<![CDATA[LAN host can't ping pfSense or beyond]]>HI all.
Excuse long message but wanted to give detail. I am stumped. It might be I've made some embarrassing mistake here but here goes…

I'm testing pfSense on my home network, trying to simulate multiple LANS accessing WAN through pfSense.

Scroll down if you want to see the problem before the config. Basically can't ping from the laptop 1 hop away from pfsense.

Config:

All subnets are /24s.

I'm using the below hardware. Borris is a laptop connected directly to the cisco router fa0/1 interfaces.

Phobos is my sniffing machine.

borris = Linux Ubuntu laptop. 192.168.3.37
phobos Windows Seven laptop. 192.168.2.32
pfsense = PC Engines Alix board pfsense embedded. Hostname pfsense.test. 192.168.2.1
cisco = Cisco 2621. 192.168.2.2
adsl = draytek vigor. 192.168.0.1. My edge router here.

Topology:
For the purposes of sniffing, phobos is connected to a layer 1 hub with cisco and pfsense on the 192.168.2.0/24 network.
adsl - (pfsense, phobos, cisco) - borris

Full interface IP addresses.

adsl LAN: 192.168.0.1
pfsense wan: 192.168.0.2
pfsense lan: 192.168.2.1
cisco fa0/0: 192.168.2.2
cisco fa0/1. 192.168.3.1
phobos 192.168.2.32
borris lan: 192.168.3.37

pfsense setup:
Automatic NAT.
No firewall rules set other than one allowing management access from wan.

WAN interface:
Enabled.
Bogons are not blocked.
1918 addresses are not blocked.
The wan interface has a gateway configured. This is the lan address of the adsl router. 192.168.0.1.

LAN interface:
Enabled.
Bogons are not blocked.
1918 addresses are not blocked.
No gateway is set.

Routing:
A gateway to the wan is set. adsl 192.168.0.1. As above.
A Gateway on the LAN interfaces is set, the IP address of the cisco router. 192.168.2.2.
There's a route for 192.168.3.0/24 pointing to the LAN gateway above.

Tests:

phobos can ping pfsense cisco and internet.
After adding route from phobos to borris via cisco:
route add 192.168.3.0 mask 255.255.255.0 192.168.2.2
Pings between phobos and borris work.
cisco can ping borris, pfsense and internet.
borris can ping both interfaces of cisco
borris can't ping pfsense or beyond.

Captures:

borris.
ping 192.168.2.1

Listening from phobos on the layer 1 hub.
windump -i 3 -f "icmp"

13:22:23.794568 IP 192.168.3.37 > pfsense.test: ICMP echo request, id 10764, seq 3010, length 64
13:22:24.802621 IP 192.168.3.37 > pfsense.test: ICMP echo request, id 10764, seq 3011, length 64
13:22:25.810595 IP 192.168.3.37 > pfsense.test: ICMP echo request, id 10764, seq 3012, length 64
13:22:26.819189 IP 192.168.3.37 > pfsense.test: ICMP echo request, id 10764, seq 3013, length 64
13:22:27.829165 IP 192.168.3.37 > pfsense.test: ICMP echo request, id 10764, seq 3014, length 64
13:22:28.834699 IP 192.168.3.37 > pfsense.test: ICMP echo request, id 10764, seq 3015, length 64
...

From the diagnostics page in pfsense. Capture on LAN:

Packets Captured:
13:22:33.560150 IP 192.168.3.37 > 192.168.2.1: ICMP echo request, id 10764, seq 3021, length 64
13:22:34.568176 IP 192.168.3.37 > 192.168.2.1: ICMP echo request, id 10764, seq 3022, length 64
13:22:35.576142 IP 192.168.3.37 > 192.168.2.1: ICMP echo request, id 10764, seq 3023, length 64
13:22:36.584163 IP 192.168.3.37 > 192.168.2.1: ICMP echo request, id 10764, seq 3024, length 64
13:22:37.592130 IP 192.168.3.37 > 192.168.2.1: ICMP echo request, id 10764, seq 3025, length 64
13:22:38.600171 IP 192.168.3.37 > 192.168.2.1: ICMP echo request, id 10764, seq 3026, length 64
...

*** Here's what's going wrong I think but why. ***
A little while later, ping is still running on borris, capture on pfsense wan:

Packets Captured:
13:26:56.222915 IP 192.168.0.2 > 192.168.0.1: ICMP echo request, id 41015, seq 10524, length 44
13:26:56.223146 IP 192.168.0.1 > 192.168.0.2: ICMP echo reply, id 41015, seq 10524, length 44
13:26:57.233103 IP 192.168.0.2 > 192.168.0.1: ICMP echo request, id 41015, seq 10780, length 44
13:26:57.233334 IP 192.168.0.1 > 192.168.0.2: ICMP echo reply, id 41015, seq 10780, length 44
13:26:58.243268 IP 192.168.0.2 > 192.168.0.1: ICMP echo request, id 41015, seq 11036, length 44
...

*** Why is pfsense forwarding the ping to the adsl ruter when it's destination is it's LAN interface. I assume the adsl router is replying with a network unreachable and it's not getting babk to borris. ***

Another ping test from pfsense default interface:
PING 192.168.3.37 (192.168.3.37): 56 data bytes
64 bytes from 192.168.3.37: icmp_seq=0 ttl=63 time=1.724 ms
64 bytes from 192.168.3.37: icmp_seq=1 ttl=63 time=0.515 ms
64 bytes from 192.168.3.37: icmp_seq=2 ttl=63 time=0.483 ms

Another example. Capture of a rerun of the ping from pfsens' lan interface to borris. This capture taken from phobos on the hub again:

13:34:50.415783 IP pfsense.test > 192.168.3.37: ICMP echo request, id 58587, seq 0, length 64
13:34:50.416671 IP 192.168.3.37 > pfsense.test: ICMP echo reply, id 58587, seq 0, length 64
13:34:51.424552 IP pfsense.test > 192.168.3.37: ICMP echo request, id 58587, seq 1, length 64
13:34:51.425441 IP 192.168.3.37 > pfsense.test: ICMP echo reply, id 58587, seq 1, length 64
13:34:52.434747 IP pfsense.test > 192.168.3.37: ICMP echo request, id 58587, seq 2, length 64
13:34:52.435618 IP 192.168.3.37 > pfsense.test: ICMP echo reply, id 58587, seq 2, length 64

Grateful for any suggestions though might not get to try for a little while.

]]>https://forum.netgate.com/topic/79494/lan-host-can-t-ping-pfsense-or-beyondRSS for NodeMon, 20 Apr 2026 09:04:40 GMTSun, 08 Feb 2015 14:57:06 GMT60<![CDATA[Reply to LAN host can't ping pfSense or beyond on Sun, 08 Feb 2015 18:54:35 GMT]]>Ah what a div.  :-[ Shoulda checked that.

Thanks for the hint, that's exactly what it was.

I'm more used to iptables I suppose with it's default policy of accept. I've added a rule now letting my test subnets through and all is workink. Can get on to the internet from the host on 192.168.3.0/24 subnet.
:)

]]>https://forum.netgate.com/post/517236https://forum.netgate.com/post/517236Sun, 08 Feb 2015 18:54:35 GMT<![CDATA[Reply to LAN host can't ping pfSense or beyond on Sun, 08 Feb 2015 15:31:51 GMT]]>The pings you see on the WAN are just pfSense monitoring its default gateway once a second.

The default LAN firewall rule is set to allow traffic only from the LAN subnet so it will dump traffic that's been routed from 192.168.3.X. Have you changed that?

Steve

]]>https://forum.netgate.com/post/517200https://forum.netgate.com/post/517200Sun, 08 Feb 2015 15:31:51 GMT