I know what it isn't.

                            kejianshi

                            What isn't it?

                              Derelict LAYER 8 Netgate

                              FreeBSD/pf with an em card.

                                kejianshi

                                I'd tend to agree.

                                I wonder if he could be talked into downloading ubuntu or linux mint and booting it live from disk and then checking connectivity from pc1?

                                That way I'd be pretty sure that a firewall or other setting on PC1 wasn't the issue.

                                  Derelict LAYER 8 Netgate

                                  Easier to capture the traffic on WAN on pfSense.  Or install wireshark on PC1.  Or both.

                                    onizuka_pts

                                    Maybe your config is wrong

                                      jannita

                                      PC1 is able to ping PC3… anyway I have disabled the FW/AV software on PC1, same result.

                                      I'll try later with the WAN/PC1 captures

                                      Regards

                                        jannita

                                        Well  I have performed the captures.
                                        Only ARP broadcast messages….
                                        In pfsense (192.168.140.112)

                                        10:18:57.255415 ARP, Reply 192.168.140.112 is-at 00:18:71:ea:a9:b5, length 28
                                        10:18:58.253579 ARP, Request who-has 192.168.140.112 tell 192.168.140.101, length 46
                                        10:18:58.253586 ARP, Reply 192.168.140.112 is-at 00:18:71:ea:a9:b5, length 28
                                        10:18:59.253501 ARP, Request who-has 192.168.140.112 tell 192.168.140.101, length 46
                                        10:18:59.253508 ARP, Reply 192.168.140.112 is-at 00:18:71:ea:a9:b5, length 28
                                        10:19:00.255669 ARP, Request who-has 192.168.140.112 tell 192.168.140.101, length 46
                                        10:19:00.255676 ARP, Reply 192.168.140.112 is-at 00:18:71:ea:a9:b5, length 28
                                        10:19:01.253716 ARP, Request who-has 192.168.140.112 tell 192.168.140.101, length 46
                                        10:19:01.253723 ARP, Reply 192.168.140.112 is-at 00:18:71:ea:a9:b5, length 28

                                        In PC1 (see attached)

                                        pc1.jpg

                                          Derelict LAYER 8 Netgate

                                          OK.  The PC is asking who has .112 and something is replying.  Then the PC asks again.  And again.  And again.  You need to find out why your PC is receiving an arp reply and ignoring it.

                                          00:18:71:ea:a9:b5 should be what you expect for the MAC address of the interface on 192.168.140.112

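An added example, not part of the thread and not Netgate's code: a cross-check of the IP-to-MAC bindings in the capture and routing table posted above, which also counts ARP requests repeated after a reply was already on the wire. The sample lines are copied from the thread; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Lines copied from the thread: tcpdump on the pfSense WAN, then the
# routing-table rows for the WAN subnet and the default gateway.
CAPTURE = """\
10:18:57.255415 ARP, Reply 192.168.140.112 is-at 00:18:71:ea:a9:b5, length 28
10:18:58.253579 ARP, Request who-has 192.168.140.112 tell 192.168.140.101, length 46
10:18:58.253586 ARP, Reply 192.168.140.112 is-at 00:18:71:ea:a9:b5, length 28
10:18:59.253501 ARP, Request who-has 192.168.140.112 tell 192.168.140.101, length 46
10:18:59.253508 ARP, Reply 192.168.140.112 is-at 00:18:71:ea:a9:b5, length 28
10:19:00.255669 ARP, Request who-has 192.168.140.112 tell 192.168.140.101, length 46
10:19:00.255676 ARP, Reply 192.168.140.112 is-at 00:18:71:ea:a9:b5, length 28
10:19:01.253716 ARP, Request who-has 192.168.140.112 tell 192.168.140.101, length 46
10:19:01.253723 ARP, Reply 192.168.140.112 is-at 00:18:71:ea:a9:b5, length 28
"""
ROUTES = """\
192.168.140.0/24 link#1 U 0 66 1500 em0
192.168.140.1 00:18:71:ea:a9:b5 UHS 0 2443 1500 em0
"""
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
REPLY = re.compile(rf"ARP, Reply ({IP}) is-at ({MAC})", re.I)
REQUEST = re.compile(rf"ARP, Request who-has ({IP}) tell ({IP})", re.I)
ROUTE = re.compile(rf"^({IP})\s+({MAC})\s", re.I | re.M)

def bindings(capture, routes):
    """Map each MAC to every IP it is bound to in either source."""
    seen = defaultdict(set)
    for ip, mac in REPLY.findall(capture) + ROUTE.findall(routes):
        seen[mac.lower()].add(ip)
    return seen

def shared_macs(capture, routes):
    """MACs bound to more than one IP (duplicate MAC, proxy ARP, spoofing)."""
    found = bindings(capture, routes)
    return {mac: sorted(ips) for mac, ips in found.items() if len(ips) > 1}

def repeated_after_reply(capture):
    """Count ARP requests re-sent after a reply for that target was captured."""
    answered, retries = set(), defaultdict(int)
    for line in capture.splitlines():
        if m := REPLY.search(line):
            answered.add(m.group(1))
        elif (m := REQUEST.search(line)) and m.group(1) in answered:
            retries[(m.group(1), m.group(2))] += 1
    return dict(retries)

if __name__ == "__main__":
    print(shared_macs(CAPTURE, ROUTES), repeated_after_reply(CAPTURE))
```

On the posted data the check reports 00:18:71:ea:a9:b5 bound to both 192.168.140.1 (routing table) and 192.168.140.112 (ARP replies), which is the MAC worth comparing against the one actually configured on the pfSense WAN interface.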
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.